ACLs generated by SDM look ambiguous

Zenith888
Level 1

Hi,

This router was initially configured through SDM software and later modified by CCP. They created the following ACLs:

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq cmd
access-list 100 permit udp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq snmp
access-list 100 deny   tcp any host 10.10.10.1 eq telnet
access-list 100 deny   tcp any host 10.10.10.1 eq 22
access-list 100 deny   tcp any host 10.10.10.1 eq www
access-list 100 deny   tcp any host 10.10.10.1 eq 443
access-list 100 deny   tcp any host 10.10.10.1 eq cmd
access-list 100 deny   udp any host 10.10.10.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

To my uneducated guess the red ACL 101 virtually duplicates green ACL 2 and both of them negate the rest of ACLs. Is that correct? What is the best course of action regarding securing access to this router?

Thank you for all the help you can provide!

Zen

5 Replies

Calin C.
Level 5

Dear Zen,

You have different ACLs there. One rule is in ACL 2, the other one is in ACL 101, and another set of rules is in ACL 100... I don't see how ACL 2 and 101 could negate each other or any other rule in another ACL. These are independent rules in different ACLs. Or did I misunderstand your question?

Regarding your question about how to secure your device. Here would be a good start:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

and some step by step practice:

https://www.infosecisland.com/blogview/3309-How-to-secure-a-Cisco-router.html

http://www.dslreports.com/faq/7766

Good luck,

Calin

tprendergast
Level 3

Zen,

Your ACLs are all independent of each other. As such, ACL2 and ACL101 have no effect on ACL100. Think of them as namespaces. Access-lists are processed top-down only within the same access-list. Your router will not process Access-List 1, then Access-list 2, then Access-list 3 for the same traffic. You can only apply 1 ACL to a direction on any particular interface.

For example, if you wanted ACL100 to govern the traffic to your device, you would apply ACL100 to your inbound or outbound interface.

It can be easy in SDM to create multiple access lists without realizing what you are doing.

Access-list 2 is a standard access-list, and does not consider anything other than IP addresses and to permit or deny the traffic.

Access-list 100 & 101 are extended access-lists, and can consider the source IP, destination IP, protocol, and type of traffic (port #).
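The top-down, first-match, implicit-deny behaviour described in this reply can be checked without a router. The following is an added example, not code from the thread or from Cisco: a small Python evaluator that parses the ACLs posted above (copied here with the remarks dropped) and judges a packet against one list at a time, using IOS wildcard-mask semantics. Everything beyond the posted ACL text (the test source addresses, the port keyword table) is an assumption of the example.

```python
import ipaddress

# Constructed copy of the ACLs posted above, remarks dropped. Nothing else
# about the poster's router is assumed.
ACL_CONFIG = """
access-list 1 permit any
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq cmd
access-list 100 permit udp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq snmp
access-list 100 deny   tcp any host 10.10.10.1 eq telnet
access-list 100 deny   tcp any host 10.10.10.1 eq 22
access-list 100 deny   tcp any host 10.10.10.1 eq www
access-list 100 deny   tcp any host 10.10.10.1 eq 443
access-list 100 deny   tcp any host 10.10.10.1 eq cmd
access-list 100 deny   udp any host 10.10.10.1 eq snmp
access-list 100 permit ip any any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
"""

# IOS port keywords that appear in the posted ACL.
PORT_NAMES = {"telnet": 23, "www": 80, "cmd": 514, "snmp": 161}
ANY = (0, 0xFFFFFFFF)  # base address 0, every bit "don't care"

def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: any | host A | A WILDCARD | A.
    Returns ((base_int, wildcard_int), next_index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    base, wildcard = int(ipaddress.ip_address(tokens[i])), 0
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        wildcard = int(ipaddress.ip_address(tokens[i + 1]))
        i += 1
    return (base, wildcard), i + 1

def _addr_match(spec, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return ((int(ipaddress.ip_address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def parse_acls(config):
    """Return {acl_number: [entry, ...]} in configured order, remarks skipped."""
    acls = {}
    for line in config.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number = int(tokens[1])
        entry = {"action": tokens[2], "text": " ".join(tokens), "dport": None}
        if number <= 99 or 1300 <= number <= 1999:
            # Standard ACL: source address only, any protocol, any destination.
            entry["proto"] = "ip"
            entry["src"], _ = _parse_addr(tokens, 3)
            entry["dst"] = ANY
        else:
            # Extended ACL: protocol, source, destination, optional "eq PORT".
            entry["proto"] = tokens[3]
            entry["src"], i = _parse_addr(tokens, 4)
            entry["dst"], i = _parse_addr(tokens, i)
            if i + 1 < len(tokens) and tokens[i] == "eq":
                port = tokens[i + 1]
                entry["dport"] = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        acls.setdefault(number, []).append(entry)
    return acls

def evaluate(acl, src, dst, proto="tcp", dport=None):
    """Walk ONE list top-down; IOS stops at the first matching entry and a
    packet matching nothing hits the implicit deny at the end."""
    for n, e in enumerate(acl, 1):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_addr_match(e["src"], src) and _addr_match(e["dst"], dst)):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], f"line {n}: {e['text']}"
    return "deny", "implicit deny at end of list"

if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    # The same SSH attempt to the router, judged by each list on its own:
    # no list ever consults another, which is the point of the thread.
    for number in (2, 100, 101):
        for src in ("10.10.10.50", "192.0.2.7"):
            action, why = evaluate(acls[number], src, "10.10.10.1", "tcp", 22)
            print(f"ACL {number:3} src {src:12} -> {action:6} ({why})")
    # ACL 100's final "permit ip any any" lets everything else through,
    # including an outside SSH attempt at a host *behind* the router.
    print(evaluate(acls[100], "192.0.2.7", "10.10.10.20", "tcp", 22))
```

Two things the run makes visible that the listing alone does not: the outside SSH attempt is refused by ACL 100 at its line 8 and by ACL 2 and ACL 101 only through their implicit deny, and ACL 100 ends with `permit ip any any`, so it filters only the management ports of 10.10.10.1 itself and passes everything else, including the same port on hosts behind the router. Which of those verdicts actually applies to real traffic depends entirely on which list is attached to which interface, line or service.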

Does that mean that ACLs are applied only to certain interfaces and only in specific direction (in or out)?

I thought of them as sort of firewall where they were numbered for convenience, but applied summarily.

No, they are not applied summarily. As the others have said, they are treated as individual access-lists. They may or may not be in use on your router, as we can't see because you haven't supplied the rest of the config. Access-lists can be used for all kinds of things other than simply denying or permitting traffic through an interface, e.g. QoS packet matching/NAT configurations/Policy Based Routing etc.

To see whether these ACLs are actually being used you need to look at the whole router config to see if they have been applied anywhere.

Jon

Does that mean that ACLs are applied only to certain interfaces and only in specific direction (in or out)?

I thought of them as sort of firewall where they were numbered for convenience, but applied summarily.

ACLs on routers are applied to interfaces with a direction. For example:

- You want to apply ACL 101 to traffic coming in from the internet towards your company. Your router has a WAN interface Serial0/0.

- You would do:

- conf t

- int s0/0

- ip access-group 101 in

This would look something like this:

interface Serial0/0
description WAN Interface

ip address 1.1.1.2 255.255.255.252
ip access-group 101 in

That will have all traffic coming inbound to that interface be passed through your access-list 101 before it is allowed to continue through the traffic path. Think of the number on the access-list as a unique identifier or name in the context of firewall ACLs. You may have a firewall ACL called "outside_access_in", and one called "inside_access_out" that serve two different purposes. All the traffic through the firewall does not pass through both access-lists, only the one that is applied to the specific interface.

Hope that helps!
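Jon's advice to read the whole config for where the lists are attached, and the `ip access-group` example just above, can be turned into a quick scan. The following is an added example, not code from the thread or from Cisco: it walks a config, records which ACL numbers have entries and which are attached by `ip access-group`, `access-class` or an SNMP community, then reports lists that are defined but never attached and lists that are attached but have no entries. The config fragment is constructed for the example; the interface names, the vty lines and the SNMP community are assumptions, not the poster's configuration.

```python
import re

# Constructed config fragment, not the poster's full config: the posted ACL
# numbers plus a hypothetical placement (interface names, vty lines and the
# SNMP community are assumptions) so the scan has something to find.
CONFIG = """
access-list 1 permit any
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 deny   tcp any host 10.10.10.1 eq 22
access-list 100 permit ip any any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
snmp-server community s3cr3t RO 2
!
interface Vlan1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
!
interface FastEthernet4
 description WAN
 ip address 192.0.2.2 255.255.255.252
!
line vty 0 4
 access-class 2 in
 transport input ssh
!
"""

# Every way of attaching a numbered ACL that this scan recognises. There are
# others (NAT, route-maps, QoS class-maps), so "unused" below means "not
# attached by any of these commands", not "unused anywhere".
REFERENCE_PATTERNS = (
    r"ip access-group (\d+) (?:in|out)",        # interface packet filter
    r"access-class (\d+) (?:in|out)",           # vty/console login filter
    r"snmp-server community \S+ R[OW] (\d+)",   # SNMP community restriction
)

def parse_usage(config):
    """Return (defined, references): the ACL numbers that have entries, and
    {number: ["<context>: <command>", ...]} for every attachment found."""
    defined, references = set(), {}
    context = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):
            # Top-level line: either opens a new block or is a global command.
            context = "global"
            block = re.match(r"(interface \S+|line .+)", line)
            if block:
                context = block.group(1)
                continue
            acl = re.match(r"access-list (\d+) (?:permit|deny)", line)
            if acl:
                defined.add(int(acl.group(1)))
                continue
        cmd = line.strip()
        for pattern in REFERENCE_PATTERNS:
            m = re.match(pattern, cmd)
            if m:
                references.setdefault(int(m.group(1)), []).append(f"{context}: {cmd}")
    return defined, references

def report(config):
    """Summarise which ACLs are attached where, which are defined but never
    attached, and which are attached but have no entries. The last case
    matters: an ip access-group pointing at a list with no entries filters
    nothing, so the interface is effectively unprotected."""
    defined, references = parse_usage(config)
    return {
        "applied": references,
        "unused": sorted(defined - set(references)),
        "undefined": sorted(set(references) - defined),
    }

if __name__ == "__main__":
    result = report(CONFIG)
    for acl, places in sorted(result["applied"].items()):
        for place in places:
            print(f"ACL {acl}: {place}")
    print("defined but never attached:", result["unused"])
    print("attached but having no entries:", result["undefined"])
```

On the constructed fragment the scan shows ACL 100 attached inbound on Vlan1 and ACL 2 used twice, on the vty lines and by the SNMP community, while ACL 1 and ACL 101 exist but are attached nowhere. Run against the real `show running-config`, that last list is the one to read before deciding anything: a list that is never attached has no effect on the router's security either way, and a list that is attached but empty is worse than none.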
