Cisco IOS XR Virtual Firewall Configuration Guide, Release 3.7
Configuring Security Access Control Lists on the Virtual Firewall


Configuring Security Access Control Lists on the Virtual Firewall


This module describes security access control lists (ACLs) and how to configure them on your Cisco IOS XR software. ACLs provide basic security for your network by filtering traffic and controlling network connections.

Feature History for Configuring ACLs on the VFW Application

Release        Modification
Release 3.5.0  This feature was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0  No modification.
Release 3.7.0  No modification.


Contents

Information About Security Access Control Lists

How to Configure ACLs

Configuration Examples for Security Access Control Lists

Additional References

Information About Security Access Control Lists

An ACL consists of a series of statements called ACL entries that collectively define the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) to the parts of your network specified in the entry. Besides an action element (permit or deny), each entry also contains a filter element based on criteria such as source address, destination address, protocol, protocol-specific parameters, and so on. An implicit deny-all entry exists at the end of every ACL, so you must configure an ACL on every interface where you want to permit connections. Otherwise, the VFW application denies all traffic on the interface.

ACLs provide basic security for your network by allowing you to control network connection setups rather than processing each packet. Such ACLs are commonly referred to as security ACLs.

You can configure ACLs as parts of other features (for example, security, network address translation [NAT], and so on). The VFW application merges these individual ACLs into one large ACL called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup mechanisms. A match on this merged ACL can result in multiple actions.

When you use ACLs, you may want to permit all e-mail traffic on a circuit, but block Telnet traffic. You can also use ACLs to allow one client to access a part of the network and prevent another client from accessing that same area.

When configuring ACLs, you must apply an ACL to an interface to control traffic on that interface. Applying an ACL on an interface assigns the ACL and its entries to that interface.

You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces.

The following additional information is provided in this section:

ACL Types and Uses

ACL Guidelines

ACL Types and Uses

You can configure extended ACLs only on the VFW application. Extended ACLs control network access for IP traffic.


Note The VFW application does not explicitly support standard ACLs. To configure a standard ACL, specify the destination address as any and do not specify ports in an extended ACL. For details about configuring an extended ACL, see the "Configuring ACLs" section.


ACL Guidelines

This section describes the guidelines to observe when you configure and use ACLs in your network. It contains the following subsections:

ACL Entry Order

ACL Implicit Deny

Maximum Number of ACL Entries

ACL Entry Order

An ACL consists of one or more entries. You can specify as match criteria the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP type, or ICMP code. By default, the VFW application appends each ACL entry at the end of the ACL. You can also specify the location of each entry within an ACL.

The order of the entries is important. When the VFW application decides whether to accept or refuse a connection, the VFW application tests the packet against each ACL entry in the order in which the entries are listed. After it finds a match, the VFW application does not check any more entries. For example, if you create an entry at the beginning of an ACL that explicitly permits all traffic, the VFW application does not check any further statements in the ACL.

ACL Implicit Deny

All ACLs have an implicit deny entry at the end of the ACL, so, unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the VFW application except for those with particular IP addresses, then you need to deny the particular IP addresses in one entry and then permit all other IP addresses in another entry.

Maximum Number of ACL Entries

The VFW application supports a maximum of 256 K entries. Some ACLs use more memory than others, and these include ACLs that use large port number ranges or overlapping networks (for example, one entry specifies 10.0.0.0/8 and another entry specifies 10.1.1.0/24). Depending on the type of ACL, the actual limit the VFW application can support may be less than 256 K entries.

If you exceed the memory limitations of the VFW application, the module generates a syslog message and increments the Download Failures counter in the output of the show interface interface_name command. The configuration remains in the running-config and the interface stays enabled. The ACL entries stay the same as they were before the failing configuration was attempted.

For example, if you add a new ACL with 10 entries, but the addition of the sixth entry fails because of memory exhaustion, the VFW application removes the five entries that you successfully entered.

How to Configure ACLs

Configuring ACLs

Configuring ACLs

The following task describes the steps required to configure ACLs.


Note The VFW application does not explicitly support standard ACLs. To configure a standard ACL, specify the destination address as any and do not specify the ports in an extended ACL.


Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. changeto context-name

2. configure

3. access-list name extended {deny | permit} {protocol} {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address}

4. access-list name extended {deny | permit} {tcp | udp} {src_ip_address netmask | any | host src_ip_address} [operator port1] {dest_ip_address netmask | any | host dest_ip_address} [operator port2]

5. access-list name extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address} [icmp_type] [code operator code]

6. access-list name remark text

7. access-list name resequence [number1] [number2]

8. interface interface_name

9. access-group {input | output} acl_name

10. exit

11. access-group {input | output} acl_name

12. exit

13. copy running-config startup-config

14. show running-config access-list

DETAILED STEPS

Command or Action / Purpose

Step 1 

changeto context-name

Example:

firewall/Admin# changeto C1

firewall/C1#

Logs into the correct context. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context.

Note The rest of the examples in this task use the Admin context. For details on creating contexts, see Configuring Virtualization on the Virtual Firewall.

Step 2 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 3 

access-list name extended {deny | permit} {protocol} {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address}

Example:
firewall/Admin(config)# access-list INBOUND extended deny ip 192.168.12.0 255.255.255.0 any
firewall/Admin(config)# access-list INBOUND extended permit ip any any

Creates an ACL based on IP source and destination addresses. The protocol argument is the name or number of an IP protocol. Allowable values are listed in Table 5.

Add entries to the ACL as required using the same access-list name.

Step 4 

access-list name extended {deny | permit} {tcp | udp} {src_ip_address netmask | any | host src_ip_address} [operator port1] {dest_ip_address netmask | any | host dest_ip_address} [operator port2]

Example:
firewall/Admin(config)# access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000

Creates an ACL based on TCP or UDP source or destination ports. Allowable TCP and UDP port numbers are listed in Table 6 and Table 7. Allowable operators are as follows:

lt—Less than

gt—Greater than

eq—Equal to

neq—Not equal to

range—An inclusive range of port values

Step 5 

access-list name extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address} [icmp_type] [code operator code]

Example:
firewall/Admin(config)# access-list INBOUND extended permit icmp host 192.168.12.5 host 10.0.0.5 echo

Creates an ACL based on ICMP type. Allowable ICMP types are listed in Table 8. Allowable operators are as follows:

lt—Less than

gt—Greater than

eq—Equal to

neq—Not equal to

range—An inclusive range of ICMP code values.

Step 6 

access-list name remark text

Example:
firewall/Admin(config)# access-list INBOUND remark This is an inbound access list

(Optional) Adds comments about an extended ACL to clarify the function of the ACL. You can enter only one comment per ACL and the comment always appears at the beginning of the ACL.

Enter an unquoted text string with a maximum of 100 alphanumeric characters. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.

Step 7 

access-list name resequence [number1] [number2]

Example:
firewall/Admin(config)# access-list INBOUND resequence 10 10

(Optional) Resequences the entries in an ACL with a specific starting number and interval.

number1—Number assigned to the first entry in the ACL. Enter any integer. The default is 10.

number2—Number added to each entry in the ACL after the first entry. Enter any integer. The default is 10.

Step 8 

interface interface_name

Example:
firewall/Admin(config)# interface inside1

Configures an interface.

Step 9 

access-group {input | output} acl_name

Example:
firewall/Admin(config-if)# access-group input INBOUND

Applies the ACL to an individual interface.

Step 10 

exit

Example:

firewall/Admin(config-if)# exit

firewall/Admin(config)#

Exits interface configuration mode.

Step 11 

access-group {input | output} acl_name

Example:
firewall/Admin(config)# access-group input INBOUND

Applies an ACL globally to all interfaces in a context.

Step 12 

exit

Example:

firewall/Admin(config)# exit

firewall/Admin#

Exits global configuration mode.

Step 13 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Step 14 

show running-config access-list

Example:
firewall/Admin# show running-config access-list

Displays and verifies the ACL configuration information.

Allowable protocol values for the access-list command are listed in Table 5.

Table 5 Protocol Values for ACLs

Protocol Name  Protocol Number  Description
ah             51               Authentication Header
eigrp          88               Enhanced IGRP
esp            50               Encapsulated Security Payload
gre            47               Generic Routing Encapsulation
icmp           1                Internet Control Message Protocol
igmp           2                Internet Group Management Protocol
ip             0                Internet Protocol
ip-in-ip       4                IP-in-IP Layer 3 Tunneling Protocol
ospf           89               Open Shortest Path First
pim            103              Protocol Independent Multicast
tcp            6                Transmission Control Protocol
udp            17               User Datagram Protocol


Allowable TCP port numbers for the access-list command are listed in Table 6.

Table 6 Well-Known TCP Port Numbers and Key Words

Key Word          Port Number  Description
aol               5190         America-Online
bgp               179          Border Gateway Protocol
chargen           19           Character Generator
citrix-ica        1494         Citrix Independent Computing Architecture protocol
cmd               514          Same as exec, with automatic authentication
ctiqbe            2748         Computer Telephony Interface Quick Buffer Encoding
daytime           13           Daytime
discard           9            Discard
domain            53           Domain Name System
echo              7            Echo
exec              512          Exec (RSH)
finger            79           Finger
ftp               21           File Transfer Protocol
ftp-data          20           FTP data connections
gopher            70           Gopher
h323              1720         H.323 call signaling
hostname          101          NIC hostname server
http              80           Hyper Text Transfer Protocol
https             443          HTTP over TLS/SSL
ident             113          Ident Protocol
imap4             143          Internet Message Access Protocol, version 4
irc               194          Internet Relay Chat
kerberos          88           Kerberos
klogin            543          Kerberos Login
kshell            544          Kerberos Shell
ldap              389          Lightweight Directory Access Protocol
ldaps             636          LDAP over TLS/SSL
login             513          Login (rlogin)
lotusnotes        1352         IBM Lotus Notes
lpd               515          Printer Service
matip-a           350          Mapping of Airline Traffic over Internet Protocol (MATIP) Type A
netbios-ssn       139          NetBios Session Service
nntp              119          Network News Transport Protocol
pcanywhere-data   5631         PC Anywhere data
pim-auto-rp       496          PIM Auto-RP
pop2              109          Post Office Protocol v2
pop3              110          Post Office Protocol v3
pptp              1723         Point-to-Point Tunneling Protocol, RFC 2637
rpc               71           Remote Procedure Call
rtsp              554          Real Time Stream Control Protocol
sip               5060         Session Initiation Protocol
smtp              25           Simple Mail Transfer Protocol
sqlnet            1521         Structured Query Language Network
ssh               22           Secure SHell
sunrpc            111          Sun Remote Procedure Call
tacacs            49           Terminal Access Controller Access Control System
talk              517          Talk
telnet            23           Telnet
time              37           Time
uucp              540          UNIX-to-UNIX Copy Program
whois             43           Nickname
www               80           World Wide Web (HTTP)


Allowable UDP port numbers for the access-list command are listed in Table 7.

Table 7 Well-Known UDP Port Numbers and Key Words

Key Word           Port Number  Description
biff               512          Mail notification
bootpc             68           Bootstrap Protocol (BOOTP) client
bootps             67           Bootstrap Protocol (BOOTP) server
discard            9            Discard
dnsix              195          DNSIX Security protocol auditing (dn6-nlm-aud)
domain             53           Domain Name System
echo               7            Echo
isakmp             500          Internet Security Association Key Management Protocol
kerberos           88           Kerberos
mobile-ip          434          Mobile IP registration
nameserver         42           Host Name Server
netbios-dgm        138          NetBios datagram service
netbios-ns         137          NetBios name service
netbios-ssn        139          NetBios Session Service
ntp                123          Network Time Protocol
pcanywhere-status  5632         PC Anywhere status
radius             1812         Remote Authentication Dial-in User Service
radius-acct        1813         RADIUS Accounting
rip                520          Routing Information Protocol (router, in.routed)
snmp               161          Simple Network Management Protocol
snmptrap           162          SNMP Traps
sunrpc             111          Sun Remote Procedure Call
syslog             514          System Logger
tacacs             49           Terminal Access Controller Access Control System
talk               517          Talk
tftp               69           Trivial File Transfer Protocol
time               37           Time
who                513          Who service (rwho)
wsp                9200         Connection-less Wireless Session Protocol
wsp-wtls           9202         Secure Connection-less WSP
wsp-wtp            9201         Connection-based WSP
wsp-wtp-wtls       9203         Secure Connection-based WSP
xdmcp              177          X Display Manager Control Protocol


Allowable ICMP types are listed in Table 8.

Table 8 ICMP Types

ICMP Type Number  ICMP Type Keyword
0                 echo-reply
3                 unreachable
4                 source-quench
5                 redirect
6                 alternate-address
8                 echo
9                 router-advertisement
10                router-solicitation
11                time-exceeded
12                parameter-problem
13                timestamp-request
14                timestamp-reply
15                information-request
16                information-reply
17                mask-request
18                mask-reply
30                traceroute
31                conversion-error
32                mobile-redirect


Troubleshooting Tip

To display ACL statistics for a particular ACL, use the show access-list command.

Configuration Examples for Security Access Control Lists

This section provides examples of extended ACLs. Use extended ACLs when you want to match on both the source and destination IP addresses, on TCP or UDP ports, or on ICMP types. For details about configuring extended ACLs, see the "Configuring ACLs" section.

Basic ACL Configuration: Examples

Inbound and Outbound ACLs: Example

IP Addresses for ACLs with NAT: Example

Basic ACL Configuration: Examples

The following ACL allows all hosts (on the interface to which you apply the ACL) to go through the VFW application:

firewall/Admin(config)# access-list ACL_IN extended permit ip any any

The following ACL prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network. All other addresses are permitted.

firewall/Admin(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
firewall/Admin(config)# access-list ACL_IN extended permit ip any any

If you want to restrict access to only some hosts, then enter a limited permit entry. By default, all other traffic is denied unless explicitly permitted.

firewall/Admin(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224

For a list of permitted keywords and well-known port assignments, refer to Table 6. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.

The following ACL example restricts all hosts (on the interface to which you apply the ACL) from accessing a website at address 209.165.201.29. All other traffic is allowed.

firewall/Admin(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
firewall/Admin(config)# access-list ACL_IN extended permit ip any any

The following ACLs allow all inside hosts to communicate with the outside network, but only specific outside hosts to access the inside network:

firewall/Admin(config)# access-list OUT extended permit ip any any
firewall/Admin(config)# access-list IN extended permit ip host 209.168.200.3 any
firewall/Admin(config)# access-list IN extended permit ip host 209.168.200.4 any

The following examples illustrate ICMP ACLs. For details about configuring ICMP ACLs, see the "Configuring ACLs" section.

firewall/Admin(config)# access-list INBOUND extended permit icmp any any echo
firewall/Admin(config)# access-list INBOUND extended permit icmp host 10.0.0.1 host 20.0.0.1 unreachable code range 0 3
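The following Python is an added example, not Cisco code: it simulates the first-match evaluation and implicit deny described in the "ACL Entry Order" and "ACL Implicit Deny" sections, parsing the access-list syntax from the basic examples above (the ACL_IN entries, plus a constructed 'line 10' exception) and evaluating constructed packets against them. The port keyword and ICMP type maps are small subsets of Tables 6 and 8, and the 'line N' handling assumes the page's default 10/10 numbering.

```python
import ipaddress
from typing import Callable, Optional

PORT_KEYWORDS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}  # subset of Table 6
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}  # subset of Table 8

def _addr(tok: list) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(tok.pop(0) if t == "host" else (t, tok.pop(0)), strict=False)

def _cmp(tok: list) -> Optional[Callable[[int], bool]]:
    """Consume an optional 'lt|gt|eq|neq N' or 'range LO HI' clause, if one is present."""
    if not tok or tok[0] not in ("lt", "gt", "eq", "neq", "range"):
        return None
    op = tok.pop(0)
    num = lambda s: PORT_KEYWORDS[s] if s in PORT_KEYWORDS else int(s)
    if op == "range":
        lo, hi = num(tok.pop(0)), num(tok.pop(0))
        return lambda v: lo <= v <= hi
    n = num(tok.pop(0))
    return {"lt": lambda v: v < n, "gt": lambda v: v > n,
            "eq": lambda v: v == n, "neq": lambda v: v != n}[op]

class Acl:
    """A named ACL: ordered entries, first match wins, implicit deny at the end (numbered 10, 20, ...)."""

    def __init__(self, name: str):
        self.name, self.entries = name, []   # entries: (action, matcher) in evaluation order

    def add(self, command: str) -> None:
        tok = command.split()[2:]            # drop the 'access-list NAME' prefix
        pos = len(self.entries)              # default: append at the end of the ACL
        if tok[0] == "line":                 # 'line N': insert ahead of the current entry N (assumes 10/10 numbering)
            pos, tok = max(0, int(tok[1]) // 10 - 1), tok[2:]
        assert tok.pop(0) == "extended"
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _addr(tok), (_cmp(tok) if proto in ("tcp", "udp") else None)
        dst, dport = _addr(tok), (_cmp(tok) if proto in ("tcp", "udp") else None)
        itype = ICMP_TYPES[tok.pop(0)] if proto == "icmp" and tok else None

        def match(pkt: dict) -> bool:
            if proto != "ip" and pkt["proto"] != proto:   # 'ip' entries match every protocol
                return False
            if ipaddress.IPv4Address(pkt["src"]) not in src or ipaddress.IPv4Address(pkt["dst"]) not in dst:
                return False
            if (sport and not sport(pkt["sport"])) or (dport and not dport(pkt["dport"])):
                return False
            return itype is None or pkt.get("icmp_type") == itype
        self.entries.insert(pos, (action, match))

    def lookup(self, pkt: dict):
        """(action, line) of the first matching entry; ('deny', None) is the implicit deny."""
        for i, (action, match) in enumerate(self.entries):
            if match(pkt):
                return action, 10 * (i + 1)
        return "deny", None

def demo() -> dict:
    """The page's ACL_IN entries plus one constructed 'line 10' exception, against constructed packets."""
    acl = Acl("ACL_IN")
    acl.add("access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224")
    acl.add("access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www")
    acl.add("access-list ACL_IN extended permit ip any any")
    acl.add("access-list ACL_IN line 10 extended permit tcp host 192.168.1.7 any eq https")
    pkts = {                                 # constructed sample traffic
        "inside_net_web": dict(proto="tcp", src="192.168.1.5", dst="209.165.201.10", sport=40000, dport=80),
        "blocked_site_www": dict(proto="tcp", src="10.9.9.9", dst="209.165.201.29", sport=40000, dport=80),
        "blocked_site_https": dict(proto="tcp", src="10.9.9.9", dst="209.165.201.29", sport=40000, dport=443),
        "exempt_host_https": dict(proto="tcp", src="192.168.1.7", dst="209.165.201.10", sport=40000, dport=443),
        "ping": dict(proto="icmp", src="10.9.9.9", dst="209.165.201.10", icmp_type=8),
    }
    results = {name: acl.lookup(p) for name, p in pkts.items()}
    limited = Acl("ACL_LIMITED")             # only the page's 'limited permit entry', no permit-all
    limited.add("access-list ACL_LIMITED extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224")
    results["limited_acl_other_src"] = limited.lookup(pkts["blocked_site_www"])
    return results
```

Because the exception entry was inserted at line 10, the host 192.168.1.7 is permitted to HTTPS even though the next entry denies its whole /24 to that network; the same packet would be denied if the entries were simply appended in the other order.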

Inbound and Outbound ACLs: Example

Traffic flowing across an interface in the VFW application can be controlled in two ways:

Traffic that enters the VFW application can be controlled by attaching an inbound ACL to the source interface.

Traffic that exits the VFW application can be controlled by attaching an outbound ACL to the destination interface.

To allow any traffic to enter the VFW application, you must attach an inbound permit ACL to an interface; otherwise, the VFW application automatically refuses all traffic that enters that interface. By default, traffic can exit the VFW application on any interface unless you restrict it using an outbound ACL, which adds restrictions to those already configured in the inbound ACL.


Note Inbound and outbound refer to the application of an ACL on an interface, either to traffic entering the VFW application on an interface or traffic exiting the VFW application on an interface. These terms do not refer to the movement of traffic from a lower-security interface to a higher-security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.


You may want to use an outbound ACL to simplify your ACL configuration. For example, if you want to allow three inside networks on three different interfaces to access each other, you can create a simple inbound ACL that allows all traffic on each inside interface. (See Figure 9.)

Figure 9 Inbound ACLs

See the following commands for this example:

firewall/Admin(config)# access-list INSIDE extended permit ip any any 
firewall/Admin(config)# interface SALES 
firewall/Admin(config-if)# access-group input INSIDE 
firewall/Admin(config)# interface HR 
firewall/Admin(config-if)# access-group input INSIDE 
firewall/Admin(config)# interface ENG 
firewall/Admin(config-if)# access-group input INSIDE 

Then, if you want to allow only certain hosts on the inside networks to access a web server on the outside network, you can create a more restrictive ACL that allows only the specified hosts and apply it to the outbound direction of the outside interface (see Figure 10). For information about NAT and IP addresses, see the "IP Addresses for ACLs with NAT: Example" section. The outbound ACL prevents any other hosts from reaching the outside network.

See the following commands for this example:

firewall/Admin(config)# access-list INSIDE extended permit ip any any
firewall/Admin(config)# interface SALES
firewall/Admin(config-if)# access-group input INSIDE
firewall/Admin(config)# interface HR
firewall/Admin(config-if)# access-group input INSIDE
firewall/Admin(config)# interface ENG
firewall/Admin(config-if)# access-group input INSIDE

firewall/Admin(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www
firewall/Admin(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www
firewall/Admin(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
firewall/Admin(config)# interface interface_name
firewall/Admin(config-if)# access-group output OUTSIDE

Figure 10 Outbound ACL

IP Addresses for ACLs with NAT: Example

When you use NAT, the IP addresses you specify for an ACL depend on the interface to which the ACL is attached. You need to use addresses that are valid on the network that is connected to the interface. This guideline applies for both inbound and outbound ACLs—the direction does not determine the address used, only the interface does.

For example, suppose that you want to apply an ACL to the inbound direction of the interface. You configure the VFW application to perform NAT on the inside source addresses when they access outside addresses. Because the ACL is applied to the inside interface, the source addresses are the original untranslated addresses. Because the outside addresses are not translated, the destination address used in the ACL is the real address (see Figure 11).

Figure 11 IP Addresses in ACLs: NAT Used for Source Addresses

See the following commands for this example:

firewall/Admin(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
firewall/Admin(config)# interface interface_name
firewall/Admin(config-if)# access-group input INSIDE

If you want to allow an outside host to access an inside host, you can apply an inbound ACL on the outside interface. You need to specify the translated address of the inside host in the ACL, because that address is the address that can be used on the outside network. (See Figure 12.)

Figure 12 IP Addresses in ACLs: NAT Used for Destination Addresses

See the following commands for this example:

firewall/Admin(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
firewall/Admin(config)# interface interface_name
firewall/Admin(config-if)# access-group input OUTSIDE

If you perform NAT on both interfaces, then keep in mind the addresses that are visible to a given interface. In Figure 13, an outside server uses static NAT so that a translated address appears on the inside network.

Figure 13 IP Addresses in ACLs: NAT Used for Source and Destination Addresses

See the following commands for this example:

firewall/Admin(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56
firewall/Admin(config)# interface interface_name
firewall/Admin(config-if)# access-group input INSIDE

For an example of IP addresses used in outbound ACLs, see Figure 10.

Additional References

The following sections provide references related to access control lists.

Related Documents

Related Topic: Virtual firewall ACL command syntax
Document Title: "Access Control List Commands on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Command Reference


Standards

Standards / Title: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs / MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

RFCs / Title: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport