1
00:00:11,050 --> 00:00:12,610
Now, this complicates things.

2
00:00:13,360 --> 00:00:21,070
We're told that we need to put the access list in the most efficient place on the router to, for instance,

3
00:00:21,490 --> 00:00:29,760
deny external hosts getting access to internal hosts, but being able to access the HTTP servers.

4
00:00:30,400 --> 00:00:32,900
So I'm going to place the access list here.

5
00:00:33,490 --> 00:00:37,960
It's also good to put your access list on the outside interface of your router.

6
00:00:38,350 --> 00:00:44,470
In other words, the interface facing the Internet, so that you could, for example, block traffic to

7
00:00:44,470 --> 00:00:46,720
the router to protect the router.

8
00:00:47,020 --> 00:00:53,880
You want to place your access lists, especially your external access lists, on the outside interface.

9
00:00:54,400 --> 00:01:00,700
In other words, you want to protect yourself from the Internet as far away from your internal network

10
00:01:00,700 --> 00:01:01,410
as you can.

11
00:01:01,780 --> 00:01:05,010
So we don't want to place the access list here or here.

12
00:01:05,290 --> 00:01:06,420
We want to put it here.

13
00:01:07,210 --> 00:01:14,110
Anyway, based on these criteria, you wouldn't be able to create one access list that meets all the

14
00:01:14,110 --> 00:01:14,980
criteria.

15
00:01:15,550 --> 00:01:19,360
If you try to bind it here or here, it's going to need to be here.

16
00:01:20,140 --> 00:01:26,470
That also creates another problem, because when this PC sends traffic to the Internet, it's going

17
00:01:26,470 --> 00:01:34,750
to have to pass two access lists, one going from left to right and one going from right to left for

18
00:01:34,750 --> 00:01:35,950
the return traffic.

19
00:01:36,550 --> 00:01:39,630
And that is what makes things more complicated.

20
00:01:40,150 --> 00:01:43,060
So we are told to use access list 101.

21
00:01:44,860 --> 00:01:53,800
So, access list 101: we have to permit traffic so that any external device can access the internal servers

22
00:01:53,800 --> 00:02:00,130
using HTTP or HTTPS, so that requires TCP/IP.

23
00:02:00,970 --> 00:02:07,810
The source will be any device going to 10.1.2.0.

24
00:02:09,710 --> 00:02:11,210
That's our server subnet.

25
00:02:13,750 --> 00:02:19,690
Over here, and we want to permit HTTP and HTTPS.

26
00:02:20,780 --> 00:02:23,510
So port 80 and port 443.

27
00:02:24,550 --> 00:02:34,000
So, show access-lists: these two access list entries are part of access list 101. Notice the numbers

28
00:02:34,240 --> 00:02:40,690
automatically added to the access list, which would allow us to edit the access list if required.

29
00:02:41,080 --> 00:02:44,650
I showed you that in the previous access list lab.

30
00:02:45,340 --> 00:02:49,670
No external device can access subnet 10.1.2.0.

31
00:02:50,080 --> 00:02:55,750
We need to explicitly add this line, but that causes problems.

32
00:02:56,260 --> 00:03:02,140
Because this PC shouldn't be able to access, for instance, these PCs.

33
00:03:02,710 --> 00:03:06,520
But what happens if PC 1 wants to connect to Cisco.com?

34
00:03:07,880 --> 00:03:09,860
What about the return traffic?

35
00:03:10,910 --> 00:03:17,790
And when that PC connects to Cisco.com or Facebook.com, what does it do?

36
00:03:18,650 --> 00:03:20,640
It sends a DNS request.

37
00:03:20,900 --> 00:03:24,240
In other words, it needs the name to be resolved.

38
00:03:25,040 --> 00:03:33,230
So this is where it gets a little bit more complicated, because what we want to do is permit DNS replies

39
00:03:33,410 --> 00:03:38,490
from our DNS server with IP address 8.8.8.8.

40
00:03:39,260 --> 00:03:47,960
So we want to allow that server to reply back to DNS requests.

41
00:03:48,440 --> 00:03:57,890
So when the host sends the DNS request, it's going to go to port 53, and the reply is going to come

42
00:03:57,890 --> 00:04:04,320
back with a source port of 53, going to a random port number on the PC.

43
00:04:05,150 --> 00:04:14,450
So we want to specify that the source port is going to be 53 and the destination will be anyone in

44
00:04:14,450 --> 00:04:15,860
our internal network.

45
00:04:16,640 --> 00:04:19,250
Now, in this lab, I'm not using NAT addresses.

46
00:04:19,690 --> 00:04:22,019
We cover NAT in a separate part of the course.

47
00:04:22,430 --> 00:04:29,870
So for the moment, we're just ignoring the requirement that you need to NAT RFC 1918 addresses

48
00:04:30,140 --> 00:04:31,250
onto the Internet.

49
00:04:32,780 --> 00:04:38,060
If you want me to add a combined NAT and access list lab, let me know, I can do that.

50
00:04:38,270 --> 00:04:40,490
It just makes things a little bit more complicated.

51
00:04:41,440 --> 00:04:50,710
We also need to think about the return traffic of sessions to the servers, so when the PC sends HTTP

52
00:04:50,710 --> 00:04:56,410
traffic to the server, the server needs to be able to return that back to the PC.

53
00:04:56,920 --> 00:05:05,680
But we only want to allow TCP traffic from our servers in response to requests to the servers.

54
00:05:06,190 --> 00:05:13,530
Now, you could tie it down here by specifying port 80, 443 and so forth, but what about the PCs

55
00:05:13,540 --> 00:05:15,250
initiating other kinds of sessions?

56
00:05:15,280 --> 00:05:20,170
So what about FTP or TFTP or other kinds of sessions?

57
00:05:20,980 --> 00:05:24,450
So I'm not going to specify a source port here.

58
00:05:25,030 --> 00:05:33,430
I'm going to allow all returned traffic, but what I'm going to do is use the word established.

59
00:05:34,330 --> 00:05:38,260
Established means that the ACK bit is set.

60
00:05:39,810 --> 00:05:47,370
If you think back to your TCP three-way handshake, the first host, when it initiates a session, sets

61
00:05:47,370 --> 00:05:54,680
the SYN bit but not the ACK bit. The ACK bit is only set on return traffic.

62
00:05:55,350 --> 00:06:00,750
So this is looking for an acknowledgment, or ACK, in the return traffic.

63
00:06:01,240 --> 00:06:08,160
Now, in the real world, you don't want to use this, because hacking tools can spoof ACK very easily.

64
00:06:08,550 --> 00:06:15,360
But when configuring an access list like this, that is an option to use. In the real world,

65
00:06:15,360 --> 00:06:21,540
we want to use stateful firewalls, which are a lot more powerful than standard and extended access

66
00:06:21,540 --> 00:06:21,960
lists.

67
00:06:22,380 --> 00:06:28,140
But here we are using an access list, and that would accomplish what we need to accomplish.

68
00:06:29,130 --> 00:06:36,330
And then we want to deny, as a last step, all traffic to our internal network.

69
00:06:38,010 --> 00:06:43,080
So deny IP any going to 10.1.2.0

70
00:06:44,900 --> 00:06:46,910
with subnet mask

71
00:06:48,440 --> 00:06:55,160
and then we want to bind that, but let's have a look at our access list first. There's our new access

72
00:06:55,160 --> 00:07:00,140
list 101, and we want to bind it to Gigabit 0/0/1.

73
00:07:02,270 --> 00:07:08,930
So interface Gigabit 0/0/1, ip access-group 101 inbound.

74
00:07:10,840 --> 00:07:12,100
So again, show run.

75
00:07:14,770 --> 00:07:23,620
Access list 100 is bound inbound on Gigabit 0/0/0, access list 101 is bound inbound on Gigabit

76
00:07:23,620 --> 00:07:24,820
0/0/1,

77
00:07:27,180 --> 00:07:34,290
and that's what our access lists look like. It's fairly complicated, so let's test whether it actually

78
00:07:34,290 --> 00:07:34,860
works.