Configure and verify an ACLs to limit telnet and SSH access to the router
Exam: Cisco 200-120 - CCNA Cisco Certified Network Associate CCNA (803)
This chapter will discuss all that you need to know under the topic “Configure and verify an ACLs to limit telnet and SSH access to the router” from the point of view of the CCNA exam. We hope that this will help you to prepare better for the exam. This topic is crucial from the exam point of view.
As we have already mentioned before ACL or (access control list) is basically a list of permissions that can be attached to an object. We will now discuss in details how the ACLs can be configured. ACL is nothing but a set of rule that helps to specify a set of condition that the packet must fulfil in order to be accepted. The switch will first need to check if an ACL can apply to a packet. In order to do this packet must be checked against all the conditions that are applied by the ACL. The switch will accept packets and process them that full fill the conditions. It will deny the packets that do not match and will drop them. The ACL can be effectively used to protect the host and network. The ACL can be applied on IP addresses, VLAN and also on MAC.
The permit and deny command is used to set the rules on a ACL. The source and the destination of the traffics must be mentioned in the rule. We will discuss how ACL can be applied on SSH (secure shell protocol) and on telnet now. The SSH is also a protocol and it provides a secured remote access connection to the network device. The communication with the client is encrypted in the SSH. The WAAS device is the one that is used limit the SSH and the telnet. The WAAS device is kept in the customer’s premises and it is managed by the service provider. The WAE contains the definition of the WAAS. The ACL that are defined in the router will get more importance compared to the ACL that are defined in the WAE.
When you are in the ACL configuration mode you can use the commands as list, move and delete. These commands can be used to delete and display specific entries. They can also change the order of the entry. This will allow you to list the entries on the basis of how they must be evaluated. If you want to get back to the global configuration mode you must exit the ACL configuration mode. To create the entry you must use the “deny” and the “permit” keyword as we have already mentioned above. This holds good while you apply the ACL on the SSH and the telnet too.
In case of the WAAS (wide area application server) device the ACL will often deny all the entries. This is exactly why one permit entry must be included in order to create a valid access list. Once the ACL is created in a WAAS device the access list can be used in the access group using the access-group command. This will also determine how the access list is applied. The access list can be applied to a specific command too. If you want to create an extended ACL you must enter the ip access –list extended in the global configuration mode. In case of the WAAS the standard access list can be used too. This list will provide access to the TFTP server or to the SNMP server.
The different types of ACL that can be used by the WAAS devices are as follows:
- Interface ACL – this ACL is the one that controls the traffic on a telnet and a SSH protocol. In this case the ACL rule applies only to the traffic that is supposed to reach the WAE. The command ip-access group interface is applied for this interface ACL. In this chapter we will be discussing this ACL in more details.
- Some other ACLS that are used in WAAS devices are interception ACL, SNMP ACL, WCCP ACL and transaction log flows ACL.
To use the interface ACL the following steps must be followed:
- It must have an application layer proxy firewall. This will ensure that there are no ports exposed. The WAAS device has an outside address that can be accessed from the internet but the inside addresses are private. It is the inside interface that can limit the SSH and the telnet.
- The WAE that uses the WCCP will mostly be located in the subnet of the internet router. The router and the WAE must always have an IP ACL. The IP access list get more priority over the IP ACLs.
The command that is used to limit the SSH access is mentioned below. This will accept the web traffic but will limit the access using the SSH.
WAE(config)# ip access-list extended testextacl
WAE(config-ext-nacl)# permit tcp any any eq www
WAE(config-ext-nacl)# permit tcp host 10.1.1.5 any eq ssh
Some points that must be kept in mind when the ACL is used in the WAAS devices are:
- The name of the ACL devices must be unique.
- Each of the WAAS central manager device can manage upto 50 IP ACL And 500 conditions per device.
- If any empty ACL is set on a WAAS it will permit all the traffic.
- The IP ACL name must not be more than 30 characters in length and there should not be any spaces between the characters. If the name starts with a number it cannot contain any non numeric numbers.
- Some previously configured IP ACL Can also be associated with the SNMP and the WCCP.
The topic of “Configure and verify an ACLs to limit telnet and SSH access to the router” is a huge one but these are some aspects of the topic that you must know well from the exam point of view. We hope that with these notes you will definitely be able to do much better in the exams.
Related IT Guides
- Configure and verify ACLs in a network environment
- Configure and verify DHCP (IOS Router)
- Configure and verify initial switch configuration including remote access management
- Configure and verify interVLAN routing (Router on a stick)
- Configure and verify VLANs
- Describe the types, features, and applications of ACLs
- Identify and correct common network problems
- Select the appropriate media, cables, ports, and connectors to connect switches to other network devices and hosts
- Select the Components Required to Meet a Network Specification
- Verify network status and switch operation using basic utilities