
CCNA Security / firewall section


skk391 (Technical User), Mar 3, 2009:
hi guys,
I'm doing some studying for my CCNA Security exam. I have got to the firewall section and have a couple of questions relating to the real world.
Currently on a production network I have an ISA 2006 firewall on a network of 10.1.1.x /24.

On the ISA I can group internal hosts together so that applying a rule becomes very simple.

I am hoping after passing my CCNA Security to be able to swap out the ISA 2006 for a 2801 router and use the IOS set and access-lists to secure the internal network.

I was wondering how many lines can be added to one access-list? I understand that if the network was correctly subnetted then the task of permitting and denying users would be fairly easy; I could just permit/deny subnets with a single command.

But the network which I have inherited is flat and all hosts belong to the same subnet. I don't really want to start changing IP addresses on the hosts etc.

So to permit/deny hosts, will I have to add a separate entry into an access-list for each host that, say, needs access to the Internet?

I guess what I am trying to ask is whether there is a command that will allow me to group hosts together, something like the interface range command on a switch. Is there anything that would allow me to specify hosts from 10.1.1.50 to 10.1.1.110 for example?

Many thanks


 
When you are doing access lists you use wildcard masks to group IP addresses to minimise the entries, but there would still be a few for abnormal ranges; it is easy for a /24 (0.0.0.255).

I don't know if there is an easier way to do it via the web-based tool thing, which I've conveniently forgotten the name of (doh!).

A quick google gives which looks useful for information I cba to type :).
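As an added worked example (not code from the original thread or from Cisco), the following Python shows what the reply above means by using wildcard masks to group addresses. It decomposes the 10.1.1.50 to 10.1.1.110 range from the question into the fewest wildcard-mask entries, checks the result against the IOS matching rule (an ACE matches when the bits where the wildcard is 0 are equal), and renders it as a named standard ACL. The ACL name INET-HOSTS and the range are assumed for illustration; the decomposition generalises to any inclusive IPv4 range.

```python
"""Wildcard-mask range decomposition for Cisco IOS ACLs (added example).

Assumptions: the ACL name INET-HOSTS and the range 10.1.1.50-10.1.1.110
are illustrative; IOS matches an ACE when (addr XOR ace_addr) AND NOT
wildcard == 0, so one ACE can only express a power-of-two block that
starts on a multiple of its size.
"""
from ipaddress import IPv4Address

MAX32 = 0xFFFFFFFF


def range_to_wildcard_aces(first, last):
    """Cover the inclusive range first..last with the fewest aligned blocks.

    Each block is a power of two in size and starts on a multiple of that
    size, which is exactly what one (address, wildcard) pair can express;
    the wildcard is size-1 (0.0.0.255 for a /24). This is the same greedy
    walk used to summarise a range into CIDR prefixes.
    """
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi:
        raise ValueError("first must not be above last")
    aces = []
    while lo <= hi:
        # Largest block aligned at lo (its lowest set bit)...
        size = lo & -lo if lo else 1 << 32
        # ...shrunk until it no longer overshoots hi.
        while size > hi - lo + 1:
            size >>= 1
        aces.append((str(IPv4Address(lo)), str(IPv4Address(size - 1))))
        lo += size
    return aces


def ace_matches(ace_addr, wildcard, addr):
    """IOS match test: every bit where the wildcard is 0 must be equal."""
    n, w, a = (int(IPv4Address(x)) for x in (ace_addr, wildcard, addr))
    return ((n ^ a) & (~w & MAX32)) == 0


def covers_exactly(aces, first, last):
    """Brute-force check: the ACEs match every address in first..last and
    nothing else inside the enclosing /24s (enough for a flat 10.1.1.0/24)."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    probe_lo, probe_hi = lo & ~0xFF, hi | 0xFF
    for a in range(probe_lo, probe_hi + 1):
        addr = str(IPv4Address(a))
        hit = any(ace_matches(n, w, addr) for n, w in aces)
        if hit != (lo <= a <= hi):
            return False
    return True


def ios_standard_acl(name, first, last, action="permit"):
    """Render the ACEs as an IOS named standard ACL (name is hypothetical)."""
    lines = [f"ip access-list standard {name}"]
    for net, wc in range_to_wildcard_aces(first, last):
        # IOS accepts 'host X' as shorthand for 'X 0.0.0.0'.
        lines.append(f" {action} host {net}" if wc == "0.0.0.0"
                     else f" {action} {net} {wc}")
    return lines


if __name__ == "__main__":
    print("\n".join(ios_standard_acl("INET-HOSTS", "10.1.1.50", "10.1.1.110")))
    # Trap: a wildcard applied to an unaligned address widens the match.
    # 10.1.1.50 0.0.0.63 behaves as 10.1.1.0 0.0.0.63, so it matches 10.1.1.3.
    print(ace_matches("10.1.1.50", "0.0.0.63", "10.1.1.3"))
```

For 10.1.1.50 to 10.1.1.110 this produces eight entries (blocks of 2, 4, 8, 32, 8, 4, 2 and 1) instead of 61 `host` lines, and `covers_exactly` confirms nothing outside the range is matched. The trap in the last line is worth remembering when hand-writing entries: a wildcard only behaves as a "range" when the address is aligned to the block size, otherwise the router silently zeroes the masked bits and the entry matches more than intended.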
 
No, the only option is to subnet, like the Toy man has alluded to. This is one reason VLANs are useful...

ACLs are the tip of the iceberg as far as protection goes. Wait until you get to ZBFW (zone-based firewall)...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
thanks for the reply guys,

hi burtsbees, long time! yeah, just got to the ZBFW section and had to take a step back and go over my access-list notes from my CCNA; a little bit rusty I think!

I thought that there might be a way to group hosts together, but it doesn't look like I would be able to do this without subnets.

So I take it that I will have to write an ACL for every host that needs access to the web, and another ACL for hosts that only need access to specific sites, then rely on the default deny-all statement at the end of the ACL to block hosts not allowed to gain access to the net.

I need to have a good play around with ACLs and SDM to see if the IOS set will be a suitable move from the MS ISA. I just want to get away from MS, I hate it! Plus sticking in the 2801 builds up my Cisco skills and stops me from getting rusty.

Any comments about configuring the router as a firewall would be very useful; other than that, thanks for the replies guys.



 
The number of ACE entries in a single ACL depends on the platform. I seem to remember something like 2000 entries being allowed but I've never tested that.

As BB says, you need to bite the bullet and get some hierarchy going with VLANs and subnets. Your tools for controlling access at Layer 2 are much more limited than at Layer 3 and above.
 