-----------Time-based ACL and Debug ACLs-------------------
Block telnet from Mickey (10.0.0.2) to host 10.0.1.2 through Pluto in one interval and ping in another interval.

Mickey:
#telnet 10.0.1.2
#ping 10.0.1.2

Pluto:
Configure the correct time first! A time-range is evaluated against the router clock, so an unset or wrong clock means the entries activate at the wrong time or never; check with show clock before testing.
(config)#time-range abs_time
(config-time-range)#absolute start 11:30 4 November 2014 end 12:00 4 November 2014
(config)#time-range per_time
(config-time-range)#periodic daily 12:00 to 14:00
(config)#ip access-list extended 101
(config-ext-nacl)#deny tcp host 10.0.0.2 host 10.0.1.2 eq telnet time-range abs_time
(config-ext-nacl)#deny icmp host 10.0.0.2 host 10.0.1.2 time-range per_time
(config-ext-nacl)#permit ip any any
(config)#int s2/0
(config-if)#ip access-group 101 in
#show time-range
#show access-lists
#debug ip packet

Mickey:
#telnet 10.0.1.2 -> blocked in the first interval (abs_time)
#ping 10.0.1.2 -> blocked in the second interval (per_time)

Pluto:
We can observe the packets that are denied or accepted. An entry whose time-range is inactive is skipped as if it were not in the list, so outside both intervals everything falls through to permit ip any any. debug ip packet prints only process-switched packets and is expensive on a busy router; restrict it with an access-list argument (debug ip packet <acl-number>) and cross-check with the match counters in show access-lists.
(config)#int s2/0
(config-if)#no ip access-group 101 in
#no debug ip packet
--------------------------------------------------

----------------TCP Intercept---------------------
TCP intercept protects the servers behind Pluto from SYN floods: for every SYN that matches the list, the router completes the three-way handshake with the client itself and only then opens a second handshake to the real server, so half-open connections accumulate on the router and not on the server.

Pluto:
(config)#ip access-list extended tcp_inter
(config-ext-nacl)#permit tcp any host 10.0.1.2 eq telnet
(config-ext-nacl)#permit tcp any host 10.0.1.2 eq www
(config-ext-nacl)#permit tcp any host 10.0.1.2 eq smtp
(config-ext-nacl)#permit tcp any host 10.0.1.2 eq pop3
(config)#ip tcp intercept list tcp_inter
(config)#ip tcp intercept mode intercept -> default (the alternative, watch mode, lets SYNs through and only resets connections that do not complete in time)
(config)#ip tcp intercept drop-mode oldest -> default (the alternative is random)
(config)#ip tcp intercept connection-timeout 1800 -> seconds an established connection may stay idle before the router drops it from the intercept table
(config)#ip tcp intercept max-incomplete high 1500 -> above this many half-open connections the router turns aggressive: every new SYN drops the oldest half-open connection
(config)#ip tcp intercept max-incomplete low 1000 -> aggressive mode ends once the half-open count drops below this value
#debug ip tcp intercept

Mickey:
#telnet 10.0.1.2

Pluto:
Observe the debug messages: the two handshakes, first between Mickey and Pluto, then between Pluto and 10.0.1.2.
#show tcp intercept connections
#show tcp intercept statistics
#show access-lists -> see matches
#no debug ip tcp intercept
(config)#no ip tcp intercept list tcp_inter
-----------------------------------------------
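The time-based ACL lab above depends on how IOS treats an entry whose time-range is inactive and on the router clock being right. The following Python model is an added example, not IOS code and not part of the original notes; the class and function names (TimeRange, Ace, evaluate_acl, lab_results) are my own, and the 1993 clock value stands in for a router whose clock was never set. It evaluates ACL 101 with the two time-ranges from the lab against Mickey's telnet and ping at several clock values.

```python
"""Model of how IOS evaluates an extended ACL whose entries carry time-ranges.

Added example for the time-based ACL lab on this page; it is not IOS code and
not part of the original notes. Class and function names are my own.
Modelled semantics: entries are tested top-down and the first match wins; an
entry whose time-range is inactive is skipped as if it were not in the list;
the list ends with an implicit deny.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class TimeRange:
    name: str
    absolute: Optional[tuple] = None   # (start datetime, end datetime), inclusive
    periodic: Optional[tuple] = None   # (start time, end time), daily

    def active(self, now: datetime) -> bool:
        # the absolute clause bounds the range; a periodic clause narrows it
        if self.absolute and not (self.absolute[0] <= now <= self.absolute[1]):
            return False
        if self.periodic:
            start, end = self.periodic
            t = now.time()
            # a daily window such as 22:00 to 06:00 wraps past midnight
            inside = start <= t <= end if start <= end else (t >= start or t <= end)
            if not inside:
                return False
        return True


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str                          # host address or "any"
    dst: str
    dport: Optional[int] = None
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, now: datetime) -> bool:
        if self.time_range and not self.time_range.active(now):
            return False              # inactive entry behaves as absent
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.src != "any" and self.src != pkt["src"]:
            return False
        if self.dst != "any" and self.dst != pkt["dst"]:
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


def evaluate_acl(acl: list, pkt: dict, now: datetime) -> str:
    """Return 'permit' or 'deny' for pkt at router clock time `now`."""
    for ace in acl:
        if ace.matches(pkt, now):
            return ace.action
    return "deny"                     # implicit deny at the end of every ACL


# ACL 101 from the lab, with its two time-ranges.
ABS_TIME = TimeRange("abs_time", absolute=(datetime(2014, 11, 4, 11, 30),
                                           datetime(2014, 11, 4, 12, 0)))
PER_TIME = TimeRange("per_time", periodic=(time(12, 0), time(14, 0)))
ACL_101 = [
    Ace("deny", "tcp", "10.0.0.2", "10.0.1.2", dport=23, time_range=ABS_TIME),
    Ace("deny", "icmp", "10.0.0.2", "10.0.1.2", time_range=PER_TIME),
    Ace("permit", "ip", "any", "any"),
]
TELNET = {"proto": "tcp", "src": "10.0.0.2", "dst": "10.0.1.2", "dport": 23}
PING = {"proto": "icmp", "src": "10.0.0.2", "dst": "10.0.1.2"}


def lab_results() -> dict:
    """Mickey's telnet and ping at four router clock values: inside abs_time,
    inside per_time, outside both, and with the clock never set."""
    in_abs = datetime(2014, 11, 4, 11, 45)
    in_per = datetime(2014, 11, 4, 13, 0)
    neither = datetime(2014, 11, 5, 15, 0)
    unset = datetime(1993, 3, 1, 0, 0)    # the classic never-set IOS clock
    return {
        "telnet@11:45": evaluate_acl(ACL_101, TELNET, in_abs),
        "ping@11:45": evaluate_acl(ACL_101, PING, in_abs),
        "telnet@13:00": evaluate_acl(ACL_101, TELNET, in_per),
        "ping@13:00": evaluate_acl(ACL_101, PING, in_per),
        "ping@next-day": evaluate_acl(ACL_101, PING, neither),
        "telnet@clock-unset": evaluate_acl(ACL_101, TELNET, unset),
    }


if __name__ == "__main__":
    for label, verdict in lab_results().items():
        print(f"{label:20s} {verdict}")
```

The last entry is the point of "configure correct time first": with the clock left at its default, both deny entries are inactive and Mickey's telnet falls through to permit ip any any, so the ACL looks broken when only the clock is.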
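The max-incomplete high/low thresholds in the TCP intercept lab above are easiest to understand by watching the half-open table under a flood. The simulation below is an added example, not IOS code and not part of the original notes: it models only the documented aggressive-mode rule (above the high watermark every new SYN evicts the oldest half-open connection, and the router stays aggressive until the count falls below the low watermark) plus a single watch timeout that is halved in aggressive mode. Class and function names (Intercept, simulate) and the spoofed flood addresses are my own constructed test data.

```python
"""Simulation of the TCP-intercept half-open watermarks used in the lab
(max-incomplete high/low with drop-mode oldest).

Added example, not IOS code and not part of the original notes. It models the
documented aggressive-mode rule only: while the half-open count is above the
high watermark every new SYN evicts the oldest half-open connection, and the
router stays aggressive until the count falls below the low watermark. Timers
are reduced to one watch timeout (30 s, halved in aggressive mode). Names are
mine; the flood addresses are constructed test data.
"""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class Intercept:
    high: int = 1100                 # IOS defaults for max-incomplete high/low
    low: int = 900
    watch_timeout: float = 30.0      # seconds a half-open connection may live
    aggressive: bool = False
    half_open: OrderedDict = field(default_factory=OrderedDict)  # flow -> SYN time
    established: set = field(default_factory=set)
    dropped: int = 0

    def _update_mode(self) -> None:
        n = len(self.half_open)
        if n > self.high:
            self.aggressive = True
        elif n < self.low:
            self.aggressive = False

    def _expire(self, now: float) -> None:
        # half-open entries older than the watch timeout are reset;
        # aggressive mode halves the timeout
        limit = self.watch_timeout / 2 if self.aggressive else self.watch_timeout
        for flow, t_syn in list(self.half_open.items()):
            if now - t_syn > limit:
                del self.half_open[flow]
                self.dropped += 1
        self._update_mode()

    def syn(self, flow: tuple, now: float) -> None:
        """A client SYN matching the intercept list arrives. In intercept mode
        the router answers with SYN-ACK itself (first handshake) and records
        the flow as half-open; the server sees nothing yet."""
        self._expire(now)
        if self.aggressive and self.half_open:
            # drop-mode oldest: evict the oldest embryonic connection
            self.half_open.popitem(last=False)
            self.dropped += 1
        self.half_open[flow] = now
        self._update_mode()

    def ack(self, flow: tuple, now: float) -> bool:
        """The client's final ACK arrives: the router now runs the second
        handshake toward the real server and the flow is no longer half-open.
        Returns False if the flow was already evicted or timed out."""
        self._expire(now)
        if flow not in self.half_open:
            return False
        del self.half_open[flow]
        self.established.add(flow)
        self._update_mode()
        return True


def simulate(high: int = 1500, low: int = 1000) -> dict:
    """Lab thresholds (1500/1000): 2000 spoofed SYNs that never complete,
    then one legitimate telnet client, then a lull long enough for the
    spoofed entries to time out."""
    ic = Intercept(high=high, low=low)
    for i in range(2000):                       # constructed SYN flood
        ic.syn(("198.51.100.%d" % (i % 250), 40000 + i, "10.0.1.2", 23), now=0.0)
    during_flood = (len(ic.half_open), ic.aggressive, ic.dropped)
    mickey = ("10.0.0.2", 50000, "10.0.1.2", 23)
    ic.syn(mickey, now=1.0)                     # Mickey's telnet SYN
    mickey_ok = ic.ack(mickey, now=1.2)         # Mickey answers the SYN-ACK
    # 41 s later every spoofed entry has outlived the halved watch timeout
    ic.syn(("203.0.113.9", 1234, "10.0.1.2", 80), now=41.0)
    after_lull = (len(ic.half_open), ic.aggressive)
    return {"during_flood": during_flood, "mickey_established": mickey_ok,
            "after_lull": after_lull, "total_dropped": ic.dropped}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:20s} {v}")
```

Under the flood the table holds at one over the high watermark and the router keeps shedding the oldest entry per new SYN, yet Mickey still gets in because he answers the SYN-ACK before his entry reaches the front of the eviction queue; that is the property the two handshakes buy. The spoofed entries only disappear through the watch timeout, which is why the lull is needed before the count drops below low and aggressive mode ends.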
-----------------CBAC--------------------------
Pluto sits between Mickey (10.0.0.2, behind s2/0, the outside) and Minnie (on the 10.0.1.x side behind s2/1, the inside). Everything arriving on the outside interface is denied statically; inspection on the inside interface records the sessions Minnie opens and inserts temporary entries into that deny-all ACL for their return traffic only.

Pluto:
(config)#ip access-list extended cbac_permit
(config-ext-nacl)#permit ip any any
(config)#ip access-list extended cbac_deny
(config-ext-nacl)#deny ip any any
(config)#int s2/0
(config-if)#ip access-group cbac_deny in
(config)#int s2/1
(config-if)#ip access-group cbac_permit in
(config)#no ip inspect alert-off -> make sure alert messages are enabled
(config)#ip inspect audit-trail -> log the start and end of every inspected session
(config)#ip inspect name fwrule tcp
(config)#ip inspect name fwrule udp
(config)#ip inspect name fwrule icmp
(config)#ip inspect name fwrule telnet
(config)#ip inspect name fwrule bittorrent
(config)#ip inspect name fwrule pop3
(config)#ip inspect name fwrule smtp
(config)#ip inspect name fwrule http
(config)#ip inspect name fwrule https
(config)#int s2/1
(config-if)#ip inspect fwrule in
#show ip inspect config

Mickey:
#ping 10.0.1.2 -> it does not work (no session exists, so cbac_deny drops it)
#telnet 10.0.1.2 -> it does not work

Minnie:
#ping 10.0.0.2 -> it works
#telnet 10.0.0.2 -> it works (the reply traffic from Mickey is admitted by the dynamic entry inspection created)

Pluto:
See the audit information (audit-trail messages are syslog, so they appear on the console or in show logging) and the sessions inspection created:
#show ip inspect sessions
#show ip inspect sessions detail
#debug ip inspect tcp
#debug ip inspect icmp

Minnie:
#ping 10.0.0.2 -> it works
#telnet 10.0.0.2 -> it works

Pluto:
See the debug information
------------------------------------------------
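The CBAC lab above works because inspection punches return-path entries into the deny-all ACL on s2/0. The Python model below is an added example, not IOS code and not part of the original notes; it shows the session table that makes Minnie's telnet and ping succeed while Mickey's attempts, a reply on the wrong port, and a reply after session teardown are all denied. Class and function names (Pkt, Cbac, lab) are my own, Minnie is assumed to be 10.0.1.2 (the notes only show her on the 10.0.1.x side), and the audit strings are constructed rather than copied from the IOS audit-trail format. Real CBAC also validates TCP state and sequence numbers, which this model leaves out.

```python
"""Model of the CBAC lab: deny-all ACL inbound on the outside interface
(s2/0), permit-all inbound on the inside interface (s2/1), `ip inspect`
applied inbound on the inside interface.

Added example, not IOS code and not part of the original notes. It shows why
Minnie's sessions succeed while Mickey's attempts fail: inspection records each
inside-initiated session and admits only its return traffic through the
outside ACL. Names are mine, Minnie's address 10.0.1.2 is an assumption, and
the audit lines are constructed, not the IOS audit-trail format. Real CBAC
also checks TCP state and sequence numbers, which this model omits.
"""
from dataclasses import dataclass, field

OUTSIDE, INSIDE = "s2/0", "s2/1"
INSPECTED = {"tcp", "udp", "icmp"}   # from: ip inspect name fwrule tcp|udp|icmp


@dataclass(frozen=True)
class Pkt:
    iface: str                 # interface the packet arrives on
    proto: str
    src: str
    dst: str
    sport: int = 0             # 0 for icmp
    dport: int = 0
    icmp_type: str = ""        # "echo" or "echo-reply" for icmp


@dataclass
class Cbac:
    # session key: (proto, initiator, initiator port, responder, responder port)
    sessions: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def forward(self, p: Pkt) -> bool:
        """Return True if Pluto forwards the packet."""
        if p.iface == INSIDE:
            return self._from_inside(p)
        return self._from_outside(p)

    def _from_inside(self, p: Pkt) -> bool:
        # cbac_permit: permit ip any any. Inspection then records the session
        # (for ICMP only an echo request opens one).
        if p.proto in INSPECTED and (p.proto != "icmp" or p.icmp_type == "echo"):
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            if key not in self.sessions:
                self.sessions.add(key)
                self.audit.append(f"session start {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return True

    def _from_outside(self, p: Pkt) -> bool:
        # Dynamic entries from inspection are consulted before cbac_deny:
        # the packet must be the reply of a recorded session.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        is_reply = p.proto != "icmp" or p.icmp_type == "echo-reply"
        if is_reply and key in self.sessions:
            return True
        # cbac_deny: deny ip any any
        self.audit.append(f"denied {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} on {p.iface}")
        return False

    def close(self, proto, src, sport, dst, dport) -> None:
        """Session teardown (FIN/RST seen or idle timeout): the dynamic entry
        disappears and further replies are denied again."""
        self.sessions.discard((proto, src, sport, dst, dport))


def lab() -> dict:
    fw = Cbac()
    r = {}
    # Mickey (outside, 10.0.0.2) -> 10.0.1.2: no session exists, cbac_deny applies
    r["mickey_ping"] = fw.forward(Pkt(OUTSIDE, "icmp", "10.0.0.2", "10.0.1.2", icmp_type="echo"))
    r["mickey_telnet"] = fw.forward(Pkt(OUTSIDE, "tcp", "10.0.0.2", "10.0.1.2", 40000, 23))
    # Minnie (inside, assumed 10.0.1.2) -> Mickey: permitted and recorded
    r["minnie_telnet"] = fw.forward(Pkt(INSIDE, "tcp", "10.0.1.2", "10.0.0.2", 51000, 23))
    # Mickey's SYN/ACK comes back through the deny-all ACL via the dynamic entry
    r["telnet_reply"] = fw.forward(Pkt(OUTSIDE, "tcp", "10.0.0.2", "10.0.1.2", 23, 51000))
    # same hosts, different client port: not part of the session
    r["telnet_other_port"] = fw.forward(Pkt(OUTSIDE, "tcp", "10.0.0.2", "10.0.1.2", 23, 51001))
    r["minnie_ping"] = fw.forward(Pkt(INSIDE, "icmp", "10.0.1.2", "10.0.0.2", icmp_type="echo"))
    r["echo_reply"] = fw.forward(Pkt(OUTSIDE, "icmp", "10.0.0.2", "10.0.1.2", icmp_type="echo-reply"))
    # an echo request from Mickey is still not a reply, even with the session open
    r["mickey_ping_again"] = fw.forward(Pkt(OUTSIDE, "icmp", "10.0.0.2", "10.0.1.2", icmp_type="echo"))
    fw.close("tcp", "10.0.1.2", 51000, "10.0.0.2", 23)
    r["telnet_reply_after_close"] = fw.forward(Pkt(OUTSIDE, "tcp", "10.0.0.2", "10.0.1.2", 23, 51000))
    r["sessions"] = len(fw.sessions)
    r["audit"] = fw.audit
    return r


if __name__ == "__main__":
    for k, v in lab().items():
        print(k, v)
```

Running lab() reproduces the notes: both of Mickey's attempts are denied, Minnie's telnet and ping succeed, and the returned audit list is the model's stand-in for what ip inspect audit-trail and show ip inspect sessions show on Pluto.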