Cisco CCNA-Extended Access List

Page 1: Cisco CCNA-Extended Access List

CISCO CCNA
Extended Access List
To watch our Cisco CCNA Training Videos please check out the link below: www.asmed.com/c1

ASM Educational Center Inc. (ASM)
Where Training, Technology & Service Converge
Phone: (301) 984-7400

Page 2: Cisco CCNA-Extended Access List

CISCO CCNA- Extended Access List

Page 3: Cisco CCNA-Extended Access List

In this lab we will cover the concept of an extended ACL.

The goal is that only PC1 (10.10.10.1) is blocked from browsing (HTTP, port 80) and from FTP (port 21) to the web server 30.30.30.200; every other host and every other protocol stays allowed.

Page 4: Cisco CCNA-Extended Access List

Solution:
Pre-step 1) I know this is an extended ACL. Why? Because I have to match both a source and a destination (a standard ACL matches only the source).
Step 1) Write your ACL:
r1#config t
access-list 110 deny TCP 10.10.10.1 0.0.0.0 30.30.30.200 0.0.0.0 eq 80
access-list 110 deny TCP 10.10.10.1 0.0.0.0 30.30.30.200 0.0.0.0 eq 21
access-list 110 permit IP any any
Blue: Source
Red: Destination

Page 5: Cisco CCNA-Extended Access List

Now, the source can be a single IP address like the one above, or a whole network. For example: 10.10.10.0 0.0.0.255 (that can be the source; the 0.0.0.255 wildcard means the last octet is not compared).

Page 6: Cisco CCNA-Extended Access List

Now I will configure my ACL on R1 

R1#
R1#config
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#
R1(config)#
R1(config)#acc

Page 7: Cisco CCNA-Extended Access List

R1(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
R1(config)#access-list 110 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
R1(config)#access-list 110 deny
R1(config)#access-list 110 deny ?

Page 8: Cisco CCNA-Extended Access List

  ahp    Authentication Header Protocol
  eigrp  Cisco's EIGRP routing protocol
  esp    Encapsulation Security Payload
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol

Page 9: Cisco CCNA-Extended Access List

R1(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R1(config)#access-list 110 deny tcp 10.10.10.1 ?
  A.B.C.D  Source wildcard bits
R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 ?
  A.B.C.D  Destination address
  any      Any destination host

Page 10: Cisco CCNA-Extended Access List

  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 30.30.30.200 ?
  A.B.C.D  Destination wildcard bits

Page 11: Cisco CCNA-Extended Access List

R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 30.30.30.200 0.0.0.0 ?
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value

Page 12: Cisco CCNA-Extended Access List

  range        Match only packets in the range of port numbers
  <cr>
R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 30.30.30.200 0.0.0.0 eq ?
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 30.30.30.200 0.0.0.0 eq www
R1(config)#

Page 13: Cisco CCNA-Extended Access List

Here is my show run:
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq www
Hint: a single IP address can be written as 10.10.10.1 0.0.0.0 or as host 10.10.10.1; the two forms are equivalent, and the running config always shows the host form.
Now I will do the same ACL for FTP (port 21). Make sure you do it step by step with ?; do not use the up arrow key.

Page 14: Cisco CCNA-Extended Access List

R1#
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#acc
R1(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list

Page 15: Cisco CCNA-Extended Access List

R1(config)#access-list 110 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
R1(config)#access-list 110 deny ?
  ahp    Authentication Header Protocol
  eigrp  Cisco's EIGRP routing protocol
  esp    Encapsulation Security Payload

Page 16: Cisco CCNA-Extended Access List

  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R1(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address

Page 17: Cisco CCNA-Extended Access List

  any      Any source host
  host     A single source host
R1(config)#access-list 110 deny tcp host ?
  A.B.C.D  Source address
R1(config)#access-list 110 deny tcp host 10.10.10.1 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number

Page 18: Cisco CCNA-Extended Access List

  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
R1(config)#access-list 110 deny tcp host 10.10.10.1 host ?
  A.B.C.D  Destination address

Page 19: Cisco CCNA-Extended Access List

R1(config)#access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 ?
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
  <cr>

Page 20: Cisco CCNA-Extended Access List

R1(config)#access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ?
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
R1(config)#access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp
R1(config)#

Page 21: Cisco CCNA-Extended Access List

Now I will look at show run:
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq www
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp
Make sure you add a permit; remember there is an implicit deny at the end of every ACL, so with only these two lines all other traffic through the interface would be dropped.
R1#
R1#
R1#

Page 22: Cisco CCNA-Extended Access List

R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#acc
R1(config)#access-list 110 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment

Page 23: Cisco CCNA-Extended Access List

R1(config)#access-list 110 permi
R1(config)#access-list 110 permit ?
  ahp    Authentication Header Protocol
  eigrp  Cisco's EIGRP routing protocol
  esp    Encapsulation Security Payload
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol

Page 24: Cisco CCNA-Extended Access List

  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R1(config)#access-list 110 permit ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R1(config)#access-list 110 permit ip any ?

Page 25: Cisco CCNA-Extended Access List

  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host
R1(config)#access-list 110 permit ip any any ?
  dscp        Match packets with given dscp value
  precedence  Match packets with given precedence value
  <cr>
R1(config)#access-list 110 permit ip any any

Page 26: Cisco CCNA-Extended Access List

Here is my show run:
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq www
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp
access-list 110 permit ip any any
!
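To check the finished ACL without a lab router, here is an added Python model (not part of the original slides) of how IOS walks ACL 110 top-down: it parses the "host A", "A wildcard" and "any" address forms, the eq port keyword, stops at the first matching entry, and falls through to the implicit deny when the final permit is missing. The ACL text and packet values are constructed from this lab; the first entry deliberately uses the 10.10.10.1 0.0.0.0 spelling to show it is equivalent to host 10.10.10.1.

```python
import ipaddress

# Constructed copy of ACL 110 from the lab; line 1 uses the wildcard spelling,
# line 2 the "host" spelling, to show both match exactly one address.
ACL_110 = [
    "access-list 110 deny tcp 10.10.10.1 0.0.0.0 host 30.30.30.200 eq www",
    "access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp",
    "access-list 110 permit ip any any",
]
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "pop3": 110, "telnet": 23}


def _parse_addr(tokens):
    """Consume one address spec ("any", "host A", or "A wildcard") and return
    (address_int, care_mask_int); care_mask has 1 bits where IOS compares.
    An IOS wildcard is the inverse of a care mask: 0 bits must match."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0                                  # compare no bits at all
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return int(ipaddress.IPv4Address(tok)), 0xFFFFFFFF ^ wildcard


def parse_ace(line):
    """Parse one access-list entry (only the keywords this lab uses)."""
    tokens = line.split()[2:]                        # drop "access-list 110"
    action, proto = tokens.pop(0), tokens.pop(0)
    src, src_care = _parse_addr(tokens)
    dst, dst_care = _parse_addr(tokens)
    port = None
    if tokens and tokens[0] == "eq":                 # "eq www" or "eq 80"
        name = tokens[1]
        port = PORT_NAMES.get(name, int(name) if name.isdigit() else None)
    return {"action": action, "proto": proto, "src": src, "src_care": src_care,
            "dst": dst, "dst_care": dst_care, "dport": port}


def evaluate(acl_lines, src_ip, dst_ip, proto, dport):
    """Walk the ACL top-down like IOS: the first matching entry decides;
    if nothing matches, the implicit deny at the end applies."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue                                 # "ip" matches every protocol
        if (s ^ ace["src"]) & ace["src_care"] or (d ^ ace["dst"]) & ace["dst_care"]:
            continue                                 # a compared bit differs
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny (implicit)"
```

Dropping the last line (ACL_110[:2]) and evaluating traffic from another PC shows the implicit deny the slides warn about.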

Page 27: Cisco CCNA-Extended Access List

Now I will apply it to s0/0:
R1#
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int s0/0
R1(config-if)#ip acc
R1(config-if)#ip access-group ?
  <1-199>  IP access list (standard or extended)

Page 28: Cisco CCNA-Extended Access List

  WORD     Access-list name
R1(config-if)#ip access-group 110 ?
  in   inbound packets
  out  outbound packets
R1(config-if)#ip access-group 110 out
R1(config-if)#

Page 29: Cisco CCNA-Extended Access List

Here is my show run:
interface Serial0/0
 ip address 20.20.20.9 255.255.255.252
 ip access-group 110 out
 clock rate 64000
!
!
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq www
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp
access-list 110 permit ip any any

Page 30: Cisco CCNA-Extended Access List

Now I will go to PC1 (10.10.10.1) and make sure I cannot access the web server.

R1#show access-lists
Extended IP access list 110
    deny tcp host 10.10.10.1 host 30.30.30.200 eq www (12 match(es))
    deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp
    permit ip any any (7 match(es))
R1#

Page 31: Cisco CCNA-Extended Access List

As we see when I tried it, I cannot reach the web server from PC1, but I can still reach it from the other PC. Note that show access-lists shows the match counters but not where the ACL is applied; to see that, I do not use show access-lists but R1#show ip int s0/0:
R1#show ip int s0/0
Serial0/0 is up, line protocol is up (connected)
  Internet address is 20.20.20.9/30

Page 32: Cisco CCNA-Extended Access List

  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 110
  Inbound  access list is not set
