Cisco CCNA 200-301 – ACLs – Access Control Lists Part 3

  1. Numbered ACLs Lab Demo

In this lecture you’ll learn how to configure access control lists with a lab demo. So here’s the lab. I’ve got it open in GNS3 here and I’ve got a couple of routers, R1 and R2. PC1 and PC2 are in the 10.0.1.0 subnet and PC3 is in 10.0.2.0. I’ve already configured the routing. So if I console onto PC1, let’s try pinging R2 at 10.0.0.2. So ping 10.0.0.2 from PC1 works okay. I know for sure it’s going to work from PC2 as well because it’s in the same subnet, but let’s just do it anyway.

So ping 10.0.0.2 from here as well, and let’s check that everything is okay from our 10.0.2.0 subnet as well. So I’ll ping 10.0.0.2, which is R2, from there as well. Okay, so connectivity is all working just fine. Let’s have a look at the routing table on R1. So I’ll jump on there and do a show ip route, and try to do it without a typo. I’ve just got my connected and local routes on there, and because R2 is also on the 10.0.0.0 network at 10.0.0.2, that’s why I’ve got connectivity everywhere.

Okay, looking back at the topology diagram, the scenario is that we are the network administrator and we’ve been given some security tasks to secure the network. The first scenario is that PCs in the 10.0.2.0 network should not have any connectivity to R2 at 10.0.0.2, but the PCs in the 10.0.1.0 subnet should have connectivity to R2. Also, PC3 in 10.0.2.0 should still have connectivity to 10.0.1.0. Usually when we configure an ACL for security, we’ll apply it as close to the source as possible so that traffic isn’t going over any part of the network that it doesn’t need to. But in this scenario we’ve been given the task that we have to configure a standard numbered access list to do that, and it has to be on R1.

So we could do it inbound on FastEthernet2/0 at the bottom here. With a standard ACL you can only specify the source address. To be able to specify source and destination, it needs to be an extended or a named extended ACL. What we want to do is block traffic from 10.0.2.0 to R2, but we need to allow traffic from 10.0.2.0 to 10.0.1.0. So we can’t put the ACL inbound on that FastEthernet2/0 interface on R1, because if we blocked traffic from 10.0.2.0 there, we’d be blocking it going to R2, but we’d be blocking it going to the 10.0.1.0 subnet as well. So the only way that we can do this task using a numbered standard ACL is by putting it on that outside FastEthernet0/0 interface facing R2. If that’s not clear yet, let’s do it and then you’ll see what I mean.

So we want to block traffic from 10.0.2.0 and allow traffic from 10.0.1.0. Let’s go onto the command line on R1. I’ll go to global config and I’ll make this access-list 1, and I’m going to deny traffic from the 10.0.2.0 subnet. The wildcard mask is 0.0.0.255 because it’s a /24. It’s a standard ACL, I can tell because it’s number 1, so I can only specify the source address. That’s all that I need to put in here. Now in all of your access lists there’s always an implicit deny any at the bottom of the list, but I need to allow traffic from the 10.0.1.0 network.

So for that I’m going to do access-list, this is also list 1, and I’m going to permit 10.0.1.0 0.0.0.255, and that’s all that I need to do. Well, apart from actually applying the access list of course. To do that, let’s look at the topology diagram again, and I’m going to do it on the outside interface, FastEthernet0/0. So back on the command line I go to interface FastEthernet0/0, and the command now is ip access-group. It was access-group 1, and I’m doing it in the direction towards R2.

So that is in the outbound direction. Looking at the topology diagram again, if I wanted to control traffic going from the 10.0.2.0 network to R2, I could either do it inbound on FastEthernet2/0 as it comes into R1, or I could do it outbound on FastEthernet0/0 as it goes out of R1 on its way to R2. But like we said earlier, you can’t do it inbound in this particular scenario, because if I blocked traffic from 10.0.2.0 coming in on FastEthernet2/0, it wouldn’t just stop it getting to R2, it would stop it getting to the 10.0.1.0 network as well, and I need to allow that.

So that’s my whole config. Let’s just have a look at it again. I denied traffic from 10.0.2.0, I permitted traffic from 10.0.1.0, and I applied that outbound on the FastEthernet0/0 interface. So let’s check that it is working. Let’s go on to PC1 first and check that PC1 still has connectivity to the router. So I’ll ping 10.0.0.2, and that is all good.

PC1 has connectivity, so I know that PC2 does as well. PC3 should not have connectivity to 10.0.0.2, so let’s check that. Ping 10.0.0.2, and there we go, the ping fails. So my access list is working, but PC3 should still have connectivity to the PCs in the other subnet. So ping PC1 at 10.0.1.10, and that is successful. So that is the first task completed. We used a numbered standard ACL to block traffic from the 10.0.2.0 subnet to R2 at 10.0.0.2, but allow all of our other traffic everywhere else. Okay, so that was a numbered standard ACL.

Next up, let’s have a look at a numbered extended ACL. If I go back to the topology again, the scenario this time is that we’re going to permit Telnet from PC1 to R2. Let’s say that PC1 is our administrator workstation, and Telnet is a way that you can remotely get onto the command line on a router. We’ll cover it in more detail in a later section. So we’re going to allow it from PC1.

But PC1 is the only administrator workstation, so no other PC and no other subnet is allowed to Telnet onto R2. So let’s configure that. I’ll go on to the command line on R1 again, and I’m going to do an extended ACL which allows traffic from 10.0.1.10 to 10.0.0.2 when it’s Telnet traffic, denies Telnet from everywhere else, and allows all other traffic. So let’s go onto R1 to configure this. Let’s go down a few lines.

I’ll say access-list, and it’s an extended ACL this time, so that starts at 100. I’ll use that for my number. I’m going to permit traffic from host 10.0.1.10, but I’m going to specify it’s Telnet traffic, so I need to say that this is TCP. So I permit tcp, and I’m going to say from host 10.0.1.10, going to host R2 at 10.0.0.2, and then eq, and the port is telnet. I could also have said eq 23. The router would take that command as well. So I’m allowing it from PC1. I don’t allow it from any other PC in that subnet, so I say access-list 100 and I’m going to deny tcp from the 10.0.1.0 0.0.0.255 subnet going to host 10.0.0.2 eq telnet. And you can see it’s important I get these in the right order. If I put that second command in first, I’d be blocking traffic from all hosts on the 10.0.1.0 subnet, including PC1. So I need to put my more specific commands at the top of the ACL. Then I want to allow all other traffic; I’m just controlling Telnet here. So I need to also say access-list 100 permit ip any any to allow all other traffic. That overrides the implicit deny any any at the bottom of the ACL. The implicit deny any any is still down there at the bottom, but the router reads the permit ip any any first.

So this is going to allow all traffic apart from what I explicitly denied. Okay? So that’s my ACL configured, and importantly, we need to remember to apply it at the interface. It’s really easy to forget to do this. Looking at the topology diagram, it’s always best practice to secure as close to the source as you can. So here we could put the ACL either inbound on this interface on the outside here, which is FastEthernet1/0 on the router. Actually, let me make a note just to make that clear. So I’ll say this is Fast1/0, and that is the interface that we’re going to put this on. Let me try to clear that up a bit; I’m making a mess of my topology diagram here. Okay, that’s fine. So it’s going to go inbound there. I could also have put it outbound on FastEthernet0/0, but I’ve already got an ACL configured on there, the standard numbered ACL that I did earlier. You can only have one ACL per interface, per direction.

So I’m going to put it on FastEthernet1/0. Back on R1, I go to interface FastEthernet1/0 and it’s ip access-group 100. And it’s in this time, because the traffic is coming in FastEthernet1/0 and going out FastEthernet0/0. Okay, so that is my ACL configured. Let’s test it next. If I go on to PC1, I should be able to telnet to 10.0.0.2. Telnet has already been configured, and there you go. I can see it’s working because I’m getting the password prompt, so I’m able to telnet onto R2 from PC1. I should not be able to get on there from PC2, so let’s check that. I go on to PC2 and I’ll telnet to 10.0.0.2.

And there we go, destination unreachable. That’s good. It’s because my ACL is blocking the traffic, but it should just be Telnet traffic. I should be able to ping 10.0.0.2, and that’s working. So that is all good. Actually, looking back at the topology diagram again, I didn’t need to specify anything about PC3 because I already had my first ACL blocking traffic going out to R2 from it, so it was getting blocked already. Okay. So that was a numbered standard and a numbered extended ACL. I’ll do named ACLs in the next lecture because I feel like this one’s gone on for a little while now. So go get yourself a cup of coffee if you want to. I’ll see you back here for named ACLs.

  2. Named ACLs Lab Demo

This lecture follows on from the last one, where we had a look at our numbered ACLs, both standard and extended, with a lab demo. In this lecture we’re going to configure a named ACL. The scenario is that PC1 here is my administrator, so I need to give them access to telnet to R2 at 10.0.0.2, but nobody else should have Telnet access to the router. PC2 is my network monitoring system, and from there I need to be able to ping R2 to check that it is still up. I don’t want anybody else to be able to ping R2; I want to hide it a little bit for security reasons. I’m going to be configuring this on R1 again. If you remember from the last lecture, we had a numbered standard ACL going outbound on FastEthernet0/0 that was blocking traffic from the 10.0.2.0 network going to R2. So that ACL, I’ll leave it there. It’s already blocking all traffic, including ping and Telnet, to R2 from the PCs in that network. So I just need to control my access from the 10.0.1.0 subnet. I want to allow Telnet traffic from PC1 and ping traffic from PC2 going to R2, block ping and Telnet from everybody else apart from those individual hosts, and allow all other traffic.

Now I’ve already got an ACL configured inbound on FastEthernet1/0 from the last lab exercise, so let’s remove that first. I’ll go on to R1, and if I do a show run for interface FastEthernet1/0, I can see there is my ip access-group 100 in. So what I’ll do is go to global config, go to interface FastEthernet1/0, say no, and then copy and paste that line to remove it. Now doing that just removes the ACL from the interface. The ACL is still there in the running config. If I do a show run and scroll down a little, you’ll see there’s my access list 100. So it’s still in the running config. It’s not doing anything right now because it’s not actually applied on an interface. Okay, so let’s do this configuration. I’ll go to global configuration and I’m going to do a named access list here. The syntax is very similar but a little bit different. For a numbered access list, the command starts with just access-list. For a named access list, it’s ip access-list. So ip access-list, and let’s check the syntax. I need to say whether it’s a standard or extended ACL. Here I’m specifying the source, the destination and the port number, so I need to make this an extended ACL. The next thing I do is give it a name.

This is going to be applied inbound on the FastEthernet1/0 interface, so I’ll give it a descriptive name, Fast1/0_in. That way anybody who’s looking at the ACL later is going to see where this ACL is being applied just from the name of it. Okay, so I create the ACL, and then you see the difference from a numbered ACL: it takes me to the ACL subcommands here. Now I can put in my access control entries. The first thing I wanted to do was permit tcp from the host 10.0.1.10, that is PC1, going to host 10.0.0.2, that is R2, and I’m going to allow Telnet traffic, so eq telnet. I want to deny Telnet from everybody else.

I’m already denying from the 10.0.2.0 subnet with the other ACL I’ve already configured. So here I’ll deny tcp from 10.0.1.0 with wildcard mask 0.0.0.255 going to host 10.0.0.2 eq telnet. Now I did it this way so I could show you configuring the subnet and a wildcard mask. Another way I could have done it, which would probably actually be better in the real world, is deny tcp from any going to host 10.0.0.2 eq telnet, just in case later on I have another subnet behind the router on that side and I want to block it as well. You can do it either way, whichever is going to make more sense when you’re doing it in the real world. Okay, next one is the ping traffic.

So I’m going to permit, and this is not tcp or udp or ip. Ping is part of the ICMP suite, so I’m going to permit icmp. It’s coming from host 10.0.1.11, going to host 10.0.0.2, which is my router. Let’s check our options, and you’ll see there that for ping it is echo. So I will permit echo from 10.0.1.11, and then I’m going to deny from everybody else. So deny icmp from the subnet 10.0.1.0, wildcard mask 0.0.0.255, going to host 10.0.0.2, and echo again. Okay, so I’m allowing Telnet from PC1 at 10.0.1.10 to R2 and blocking it from everywhere else, and I’m allowing ping to R2 from PC2 at .11 and blocking it from everybody else. Now at this point, all that’s going to be allowed is just that Telnet traffic from PC1 and the ping traffic from PC2, because of the implicit deny any any at the bottom of my ACL. I don’t want that here. I want to allow all other traffic. So I also need a permit, and it’s all traffic, so it’s permit ip from any going to any. That’s my ACL done. As usual, the thing that’s easy to forget is to apply it to the interface, so I’ll remember to do that.

So it was interface FastEthernet1/0, ip access-group, and for what I named it, I’ll scroll up to check. Here we go, Fast1/0_in. I’ll actually just copy and paste that in with a right click, and then I can do it either inbound or outbound. Looking at our topology diagram, on FastEthernet1/0 the traffic is going from the PCs to R2. So it’s coming in on FastEthernet1/0 and going out on FastEthernet0/0. I’m applying it on FastEthernet1/0 here, so the direction is going to be in. Okay, that is my ACL done. Now we need to check it. I will go on to PC1, and PC1 should be able to telnet to the router R2 at 10.0.0.2. I’m getting the prompt, so that is all good. I’ll break out of there and I’ll try pinging 10.0.0.2, and this should fail. Great, it was unreachable. So that is all good. Then I’ll check it from PC2. PC2 should not be able to telnet to 10.0.0.2.

That’s blocked, that’s good. But it should be able to ping 10.0.0.2. Also, from here I should be able to ping my other subnet. So let’s check where PC3 was. It’s at 10.0.2.10. So let’s ping there from one of my PCs, ping 10.0.2.10. This is where it was important that I remembered to do that permit ip any any at the bottom of the ACL. If I had not put that in, this ping would fail. Because I did, all other traffic is allowed, including this ping going to the other subnet. Okay, so that was my ACL configuration done. One last thing to show you, and I need to be on R1 for this, so let’s go onto R1 to see what’s going on with the ACLs.

You can do a show access-lists, and there you can see all of my ACLs, and you can see how many hits you’re getting on each of the different rules in the ACL as well. Also notice here that the access control entries have an index number at the start. That allows me to inject other entries in between them if I need to later. So there are my different ACLs. I can see the configuration on them and I can see how many packets have hit each of the different entries. It’s all good. Okay, so that was our configuration for access control lists. I’ll see you in the next lecture.
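
An added example, not part of the original lecture: a small Python model of how the router reads the Fast1/0_in ACL from the top down and stops at the first match. It shows the two points made in both lab demos: putting the broad deny above the specific permit locks out PC1, and leaving out the final permit ip any any lets the implicit deny drop everything else. The function and variable names, the spelling of the ACL name, and the simplified service labels (telnet and echo instead of port and type numbers) are assumptions of this example.

```python
import ipaddress

# The five entries of the named ACL, in the order the lecture enters them:
# (action, protocol, source, destination, service). "host x" is written as
# x/32, wildcard 0.0.0.255 as /24, "any" as 0.0.0.0/0. The service labels
# are a simplification of this example (telnet = TCP port 23, echo = ping).
FAST1_0_IN = [
    ("permit", "tcp",  "10.0.1.10/32", "10.0.0.2/32", "telnet"),
    ("deny",   "tcp",  "10.0.1.0/24",  "10.0.0.2/32", "telnet"),
    ("permit", "icmp", "10.0.1.11/32", "10.0.0.2/32", "echo"),
    ("deny",   "icmp", "10.0.1.0/24",  "10.0.0.2/32", "echo"),
    ("permit", "ip",   "0.0.0.0/0",    "0.0.0.0/0",   None),
]
# Two mistakes the lecture warns about (constructed variants).
SWAPPED = [FAST1_0_IN[1], FAST1_0_IN[0]] + FAST1_0_IN[2:]   # broad deny first
NO_FINAL_PERMIT = FAST1_0_IN[:-1]                           # permit ip any any forgotten

# Flows tested in the lab: (protocol, source, destination, service).
FLOWS = {
    "PC1 telnet R2": ("tcp",  "10.0.1.10", "10.0.0.2",  "telnet"),
    "PC2 telnet R2": ("tcp",  "10.0.1.11", "10.0.0.2",  "telnet"),
    "PC1 ping R2":   ("icmp", "10.0.1.10", "10.0.0.2",  "echo"),
    "PC2 ping R2":   ("icmp", "10.0.1.11", "10.0.0.2",  "echo"),
    "PC1 ping PC3":  ("icmp", "10.0.1.10", "10.0.2.10", "echo"),
}

def evaluate(acl, proto, src, dst, service):
    """Return (action, entry index); index None means the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, a_proto, a_src, a_dst, a_service) in enumerate(acl):
        if (a_proto in ("ip", proto)
                and src in ipaddress.ip_network(a_src)
                and dst in ipaddress.ip_network(a_dst)
                and a_service in (None, service)):
            return action, index   # first match wins, later entries are not read
    return "deny", None            # implicit deny any any at the bottom

def lab_results(acl):
    """Action taken for each lab flow arriving inbound on Fast1/0."""
    return {name: evaluate(acl, *flow)[0] for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in [("as configured", FAST1_0_IN), ("entries 1 and 2 swapped", SWAPPED),
                       ("no final permit", NO_FINAL_PERMIT)]:
        print(f"{label}: {lab_results(acl)}")
```

The model only covers packets arriving inbound on Fast1/0, which is the direction the ACL is applied in the lab.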