Cisco CCNA Extended Access List

In this lab we cover extended ACLs. Make sure you have read the earlier post on standard ACLs first.

The goal is that PC1 (10.10.10.1), and only PC1, must not be able to browse (TCP 80) or use FTP (TCP 21) on the web server 30.30.30.200. Note that only those two ports are named: PC1 can still reach any other port on the server (HTTPS on 443, for instance) and can still ping it, and every other host keeps full access.

 

Solution:

Pre-step: How do I know this calls for an extended ACL? Because the policy has to match on source, destination, protocol and port. A standard ACL can only match on the source address, so it could not single out ports 80 and 21 on one server.

Step 1) Write the ACL

R1#config t

R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 30.30.30.200 0.0.0.0 eq 80

R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 30.30.30.200 0.0.0.0 eq 21

R1(config)#access-list 110 permit ip any any

In each line the first address and wildcard pair (10.10.10.1 0.0.0.0) is the source and the second pair (30.30.30.200 0.0.0.0) is the destination; the protocol comes before them and the destination port after them.

The source (or destination) can be a single host, as above, or a whole network. In a Cisco wildcard mask a 0 bit must match exactly and a 1 bit is ignored, so 0.0.0.0 means exactly this one address.

For example, 10.10.10.0 0.0.0.255 matches every host in 10.10.10.0/24 and could be used as the source to block the entire LAN instead of just PC1.

 

Now I will configure the ACL on R1, using ? at each step so the available keywords are visible:

 


R1#

R1#config

Configuring from terminal, memory, or network [terminal]?

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#

R1(config)#acc

R1(config)#access-list ?

<1-99>     IP standard access list

<100-199>  IP extended access list

R1(config)#access-list 110 ?

deny    Specify packets to reject

permit  Specify packets to forward

remark  Access list entry comment

R1(config)#access-list 110 deny

R1(config)#access-list 110 deny ?

ahp    Authentication Header Protocol

eigrp  Cisco’s EIGRP routing protocol

esp    Encapsulation Security Payload

gre    Cisco’s GRE tunneling

icmp   Internet Control Message Protocol

ip     Any Internet Protocol

ospf   OSPF routing protocol

tcp    Transmission Control Protocol

udp    User Datagram Protocol

R1(config)#access-list 110 deny tcp ?

A.B.C.D  Source address

any      Any source host

host     A single source host

R1(config)#access-list 110 deny tcp 10.10.10.1 ?

A.B.C.D  Source wildcard bits

R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 ?

A.B.C.D  Destination address

any      Any destination host

eq       Match only packets on a given port number

gt       Match only packets with a greater port number

host     A single destination host

lt       Match only packets with a lower port number

neq      Match only packets not on a given port number

range    Match only packets in the range of port numbers

R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 30.30.30.200 ?

A.B.C.D  Destination wildcard bits

R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 30.30.30.200 0.0.0.0 ?

dscp         Match packets with given dscp value

eq           Match only packets on a given port number

established  established

gt           Match only packets with a greater port number

lt           Match only packets with a lower port number

neq          Match only packets not on a given port number

precedence   Match packets with given precedence value

range        Match only packets in the range of port numbers

<cr>

R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 30.30.30.200 0.0.0.0 eq ?

<0-65535>  Port number

ftp        File Transfer Protocol (21)

pop3       Post Office Protocol v3 (110)

smtp       Simple Mail Transport Protocol (25)

telnet     Telnet (23)

www        World Wide Web (HTTP, 80)

R1(config)#access-list 110 deny tcp 10.10.10.1 0.0.0.0 30.30.30.200 0.0.0.0 eq www

R1(config)#

 

—Here is my show run—

 

access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq www

HINT: a single IP address can be written either as 10.10.10.1 0.0.0.0 or as host 10.10.10.1. IOS stores it in the host form, which is why show run displays host even though I typed the wildcard.

Now I will add the same deny for FTP (TCP 21). Walk through it step by step with ? rather than recalling the previous line with the up-arrow key, so the keywords stick.

 

R1#

R1#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#acc

R1(config)#access-list ?

<1-99>     IP standard access list

<100-199>  IP extended access list

R1(config)#access-list 110 ?

deny    Specify packets to reject

permit  Specify packets to forward

remark  Access list entry comment

R1(config)#access-list 110 deny ?

ahp    Authentication Header Protocol

eigrp  Cisco’s EIGRP routing protocol

esp    Encapsulation Security Payload

gre    Cisco’s GRE tunneling

icmp   Internet Control Message Protocol

ip     Any Internet Protocol

ospf   OSPF routing protocol

tcp    Transmission Control Protocol

udp    User Datagram Protocol

R1(config)#access-list 110 deny tcp ?

A.B.C.D  Source address

any      Any source host

host     A single source host

R1(config)#access-list 110 deny tcp host ?

A.B.C.D  Source address

R1(config)#access-list 110 deny tcp host 10.10.10.1 ?

A.B.C.D  Destination address

any      Any destination host

eq       Match only packets on a given port number

gt       Match only packets with a greater port number

host     A single destination host

lt       Match only packets with a lower port number

neq      Match only packets not on a given port number

range    Match only packets in the range of port numbers

R1(config)#access-list 110 deny tcp host 10.10.10.1 host ?

A.B.C.D  Destination address

R1(config)#access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 ?

dscp         Match packets with given dscp value

eq           Match only packets on a given port number

established  established

gt           Match only packets with a greater port number

lt           Match only packets with a lower port number

neq          Match only packets not on a given port number

precedence   Match packets with given precedence value

range        Match only packets in the range of port numbers

<cr>

R1(config)#access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ?

<0-65535>  Port number

ftp        File Transfer Protocol (21)

pop3       Post Office Protocol v3 (110)

smtp       Simple Mail Transport Protocol (25)

telnet     Telnet (23)

www        World Wide Web (HTTP, 80)

R1(config)#access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp

R1(config)#

 

—Now I will look at show run—

 

access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq www

access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp

Make sure you finish with a permit statement. Every ACL ends with an implicit deny, so without the permit line everything that is not explicitly denied, including traffic from the other PCs, would be dropped once the list is applied.

R1#

R1#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#acc

R1(config)#access-list 110 ?

deny    Specify packets to reject

permit  Specify packets to forward

remark  Access list entry comment

R1(config)#access-list 110 permi

R1(config)#access-list 110 permit ?

ahp    Authentication Header Protocol

eigrp  Cisco’s EIGRP routing protocol

esp    Encapsulation Security Payload

gre    Cisco’s GRE tunneling

icmp   Internet Control Message Protocol

ip     Any Internet Protocol

ospf   OSPF routing protocol

tcp    Transmission Control Protocol

udp    User Datagram Protocol

R1(config)#access-list 110 permit ip ?

A.B.C.D  Source address

any      Any source host

host     A single source host

R1(config)#access-list 110 permit ip any ?

A.B.C.D  Destination address

any      Any destination host

host     A single destination host

R1(config)#access-list 110 permit ip any any ?

dscp        Match packets with given dscp value

precedence  Match packets with given precedence value

<cr>

R1(config)#access-list 110 permit ip any any

 

—Here is my show run—

 

access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq www

access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp

access-list 110 permit ip any any

!
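To make the matching rules concrete (wildcard bits and the host shorthand from step 1, first match wins, the implicit deny at the end, and the network-wildcard form), here is a small Python simulator of how IOS evaluates this ACL. It is an added example written for this post, not IOS code or anything from the original lab; the second LAN host 10.10.10.2 and the test packets are constructed, and the parser understands only the numbered-ACL syntax used here.

```python
"""Simulate how IOS evaluates a numbered extended ACL (added example, not IOS code).

Only the syntax used in this lab is parsed: access-list N permit|deny PROTO
SRC DST [eq PORT], where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ports IOS accepts after 'eq' (subset of the '?' help shown above).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is ignored.
    0.0.0.0 therefore means one host, 0.0.0.255 a /24, 255.255.255.255 'any'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care


@dataclass
class Entry:
    action: str              # 'permit' or 'deny'
    proto: str               # 'ip' matches every protocol; else 'tcp', 'udp', 'icmp'
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]     # None = any destination port
    matches: int = 0         # hit counter, like 'show access-lists'

    def matches_packet(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


def _parse_addr(tokens: list) -> tuple:
    """Consume one address spec and return (network, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def parse_acl(config_text: str) -> dict:
    """Return {acl_number: [Entry, ...]} in the order the lines were entered."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto, rest = tokens[1], tokens[2], tokens[3].lower(), tokens[4:]
        src, src_wc = _parse_addr(rest)
        dst, dst_wc = _parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        acls.setdefault(number, []).append(
            Entry(action, proto, src, src_wc, dst, dst_wc, dport))
    return acls


def evaluate(entries: list, pkt: dict) -> str:
    """First matching entry wins; with no match the implicit 'deny any' applies."""
    for e in entries:
        if e.matches_packet(pkt):
            e.matches += 1
            return e.action
    return "deny (implicit)"


# The ACL exactly as 'show run' displays it above.
LAB_ACL = """\
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq www
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp
access-list 110 permit ip any any
"""

# Constructed packets: PC1 plus an assumed second LAN host, 10.10.10.2.
PACKETS = {
    "pc1_http":  {"proto": "tcp",  "src": "10.10.10.1", "dst": "30.30.30.200", "dport": 80},
    "pc1_ftp":   {"proto": "tcp",  "src": "10.10.10.1", "dst": "30.30.30.200", "dport": 21},
    "pc1_https": {"proto": "tcp",  "src": "10.10.10.1", "dst": "30.30.30.200", "dport": 443},
    "pc1_ping":  {"proto": "icmp", "src": "10.10.10.1", "dst": "30.30.30.200"},
    "pc2_http":  {"proto": "tcp",  "src": "10.10.10.2", "dst": "30.30.30.200", "dport": 80},
}


def run_lab(config_text: str = LAB_ACL) -> dict:
    """Evaluate every constructed packet against ACL 110 parsed from config_text."""
    entries = parse_acl(config_text)["110"]
    return {name: evaluate(entries, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in run_lab().items():
        print(f"{name:10s} -> {verdict}")
    # Forget the final permit and everything else falls to the implicit deny.
    no_permit = "\n".join(LAB_ACL.splitlines()[:2])
    print("pc2_http without 'permit ip any any' ->", run_lab(no_permit)["pc2_http"])
```

Running it gives deny for PC1's HTTP and FTP attempts and permit for everything else, including PC1 to port 443 and PC1's ping. Dropping the final permit line turns the other PC's HTTP into the implicit deny, which is exactly the mistake the reminder above warns about, and swapping in a 10.10.10.0 0.0.0.255 source blocks the whole subnet rather than one host.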

—Now I will apply it outbound on s0/0—

Cisco's usual advice is to put an extended ACL as close to the source as possible, which here would be inbound on the interface facing PC1. Applying it outbound on s0/0, the interface toward the web server, works as well because the denied packets must leave through that interface; they are just routed across R1 first.

 

R1#

R1#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#int s0/0

R1(config-if)#ip acc

R1(config-if)#ip access-group ?

<1-199>  IP access list (standard or extended)

WORD     Access-list name

R1(config-if)#ip access-group 110 ?

in   inbound packets

out  outbound packets

R1(config-if)#ip access-group 110 out

R1(config-if)#

 

—Here is my show run—

 

interface Serial0/0

 ip address 20.20.20.9 255.255.255.252

 ip access-group 110 out

 clock rate 64000

!

!

access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq www

access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp

access-list 110 permit ip any any

 

—Now I will go to PC1 (10.10.10.1), confirm that it cannot reach the web server, and check the counters—

 

R1#show access-lists

Extended IP access list 110

deny tcp host 10.10.10.1 host 30.30.30.200 eq www (12 match(es))

deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp

permit ip any any (7 match(es))

R1#

 

As the counters show, PC1 could not reach the web server: the www deny line has 12 matches. The ftp line has no matches yet because no FTP attempt was made. The other PC can still browse to the server; its traffic falls through to the final permit ip any any line (7 matches so far).

Note that show access-lists shows the entries and their hit counters but not where the list is applied. To see the interface and direction, use show ip interface and look for the Outgoing/Inbound access list lines:

 

R1#show ip int s0/0

Serial0/0 is up, line protocol is up (connected)

Internet address is 20.20.20.9/30

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is 110

Inbound  access list is not set
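Because show access-lists never reveals the binding, a quick way to audit a saved show running-config is to pair every ip access-group line under an interface with the matching access-list entries. The Python below is an added example, not part of the lab; SAMPLE_CONFIG is rebuilt from the output above, and the FastEthernet0/0 interface with 10.10.10.254 is an assumption added so the report also shows an interface with no filter.

```python
"""Report where each numbered ACL is applied, from saved 'show running-config' text.

Added example, not from the lab: IOS 'show access-lists' gives entries and hit
counters only, so this pairs 'ip access-group' lines under each interface block
with the 'access-list' entries and flags the usual mistakes.
"""
import re
from collections import defaultdict

# Rebuilt from the show run above. FastEthernet0/0 with 10.10.10.254 is an assumed
# LAN interface facing PC1, added so the report shows an unfiltered interface too.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.10.10.254 255.255.255.0
!
interface Serial0/0
 ip address 20.20.20.9 255.255.255.252
 ip access-group 110 out
 clock rate 64000
!
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq www
access-list 110 deny tcp host 10.10.10.1 host 30.30.30.200 eq ftp
access-list 110 permit ip any any
"""


def audit(config: str) -> dict:
    """Return ACL bindings, ACL actions, unfiltered interfaces and findings."""
    entries = defaultdict(list)   # acl -> [action, ...] in configured order
    bindings = defaultdict(list)  # acl -> [(interface, direction), ...]
    unfiltered = []               # interfaces with no ip access-group at all
    iface, iface_filtered = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or line.startswith("interface "):
            # Leaving an interface block: record it if nothing was bound to it.
            if iface and not iface_filtered:
                unfiltered.append(iface)
            iface = line.split()[1] if line.startswith("interface ") else None
            iface_filtered = False
            continue
        m = re.match(r"ip access-group (\S+) (in|out)$", line)
        if m and iface:
            bindings[m.group(1)].append((iface, m.group(2)))
            iface_filtered = True
            continue
        m = re.match(r"access-list (\S+) (permit|deny)\b", line)
        if m:  # remark lines are ignored on purpose
            entries[m.group(1)].append(m.group(2))
    if iface and not iface_filtered:  # config ended inside an interface block
        unfiltered.append(iface)

    findings = []
    for acl, actions in entries.items():
        if acl not in bindings:
            findings.append(f"ACL {acl} is defined but not applied to any interface")
        if "permit" not in actions:
            findings.append(f"ACL {acl} has only deny entries: with the implicit deny it drops all traffic")
    for acl, where in bindings.items():
        if acl not in entries:
            # IOS treats an access-group that names a missing ACL as 'permit everything'.
            findings.append(f"ACL {acl} is applied on {where} but not defined: IOS passes all traffic")
    return {"bindings": dict(bindings), "entries": dict(entries),
            "unfiltered": unfiltered, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for acl, where in report["bindings"].items():
        for iface, direction in where:
            print(f"ACL {acl} -> {iface} {direction}")
    print("interfaces without an ACL:", report["unfiltered"])
    print("findings:", report["findings"] or "none")
```

On the lab config the report shows ACL 110 bound outbound on Serial0/0, FastEthernet0/0 with no filter, and no findings; delete the permit line or change the access-group number and the corresponding warning appears.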

 
Also published on Medium.