# 11 1: Cisco Access List Assignment
ItsMmmike/NET-330_Tech-Journal GitHub Wiki
In this lab, we use a guided Packet Tracer Activity to learn how to configure standard and extended named ACLs to better control and restrict network traffic on a given Cisco Router.
- Cisco Packet Tracer
- Packet Tracer Activity Starter File
- For this activity, we are to complete the ACL configuration for Routers 2 and 3 (*as shown in the provided network below)
- Additionally, the completed Activity Results should look similar to below:
===
- To create a new ACL, enter Global Config Mode, then use the `ip access-list` command to create the necessary Access Control Lists (*See sections below for ACL Types)
- To assign the ACL, enter Interface Config Mode, then run the `ip access-group` command to apply the selected Access Control List (**You must also specify whether the rule applies to traffic entering (`in`) or leaving (`out`) a given interface)
- There are two ACL Rule Types: Standard and Extended
  - Standard - Applies to Source IP OR Network ONLY (Layer 3)
  - Extended - Can apply to Source AND Destination IP + Network, and also works for TCP Ports (Layers 3 + 4)
- Rules apply in order from top to bottom (so if you need to reorder, you must delete and recreate the ACL, as the order cannot be changed once the list is created)
- There is also a hidden "Deny All" rule applied to the end of each ACL --> if this is not desired, you must add a "permit any" rule to the end of your list
# Creating a New Standard ACL

```
ena
conf t
ip access-list standard <ACL-Name-Goes-Here>
```

## Example Rules

```
deny host 10.0.1.1
! Note that ACL rules use subnet wildcard notation (0.0.0.255 = a /24)
deny 10.0.17.0 0.0.0.255
! Overrides the default "Deny All" rule --> allows all other net traffic to pass through
permit any
exit
```

## Apply to interface

```
ena
conf t
int <Interface-Name-Here>
ip access-group <ACL-Name-Goes-Here> <in/out>
```

# Creating a New Extended ACL

```
ena
conf t
ip access-list extended <ACL-Name_2-Goes-Here>
```

## Example Rules

```
! Denies TCP/80 traffic from source IP to destination IP
deny tcp host 10.0.1.1 host 10.0.1.2 eq 80
! Denies TCP/23 traffic from source net to destination net
deny tcp 10.0.17.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 23
! Denies IP traffic from source network to the specified host IP address
deny ip 10.0.30.0 0.0.0.255 host 192.168.1.1
! Overrides the default "Deny All" rule --> allows IP traffic from any source to any destination
permit ip any any
exit
```

## Apply to interface

```
ena
conf t
int <Interface-Name-Here>
ip access-group <ACL-Name_2-Goes-Here> <in/out>
```
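To make the top-down first-match rule, the wildcard-mask notation and the hidden "Deny All" concrete, here is an added Python model (written for this journal entry, not Cisco's or the lab's code) that evaluates the extended ACL from the section above against constructed packets. The `Rule` fields, the protocol names and the sample packet addresses are my own assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol; "tcp" matches only TCP
    src: str                      # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    dport: Optional[int] = None   # the "eq <port>" destination-port qualifier, if any

def _parse_endpoint(spec: str):
    """Turn IOS address syntax into (network, wildcard) as 32-bit ints."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    net, wild = parts
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))

def endpoint_matches(spec: str, addr: str) -> bool:
    """Wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    net, wild = _parse_endpoint(spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(acl, src, dst, proto="ip", dport=None):
    """First matching rule wins, top to bottom; no match falls to the hidden deny."""
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if not (endpoint_matches(rule.src, src) and endpoint_matches(rule.dst, dst)):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule
    return "deny", None   # the implicit "Deny All" at the end of every ACL

# The extended ACL from the example section above, transcribed rule for rule.
ACL = [
    Rule("deny", "tcp", "host 10.0.1.1", "host 10.0.1.2", 80),
    Rule("deny", "tcp", "10.0.17.0 0.0.0.255", "10.0.1.0 0.0.0.255", 23),
    Rule("deny", "ip", "10.0.30.0 0.0.0.255", "host 192.168.1.1"),
    Rule("permit", "ip", "any", "any"),
]
ACL_NO_PERMIT_ANY = ACL[:3]   # same list without the final "permit ip any any"
```

Evaluating the same packet against `ACL` and `ACL_NO_PERMIT_ANY` shows why the trailing `permit` matters, and evaluating against the list with `permit ip any any` moved to the top shows why order matters.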
===
Screenshots of the configuration used to deny network access from the ISP Net from reaching the File Server (192.168.20.210)
Screenshot of the ISP Router (200.200.200.2) being unable to ping to the File Server (192.168.20.210)
Screenshots of the configuration used to allow Mail and Web Access to the Mail (192.168.20.200) and Web (192.168.20.201) Servers respectively
Screenshot of PC1 successfully able to connect to the Mail Server using telnet on TCP port 25 + successful pings to the File Server
Screenshot of PC1 successfully able to connect to the Web Server via HTTP on TCP port 80