Homework Lab 11 1 Cisco Access List Assignment - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki
In this lab we completed several challenges to practice using standard and extended named access lists.
Notes
Challenge 1
Explanation from the challenge: "Standard ACLs can filter traffic based on source IP address only. A typical best practice is to configure a standard ACL as close to the destination as possible. In this task, you are configuring a standard ACL. The ACL is designed to block traffic from the 192.168.11.0/24 network from accessing any local networks on R3. This ACL will be applied inbound on the R3 serial interface. Remember that every ACL has an implicit “deny all” that causes all traffic that has not matched a statement in the ACL to be blocked. For this reason, add the permit any statement to the end of the ACL."
The following code was run on Router 3 to complete this challenge:
```
enable
! enable asks for the privileged-mode password; after that, enter configuration mode
conf t
! Standard ACL: matches on source address only; entries are checked top to bottom
ip access-list standard STND-1
deny 192.168.11.0 0.0.0.255
! without this line the implicit "deny all" at the end would drop every other source too
permit any
! Apply inbound on the serial interface so the traffic is dropped as it arrives at R3
interface Serial0/0/0
ip access-group STND-1 in
```
Challenge 2
Explanation from the challenge: "When greater granularity is required, you should use an extended ACL. Extended ACLs can filter traffic based on more than just source address. Extended ACLs can filter on protocol, source, and destination IP addresses, and source and destination port numbers.
An additional policy for this network states that devices from the 192.168.10.0/24 LAN are only permitted to reach internal networks. Computers on this LAN are not permitted to access the Internet. Therefore, these users must be blocked from reaching the IP address 200.200.200.1. Because this requirement needs to enforce both source and destination, an extended ACL is needed.
In this task, you are configuring an extended ACL on R2 that blocks traffic originating from any device on the 192.168.10.0/24 network to access the 200.200.200.1 host (the simulated ISP). This ACL will be applied outbound on the R2 Serial 0/0/0 interface. A typical best practice for applying extended ACLs is to place them as close to the source as possible."
The following code was run on Router 2 to complete this challenge:
```
enable
! enable asks for the privileged-mode password; after that, enter configuration mode
conf t
! Extended ACL: matches on protocol, source and destination (ports are optional)
ip access-list extended EXTEND-1
! a 0.0.0.0 wildcard means exactly this one host; "host 200.200.200.1" is the same thing
deny ip 192.168.10.0 0.0.0.255 200.200.200.1 0.0.0.0
! everything else (including 192.168.10.0/24 to the internal networks) stays allowed
permit ip any any
! Apply outbound on R2's serial link toward the ISP
interface Serial0/0/0
ip access-group EXTEND-1 out
```
Bonus Challenge 1 & 2
Explanation from bonus challenge 1: "Configure only Mail access to the Mail Server (192.168.20.200)"
Explanation from bonus challenge 2: "Configure only Web access to the Web Server (192.168.20.201)"
The following code was run on Router 1 to complete these challenges:
```
enable
! enable asks for the privileged-mode password; after that, enter configuration mode
conf t
! Bonus 1: only mail access to the Mail Server (192.168.20.200), i.e. SMTP on TCP 25
ip access-list extended MAIL-WEB
permit tcp any 192.168.20.200 0.0.0.0 eq 25
! Bonus 2: only web access to the Web Server (192.168.20.201), i.e. HTTP on TCP 80
permit tcp any 192.168.20.201 0.0.0.0 eq 80
! There is deliberately no "permit ip any any": the implicit deny drops everything
! else leaving this interface (other ports on the two servers, any other host, ICMP).
! Apply outbound on the interface facing the servers
interface fa 0/0
ip access-group MAIL-WEB out
```
Explanations
Explanation of the commands used; everything in {} should be replaced with the value it asks for (the basic `enable` and `conf t` are not explained here, see the dedicated Packet Tracer page):

- `ip access-list {TYPE} {NAME}` = create a named access list of the given type, `standard` or `extended`, and enter its configuration mode. Entries are checked top to bottom and the first match decides, so the order of the lines matters.
- For standard lists ONLY:
  - `permit/deny {IP_ADDRESS} {WILDCARD_MASK}` = permit or deny by source address only. The wildcard mask is the inverse of the subnet mask: subtract each octet of the subnet mask from 255 (a /24, 255.255.255.0, becomes 0.0.0.255; a single host is 0.0.0.0, which is also what you get if the wildcard is left out).
  - `permit any` = matches every remaining source. Put it last on a list whose purpose is to deny a few sources; without it the implicit "deny all" at the end of every ACL blocks everything that did not match an earlier line.
- For extended lists ONLY:
  - `permit/deny {PROTOCOL} {SOURCE_IP} {WILDCARD_MASK} {DEST_IP} {WILDCARD_MASK} [eq {PORT}]` = permit or deny by protocol (`ip` for any IP traffic, or `tcp`, `udp`, `icmp`, ...), source address and destination address. Either address can be `any`, and `host {IP}` is shorthand for `{IP} 0.0.0.0`. `eq {PORT}` only makes sense for `tcp`/`udp` and applies to the port of whichever address it follows: placed after the destination, as on this page, it matches the destination port.
  - `permit ip any any` = the extended-list equivalent of `permit any`; needed at the end of a deny-style list so the implicit deny does not block all other traffic.
- `ip access-group {NAME} in/out` = apply the list to the current interface, either inbound (packets arriving at the router through this interface) or outbound (packets the router forwards out of this interface).

NOTE: if an entry is mistyped, a line of a named list can be removed by re-entering it with `no` in front of it inside the list's configuration mode; otherwise delete the list and enter it again, so it is worth writing the whole list down first and then pasting it into Packet Tracer. An interface only holds one IP ACL per direction (one inbound, one outbound); applying a second one in the same direction replaces the first. `show access-lists` shows each list with per-entry match counters and `show ip interface {INTERFACE}` shows which list is applied in which direction, which is the quickest way to check the result.
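To make the first-match and implicit-deny behaviour in the explanations above (and the effect of the three lists configured in the challenges) concrete, here is an added Python evaluator. It is not part of the lab and not Cisco software: it parses the exact entry syntax used on this page, then runs the page's three ACLs against constructed packets. The `Packet` class, the function names and the two-entry `PORT_NAMES` table are assumptions of the example, and it only understands the keywords that appear on this page.

```python
"""First-match evaluator for Cisco IOS named-ACL entries (added example, not Cisco code).

Handles only the syntax used on this page: permit/deny, any, host, a protocol
keyword (ip/tcp/udp/icmp), dotted wildcard masks and 'eq <port>'.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: a tiny subset of the service names IOS accepts after 'eq'.
PORT_NAMES = {"smtp": 25, "www": 80}


@dataclass(frozen=True)
class Packet:
    """Constructed packet header fields; sport/dport only matter for tcp/udp."""
    src: str
    dst: str
    proto: str = "ip"
    sport: int = 0
    dport: int = 0


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = 255 minus each subnet-mask octet, e.g. /24 -> 0.0.0.255."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return ".".join(str(255 - octet) for octet in netmask.packed)


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' at tokens[i].
    Returns ((address, wildcard), next_index); a set wildcard bit means "don't care".
    A missing wildcard is treated as 0.0.0.0 (one host), as IOS does in a standard ACL."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard, i = 0, i + 1
    if i < len(tokens) and _is_ipv4(tokens[i]):
        wildcard, i = int(ipaddress.IPv4Address(tokens[i])), i + 1
    return (addr, wildcard), i


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>'; returns (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        value = tokens[i + 1]
        return (int(value) if value.isdigit() else PORT_NAMES[value]), i + 2
    return None, i


def _addr_matches(spec, ip: str) -> bool:
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def parse_entry(line: str, kind: str) -> dict:
    """Parse one entry; kind is 'standard' (source only) or 'extended'."""
    tokens = line.split()
    if tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    entry = {"action": tokens[0], "proto": "ip", "sport": None, "dst": None, "dport": None}
    if kind == "standard":
        entry["src"], _ = _parse_addr(tokens, 1)
        return entry
    entry["proto"] = tokens[1]
    entry["src"], i = _parse_addr(tokens, 2)
    entry["sport"], i = _parse_port(tokens, i)  # 'eq' here = source port
    entry["dst"], i = _parse_addr(tokens, i)
    entry["dport"], i = _parse_port(tokens, i)  # 'eq' here = destination port
    return entry


def evaluate(entries, kind, pkt: Packet) -> str:
    """'permit' or 'deny' for pkt: the first matching entry wins, and a packet
    that matches no entry hits the implicit deny at the end of the list."""
    for line in entries:
        e = parse_entry(line, kind)
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if not _addr_matches(e["src"], pkt.src):
            continue
        if e["sport"] is not None and e["sport"] != pkt.sport:
            continue
        if kind == "extended":
            if not _addr_matches(e["dst"], pkt.dst):
                continue
            if e["dport"] is not None and e["dport"] != pkt.dport:
                continue
        return e["action"]
    return "deny"  # implicit "deny all"


# The entries configured in the three challenges on this page.
STND_1 = ["deny 192.168.11.0 0.0.0.255", "permit any"]
EXTEND_1 = ["deny ip 192.168.10.0 0.0.0.255 200.200.200.1 0.0.0.0", "permit ip any any"]
MAIL_WEB = ["permit tcp any 192.168.20.200 0.0.0.0 eq 25",
            "permit tcp any 192.168.20.201 0.0.0.0 eq 80"]

if __name__ == "__main__":
    print(wildcard_from_prefix(24))  # 0.0.0.255
    print(evaluate(STND_1, "standard", Packet("192.168.11.7", "192.168.30.1")))  # deny
    # Nothing in MAIL-WEB matches ICMP to the file server, so the implicit deny drops it.
    print(evaluate(MAIL_WEB, "extended", Packet("200.200.200.1", "192.168.20.210", "icmp")))  # deny
```

Reordering `STND_1` so that `permit any` comes first makes every packet permitted, and removing it makes every source other than 192.168.11.0/24 denied; both are quick ways to see why the order and the final permit matter.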