
Interconnecting Cisco Networking Devices (ICND1 v3.0)

Configure and Verify Standard Access Lists

Introduction
Exercise 1 - Configuring Standard and Extended Access Lists
Exercise 2 - Configuring Named Access Lists
Exercise 3 - Configuring Access-Lists to Restrict Remote Access
Summary

Introduction
The Configure and Verify Standard Access Lists module provides you with the
instructions and Cisco hardware to develop your hands-on skills in creating and
applying access lists to routed interfaces. This module includes exercises that
cover the following topics:

Configuring standard and extended access lists
Configuring named access-lists
Configuring access-lists to restrict remote access

Lab Diagram

During your session you will have access to the following lab configuration.
Depending on the exercises you may or may not use all of the devices, but they
are shown here in the layout to get an overall understanding of the topology of
the lab.
Connecting to your Lab

In this module you will be working on the following equipment to carry out the
steps defined in each exercise.

NYEDGE1
NYEDGE2
NYCORE1
NYACCESS1
PLABCSCO01

To start, simply choose a device and click Power on. In some cases, the devices
may power on automatically.

For further information and technical support, please see our Help and
Support page.
Copyright Notice
This document and its content is copyright of Practice-IT - © Practice-IT 2014. All rights
reserved. Any redistribution or reproduction of part or all of the contents in any form is
prohibited other than the following:
1. You may print or download to a local hard disk extracts for your personal and non-commercial use only.
2. You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express
written permission, distribute or commercially exploit the content. Nor may you transmit it or
store it in any other website or other form of electronic retrieval system.

Exercise 1 - Configuring standard and extended access lists

In this exercise you will configure access control lists or ACLs to control traffic
flows through the network.

Diagram

Use this diagram to help you understand the tasks in this exercise:

Creating standard access-lists

There are two types of access lists, standard and extended. These access lists
can be referred to either by a name or a number, depending on how you
configure them.

The difference between the two types of access lists is the granularity of the
filtering that each provides. For example, a standard access list filters only on
the source address or network. This can be seen in the result of the
context-sensitive help below:

NYEDGE1(config)#access-list 1 permit ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address
NYEDGE1(config)#access-list 1 permit 192.168.16.0 0.0.0.255 ?
log Log matches against this entry
smartlog Smartlog matches against this entry

In the above output, the ? shows the options available at two different points.
Before a network address is entered, you can see that you can enter the source
address details. Once you have entered those, only the logging options remain.

In this section, you will create a standard access list on NYEDGE1.

Step 1
This access list will match a single device on the network, specifically the
PLABCSCO01 server. Create a numbered access list that matches the address of
the server, which is 192.168.16.10, and choose the action deny:

NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#access-list 10 deny host 192.168.16.10
NYEDGE1(config)#exit
NYEDGE1#

When configuring an access list to refer to only one host, you have two
options: either use the host keyword as you have done above, or give the IP
address followed by a wildcard mask that indicates a single host. The
resulting command would be access-list 80 deny 192.168.16.10 0.0.0.0. Both
commands give the same result.

Step 2
To view the access lists you created use the following command:

NYEDGE1#show access-lists
Standard IP access list 10
10 deny 192.168.16.10
Standard IP access list NAT
10 permit 192.168.16.0, wildcard bits 0.0.0.255
NYEDGE1#

This command displays all of the access lists configured on the router.

The NAT access list has been preconfigured to enable NAT to function. This
will be used later on in this lab.

Step 3
As there is an implicit deny at the end of each access list, you will need to
include a permit statement, otherwise, everything will be blocked. With the
following command you will allow all other traffic:

NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#access-list 10 permit any
NYEDGE1(config)#

Step 4
At this point the access list has just been defined. It has not been applied
anywhere, so filtering is not yet taking place. You must bind this access list to an
interface.

Careful consideration needs to be taken when applying access lists. Should it be
placed as close as possible to the source, or as far away as possible? In what
direction should it be applied? For example, should you place the access list
on interface GigabitEthernet 0/0 or 0/1, and in what direction?

In this step you will place the access list on GigabitEthernet 0/1 in an outbound
direction:

NYEDGE1(config)#interface gigabitethernet 0/1
NYEDGE1(config-if)#ip access-group 10 out
NYEDGE1(config-if)#exit
NYEDGE1(config)#exit
NYEDGE1#

To help you understand directions, imagine yourself sitting on top of the
router and a marble is the traffic. If the marble is coming towards you, it
is inbound; if the marble is rolling away from you, it is outbound.

Step 5
If PLABCSCO01 is not powered on, power it on now. From PLABCSCO01 ping
www.practice-labs.com:

Figure 1.1 Configuring Access Lists: Pinging the web server on the
Internet from the PLABCSCO01 server.

The pings are successful.

Step 6
Observe the access list hits, using the show access-lists command:

NYEDGE1#show access-lists
Standard IP access list 10
10 deny 192.168.16.10
20 permit any (4 matches)
NYEDGE1#

You can see from the above output that there were four matches on the permit
any line and no matches on the deny 192.168.16.10 line of the access list.
Examining the configuration once again, you may realize that something is
wrong. If the PLABCSCO01 server has an IP address of 192.168.16.10, then the
pings should be denied and not permitted. Why is the incorrect line being
matched?

Step 7
The placement of the access list is very important. Because NAT is operating on
this router, the source address of the server is being translated. When the
packet in question is exiting the GigabitEthernet 0/1 interface on which the
access list was applied, it no longer has 192.168.16.10 as a source address. It has
been translated by NAT. Therefore you must either change the access list
placement and direction to GigabitEthernet 0/0 inbound, or you must modify
the access list to match the translated IP address.

The best choice would be to change the placement and direction. Remove the
access list from the GigabitEthernet 0/1 interface and place it on 0/0 in an
inbound direction:

NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#interface gigabitethernet 0/1
NYEDGE1(config-if)#no ip access-group 10 out
NYEDGE1(config-if)#exit
NYEDGE1(config)#interface gigabitethernet 0/0
NYEDGE1(config-if)#ip access-group 10 in
NYEDGE1(config-if)#exit
NYEDGE1(config)#exit
NYEDGE1#

Step 8
Retry the ping from PLABCSCO01 once more:

Figure 1.2 Configuring Access Lists: Pinging the web server on the
Internet from PLABCSCO01 once more.

Step 9
Return to the NYEDGE1 router and view the access list again:

NYEDGE1#show access-lists
Standard IP access list 10
10 deny 192.168.16.10 (8 matches)
20 permit any (19 matches)
Standard IP access list NAT
10 permit 192.168.16.0, wildcard bits 0.0.0.255 (1 match)
NYEDGE1#

You now see that there are matches on the deny line of the access list, meaning
the access list denied the pings you sent.

Step 10
Before continuing on to the next exercise, remove the access-group you applied
to GigabitEthernet 0/0:

NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#interface gigabitethernet 0/0
NYEDGE1(config-if)#no ip access-group 10 in
NYEDGE1(config-if)#exit
NYEDGE1(config)#exit
NYEDGE1#

You have completed the creation of standard access lists. Leave your devices in
their current states and continue on to the next section.

Create an extended access-list

In this section, you will create an extended access list. The benefits of extended
access lists are that you can be much more granular in what you want to permit
and deny.

You will now configure an access list that permits FTP but denies ICMP on
NYEDGE1.

Step 1
Configure access-list 110 allowing FTP:

NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#access-list 110 permit tcp host 192.168.16.10 any eq ftp
NYEDGE1(config)#access-list 110 permit tcp host 192.168.16.10 any eq ftp-data
NYEDGE1(config)#

You must create two access list entries because FTP uses two ports: 20 for
data and 21 for control information. For well-known ports, keywords can be
used instead of the port numbers.

Step 2
Next, within the same access list, deny ICMP specifically to
www.practice-labs.com, which corresponds to the IP address 172.15.0.10,
remembering that ICMP is a protocol rather than a port:

NYEDGE1(config)#access-list 110 deny icmp host 192.168.16.10 host 172.15.0.10
NYEDGE1(config)#exit
NYEDGE1#

Step 3
Examine your access list now and remember that there is an implicit deny at
the end of the list:

NYEDGE1#show access-lists 110
Extended IP access list 110
10 permit tcp host 192.168.16.10 any eq ftp
20 permit tcp host 192.168.16.10 any eq ftp-data
30 deny icmp host 192.168.16.10 host 172.15.0.10
NYEDGE1#

Step 4
Apply the access list to interface GigabitEthernet 0/0 inbound:

NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#interface GigabitEthernet 0/0
NYEDGE1(config-if)#ip access-group 110 in
NYEDGE1(config-if)#exit
NYEDGE1(config)#

You can only have one access-group per interface per direction. The above
command will replace any other inbound access-group that may have been
configured on this interface.

Step 5
Next, test the configuration using PLABCSCO01. First try a ping to
www.practice-labs.com then try and use FTP from within the command
prompt. To connect using FTP, issue the following command:

C:\tools>ftp www.practice-labs.com

When prompted for a username, enter anonymous with an empty password.

Figure 1.3 Configuring Access Lists: Attempting to ping and FTP into the
web server from PLABCSCO01.

In the screenshot above you can see that the ping fails, however the FTP
connection is successful.

Step 6
Finally, review the access list hits once more:

NYEDGE1#show access-lists 110
Extended IP access list 110
10 permit tcp host 192.168.16.10 any eq ftp (21 matches)
20 permit tcp host 192.168.16.10 any eq ftp-data
30 deny icmp host 192.168.16.10 host 172.15.0.10 (10 matches)
NYEDGE1#

No matches have been registered on line 20 of the access list because no file
transfers have been initiated. Port 20, which corresponds to the ftp-data
keyword, is used for the actual transfer of files in FTP; the control session
you opened uses port 21 (the ftp keyword on line 10).

Step 7
Before continuing on to the next exercise, remove the access-group you applied
to GigabitEthernet 0/0:

NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#interface gigabitethernet 0/0
NYEDGE1(config-if)#no ip access-group 110 in
NYEDGE1(config-if)#exit
NYEDGE1(config)#exit
NYEDGE1#

Make sure that you have successfully performed this step. Otherwise, the
rest of the lab will not function correctly.

Leave the devices powered on and continue to the next exercise.

Exercise 2 - Configuring named access lists

In the previous exercise you configured standard and extended numbered
access lists. In this exercise you will create the same access lists but this time
they will be named.

Diagram

Use this diagram to help you understand the tasks in this exercise:

Configuring a named access-list

Step 1
Create a named extended access list called permit-ftp allowing FTP from
192.168.16.10 to 172.15.0.10. In the same access list, block ICMP:

NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#ip access-list extended permit-ftp
NYEDGE1(config-ext-nacl)#permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp
NYEDGE1(config-ext-nacl)#deny icmp host 192.168.16.10 any
NYEDGE1(config-ext-nacl)#exit
NYEDGE1(config)#exit
NYEDGE1#

One of the major differences between numbered and named access lists is
that named access lists bring you into an access list configuration mode
where you can input all of your configuration parameters. This is denoted by
the NYEDGE1(config-ext-nacl)# prompt.

Step 2
View the access list:

NYEDGE1#show ip access-lists permit-ftp
Extended IP access list permit-ftp
10 permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp
20 deny icmp host 192.168.16.10 any
NYEDGE1#

Take a closer look at the above access list. You didn’t include the line which
permits the ftp-data port.

Step 3
One of the advantages of using named access lists is that you can insert entries
into any position of the access list, assuming there is a line number free where
you want to insert the new entry. Line numbers by default are assigned in 10s
for this purpose.

The new line should be placed in between existing access list entries numbers
10 and 20. Put the ftp-data line in at number 15 allowing you to add still more
entries above and below this point in the future:

NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#ip access-list extended permit-ftp
NYEDGE1(config-ext-nacl)#15 permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp-data
NYEDGE1(config-ext-nacl)#exit
NYEDGE1(config)#exit
NYEDGE1#

Step 5
View the access list once more:

NYEDGE1#show ip access-lists permit-ftp
Extended IP access list permit-ftp
10 permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp
15 permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp-data
20 deny icmp host 192.168.16.10 any
NYEDGE1#

The new entry has been inserted successfully.
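The two behaviours this lab relies on, first-match evaluation with an implicit deny (which is why access-list 10 in Exercise 1 only matched after it was moved to GigabitEthernet 0/0 inbound, ahead of NAT) and sequence-number insertion in a named list, can be reproduced offline with the small model below. This is an added example written for this page, not lab or Cisco code; the post-NAT source address 203.0.113.1 is a constructed value, and the model assumes IOS wildcard semantics (a 0 bit must match, a 1 bit is ignored).

```python
# Added example: a toy model of IOS first-match ACL evaluation (not lab code).
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

HOST = "0.0.0.0"  # 'host x' is shorthand for 'x 0.0.0.0' (all-zero wildcard)

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

@dataclass
class Entry:
    seq: int
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0"              # 'any' == 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    proto: str = "ip"                 # "ip" matches every protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # 'eq <port>'; None == any port
    matches: int = 0                  # the "(n matches)" counter

    def hit(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc)
                and (self.dport is None or pkt.get("dport") == self.dport))

@dataclass
class AccessList:
    name: str
    entries: list = field(default_factory=list)

    def add(self, entry: Entry) -> None:  # insert by sequence number
        self.entries = sorted(self.entries + [entry], key=lambda e: e.seq)

    def check(self, pkt: dict) -> str:
        for e in self.entries:            # first matching entry wins
            if e.hit(pkt):
                e.matches += 1
                return e.action
        return "deny"                     # implicit deny at the end of every ACL

def nat_placement_demo() -> tuple:
    """access-list 10 from Exercise 1, checked before and after NAT."""
    acl = AccessList("10")
    acl.add(Entry(10, "deny", "192.168.16.10", HOST))
    acl.add(Entry(20, "permit"))
    ping = {"proto": "icmp", "src": "192.168.16.10", "dst": "172.15.0.10"}
    inbound = acl.check(ping)                   # Gi0/0 in: source not yet translated
    translated = dict(ping, src="203.0.113.1")  # constructed post-NAT address (assumed)
    outbound = acl.check(translated)            # Gi0/1 out: the deny line never matches
    return inbound, outbound                    # ("deny", "permit")

def named_insert_demo() -> list:  # permit-ftp with the ftp-data line inserted at 15
    acl = AccessList("permit-ftp")
    acl.add(Entry(10, "permit", "192.168.16.10", HOST, "tcp", "172.15.0.10", HOST, 21))
    acl.add(Entry(20, "deny", "192.168.16.10", HOST, "icmp"))
    acl.add(Entry(15, "permit", "192.168.16.10", HOST, "tcp", "172.15.0.10", HOST, 20))
    return [e.seq for e in acl.entries]         # [10, 15, 20]
```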

Step 6
Apply the named access list to the interface:

NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#interface gigabitEthernet 0/0
NYEDGE1(config-if)#ip access-group permit-ftp in
NYEDGE1(config-if)#exit
NYEDGE1(config)#exit
NYEDGE1#

Step 7
Test your configuration using the PLABCSCO01 server. You can ping either the
domain name www.practice-labs.com or the corresponding IP address of
172.15.0.10:

Figure 2.1 Configuring Named Access Lists: Attempting to ping and FTP
into the web server from PLABCSCO01.

Step 8
When troubleshooting connections through your access list, sometimes it’s
helpful to reset the match counters. In this step, you will clear the counters.

First, display the access list information with the following command:

NYEDGE1#show ip access-lists permit-ftp
Extended IP access list permit-ftp
10 permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp (21 matches)
15 permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp-data
20 deny icmp host 192.168.16.10 any (12 matches)
NYEDGE1#

Next, issue the following command to clear the counters:

NYEDGE1#clear ip access-list counters
NYEDGE1#

Note that this command clears the counters for all access lists. To specify the
specific access list for which you want to clear counters, use the clear ip
access-list counters XX command where XX is either the access list
number or access list name.

You can check to see that the counters have been reset:

NYEDGE1#show ip access-lists permit-ftp
Extended IP access list permit-ftp
10 permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp
15 permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp-data
20 deny icmp host 192.168.16.10 any
NYEDGE1#

Step 9
Before finishing off this exercise, it’s important to be able to see what access lists
are being applied to an interface. Here are two approaches you can use:

First you can view the running configuration of the interface in question:

NYEDGE1#show run interface gigabitethernet 0/0
Building configuration...
Current configuration : 172 bytes
!
interface GigabitEthernet0/0
ip address 192.168.16.1 255.255.255.0
ip access-group permit-ftp in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
end

You can also use the show ip interface command, which shows which inbound
and outbound access lists are set:

NYEDGE1#show ip interface gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 192.168.16.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is permit-ftp
!<-- Output omitted -->

Leave the devices powered on and in their current states and continue to the
next exercise.

Exercise 3 - Configuring access-lists to restrict remote access

In the previous exercises you created access lists that block network traffic
flowing in or out of a router interface. What if you wanted to restrict which IP
addresses could actually access your router remotely?

In this exercise you will use your knowledge of access lists to restrict access to
NYEDGE2.

Configure remote access

Step 1
First, to prove that access to the router will be blocked, you must configure
a password so that when you use PLABCSCO01 to access the router remotely
you can actually log in. You will configure a password of cisco.

NYEDGE2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE2(config)#line vty 0 15
NYEDGE2(config-line)#password cisco
NYEDGE2(config-line)#login
NYEDGE2(config-line)#exit
NYEDGE2(config)#

Step 2
Next, create a named standard access list called permit-remote allowing
192.168.16.10, and denying anything else. Add the log keyword to the deny any
entry in order to log all denied attempts:

NYEDGE2(config)#ip access-list standard permit-remote
NYEDGE2(config-std-nacl)#permit host 192.168.16.10
NYEDGE2(config-std-nacl)#deny any log
NYEDGE2(config-std-nacl)#exit
NYEDGE2(config)#

Step 3
Next apply this access list to the VTY lines. This application differs slightly from
the way you applied the access lists to interfaces. On the VTY lines you must use
the access-class command. Remember that the VTY lines are essentially virtual
connection points where remote connections via Telnet or SSH can be
established:

NYEDGE2(config)#line vty 0 15
NYEDGE2(config-line)#access-class permit-remote in
NYEDGE2(config-line)#exit
NYEDGE2(config)#

Step 4
To confirm your configuration, use PLABCSCO01 to Telnet to the router. Open
PuTTY on the desktop, ensure the protocol is set to Telnet and the Host name
(or IP address) field is set to the NYEDGE2 GigabitEthernet 0/0 address of
192.168.16.2:

Figure 3.1 Applying ACLs to VTY Lines: Attempting to connect remotely
to NYEDGE2 from PLABCSCO01.

Click Open.

You should be prompted for a password. Enter cisco:

Figure 3.2 Applying ACLs to VTY Lines: The connection via Telnet is
successful.

You should now be logged in:

Figure 3.3 Applying ACLs to VTY Lines: The user executive mode
prompt is displayed.

Step 5
Observe the access-list counters on NYEDGE2:

NYEDGE2#show access-list
Standard IP access list permit-remote
10 permit 192.168.16.10 (6 matches)
20 deny any log
NYEDGE2#

Now try to telnet from NYEDGE1:

NYEDGE1#telnet 192.168.16.2
Trying 192.168.16.2 ...
% Connection timed out; remote host not responding
NYEDGE1#

It may take up to a minute before the connection times out. Be patient.

Because you configured a deny log entry at the end of the access list, if you
have a look at the console of NYEDGE2 you should see syslog messages similar to
the following:

Aug 12 11:02:49: %SEC-6-IPACCESSLOGNP: list permit-remote denied 0 192.168.16.1 -> 0.0.0.0, 1 packet

As you can see, access lists have many uses. Securing management access to your
devices is very important and should be done on all of your networking
equipment, especially any device that is exposed to the Internet or any other
insecure environment.

Summary
In this module you achieved the following activities:

You configured standard and extended numbered access-lists
You applied these access lists to an interface and saw how important it is to
get the correct placement for your access list, and to understand what else
is happening on the router (in this case the NAT configuration)
You verified that your access list was operational, and saw access list
counters change
You configured a named access list and saw how you can insert entries
between existing entries
You learned how to view where access lists are being applied, and how to
clear access list counters
You learned how to use access lists to restrict remote access to a Cisco
device
