Introduction
Exercise 1 - Configuring Standard and Extended Access Lists
Exercise 2 - Configuring Named Access Lists
Exercise 3 - Configuring Access-Lists to Restrict Remote Access
Summary
Introduction
The Configure and verify standard Access Lists module provides you with the
instructions and Cisco hardware to develop your hands-on skills in creating and
applying access lists to routed interfaces. This module includes exercises that
cover the following topics:
Lab Diagram
During your session you will have access to the following lab configuration.
Depending on the exercises you may or may not use all of the devices, but they
are shown here in the layout to get an overall understanding of the topology of
the lab.
Connecting to your Lab
In this module you will be working on the following equipment to carry out the
steps defined in each exercise.
NYEDGE1
NYEDGE2
NYCORE1
NYACCESS1
PLABCSCO01
To start, simply choose a device and click Power on. In some cases, the devices
may power on automatically.
For further information and technical support, please see our Help and
Support page.
Copyright Notice
This document and its content is copyright of Practice-IT - © Practice-IT 2014. All rights
reserved. Any redistribution or reproduction of part or all of the contents in any form is
prohibited other than the following:
1. You may print or download to a local hard disk extracts for your personal and non-
commercial use only.
2. You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express
written permission, distribute or commercially exploit the content. Nor may you transmit it or
store it in any other website or other form of electronic retrieval system.
Diagram
Use this diagram to help you understand the tasks in this exercise:
Creating standard access-lists
There are two types of access lists, standard and extended. These access lists
can be referred to either by a name or a number, depending on how you
configure them.
The difference between the two types of access lists is the granularity of the
filtering that each provides. For example, a standard access list will only filter
based on source address or network. This can be seen in the result of the
context sensitive help below:
NYEDGE1(config)#access-list 1 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
NYEDGE1(config)#access-list 1 permit 192.168.16.0 0.0.0.255 ?
  log       Log matches against this entry
  smartlog  Smartlog matches against this entry
In the above output, the ? shows the options available at two different
points: before a network address is entered, you can supply the source address
details; once you have entered those, only the logging options remain.
Step 1
This access list will match a single device on the network, specifically the
PLABCSCO01 server. Create a numbered access list that matches the address of
the server, which is 192.168.16.10, and choose the action deny:
NYEDGE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE1(config)#access-list 10 deny host 192.168.16.10
NYEDGE1(config)#exit
NYEDGE1#
When configuring an access list to refer to only one host, you have two
options: either use the host keyword, as you have done above, or give the IP
address followed by a wildcard mask that indicates a single host. The
resulting command would be access-list 80 deny 192.168.16.10 0.0.0.0. Both
commands give the same result.
Step 2
To view the access lists you created use the following command:
NYEDGE1#show access-lists
Standard IP access list 10
10 deny 192.168.16.10
Standard IP access list NAT
10 permit 192.168.16.0, wildcard bits 0.0.0.255
NYEDGE1#
This command displays all of the access lists configured on the router.
The NAT access list has been preconfigured to enable NAT to function. This
will be used later on in this lab.
Step 3
As there is an implicit deny at the end of each access list, you will need to
include a permit statement, otherwise, everything will be blocked. With the
following command you will allow all other traffic:
NYEDGE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE1(config)#access-list 10 permit any
NYEDGE1(config)#
Step 4
At this point the access list has just been defined. It has not been applied
anywhere, so filtering is not yet taking place. You must bind this access list to an
interface.
In this step you will place the access list on GigabitEthernet 0/1 in an outbound
direction:
Step 5
If PLABCSCO01 is not powered on, power it on now. From PLABCSCO01 ping
www.practice-labs.com:
Figure 1.1 Configuring Access Lists: Pinging the web server on the
Internet from the PLABCSCO01 server.
Step 6
Observe the access list hits, using the show access-lists command:
NYEDGE1#show access-lists
Standard IP access list 10
10 deny 192.168.16.10
20 permit any (4 matches)
NYEDGE1#
You can see from the above output that there were four matches on the permit
any line and no matches on the deny 192.168.16.10 line of the access list.
Examining the configuration once again, you may realize that something is
wrong. If the PLABCSCO01 server has an IP address of 192.168.16.10, then the
pings should be denied and not permitted. Why is the incorrect line being
matched?
Step 7
The placement of the access list is very important. Because NAT is operating on
this router, the source address of the server is being translated. When the
packet in question is exiting the GigabitEthernet 0/1 interface on which the
access list was applied, it no longer has 192.168.16.10 as a source address. It has
been translated by NAT. Therefore you must either change the access list
placement and direction to GigabitEthernet 0/0 inbound, or you must modify
the access list to match the translated IP address.
The best choice would be to change the placement and direction. Remove the
access list from the GigabitEthernet 0/1 interface and place it on 0/0 in an
inbound direction:
NYEDGE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE1(config)#interface gigabitethernet 0/1
NYEDGE1(config-if)#no ip access-group 10 out
NYEDGE1(config-if)#exit
NYEDGE1(config)#interface gigabitethernet 0/0
NYEDGE1(config-if)#ip access-group 10 in
NYEDGE1(config-if)#exit
NYEDGE1(config)#exit
NYEDGE1#
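The three points made in this exercise (that host A.B.C.D and A.B.C.D 0.0.0.0 match the same thing in Step 1, the implicit deny in Step 3, and the NAT placement problem in Steps 6 and 7) can be seen together in a small model of how IOS evaluates a standard access list. This is an added Python example, not part of the Practice-IT lab. It assumes a NAT that rewrites inside sources from 192.168.16.0/24 to a single outside address; that behaviour and the outside address 203.0.113.1 are constructed, since the lab does not show NYEDGE1's NAT configuration.

```python
# Added example (not from the Practice-IT lab): a minimal model of how IOS
# evaluates a *standard* access list, used to show (a) that "host A.B.C.D"
# and "A.B.C.D 0.0.0.0" match the same thing, (b) first-match order with the
# implicit deny at the end, and (c) why ACL placement relative to NAT matters.
import ipaddress
from dataclasses import dataclass, field


def to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask means 'must match', a 1 bit
    means 'don't care'. A wildcard of 0.0.0.0 therefore means 'this host only'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class Entry:
    seq: int
    action: str            # "permit" or "deny"
    base: str              # source address to compare against
    wildcard: str = "0.0.0.0"
    matches: int = 0       # the "(N matches)" counter shown by 'show access-lists'

    def matches_src(self, src: str) -> bool:
        return wildcard_match(src, self.base, self.wildcard)


def host(seq: int, action: str, addr: str) -> Entry:
    """'access-list N <action> host A.B.C.D' == 'access-list N <action> A.B.C.D 0.0.0.0'."""
    return Entry(seq, action, addr, "0.0.0.0")


def any_src(seq: int, action: str) -> Entry:
    """'access-list N <action> any': every bit is don't-care."""
    return Entry(seq, action, "0.0.0.0", "255.255.255.255")


@dataclass
class StandardAcl:
    name: str
    entries: list = field(default_factory=list)

    def evaluate(self, src: str) -> str:
        """First matching entry wins; no match at all means the implicit deny."""
        for e in self.entries:
            if e.matches_src(src):
                e.matches += 1
                return e.action
        return "deny"          # implicit deny: not displayed by IOS and not counted

    def counters(self) -> dict:
        return {e.seq: e.matches for e in self.entries}


def build_acl_10() -> StandardAcl:
    """The lab's access-list 10: deny the PLABCSCO01 server, then permit any."""
    return StandardAcl("10", [host(10, "deny", "192.168.16.10"), any_src(20, "permit")])


def nat_translate(src: str, inside_net: str = "192.168.16.0/24",
                  outside_addr: str = "203.0.113.1") -> str:
    """Constructed stand-in for NYEDGE1's NAT: inside sources are rewritten to one
    outside address. 203.0.113.1 is a documentation address, not the lab's."""
    if ipaddress.IPv4Address(src) in ipaddress.IPv4Network(inside_net):
        return outside_addr
    return src


def ping_through(acl: StandardAcl, placement: str, src: str, count: int = 4) -> dict:
    """Simulate `count` echo requests from src through NYEDGE1 with the ACL applied
    either 'gi0/0 in' (evaluated before NAT) or 'gi0/1 out' (evaluated after NAT).
    Returns the per-entry match counters."""
    for _ in range(count):
        seen = src if placement == "gi0/0 in" else nat_translate(src)
        acl.evaluate(seen)
    return acl.counters()


if __name__ == "__main__":
    # Outbound on Gi0/1 the deny line never sees 192.168.16.10; inbound on Gi0/0 it does.
    print("gi0/1 out:", ping_through(build_acl_10(), "gi0/1 out", "192.168.16.10"))
    print("gi0/0 in: ", ping_through(build_acl_10(), "gi0/0 in", "192.168.16.10"))
```

Running the block reproduces the two counter patterns from Steps 6 and 9: with the list outbound on GigabitEthernet 0/1 all four pings land on the permit any line, and with it inbound on GigabitEthernet 0/0 all four land on the deny line.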
Step 8
Retry the ping from PLABCSCO01 once more:
Figure 1.2 Configuring Access Lists: Pinging the web server on the
Internet from PLABCSCO01 once more.
Step 9
Return to the NYEDGE1 router and view the access list again:
NYEDGE1#show access-lists
Standard IP access list 10
10 deny 192.168.16.10 (8 matches)
20 permit any (19 matches)
Standard IP access list NAT
10 permit 192.168.16.0, wildcard bits 0.0.0.255
(1 match)
NYEDGE1#
You now see that there are matches on the deny line of the access list, meaning
the access list denied the pings you sent.
Step 10
Before continuing on to the next exercise, remove the access-group you applied
to GigabitEthernet 0/0:
NYEDGE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE1(config)#interface gigabitethernet 0/0
NYEDGE1(config-if)#no ip access-group 10 in
NYEDGE1(config-if)#exit
NYEDGE1(config)#exit
NYEDGE1#
You have completed the creation of standard access lists. Leave your devices in
their current states and continue on to the next section.
In this section, you will create an extended access list. The benefits of extended
access lists are that you can be much more granular in what you want to permit
and deny.
You will now configure an access list that permits FTP but denies ICMP on
NYEDGE1.
Step 1
Configure access-list 110 allowing FTP:
NYEDGE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE1(config)#access-list 110 permit tcp host 192.168.16.10 any eq ftp
NYEDGE1(config)#access-list 110 permit tcp host 192.168.16.10 any eq ftp-data
NYEDGE1(config)#
You must create two access list entries because FTP uses two ports: 20 for
data and 21 for control information. For well-known ports, keywords can be
used instead of the port numbers.
Step 2
Next, within the same access list, deny ICMP specifically to
www.practice-labs.com, which corresponds to the IP address 172.15.0.10,
remembering that ICMP is a protocol:
Step 3
Examine your access list now and remember that there is an implicit deny at
the end of the list:
NYEDGE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE1(config)#interface GigabitEthernet 0/0
NYEDGE1(config-if)#ip access-group 110 in
NYEDGE1(config-if)#exit
NYEDGE1(config)#
You can only have one access-group per interface per direction. The above
command will replace any other inbound access-group that may have been
configured on this interface.
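To see why access-list 110 needs both the ftp and ftp-data entries, and what the implicit deny does to everything the list does not name, the following added Python example parses extended ACL entries written in the IOS syntax used in this exercise and evaluates them against packets. It is not the lab's own code. The deny icmp entry is only described in the text, not shown, so its spelling below (deny icmp host 192.168.16.10 host 172.15.0.10) is a constructed assumption, and only the eq operator is parsed because that is the only one the exercise uses.

```python
# Added example (not the lab's own code): parse extended ACL entries in IOS
# syntax and evaluate them against packets. Shows the two-entry FTP rule and
# the implicit deny at the end of the list.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known port keywords IOS accepts in place of numbers (subset).
PORT_KEYWORDS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}


@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port; None for ICMP


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'.
    Returns ((base, wildcard), index of the next token)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_entry(line):
    """Parse e.g. 'permit tcp host 192.168.16.10 any eq ftp' into a rule dict.
    Only the 'eq <port>' operator is handled; it is the only one the lab uses."""
    t = line.split()
    rule = {"action": t[0], "proto": t[1], "dport": None}
    rule["src"], i = _parse_addr(t, 2)
    rule["dst"], i = _parse_addr(t, i)
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        rule["dport"] = PORT_KEYWORDS[p] if p in PORT_KEYWORDS else int(p)
    return rule


def entry_matches(rule, pkt):
    """Protocol, source, destination and (if given) destination port must all match."""
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *rule["src"]) or not wildcard_match(pkt.dst, *rule["dst"]):
        return False
    return rule["dport"] is None or rule["dport"] == pkt.dport


def evaluate(lines, pkt):
    """First match wins; a packet matching no entry hits the implicit deny.
    Returns (action, the entry text that decided it)."""
    for line in lines:
        if entry_matches(parse_entry(line), pkt):
            return parse_entry(line)["action"], line
    return "deny", "<implicit deny>"


# The entries built in this exercise. The deny icmp line is described in the
# text but not shown, so this spelling of it is a constructed assumption.
ACL_110 = [
    "permit tcp host 192.168.16.10 any eq ftp",
    "permit tcp host 192.168.16.10 any eq ftp-data",
    "deny icmp host 192.168.16.10 host 172.15.0.10",
]

if __name__ == "__main__":
    server, web = "192.168.16.10", "172.15.0.10"
    for pkt in (Packet("tcp", server, web, 21), Packet("tcp", server, web, 20),
                Packet("icmp", server, web), Packet("tcp", server, web, 80)):
        print(pkt, "->", evaluate(ACL_110, pkt))
```

The last packet in the usage block (TCP to port 80 from the same host) is dropped even though no entry mentions it: that is the implicit deny at work, which is why Step 3 asks you to re-read the list before applying it. Dropping the ftp-data entry and re-running shows port 20 traffic falling through to the same implicit deny.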
Step 5
Next, test the configuration using PLABCSCO01. First try a ping to
www.practice-labs.com then try and use FTP from within the command
prompt. To connect using FTP, issue the following command:
C:\tools>ftp www.practice-labs.com
In the screenshot above you can see that the ping fails, however the FTP
connection is successful.
Step 6
Finally, review the access list hits once more:
Step 7
Before continuing on to the next exercise, remove the access-group you applied
to GigabitEthernet 0/0:
NYEDGE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE1(config)#interface gigabitethernet 0/0
NYEDGE1(config-if)#no ip access-group 110 in
NYEDGE1(config-if)#exit
NYEDGE1(config)#exit
NYEDGE1#
Make sure that you have successfully performed this step. Otherwise, the
rest of the lab will not function correctly.
Diagram
Use this diagram to help you understand the tasks in this exercise:
Configuring a named access-list
Step 1
Create a named extended access list called permit-ftp allowing FTP from
192.168.16.10 to 172.15.0.10. In the same access list, block ICMP:
NYEDGE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE1(config)#ip access-list extended permit-ftp
NYEDGE1(config-ext-nacl)#permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp
NYEDGE1(config-ext-nacl)#deny icmp host 192.168.16.10 any
NYEDGE1(config-ext-nacl)#exit
NYEDGE1(config)#exit
NYEDGE1#
One of the major differences between numbered and named access lists is
that named access lists bring you into an access list configuration mode
where you can input all of your configuration parameters. This is denoted by
the NYEDGE1(config-ext-nacl)# prompt.
Step 2
View the access list:
Take a closer look at the above access list. You didn’t include the line which
permits the ftp-data port.
Step 3
One of the advantages of using named access lists is that you can insert entries
into any position of the access list, assuming there is a line number free where
you want to insert the new entry. Line numbers by default are assigned in 10s
for this purpose.
The new line should be placed in between existing access list entries numbers
10 and 20. Put the ftp-data line in at number 15 allowing you to add still more
entries above and below this point in the future:
NYEDGE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE1(config)#ip access-list extended permit-ftp
NYEDGE1(config-ext-nacl)#15 permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp-data
NYEDGE1(config-ext-nacl)#exit
NYEDGE1(config)#exit
NYEDGE1#
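The sequence-number behaviour used in this step (entries numbered in tens, a new entry slotted in at 15, and what happens once no free number is left between two entries) is shown in the following added Python model of a named ACL. It is not the lab's code. The append rule it uses, highest existing number plus the step, and the resequence method, which mirrors the effect of the IOS ip access-list resequence command, are the model's own simplifications.

```python
# Added example (not from the lab): a named ACL keeps its entries keyed by
# sequence number, so a new entry can be placed between existing ones and the
# whole list can be renumbered when the gaps run out.

class NamedAcl:
    """Entries keyed by sequence number; evaluation order is ascending sequence."""

    def __init__(self, name, step=10):
        self.name = name
        self.step = step             # IOS numbers entries 10, 20, 30, ... by default
        self.entries = {}            # seq -> entry text

    def add(self, text, seq=None):
        """Without a sequence number the entry is appended (modelled here as the
        highest existing number plus the step). With one, it takes that slot,
        which must still be free."""
        if seq is None:
            seq = max(self.entries, default=0) + self.step
        if seq in self.entries:
            raise ValueError(f"sequence number {seq} is already in use in {self.name}")
        self.entries[seq] = text
        return seq

    def free_between(self, low, high):
        """Sequence numbers still available strictly between two existing entries."""
        return [s for s in range(low + 1, high) if s not in self.entries]

    def resequence(self, start=10, step=10):
        """Keep the evaluation order but hand out fresh numbers, like
        'ip access-list resequence <name> <start> <step>'. Returns the new numbers."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: t for i, t in enumerate(ordered)}
        return sorted(self.entries)

    def show(self):
        """Lines in the order the router evaluates them, as 'show access-lists' prints them."""
        return [f"{s} {self.entries[s]}" for s in sorted(self.entries)]


def build_permit_ftp():
    """Reproduce the exercise: two entries, then the ftp-data line inserted at 15."""
    acl = NamedAcl("permit-ftp")
    acl.add("permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp")            # seq 10
    acl.add("deny icmp host 192.168.16.10 any")                                # seq 20
    acl.add("permit tcp host 192.168.16.10 host 172.15.0.10 eq ftp-data", seq=15)
    return acl


if __name__ == "__main__":
    acl = build_permit_ftp()
    print("\n".join(acl.show()))
    print("free between 10 and 20:", acl.free_between(10, 20))
    print("after resequence:", acl.resequence(), acl.show())
```

Note that the ordering is what matters for security, not the numbers themselves: after a resequence the ftp-data entry is numbered 20 instead of 15, but it is still evaluated before the deny icmp entry, so the list behaves exactly as before.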
Step 5
View the access list once more:
Step 6
Apply the named access list to the interface:
NYEDGE1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE1(config)#interface gigabitEthernet 0/0
NYEDGE1(config-if)#ip access-group permit-ftp in
NYEDGE1(config-if)#exit
NYEDGE1(config)#exit
NYEDGE1#
Step 7
Test your configuration using the PLABCSCO01 server. You can ping either the
domain name www.practice-labs.com or the corresponding IP address of
172.15.0.10:
Figure 2.1 Configuring Named Access Lists: Attempting to ping and FTP
into the web server from PLABCSCO01.
Step 8
When troubleshooting connections through your access list, sometimes it’s
helpful to reset the match counters. In this step, you will clear the counters.
First, display the access list information with the following command:
Note that this command clears the counters for all access lists. To clear the
counters of one specific access list, use the clear ip access-list counters XX
command, where XX is either the access list number or the access list name.
You can check to see that the counters have been reset:
Step 9
Before finishing this exercise, it is important to be able to see which access
lists are applied to an interface. Here are two approaches you can use:
First, you can view the running configuration of the interface in question:
You can also use the show ip interface command, which shows which inbound
and outbound access lists are set:
Leave the devices powered on and in their current states and continue to the
next exercise.
In this exercise you will use your knowledge of access lists to restrict access to
NYEDGE2.
Step 1
First, to prove that access to the router will be blocked, you must configure
a password so that when you use PLABCSCO01 to access the router remotely
you can actually log in. You will configure a password of cisco.
NYEDGE2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NYEDGE2(config)#line vty 0 15
NYEDGE2(config-line)#password cisco
NYEDGE2(config-line)#login
NYEDGE2(config-line)#exit
NYEDGE2(config)#
Step 2
Next, create a named standard access list called permit-remote allowing
192.168.16.10, and denying anything else. Add the log keyword to the deny any
entry in order to log all denied attempts:
Step 3
Next apply this access list to the VTY lines. This application differs slightly from
the way you applied the access lists to interfaces. On the VTY lines you must use
the access-class command. Remember that the VTY lines are essentially virtual
connection points where remote connections via Telnet or SSH can be
established:
NYEDGE2(config)#line vty 0 15
NYEDGE2(config-line)#access-class permit-remote in
NYEDGE2(config-line)#exit
NYEDGE2(config)#
Step 4
To confirm your configuration, use PLABCSCO01 to Telnet to the router. Open
PuTTY on the desktop, ensure the protocol is set to Telnet and the Host Name
(or IP address) field is set to the NYEDGE2 GigabitEthernet 0/0 address of
192.168.16.2:
Figure 3.1 Applying ACLs to VTY Lines: Attempting to connect remotely
to NYEDGE2 from PLABCSCO01.
Click Open.
Step 5
Observe the access-list counters on NYEDGE2:
NYEDGE2#show access-list
Standard IP access list permit-remote
10 permit 192.168.16.10 (6 matches)
20 deny any log
NYEDGE2#
Because you configured a deny log at the end of the access list, if you have a
look at the console of NYEDGE2 you should see syslog messages similar to the
following:
As you can see, access lists have many uses and securing access to your devices
is very important and should be done on all your networking equipment,
especially any devices that are exposed to the Internet or any insecure
environment.
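The deny any log entry from Step 2 is only useful if someone reads what it produces. The following added Python example (not the lab's code) parses the syslog lines a standard ACL entry with the log keyword generates and totals the denied remote-access attempts per source, which is the check an operator would run over NYEDGE2's log after applying access-class. The sample lines are constructed in the IOS %SEC-6-IPACCESSLOGS format (list <name> permitted|denied <source> <n> packet(s)) as the author understands it; they are not the lab's actual output, and the source addresses in them are invented.

```python
# Added example (not from the lab): parse the log lines produced by a standard
# ACL entry carrying the 'log' keyword and summarise denied VTY attempts per
# source. Sample lines below are constructed; they are not the lab's output.
import re
from collections import Counter

# Constructed sample in the IOS %SEC-6-IPACCESSLOGS format (assumed layout).
SAMPLE_LOG = """\
*Mar  1 00:14:22.101: %SEC-6-IPACCESSLOGS: list permit-remote denied 192.168.16.50 1 packet
*Mar  1 00:14:31.880: %SEC-6-IPACCESSLOGS: list permit-remote permitted 192.168.16.10 1 packet
*Mar  1 00:15:03.412: %SEC-6-IPACCESSLOGS: list permit-remote denied 192.168.16.50 3 packets
*Mar  1 00:16:45.009: %SEC-6-IPACCESSLOGS: list permit-remote denied 10.0.0.99 1 packet
*Mar  1 00:17:10.555: %SYS-5-CONFIG_I: Configured from console by console
"""

# IOS summarises repeated hits, so the trailing count may be "1 packet" or "N packets".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<count>\d+) packets?"
)


def parse_access_logs(text):
    """Yield (acl, action, src, count) for each IPACCESSLOGS line; other syslog lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["acl"], m["action"], m["src"], int(m["count"])


def denied_by_source(text, acl_name):
    """Total denied packets per source address for one ACL. Each source here is a
    remote login attempt that the access-class on the VTY lines turned away."""
    totals = Counter()
    for acl, action, src, count in parse_access_logs(text):
        if acl == acl_name and action == "denied":
            totals[src] += count
    return dict(totals)


def sources_over_threshold(text, acl_name, threshold):
    """Sources whose denied count reaches the threshold, most active first;
    a simple trigger for a closer look or an alert."""
    totals = denied_by_source(text, acl_name)
    return sorted((s for s, n in totals.items() if n >= threshold), key=lambda s: -totals[s])


if __name__ == "__main__":
    print(denied_by_source(SAMPLE_LOG, "permit-remote"))
    print("review:", sources_over_threshold(SAMPLE_LOG, "permit-remote", 2))
```

Because IOS rate-limits and batches these messages, the counts in the log are a lower bound on the attempts made, and the match counters shown by show access-lists remain the authoritative total; the log is what tells you who was denied.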
Summary
In this module you achieved the following activities: