
Extended Access-List example on Cisco Router | NetworkLessons.com https://networklessons.com/cisco/ccna-routing-switching/extended-acc...

An extended access-list entry matches on a protocol, then [source] + [source port] to [destination] + [destination port]:

Robocop(config)#access-list 100 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment


Robocop(config)#access-list 100 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol

Robocop(config)#access-list 100 permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host

Robocop(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers

Robocop(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>


Robocop(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80

Robocop(config)#access-list 100 deny ip any any log

Robocop(config)#interface fastEthernet 0/0
Robocop(config-if)#ip access-group 100 in

Robocop(config)#ip http server

ED209#telnet 2.2.2.2 80
Trying 2.2.2.2, 80 ...
% Destination unreachable; gateway or host down

Robocop# %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55419) -> 2.2.2.2(80), 1 packet
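The `log` keyword on the final deny is what produced the syslog line above, and on a real network that line is what a SOC actually consumes. The following is an added example written for this page, not code from NetworkLessons or Cisco: a parser for the `%SEC-6-IPACCESSLOGP` message format (TCP/UDP matches), with an aggregator that totals denied packets per source and flags a source that has been denied on many distinct destination ports. The first sample line is the page's own; the other lines, the 0011.2233.4455 MAC address and the `(<interface> <mac>)` layout assumed for `log-input` entries are constructed for the example.

```python
"""Parser and aggregator for Cisco IOS %SEC-6-IPACCESSLOGP messages, the syslog line that
'deny ip any any log' produces for TCP/UDP matches. Sums denied packets per source and
flags a source that has been denied on many distinct destination ports."""
import re
from collections import defaultdict

# Standard IOS field layout. The optional "(<interface> <mac>)" group is assumed to be present
# only when the ACL entry uses 'log-input' rather than 'log'.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line: str):
    """Return the message fields as a dict, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines, scan_threshold: int = 5):
    """Return ({src: denied packets}, [sources denied on >= scan_threshold distinct ports])."""
    denied = defaultdict(int)
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        denied[rec["src"]] += rec["count"]   # later lines carry IOS's periodic summary counts
        ports[rec["src"]].add(rec["dport"])
    scanners = sorted(src for src, p in ports.items() if len(p) >= scan_threshold)
    return dict(denied), scanners


SAMPLE_LOG = [
    # the page's own message
    "Robocop# %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55419) -> 2.2.2.2(80), 1 packet",
    # constructed: the summary IOS emits later for the same flow, counting retries since the first line
    "Robocop# %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.1(55419) -> 2.2.2.2(80), 7 packets",
    # constructed: a second host probing five ports on 2.2.2.2
    *[f"Robocop# %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.12.9({40000 + i}) -> 2.2.2.2({p}), 1 packet"
      for i, p in enumerate((21, 22, 23, 25, 443))],
    # constructed: a 'log-input' style permitted line and an unrelated message, both ignored by summarize()
    "Robocop# %SEC-6-IPACCESSLOGP: list 100 permitted tcp 1.1.1.1(40001) (FastEthernet0/0 0011.2233.4455) -> 2.2.2.2(80), 1 packet",
    "Robocop# %SYS-5-CONFIG_I: Configured from console by console",
]
```

Two caveats when reading these counts: IOS logs the first matching packet immediately and then emits a summary line for the flow at intervals (five minutes by default), so the `N packets` value on later lines is an aggregate, not a single event; and ACL logging is CPU work on the router, so `log` belongs on a narrow final deny, not on high-volume permit entries. ICMP and non-TCP/UDP matches are reported with different message variants (`IPACCESSLOGDP` and `IPACCESSLOGNP`) that this regex deliberately does not match.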

Robocop#show access-lists
Extended IP access list 100
10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www
20 deny ip any any log (1 match)

ED209#telnet 2.2.2.2 80 /source-interface loopback 0
Trying 2.2.2.2, 80 ... Open

Robocop(config)#ip access-list extended 100
Robocop(config-ext-nacl)#?
Ext Access List configuration commands:
<1-2147483647> Sequence Number
default Set a command to its defaults
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
evaluate Evaluate an access list
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment

Robocop(config-ext-nacl)#do show access-list 100
Extended IP access list 100
10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (21 matches)
20 deny ip any any log (1 match)

Robocop(config-ext-nacl)#no 20

Robocop(config-ext-nacl)#do show access-list 100
Extended IP access list 100
10 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq www (21 matches)

ED209(config)#ip access-list extended DROPICMP
ED209(config-ext-nacl)#deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255
ED209(config-ext-nacl)#deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
ED209(config-ext-nacl)#permit ip any any
ED209(config-ext-nacl)#exit

ED209(config)#interface fastEthernet 0/0
ED209(config-if)#ip access-group DROPICMP in

Robocop#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ED209#show access-lists
Extended IP access list DROPICMP
10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (15 matches)
20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
30 permit ip any any

Robocop#ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)

ED209#show access-lists
Extended IP access list DROPICMP
10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (15 matches)
20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255 (15 matches)
30 permit ip any any

Robocop#telnet 1.1.1.1
Trying 1.1.1.1 ...

ED209#show access-lists
Extended IP access list DROPICMP
10 deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255 (27 matches)
20 deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255 (18 matches)
30 permit ip any any (12 matches)
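The counters above are the only visibility IOS gives into which entry caught a packet, and nothing is shown for traffic that fell off the end of the list. The following is an added example written for this page, not code from NetworkLessons or Cisco: a small Python model of extended ACL evaluation that re-creates access-list 100 on Robocop and DROPICMP on ED209, replays the page's tests (the denied and permitted telnets to 2.2.2.2, the two failed pings, the telnet that passed) and checks the wildcard-mask and first-match behaviour, including the invisible implicit deny that remains after `no 20`. Only the syntax the page uses is modelled; the TCP source ports other than the logged 55419 and the port-name table are constructed.

```python
"""Python model of Cisco IOS extended ACL evaluation: top-down, first match wins, per-entry
hit counters, and an implicit 'deny ip any any' that 'show access-lists' never displays. Only
the syntax the page uses is modelled: protocol, any / host / network+wildcard, 'eq <port>', 'log'."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53}  # names IOS substitutes for numbers

def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = None
    dport: int = None

@dataclass
class Entry:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: tuple            # (network, wildcard) as dotted strings
    dst: tuple
    sport: int = None     # only "eq <port>" is modelled
    dport: int = None
    log: bool = False
    matches: int = 0      # the "(n matches)" counter of show access-lists

    def hit(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, *self.src) and wildcard_match(pkt.dst, *self.dst)
                and (self.sport is None or pkt.sport == self.sport)
                and (self.dport is None or pkt.dport == self.dport))

def _parse_addr(tokens):
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (tokens.pop(0), "0.0.0.0") if tok == "host" else (tok, tokens.pop(0))

def _parse_port(tokens):
    """Consume 'eq <port>' if it is next; gt/lt/neq/range are not modelled."""
    if not tokens or tokens[0] != "eq":
        return None
    tokens.pop(0)
    name = tokens.pop(0)
    return PORT_NAMES.get(name) or int(name)

def parse_entry(seq: int, line: str) -> Entry:
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _parse_addr(tokens), _parse_port(tokens)
    dst, dport = _parse_addr(tokens), _parse_port(tokens)
    return Entry(seq, action, proto, src, dst, sport, dport, log="log" in tokens)

class ExtendedAcl:
    def __init__(self, name: str, lines):
        self.name = name
        self.entries = [parse_entry(10 * (i + 1), l) for i, l in enumerate(lines)]

    def evaluate(self, pkt: Packet):
        """Return (action, sequence); sequence None means the invisible implicit deny fired."""
        for e in self.entries:
            if e.hit(pkt):
                e.matches += 1
                return e.action, e.seq
        return "deny", None

# The page's two ACLs, entries in the order they were typed
ACL_100 = ["permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80", "deny ip any any log"]
DROPICMP = ["deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255",
            "deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255",
            "permit ip any any"]

def replay_page_traffic():
    """Replay the page's tests; TCP source ports other than 55419 are constructed."""
    acl100, dropicmp = ExtendedAcl("100", ACL_100), ExtendedAcl("DROPICMP", DROPICMP)
    return {
        # ED209#telnet 2.2.2.2 80 from Fa0/0 (192.168.12.1) hits the logged deny; from loopback 0 it is permitted
        "telnet_fa0/0": acl100.evaluate(Packet("tcp", "192.168.12.1", "2.2.2.2", 55419, 80)),
        "telnet_lo0": acl100.evaluate(Packet("tcp", "1.1.1.1", "2.2.2.2", 40000, 80)),
        # Robocop#ping 1.1.1.1 from Fa0/0 and from loopback 0: DROPICMP seq 10 and 20
        "ping_fa0/0": dropicmp.evaluate(Packet("icmp", "192.168.12.2", "1.1.1.1")),
        "ping_lo0": dropicmp.evaluate(Packet("icmp", "2.2.2.2", "1.1.1.1")),
        # Robocop#telnet 1.1.1.1 is not ICMP, so it falls through to permit ip any any (seq 30)
        "telnet_to_ed209": dropicmp.evaluate(Packet("tcp", "192.168.12.2", "1.1.1.1", 40001, 23)),
    }

def after_no_20():
    """After 'no 20' the same packet is still dropped, but by the implicit deny: no log, no counter."""
    return ExtendedAcl("100", ACL_100[:1]).evaluate(Packet("tcp", "192.168.12.1", "2.2.2.2", 55419, 80))
```

The point of `after_no_20()` is the operational one: removing the explicit `deny ip any any log` changes nothing about what is forwarded, but it removes the only evidence of what was dropped. Keep an explicit final deny with `log` on any ACL whose drops you want to see in syslog or in the `show access-lists` counters.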

hostname ED209
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
ip access-group DROPICMP in
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
ip access-list extended DROPICMP
deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255
deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
permit ip any any
!
end

hostname Robocop
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
ip access-group 100 in
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80
access-list 100 deny ip any any log
!
ip http server
!
end
