Monday, April 5, 2010


In extended access-lists, you can specify specific protocols. The most common ones are IP (all IP protocols), TCP, UDP and ICMP. TCP and UDP allow you to specify a port. ICMP is commonly used to block pings.

Now we'll need to make an extended access-list to prevent Host A from accessing R2's WAN link (the entire link). Remember that extended access-lists are to be placed nearest to the source. We want to deny from accessing

Even though Host A is on the same switch that R2 is connected to, Host A's traffic has to go through R1 before it can reach R2. So the access-list is to be put on R1:
access-list 100 deny ip host
access-list 100 permit ip any any

Next, apply the access-list in F0/1.20 inwards:
in f0/1.20
ip access-g 100 in

Finally we'll need to deny Host B from accessing www.google.com. To do this we'll need to squeeze in one more entry into the list. This is because you can only apply one ACL per direction per interface. We'll remove the list first, then add in the entry:
no access-l 100
access-list 100 deny ip host
access-list 100 deny tcp host host www.google.com eq www
access-list 100 permit ip any any

Using the host keyword with a name lets the router resolve the name to an IP for you. We have not set up NAT yet, so Host B won't be able to reach that site in the first place, but this is the way to do it, and we will test it once NAT is set up.

Now, notice that we had to remove the whole access-list before retyping the whole thing. Wouldn't it be good if we could slip some entries into the access-list without deleting the whole thing? Well, that is now possible! It's done with the named access-list. Let's redo the extended list as a named access-list. To do this, type:
ip access-l ext EXTLIST
deny ip host
permit ip any any

Now if you actually do a "show access-l", you'll see an output like this:
Extended IP access list 100
    10 deny ip host
    20 permit ip any any
Now, if you want to insert an entry between the two, just type:
15 deny tcp host host www.google.com eq www

You can also remove a line. For example, to remove line 10:
no 10

Now I'll walk you through the creation of a simple established access-list. To do this, create a list as shown:
ip access-l ext ESTABLISHED
permit tcp any any established

Now, you would have to apply this list to the internet interface inbound:
in f0/0
ip access-g ESTABLISHED in

This requires an internal host to establish a connection to an outside host first; only the TCP traffic coming back from the outside host is then allowed in.
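As an added illustration (not from the original post, and not Cisco code), here is a small Python model of the two behaviours described above: a sequence-numbered named access-list where entry 15 slips in between 10 and 20, "no 10" removes an entry, the first matching entry wins and an implicit deny follows the last entry; and the established keyword, which keeps no session table and only checks that ACK or RST is set in the TCP header. The host addresses are constructed placeholders, since the post leaves them out.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (the original post omits them)
HOST_A, HOST_B = "192.168.10.10", "192.168.20.10"
R2_WAN, GOOGLE = "203.0.113.2", "198.51.100.5"   # GOOGLE stands in for the resolved www.google.com

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IP protocol
    src: str                        # dotted address or "any"
    dst: str
    dport: Optional[int] = None     # "eq www" -> 80
    established: bool = False       # the "established" keyword
    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto: return False
        if self.src != "any" and self.src != p.src: return False
        if self.dst != "any" and self.dst != p.dst: return False
        if self.dport is not None and self.dport != p.dport: return False
        # "established" is stateless: it only requires ACK or RST to be set
        if self.established and not (p.flags & {"ACK", "RST"}): return False
        return True

class NamedACL:
    # Entries keyed by sequence number; "15" inserts between 10 and 20, "no 10" removes
    def __init__(self): self.entries = {}
    def add(self, seq: int, entry: Entry): self.entries[seq] = entry
    def remove(self, seq: int): del self.entries[seq]
    def evaluate(self, p: Packet) -> str:
        for seq in sorted(self.entries):                         # first match wins
            if self.entries[seq].matches(p): return self.entries[seq].action
        return "deny"                                            # implicit deny at the end

def build_extlist() -> NamedACL:
    acl = NamedACL()
    acl.add(10, Entry("deny", "ip", HOST_A, R2_WAN))            # 10 deny ip host A host R2-WAN
    acl.add(20, Entry("permit", "ip", "any", "any"))            # 20 permit ip any any
    acl.add(15, Entry("deny", "tcp", HOST_B, GOOGLE, dport=80)) # 15 deny tcp host B host google eq www
    return acl

def build_established() -> NamedACL:
    acl = NamedACL()
    acl.add(10, Entry("permit", "tcp", "any", "any", established=True))
    return acl
```

Because the established check is stateless, any inbound TCP segment with ACK set passes it, which is why a real deployment pairs it with stateful inspection rather than relying on it alone.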
