In extended access-lists, you can specify specific protocols. The most common ones are IP (all IP protocols), TCP, UDP and ICMP. TCP and UDP allows specification of port. ICMP is commonly used to specify the blocking of pings.
Now we'll need to make an extended access-list to prevent Host A from accessing R2's WAN link (the entire link). Remember that extended access-lists are to be placed nearest to the source. We want to deny 192.169.20.20 from accessing 192.169.2.1.
Even though Host A is on the same switch connected to R2, Host A needs to go through R1 before it can go into R2. So the access-list is to be put in R1:
access-list 100 deny ip host 192.169.20.20 192.169.2.0 0.0.0.255
access-list 100 permit ip any anyNext, apply the access-list in F0/1.20 inwards:
in f0/1.20
ip access-g 100 inFinally we'll need to deny Host B from accessing www.google.com. To do this we'll need to squeeze in one more entry into the list. This is because you can only apply one ACL per direction per interface. We'll remove the list first, then add in the entry:
no access-l 100
access-list 100 deny ip host 192.169.20.20 192.169.2.0 0.0.0.255
access-list 100 deny tcp host 192.169.20.20 host www.google.com eq www
access-list 100 permit ip any anyUsing the host keyword allows automatic resolution of the IP. We have not set up NAT yet, so it won't be able to access that site in the first place, but this is the way to do it and we would test it when we have NAT set up.
Now, notice that we had to actually remove the whole access-list before retyping the whole thing. Wouldn't it be good if we can actually slip some entries into the access-list without deleting the whole thing? Well, recently, that's a possibility! It's done with the named access-list. Let's redo the extended list with the named access-list. To do this, type:
ip access-l ext EXTLIST
deny ip host 192.169.20.20 192.169.2.0 0.0.0.255
permit ip any anyNow if you actually do a "show access-l", you'll see an output like this:
Extended IP access list 100
10 deny ip host 192.169.20.20 192.169.2.0 0.0.0.255
20 permit ip any any
Now, you if you actually want to insert an entry between the two, just type:15 deny tcp host 192.169.20.20 host www.google.com eq wwwThe you can also remove a line. For example, to remove line 10:
no 10Now I'll walk you through with the creation of a simple established access list. To do this, create a list as shown:
ip access-l ext ESTABLISHED
permit tcp any any establishedNow, you would have to apply this list to the internet interface inbound:
in f0/0
ip access-g ESTABLISHED inThis would require an internal host to establish a connection to an outside host before an outside host can come back in.
No comments :
Post a Comment