Here, we are going to see how to configure a single extended access list for multiple networks using Packet Tracer and GNS3.

Step 1: Create a topology like this,

Step 2: Assign IP addresses to all interfaces and PCs as I have given in the topology.

Router R1 configuration,

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address
R1(config-if)#no shutdown

R1(config)#interface serial 2/0
R1(config-if)#ip address
R1(config-if)#clock rate 64000
R1(config-if)#encapsulation ppp
R1(config-if)#no shutdown

R1(config)#router rip

Router R2 configuration,

R2(config)#int ser 2/0
R2(config-if)#ip address
R2(config-if)#encapsulation ppp
R2(config-if)#no shutdown

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address
R2(config-if)#no shutdown

R2(config)#interface fastethernet 1/0
R2(config-if)#ip address
R2(config-if)#no shutdown

R2(config)#router rip

Step 3: Now I am going to configure an access list to block access for the entire network to , permit only to the FTP service on the server (all other hosts in should be blocked from FTP), and allow all other services to

         1) Block access for to
         2) Permit to the FTP service in the server and deny FTP to all other hosts.
         3) Allow all other services to all hosts in

Step 4: We have to choose the right interface to bind this access list to so that it works for both networks. Here in R2, interface fastethernet 1/0 is common to both networks that communicate with the server, so I am going to choose interface fastethernet 1/0 on R2. Configure the access list on R2 and bind it to fa1/0.

In R2, global configuration mode,

R2(config)#access-list 100 deny ip
R2(config)#access-list 100 permit tcp eq ftp
R2(config)#access-list 100 deny tcp eq ftp
R2(config)#access-list 100 permit ip any any

Here, the first line will deny access for network to
The second line permits to FTP.
The third line denies access for all hosts in network to FTP.
The fourth line will permit any source host to any destination.
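The four lines above are evaluated top to bottom and the first match wins, with an implicit deny after the last line. The following Python model of that evaluation is an added example, not configuration from the post or from Cisco IOS. Because the post's own addresses are not shown, it uses constructed networks (192.168.10.0/24 behind R1, 192.168.20.0/24 behind R2 fa0/0, 10.0.0.0/24 with the server 10.0.0.10 behind R2 fa1/0, and 192.168.20.5 as the one host allowed to use FTP); these are assumptions chosen only to show how the list behaves, and the `render` helper prints each entry back in the `access-list 100 ...` syntax with Cisco wildcard masks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing (assumption: the post's own addresses are not shown).
LAN_R1 = "192.168.10.0/24"      # network behind R1 fa0/0, to be blocked from the server LAN
LAN_R2 = "192.168.20.0/24"      # network behind R2 fa0/0
SERVER_LAN = "10.0.0.0/24"      # network behind R2 fa1/0
SERVER = "10.0.0.10"            # FTP server
FTP_CLIENT = "192.168.20.5"     # the only host allowed to reach FTP on the server
FTP_PORT = 21


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol; "tcp" matches only TCP
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # "eq <port>" on the destination, TCP entries only
    matches: int = 0                # counter, like "(N match(es))" in show access-list


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def host(addr: str) -> ipaddress.IPv4Network:
    return net(addr + "/32")


ANY = net("0.0.0.0/0")


def build_acl_100() -> List[Entry]:
    """The four entries of access-list 100, in the order the post enters them."""
    return [
        Entry("deny",   "ip",  net(LAN_R1),      net(SERVER_LAN)),
        Entry("permit", "tcp", host(FTP_CLIENT), host(SERVER), FTP_PORT),
        Entry("deny",   "tcp", net(LAN_R2),      host(SERVER), FTP_PORT),
        Entry("permit", "ip",  ANY,              ANY),
    ]


def cisco_operand(n: ipaddress.IPv4Network) -> str:
    """Render a network as IOS does: 'host A.B.C.D', 'any', or 'network wildcard'."""
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    if n.prefixlen == 0:
        return "any"
    return f"{n.network_address} {n.hostmask}"   # hostmask is the Cisco wildcard mask


def render(e: Entry, number: int = 100) -> str:
    line = f"access-list {number} {e.action} {e.proto} {cisco_operand(e.src)} {cisco_operand(e.dst)}"
    if e.dport is not None:
        line += f" eq {'ftp' if e.dport == FTP_PORT else e.dport}"
    return line


def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match evaluation of one packet; returns 'permit' or 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        e.matches += 1
        return e.action
    return "deny"   # implicit deny at the end of every IOS access list


def check_requirements(acl: Optional[List[Entry]] = None) -> dict:
    """Exercise the three requirements from Step 3 against the list."""
    acl = acl if acl is not None else build_acl_100()
    return {
        "r1_lan_to_server_http": evaluate(acl, "tcp", "192.168.10.7", SERVER, 80),
        "ftp_client_ftp":        evaluate(acl, "tcp", FTP_CLIENT, SERVER, FTP_PORT),
        "other_r2_host_ftp":     evaluate(acl, "tcp", "192.168.20.9", SERVER, FTP_PORT),
        "other_r2_host_http":    evaluate(acl, "tcp", "192.168.20.9", SERVER, 80),
        "other_r2_host_ping":    evaluate(acl, "icmp", "192.168.20.9", SERVER),
    }


def swapped_lines_2_and_3() -> List[Entry]:
    """Same entries with the per-host permit placed after the network deny."""
    a = build_acl_100()
    return [a[0], a[2], a[1], a[3]]


if __name__ == "__main__":
    for e in build_acl_100():
        print(render(e))
    print(check_requirements())
    # Ordering matters: with lines 2 and 3 swapped the allowed host is denied FTP.
    print(evaluate(swapped_lines_2_and_3(), "tcp", FTP_CLIENT, SERVER, FTP_PORT))
```

Running it shows why the per-host `permit` must sit above the network-wide `deny tcp ... eq ftp`: the allowed host also belongs to that network, so if the two lines are swapped the deny matches first and the host loses FTP even though a permit for it exists further down. The same reasoning applies to the final `permit ip any any`: remove it and the implicit deny blocks every other service, which is what the third requirement in Step 3 forbids.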

Now bind this access list to interface fastethernet 1/0 in R2,

R2(config)#interface fastethernet 1/0
R2(config-if)#ip access-group 100 out

The router filters packets that go out of interface fastethernet 1/0 and match access list 100. Now I am going to check from the hosts whether the access list is working properly. I got,

Now, check the access-list binding with this command.

R2#show ip interface fastethernet 1/0
FastEthernet1/0 is up, line protocol is up (connected)
  Internet address is
  Broadcast address is
  Address determined by setup command
  MTU is 1500
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 100
  Inbound  access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

R2#show access-list 100
Extended IP access list 100
    deny ip
    permit tcp host host eq ftp
    deny tcp host eq ftp (12 match(es))
    permit ip any any (9 match(es))

R2#show access-lists 
