0
Here,we are going to see how to configure single extended access list for multiple networks using packet tracer and gns3.



Step 1:Create topology like this,





Step 2:Assign ip address to all interfaces and pc like i have given in a topology.




Router R1 Configuration,


R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown


R1(config-if)#exit
R1(config)#interface serial 2/0
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#encapsulation ppp
R1(config-if)#no shutdown


R1(config)#router rip
R1(config-router)#network 192.168.1.0
R1(config-router)#network 192.168.2.0
R1(config-router)#exit



Router R2 Configuration,


R2(config)#int ser 2/0
R2(config-if)#ip address 192.168.2.2 255.255.255.0
R2(config-if)#encapsulation ppp
R2(config-if)#no shutdown
R2(config-if)#exit



R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.3.1 255.255.255.0
R2(config-if)#no shutdown



R2(config-if)#exit
R2(config)#interface fastethernet 1/0
R2(config-if)#ip address 192.168.4.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit


R2(config)#router rip
R2(config-router)#network 192.168.2.0
R2(config-router)#network 192.168.3.0
R2(config-router)#network 192.168.4.0
R2(config-router)#exit




Step 3:Now, I am going to do a access list configuration to block access for entire network 192.168.1.0 to 192.168.4.0 and permit 192.168.3.2 to ftp in sever(192.168.4.2) all other host in 192.168.3.0 access to ftp should be blocked.All other services should be allowed to 192.168.3.0.



         1)Block access for 192.168.1.0 to 192.168.4.0.
         2)Permit 192.168.3.2 to ftp sevice in server and deny all other host to ftp.
         3)Allow all other service to all host in 192.168.3.0.


Step 4:we have to choose right interface to bind this access list to work for both network,Here in R2 interface fastethernet 1/0 is common for both network that uses to communicate with server.I am going to choose interface fastethernet1/0 in R2.Configure accesslist in R2 and bind in fa1/0.



In R2,Global config mode,


R2(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
R2(config)#access-list 100 permit tcp 192.168.3.2 0.0.0.0 192.168.4.2 0.0.0.0 eq ftp
R2(config)#access-list 100 deny tcp 192.168.3.0 0.0.0.255 192.168.4.2 0.0.0.0 eq ftp
access-list 100 permit ip any any



    Here,First line will deny access for network 192.168.1.0 to 192.168.4.0
Second line permits 192.168.3.2 to 192.168.4.2 ftp
Third line deny access for all host in network 192.168.3.0 to ftp
Fourth line will permit any source host to any destination.

Now bind this access list to interface fastethernet 1/0 in R2,




R2(config)#interface fastethernet 1/0
R2(config-if)#ip access-group 100 out
R2(config-if)#exit



Router filter packets that goes out of the interface fast ethernet2/0 that matches access list 100.Now i am going to check hosts whether access list working properly.I got,







Now,Check access list binding by giving this command.


R2#show ip interface fastethernet 1/0
FastEthernet1/0 is up, line protocol is up (connected)
  Internet address is 192.168.4.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 100
  Inbound  access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled


R2#show access-list 100
Extended IP access list 100
    deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit tcp host 192.168.3.2 host 192.168.4.2 eq ftp
    deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.2 eq ftp (12 match(es))
    permit ip any any (9 match(es))


R2#show access-lists 






Post a Comment

 
Top