Here, we are going to see how to configure a single extended access list for multiple networks using Packet Tracer and GNS3.
Step 1: Create a topology like this:
Step 2: Assign IP addresses to all router interfaces and PCs as given in the topology.
Router R1 configuration:
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 2/0
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#encapsulation ppp
R1(config-if)#no shutdown
R1(config)#router rip
R1(config-router)#network 192.168.1.0
R1(config-router)#network 192.168.2.0
R1(config-router)#exit
Router R2 configuration:
R2(config)#int ser 2/0
R2(config-if)#ip address 192.168.2.2 255.255.255.0
R2(config-if)#encapsulation ppp
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.3.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastethernet 1/0
R2(config-if)#ip address 192.168.4.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#network 192.168.2.0
R2(config-router)#network 192.168.3.0
R2(config-router)#network 192.168.4.0
R2(config-router)#exit
Step 3: Now configure an access list that blocks the entire network 192.168.1.0 from reaching 192.168.4.0, permits only host 192.168.3.2 to use FTP on the server (192.168.4.2), blocks FTP from every other host in 192.168.3.0, and still allows all other services for 192.168.3.0. In summary:
1) Block all access from 192.168.1.0 to 192.168.4.0.
2) Permit 192.168.3.2 to reach the FTP service on the server and deny FTP from all other hosts.
3) Allow all other services for every host in 192.168.3.0.
Step 4: We have to choose the right interface to bind this access list so that one list works for both networks. On R2, interface fastethernet 1/0 is the interface both networks traverse to reach the server, so a single outbound list there covers both. Note that this trades the usual guideline of placing extended ACLs close to the source for simplicity: traffic from 192.168.1.0 crosses the serial link and is only dropped at R2. Configure the access list on R2 and bind it to fa1/0.
On R2, in global configuration mode:
R2(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
R2(config)#access-list 100 permit tcp 192.168.3.2 0.0.0.0 192.168.4.2 0.0.0.0 eq ftp
R2(config)#access-list 100 deny tcp 192.168.3.0 0.0.0.255 192.168.4.2 0.0.0.0 eq ftp
R2(config)#access-list 100 permit ip any any
Here, the first line denies all IP traffic from network 192.168.1.0 to network 192.168.4.0.
The second line permits TCP port 21 (the FTP control channel, which is what `eq ftp` matches) from host 192.168.3.2 to host 192.168.4.2; a wildcard of 0.0.0.0 means every bit must match, which IOS displays as `host`.
The third line denies FTP from every other host in 192.168.3.0 to the server. It must come after the second line, because entries are evaluated top down and the first match wins; in the opposite order 192.168.3.2 would be blocked too.
The fourth line permits everything else. Without it the implicit deny at the end of every access list would drop all remaining traffic, including the non-FTP services that 192.168.3.0 is supposed to keep.
Now bind this access list outbound on interface fastethernet 1/0 of R2:
R2(config)#interface fastethernet 1/0
R2(config-if)#ip access-group 100 out
R2(config-if)#exit
The router checks every packet that goes out of interface fastethernet 1/0 against access list 100; traffic from the PCs toward the server is filtered, while replies coming from the server enter fa1/0 and are not touched by this list. Now, testing from the hosts whether the access list works properly, I got,
Now, check the access list binding with this command:
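To make the top-down, first-match behaviour of this list concrete, here is an added example in Python. It is my own code, not from the original post or from Cisco: it parses numbered-ACL lines exactly as typed on R2 (accepting the `A.B.C.D W.W.W.W`, `host` and `any` address forms and `eq <port>`), evaluates constructed packets against them with IOS wildcard-mask semantics, and shows what happens when the host permit and the subnet deny are swapped. The four ACL lines are the page's; the `Packet` class, the test packets and the `PORT_NAMES` table are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names IOS accepts after "eq"; only a small assumed subset is needed here.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet as an ACL sees it (constructed for this example)."""
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # TCP/UDP destination port, None for icmp


def _parse_addr(tok, i):
    """Consume one IOS address spec at tok[i]: any | host A.B.C.D | A.B.C.D W.W.W.W.
    Returns ((base, wildcard), next_index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ace(line):
    """Parse one 'access-list N <permit|deny> <proto> <src> <dst> [eq port]' line
    (the numbered-ACL form used on the page) into a dict."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]             # drop "access-list 100"
    action, proto = tok[0], tok[1]
    (src, src_w), i = _parse_addr(tok, 2)
    (dst, dst_w), i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return {"action": action, "proto": proto, "src": src, "src_w": src_w,
            "dst": dst, "dst_w": dst_w, "dport": dport, "text": line}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 must equal the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace["src"], ace["src_w"]):
        return False
    if not wildcard_match(pkt.dst, ace["dst"], ace["dst_w"]):
        return False
    # "eq <port>" constrains only the destination port of TCP/UDP packets
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    return True


def evaluate(acl, pkt):
    """First-match evaluation. Returns (action, index of the matching entry);
    index None means the implicit 'deny ip any any' at the end of every ACL."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], i
    return "deny", None


# The page's access-list 100, exactly as entered on R2.
ACL_100_LINES = [
    "access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255",
    "access-list 100 permit tcp 192.168.3.2 0.0.0.0 192.168.4.2 0.0.0.0 eq ftp",
    "access-list 100 deny tcp 192.168.3.0 0.0.0.255 192.168.4.2 0.0.0.0 eq ftp",
    "access-list 100 permit ip any any",
]
ACL_100 = [parse_ace(line) for line in ACL_100_LINES]

# Constructed packets (not from the page) leaving R2 fa1/0 toward the server.
CASES = {
    "pc 1.2 http to server": Packet("192.168.1.2", "192.168.4.2", "tcp", 80),
    "pc 3.2 ftp to server":  Packet("192.168.3.2", "192.168.4.2", "tcp", 21),
    "pc 3.3 ftp to server":  Packet("192.168.3.3", "192.168.4.2", "tcp", 21),
    "pc 3.3 http to server": Packet("192.168.3.3", "192.168.4.2", "tcp", 80),
    "pc 3.3 ping to server": Packet("192.168.3.3", "192.168.4.2", "icmp"),
}


def results(acl=ACL_100):
    """Action taken for every constructed case under the given ACL."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in CASES.items()}


if __name__ == "__main__":
    for name, action in results().items():
        print(f"{name:24s} -> {action}")
    # Order matters: with the subnet deny ahead of the host permit, the deny
    # matches 192.168.3.2 first and its FTP is silently blocked.
    swapped = [ACL_100[0], ACL_100[2], ACL_100[1], ACL_100[3]]
    print("3.2 ftp with lines 2 and 3 swapped ->",
          evaluate(swapped, CASES["pc 3.2 ftp to server"])[0])
```

Running it prints a permit or deny per case; the swapped list denies 192.168.3.2, and evaluating against only the first three entries denies the HTTP case through the implicit deny, which is why the final `permit ip any any` is needed.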
R2#show ip interface fastethernet 1/0
FastEthernet1/0 is up, line protocol is up (connected)
Internet address is 192.168.4.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 100
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
R2#show access-list 100
Extended IP access list 100
deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit tcp host 192.168.3.2 host 192.168.4.2 eq ftp
deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.2 eq ftp (12 match(es))
permit ip any any (9 match(es))
R2#show access-lists
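As an added check, here is my own Python (not from the page) that parses the two verification outputs above, the binding lines of `show ip interface` and the hit counters of `show access-lists`, so the result can be asserted rather than eyeballed. It confirms that ACL 100 is applied outbound with nothing inbound, and lists the entries whose counter is still zero: here the first two lines, meaning the traffic that produced these counters exercised neither the 192.168.1.0 block nor the 192.168.3.2 FTP permit, so those two rules are not yet proven. The sample text is copied from the page's output; the regex also accepts the `(12 matches)` and sequence-number forms that IOS proper prints.

```python
import re

# Sample outputs copied from the page's verification commands on R2
# (only the lines this check needs).
SHOW_IP_INTERFACE = """\
FastEthernet1/0 is up, line protocol is up (connected)
  Internet address is 192.168.4.1/24
  Outgoing access list is 100
  Inbound access list is not set
"""

SHOW_ACCESS_LISTS = """\
Extended IP access list 100
    deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit tcp host 192.168.3.2 host 192.168.4.2 eq ftp
    deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.2 eq ftp (12 match(es))
    permit ip any any (9 match(es))
"""


def acl_binding(show_ip_interface):
    """Return {'in': name_or_None, 'out': name_or_None} from 'show ip interface'."""
    binding = {"in": None, "out": None}
    for direction, value in re.findall(r"(Outgoing|Inbound) access list is (.+)",
                                       show_ip_interface):
        key = "out" if direction == "Outgoing" else "in"
        value = value.strip()
        binding[key] = None if value == "not set" else value
    return binding


# One entry: optional sequence number, action, body, optional hit counter.
# Packet Tracer prints "(12 match(es))"; IOS prints "(12 matches)" or "(1 match)".
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(.*?)"
    r"(?:\s+\((\d+) match(?:es|\(es\))?\))?\s*$")
HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")


def parse_show_access_lists(text):
    """Return {acl_name: [(action, body, hit_count), ...]} in display order."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group(1)
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            acls[current].append((m.group(1), m.group(2), int(m.group(3) or 0)))
    return acls


def unexercised(acls, name):
    """Entries whose counter is still zero: their policy has not been tested."""
    return [f"{action} {body}" for action, body, hits in acls[name] if hits == 0]


if __name__ == "__main__":
    print("binding:", acl_binding(SHOW_IP_INTERFACE))
    acls = parse_show_access_lists(SHOW_ACCESS_LISTS)
    for action, body, hits in acls["100"]:
        print(f"{hits:4d}  {action} {body}")
    print("not yet exercised:", unexercised(acls, "100"))
```

A clean test of this list should leave every counter above zero: one FTP attempt from 192.168.1.x and one from 192.168.3.2 are enough to exercise the two entries that are still at zero in the page's output.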
wow! very helpful!