Tasks:
Configure ACLs as follows:
1) Restrict traffic internally using Router1 as follows:
- Use access list number 100
- Inside PC1 can only access the HTTP server 1 using HTTP on subnet 10.1.1.0/24
- Inside PC2 can only access the HTTP server 2 using HTTPS on subnet 10.1.1.0/24
- No other PCs or servers on subnet 10.1.2.0/24 can access subnet 10.1.1.0/24. Add this deny line explicitly: on real IOS it is normally written with the log keyword so the denied traffic is logged, but Packet Tracer does not support logging.
- Hosts on subnet 10.1.2.0/24 can access any other network
- Bind the access list in the most efficient place on Router1
2) Verification:
- Verify that Inside PC1 can access the internal HTTP server 1 using HTTP, but not ping HTTP server 2
- Verify that Inside PC2 can access the internal HTTP server 2 using HTTPS, but not ping HTTP server 1
- Verify that both inside PC1 and PC2 can browse to cisco.com and facebook.com
Solution:
Here is the basic syntax of an extended access list:
(config) access-list NUMBER permit|deny IP_PROTOCOL SOURCE_ADDRESS WILDCARD_MASK [PROTOCOL_INFORMATION] DESTINATION_ADDRESS WILDCARD_MASK PROTOCOL_INFORMATION
PC 1 is assigned IP address 10.1.2.101 and Server 1 is assigned IP address 10.1.1.100, so we need to permit HTTP traffic between these two hosts. Next we need to permit HTTPS traffic from PC2 (10.1.2.102) to Server 2 (10.1.1.101). Then we explicitly deny any other traffic from 10.1.2.0/24 to the local server subnet, and finally permit 10.1.2.0/24 to reach any other network. The entries are evaluated top-down on first match, so the order matters: the two host-specific permits must come before the subnet-wide deny, and the deny must come before the final permit.

Router1>en
Router1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 100 permit tcp host 10.1.2.101 host 10.1.1.100 eq www
Router1(config)#access-list 100 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
Router1(config)#access-list 100 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Router1(config)#access-list 100 permit ip 10.1.2.0 0.0.0.255 any
Router1(config)#end
Router1#
%SYS-5-CONFIG_I: Configured from console by console
Router1#show access-lists
Extended IP access list 100
10 permit tcp host 10.1.2.101 host 10.1.1.100 eq www
20 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
30 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
40 permit ip 10.1.2.0 0.0.0.255 any

Bind the list inbound on the interface that connects to 10.1.2.0/24: every entry uses that subnet as its source, so filtering there drops the traffic as it enters Router1 instead of after it has been routed. The interface name is not given on this page, so a placeholder is used below.

Router1#config t
Router1(config)#interface <LAN interface facing 10.1.2.0/24>
Router1(config-if)#ip access-group 100 in
Router1(config-if)#end
Router1#
%SYS-5-CONFIG_I: Configured from console by console
Router1#
Router1#show access-lists
Extended IP access list 100
10 permit tcp host 10.1.2.101 host 10.1.1.100 eq www (5 match(es))
20 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
30 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 (105 match(es))
40 permit ip 10.1.2.0 0.0.0.255 any
Router1#
Line 10 shows 5 matches and the explicit deny at line 30 shows 105 matches. This confirms the access list is bound to the interface and is filtering: PC1's HTTP requests to Server 1 are hitting the permit, while traffic from 10.1.2.0/24 toward 10.1.1.0/24 that does not match the host-specific permits (such as the test pings) is being dropped by line 30. The implicit deny at the end of every ACL is not displayed in this output.
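As an added example (not part of the original lab), the following Python models how IOS evaluates access-list 100 top-down on first match, with wildcard masks and the implicit deny, and runs the lab's verification cases through it. The Internet address 203.0.113.10 and the 10.1.3.5 source are constructed values.

```python
import ipaddress

# Access-list 100 from this page, one tuple per ACE:
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port).
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_100 = [
    ("permit", "tcp", "10.1.2.101", "0.0.0.0", "10.1.1.100", "0.0.0.0", 80),
    ("permit", "tcp", "10.1.2.102", "0.0.0.0", "10.1.1.101", "0.0.0.0", 443),
    ("deny", "ip", "10.1.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255", None),
    ("permit", "ip", "10.1.2.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", None),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def evaluate(acl, proto, src, dst, dst_port=None):
    """Walk the ACEs top-down and stop at the first match, as IOS does.
    Returns (action, sequence number); sequence 0 is the implicit deny ip any any."""
    for seq, (action, p, s, sw, d, dw, port) in enumerate(acl, start=1):
        if p != "ip" and p != proto:          # "ip" matches every IP protocol
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dst_port:  # the "eq PORT" check
            continue
        return action, seq * 10
    return "deny", 0

def verify():
    """The lab's verification steps as packets arriving inbound on the LAN interface.
    203.0.113.10 stands in for an Internet host; 10.1.3.5 is a constructed outside source."""
    return {
        "pc1_http_server1": evaluate(ACL_100, "tcp", "10.1.2.101", "10.1.1.100", 80),
        "pc1_ping_server2": evaluate(ACL_100, "icmp", "10.1.2.101", "10.1.1.101"),
        "pc2_https_server2": evaluate(ACL_100, "tcp", "10.1.2.102", "10.1.1.101", 443),
        "pc2_ping_server1": evaluate(ACL_100, "icmp", "10.1.2.102", "10.1.1.100"),
        "pc1_https_server1": evaluate(ACL_100, "tcp", "10.1.2.101", "10.1.1.100", 443),
        "pc1_internet": evaluate(ACL_100, "tcp", "10.1.2.101", "203.0.113.10", 443),
        "other_host_to_servers": evaluate(ACL_100, "tcp", "10.1.2.50", "10.1.1.100", 80),
        "non_lan_source": evaluate(ACL_100, "tcp", "10.1.3.5", "10.1.1.100", 80),
    }

if __name__ == "__main__":
    for name, (action, seq) in verify().items():
        print(f"{name:24} -> {action} (line {seq or 'implicit'})")
```

The last case shows why the explicit deny at line 30 is the one that collects the match counters in the lab: the implicit deny only catches traffic that none of the four entries describe.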