CISCO Lab # 8: Implement Access Control List (ACL) in CISCO Router

 

Tasks:

Configure ACLs as follows:
1) Restrict traffic internally using Router1 as follows:
- Use access list number 100
- Inside PC1 can only access the HTTP server 1 using HTTP on subnet 10.1.1.0/24
- Inside PC2 can only access the HTTP server 2 using HTTPS on subnet 10.1.1.0/24
- No other PCs or servers on subnet 10.1.2.0/24 can access subnet 10.1.1.0/24 (add this deny line explicitly even though the implicit deny at the end of the list would also drop the traffic; on real IOS it would carry the log keyword so blocked attempts are recorded, but Packet Tracer does not support ACL logging)
- Hosts on subnet 10.1.2.0/24 can access any other network
- Bind the access list in the most efficient place on Router1

2) Verification:
- Verify that Inside PC1 can access the internal HTTP server 1 using HTTP, but not ping HTTP server 2
- Verify that Inside PC2 can access the internal HTTP server 2 using HTTPS, but not ping HTTP server 1
- Verify that both inside PC1 and PC2 can browse to cisco.com and facebook.com


Solution:

Here is the basic format of an extended access list entry:

(config)# access-list NUMBER permit|deny IP_PROTOCOL SOURCE_ADDRESS WILDCARD_MASK [PROTOCOL_INFORMATION] DESTINATION_ADDRESS WILDCARD_MASK [PROTOCOL_INFORMATION]

Extended lists use numbers 100-199 (and 2000-2699). The wildcard mask is the inverse of a subnet mask: a 1 bit means "ignore this bit", so 0.0.0.255 matches a /24 and host X is shorthand for X 0.0.0.0. Entries are evaluated top to bottom, the first match wins, and an unlisted implicit deny ip any any ends every list, so the order of the lines below matters.

PC1 has IP address 10.1.2.101 and Server 1 has 10.1.1.100, so the first line permits HTTP (TCP port 80, keyword www) from PC1 to Server 1. The second line permits HTTPS (TCP port 443) from PC2 at 10.1.2.102 to Server 2 at 10.1.1.101. The third line denies all other traffic from 10.1.2.0/24 to the server subnet 10.1.1.0/24, and the last line permits traffic from 10.1.2.0/24 to any other destination.
 
Router1>
Router1>en
Router1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 100 permit tcp host 10.1.2.101 host 10.1.1.100 eq www
Router1(config)#access-list 100 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
Router1(config)#access-list 100 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Router1(config)#access-list 100 permit ip 10.1.2.0 0.0.0.255 any
Router1(config)#exit
Router1#
%SYS-5-CONFIG_I: Configured from console by console
Router1#show access-lists
Extended IP access list 100
    10 permit tcp host 10.1.2.101 host 10.1.1.100 eq www
    20 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
    30 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    40 permit ip 10.1.2.0 0.0.0.255 any
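To see how the router walks these four entries, and why line 30 must sit before line 40, here is an added Python model of extended-ACL matching. It is not part of the lab and is not Cisco IOS code: it parses the show access-lists lines above, applies wildcard-mask matching with first-match-wins and the implicit deny, and runs the lab's verification cases through both the correct list and a hypothetical misordered copy. The address 198.51.100.10 stands in for an internet web server and is a constructed value; only a small subset of IOS port keywords is recognised.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the four ACEs of access-list 100 from the lab, in the
# order IOS evaluates them. The implicit "deny ip any any" at the end is not a
# configured line, so evaluate() models it as the fall-through result.
ACL_100 = """
10 permit tcp host 10.1.2.101 host 10.1.1.100 eq www
20 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
30 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
40 permit ip 10.1.2.0 0.0.0.255 any
"""

# Same entries with the subnet permit placed before the subnet deny, to show
# why ordering matters (hypothetical misconfiguration, not from the lab).
ACL_MISORDERED = """
10 permit tcp host 10.1.2.101 host 10.1.1.100 eq www
20 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
30 permit ip 10.1.2.0 0.0.0.255 any
40 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# Subset of the port keywords IOS accepts after "eq".
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "ssh": 22, "domain": 53, "smtp": 25}
ALL_ONES = 0xFFFFFFFF


@dataclass
class Ace:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    src_net: int
    src_wild: int            # IOS wildcard: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]  # set only when the ACE ends in "eq PORT"


def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse 'show access-lists' style lines into Ace objects, keeping their order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        seq, action, proto = int(tokens.pop(0)), tokens.pop(0), tokens.pop(0)
        src_net, src_wild = _addr(tokens)
        dst_net, dst_wild = _addr(tokens)
        port = None
        if tokens and tokens[0] == "eq":
            port = PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])
        aces.append(Ace(seq, action, proto, src_net, src_wild, dst_net, dst_wild, port))
    return aces


def _wild_match(addr, net, wild):
    # Bits set in the wildcard are ignored; every other bit must be equal.
    return ((addr ^ net) & (~wild & ALL_ONES)) == 0


def evaluate(aces, proto, src, dst, dport=None):
    """Return (action, seq) of the first matching ACE, or ("deny", None) for the
    implicit deny when nothing matches. proto is "tcp", "udp" or "icmp"."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _wild_match(s, ace.src_net, ace.src_wild):
            continue
        if not _wild_match(d, ace.dst_net, ace.dst_wild):
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action, ace.seq
    return "deny", None


def lab_verification(acl_text):
    """Run the lab's verification cases plus one outside source through the ACL."""
    aces = parse_acl(acl_text)
    return {
        "pc1_http_server1":  evaluate(aces, "tcp", "10.1.2.101", "10.1.1.100", 80),
        "pc1_ping_server2":  evaluate(aces, "icmp", "10.1.2.101", "10.1.1.101"),
        "pc1_https_server1": evaluate(aces, "tcp", "10.1.2.101", "10.1.1.100", 443),
        "pc2_https_server2": evaluate(aces, "tcp", "10.1.2.102", "10.1.1.101", 443),
        "pc2_ping_server1":  evaluate(aces, "icmp", "10.1.2.102", "10.1.1.100"),
        # 198.51.100.10 stands in for an internet web server (constructed address).
        "pc1_internet_http": evaluate(aces, "tcp", "10.1.2.101", "198.51.100.10", 80),
        # A source outside 10.1.2.0/24 falls through to the implicit deny.
        "other_subnet":      evaluate(aces, "tcp", "10.1.3.5", "10.1.1.100", 80),
    }


if __name__ == "__main__":
    for name, acl in (("access-list 100", ACL_100), ("misordered copy", ACL_MISORDERED)):
        print(name)
        for case, result in lab_verification(acl).items():
            print(f"  {case:20} -> {result}")
```

With the correct list, PC1's ping to Server 2 and PC1's HTTPS attempt to Server 1 both hit entry 30, the internet-bound request reaches entry 40, and a host outside 10.1.2.0/24 matches nothing and is dropped by the implicit deny. In the misordered copy the broad permit at 30 swallows the ping before the deny is ever reached, which is exactly the mistake the lab's line order avoids.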


To edit the list afterwards, enter named ACL configuration mode with ip access-list extended 100. There individual entries (ACEs) can be removed by sequence number or inserted between existing ones by giving a new sequence number, which the classic access-list command cannot do since it only appends to the end of the list.
 
Router1(config)#ip access-list extended 100
Router1(config-ext-nacl)#
 
Next we bind the list inbound on the interface that faces 10.1.2.0/24. Extended ACLs are applied as close to the source as possible so that denied traffic is dropped before the router spends effort routing it; here that is GigabitEthernet 0/0/0 on Router1 (the interface name depends on the lab topology). Because of the implicit deny, anything arriving on this interface from a source outside 10.1.2.0/24 is dropped as well.

Router1(config)#interface gigabitEthernet 0/0/0
Router1(config-if)#ip access-group 100 in
Router1(config-if)#end
Router1#
%SYS-5-CONFIG_I: Configured from console by console
Router1#



When the router is managed remotely, schedule a reload before applying the access list so that, if the new list locks you out, the router comes back in 10 minutes with the saved configuration (which does not yet contain the list); once you have confirmed you still have access, cancel it with reload cancel. The command needs the keyword in: without it IOS treats the argument as a reload reason and prompts for an immediate reload. This safety net only works as long as the change has not been saved with write memory.

Router1#reload in 10

We can verify that the list is working by checking its hit counters:

Router1#show access-lists
Extended IP access list 100
    10 permit tcp host 10.1.2.101 host 10.1.1.100 eq www (5 match(es))
    20 permit tcp host 10.1.2.102 host 10.1.1.101 eq 443
    30 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 (105 match(es))
    40 permit ip 10.1.2.0 0.0.0.255 any
Router1#

Entry 10 has 5 matches (PC1's HTTP requests to Server 1) and the explicit deny at entry 30 has 105 matches (the blocked pings and any other traffic from 10.1.2.0/24 to 10.1.1.0/24). This confirms that the list is bound to the interface and is being hit. Note that the counter belongs to the explicit entry 30, not to the implicit deny at the end of the list, which has no counter; that is one more reason for adding line 30 explicitly. Counters accumulate until cleared with clear access-list counters, show ip access-lists gives the same output, and show ip interface gigabitEthernet 0/0/0 confirms that list 100 is applied inbound.
