ACL practice

[Topology screenshot: Screenshot_2018-11-23_06-32-17]

Download lab here.

Starting from the above topology, and using only 3 ACLs:

  1. Allow access from green to red
  2. Block access from outside to red
  3. Allow outside to green (NAT subnet)*

*Due to multiple layers of NAT in my home network, outside users will not be able to see the internal network subnets and therefore won’t be able to access them.

Using standard ACLs (numbered):

Standard ACLs can only match on the source address.

Rule 1

On R2:

access-list 1 permit 10.0.101.0 0.0.0.255 log
!
interface GigabitEthernet3/0
 ip address 10.0.100.1 255.255.255.0
 ip access-group 1 out
 ip ospf 1 area 0
 negotiation auto
!

Rule 2

Covered by Rule 1

Rule 3

On R3:

access-list 1 permit 192.168.122.0 0.0.0.255 log
!
interface GigabitEthernet3/0
 ip address 10.0.101.1 255.255.255.0
 ip access-group 1 out
 ip ospf 1 area 0
 negotiation auto
!

Using named ACLs:

Rule 1:

ip access-list extended RULE1
 permit ip 10.0.101.0 0.0.0.255 10.0.100.0 0.0.0.255 log
!
interface GigabitEthernet3/0
 ip address 10.0.100.1 255.255.255.0
 ip access-group RULE1 out
 ip ospf 1 area 0
 negotiation auto
!


Rule 2:

Covered by Rule 1 (the implicit deny any at the end of the ACL).

Rule 3:

ip access-list extended RULE3
 permit ip 192.168.122.0 0.0.0.255 10.0.101.0 0.0.0.255 log
!
interface GigabitEthernet3/0
 ip address 10.0.101.1 255.255.255.0
 ip access-group RULE3 out
 ip ospf 1 area 0
 negotiation auto
!
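To check that the standard and the named/extended versions above really enforce the same three rules, here is an offline model of Cisco first-match ACL evaluation, written for this post as an added example (it is not part of the lab download or of IOS). It assumes the subnet-to-colour mapping implied by the configs (green = 10.0.101.0/24, red = 10.0.100.0/24, outside/NAT subnet = 192.168.122.0/24), uses constructed host addresses, and only understands the `permit`/`deny`, `ip`, `host`, `any` and wildcard-mask forms that appear on this page (no ports or protocols). It also shows the difference the text mentions: a standard ACL matches on source only, so the standard Rule 1 on R2 would permit a green host to any destination out of that interface, whereas the extended RULE1 permits only green to red.

```python
"""Offline model of the three-rule ACL policy in the lab (added example).

Assumed mapping, inferred from the configs on the page:
  green   = 10.0.101.0/24
  red     = 10.0.100.0/24
  outside = 192.168.122.0/24 (the NAT subnet)
"""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care.
    It is the inverse of a subnet mask, so 0.0.0.255 means a /24."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _addr_spec(tok, i):
    """Consume one address spec at tok[i]; return (network, wildcard, next_index)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_ace(line: str) -> dict:
    """Parse the ACE shapes used on the page:
         access-list 1 permit 10.0.101.0 0.0.0.255 log          (numbered standard)
         permit ip 10.0.101.0 0.0.0.255 10.0.100.0 0.0.0.255 log (extended, named or numbered)
    A standard ACE has no destination, so it gets an implicit 'any' destination."""
    tok = line.split()
    if tok[0] == "access-list":          # numbered form: drop 'access-list <n>'
        tok = tok[2:]
    action = tok[0]
    if tok[1] == "ip":                   # extended: protocol, source, destination
        src, src_wc, i = _addr_spec(tok, 2)
        dst, dst_wc, _ = _addr_spec(tok, i)
    else:                                # standard: source only
        src, src_wc, _ = _addr_spec(tok, 1)
        dst, dst_wc = "0.0.0.0", "255.255.255.255"
    return {"action": action, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc, "log": tok[-1] == "log"}


def evaluate(acl: list, src: str, dst: str):
    """First matching ACE wins; no match falls through to the implicit deny any,
    which is never logged. Returns (action, logged)."""
    for ace in acl:
        if (wildcard_match(src, ace["src"], ace["src_wc"])
                and wildcard_match(dst, ace["dst"], ace["dst_wc"])):
            return ace["action"], ace["log"]
    return "deny", False


# The ACLs exactly as configured on the page.
R2_STANDARD = [parse_ace("access-list 1 permit 10.0.101.0 0.0.0.255 log")]     # R2 Gi3/0 out (toward red)
R3_STANDARD = [parse_ace("access-list 1 permit 192.168.122.0 0.0.0.255 log")]   # R3 Gi3/0 out (toward green)
R2_RULE1 = [parse_ace("permit ip 10.0.101.0 0.0.0.255 10.0.100.0 0.0.0.255 log")]
R3_RULE3 = [parse_ace("permit ip 192.168.122.0 0.0.0.255 10.0.101.0 0.0.0.255 log")]


def check_policy(toward_red: list, toward_green: list) -> dict:
    """Evaluate the three lab rules with constructed sample hosts."""
    green_host, red_host, outside_host = "10.0.101.10", "10.0.100.10", "192.168.122.10"
    return {
        "rule1_green_to_red": evaluate(toward_red, green_host, red_host)[0],
        "rule2_outside_to_red": evaluate(toward_red, outside_host, red_host)[0],
        "rule3_outside_to_green": evaluate(toward_green, outside_host, green_host)[0],
    }


if __name__ == "__main__":
    print("standard:", check_policy(R2_STANDARD, R3_STANDARD))
    print("extended:", check_policy(R2_RULE1, R3_RULE3))
    # Source-only matching: green to a non-red destination out of R2 Gi3/0
    print("standard, green->172.16.0.1:", evaluate(R2_STANDARD, "10.0.101.10", "172.16.0.1"))
    print("extended, green->172.16.0.1:", evaluate(R2_RULE1, "10.0.101.10", "172.16.0.1"))
```

Both variants return permit / deny / permit for Rules 1 to 3, which is why Rule 2 needs no ACE of its own. The last two lines are the practical reason to prefer the extended form: the standard ACL's verdict does not change when the destination does.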


Using extended ACLs:

To configure an extended ACL, use either the numbered form:

access-list <100-199> | <2000-2699>

or the named form (which also accepts a number in the same ranges):

ip access-list extended <name> | <100-199> | <2000-2699>