ACL ..... (continued)


5.3 CONFIGURATION AND EXPLANATION OF EXTENDED ACL WITH LAB

# Allow access from one contiguous IP address range to another; the trailing permit ip any any also allows every other packet (without it the ACL would end with the implicit deny)
Side_A(config-if)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Side_A(config-if)# access-list 101 permit ip any any
Side_A(config-if)# exit
Side_A(config)# interface fastethernet S 0/0
Side_A(config-if)# ip access-group 101 in
Side_A(config-if)# exit


# Permit TCP traffic from host 192.168.1.2 to host 192.168.2.2
Side_A(config-if)# access-list 101 permit tcp host 192.168.1.2 host 192.168.2.2
Side_A(config-if)# access-list 101 permit ip any any
Side_A(config-if)# exit


# Permit UDP traffic from host 192.168.1.2 to host 192.168.2.2
Side_A(config-if)# access-list 101 permit udp host 192.168.1.2 host 192.168.2.2
Side_A(config-if)# access-list 101 permit ip any any
Side_A(config-if)# exit


# Permit IP traffic from the 192.168.1.0 network to the 192.168.2.0 network
Side_A(config-if)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Side_A(config-if)# access-list 101 permit ip any any
Side_A(config-if)# exit


# Deny ICMP traffic from any network to any network, but permit all other IP traffic
Side_A(config-if)# access-list 101 deny icmp any any
Side_A(config-if)# access-list 101 permit ip any any
Side_A(config-if)# exit


# Permit telnet traffic from host 192.168.1.2 to host 192.168.2.2 (use ? after eq to list the port keywords)
Side_A(config-if)# access-list 101 permit tcp host 192.168.1.2 host 192.168.2.2 eq ?
telnet (22)
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
Side_A(config-if)# access-list 101 permit tcp host 192.168.1.2 host 192.168.2.2 eq telnet
Side_A(config-if)# access-list 101 permit ip any any
Side_A(config-if)# exit


# Permit www (HTTP) traffic from host 192.168.1.2 to host 192.168.2.2
Side_A(config-if)# access-list 101 permit tcp host 192.168.1.2 host 192.168.2.2 eq www
Side_A(config-if)# access-list 101 permit ip any any
Side_A(config-if)# exit



5.4 CONFIGURATION AND EXPLANATION OF NAMED ACL WITH LAB

# Permit IP traffic from host 192.168.1.2 to host 192.168.3.2
Side_A# configure terminal
Side_A(config)# ip access-list extended test
Side_A(config-ext-nacl)# permit ip host 192.168.1.2 host 192.168.3.2
Side_A(config-ext-nacl)# exit
Side_A(config)# interface fastethernet S 0/0
Side_A(config-if)# ip access-group test out
Side_A(config-if)# exit


# Permit www (HTTP) traffic from host 192.168.1.2 to host 192.168.3.2
Side_A(config)# ip access-list extended test
Side_A(config-ext-nacl)# permit tcp host 192.168.1.2 host 192.168.3.2 eq www
Side_A(config-ext-nacl)# exit
# Permit ICMP traffic from any network to any network
Side_A(config)# ip access-list extended test
Side_A(config-ext-nacl)# permit icmp any any
Side_A(config-ext-nacl)# exit


# Permit DNS traffic from host 192.168.1.2 to the 192.168.3.0 network
Side_A(config)# ip access-list extended test
Side_A(config-ext-nacl)# permit udp host 192.168.1.2 192.168.3.0 0.0.0.255 eq domain
Side_A(config-ext-nacl)# exit


# Deleted entries are removed from the ACL, and new entries are appended to the end of the ACL unless a sequence number is given
Side_A(config)# ip access-list extended test
# ACL entry deleted
Side_A(config-ext-nacl)#no permit tcp host 192.168.1.2 host 192.168.3.2 eq www
Side_A(config-ext-nacl)# exit


# ACL entry added
Side_A(config-ext-nacl)#permit gre host 192.168.1.2 host 192.168.3.2
Side_A(config-ext-nacl)# exit


# Add an entry to ACL 101 with sequence number 5, so it is evaluated before entries with higher sequence numbers
Side_A(config)# ip access-list extended 101
Side_A(config-ext-nacl)#5 deny tcp any any eq telnet
Side_A(config-ext-nacl)# exit


# How to remove an ACL from an interface
interface no ip access-group in|out
interface exit


# Disable fast switching on the interface involved; if fast switching is not disabled, debugging only shows the first packet of a flow
interface config interface
interface no ip route-cache


# Re-enable fast switching (route caching)
interface config interface
interface ip route-cache


# Named ACL to block all traffic except the telnet connection from 10.10.10.1 to host 192.168.3.2. Define the list before applying it with ip access-group: a referenced list that does not exist yet filters nothing, so all traffic passes until it is created.
Side_A# configure terminal
Side_A(config)# interface fastethernet S 0/0
Side_A(config-if)# ip address 10.10.10.1 255.0.0.0
Side_A(config-if)# ip access-group in_to_out in
Side_A(config)# ip access-list extended in_to_out
Side_A(config-ext-nacl)# permit tcp host 10.10.10.1 host 192.168.3.2 eq telnet
Side_A(config-ext-nacl)# exit


# Reflexive ACL: permit ICMP traffic outbound and inbound, and permit TCP traffic only for sessions initiated from the inside; all other traffic is denied
Side_A# configure terminal
Side_A(config)# ip reflexive-list timeout 120
Side_A(config)# interface fastethernet S 0/0
Side_A(config-if)# ip address 10.10.10.1 255.0.0.0
Side_A(config-if)# ip access-group inboundfilters in
Side_A(config-if)# ip access-group outboundfilters out
Side_A(config-if)# ip access-list extended inboundfilters
Side_A(config-if)# permit icmp 10.10.10.0 0.255.255.255 192.168.3.0 0.0.0.255
Side_A(config-if)# permit tcp 10.10.10.0 0.255.255.255 192.168.3.0 0.0.0.255 reflect tcptraffic
Side_A(config-if)# evaluate tcptraffic
Side_A(config-if)# exit


# Time-based ACL using a time range: a telnet connection is permitted from the inside network to the outside network on Monday, Wednesday and Friday during business hours
Side_A# configure terminal
Side_A(config)# interface fastethernet S 0/0
Side_A(config-if)# ip address 10.10.10.1 255.0.0.0
Side_A(config-if)#ip access-group 101 in
Side_A(config-if)# access-list 101 permit tcp 10.10.10.0 0.255.255.255 192.168.3.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY
Side_A(config)# time-range EVERYOTHERDAY
Side_A(config-if)# periodic Monday Wednesday Friday 8:00 to 17:00
Side_A(config-if)# exit


# Basic terms for lock-and-key (dynamic ACL)
I) Ten-minute idle timeout:
Side_A(config)# username test autocommand access-enable host timeout 10
Side_A(config)# interface fastethernet S 0/0
Side_A(config-if)# ip address 10.10.10.1 255.0.0.0
Side_A(config-if)#ip access-group 101 in
Side_A(config-if)# access-list 101 permit tcp any host 10.10.10.0 eq telnet
Side_A(config-if)# exit

II) 15-minute absolute timeout:
Side_A(config)# access-list 101 dynamic testlist timeout 15 permit ip 10.10.10.0 0.255.255.255 192.168.3.0 0.0.0.255
Side_A(config)# line vty 0 4
Side_A(config-line)# login local
Side_A(config-line)# exit


# Context-based access control (CBAC): the inbound ACL normally blocks all return traffic other than ICMP; CBAC inspection opens temporary holes for the return traffic of sessions initiated from the inside
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw tftp timeout 3600

Side_A# configure terminal
Side_A(config)# interface fastethernet S 0/0
Side_A(config-if)# ip address 10.10.10.1 255.0.0.0
Side_A(config-if)#ip access-group 101 in
Side_A(config-if)#ip inspect myfw out
Side_A(config-if)# access-list 101 permit icmp any 192.168.3.2 0.0.0.255
Side_A(config-if)# access-list 101 deny icmp any 192.168.3.2 0.0.0.255
Side_A(config-if)# exit


# Traffic-based debugging: restrict debug ip packet to packets between host 192.168.1.2 and host 192.168.3.2 by referencing ACL 199 (as written, the list matches only TCP between the two hosts)
Side_A# configure terminal
Side_A(config)# access-list 199 permit tcp host 192.168.1.2 host 192.168.3.2
Side_A(config)# access-list 199 permit tcp host 192.168.3.2 host 192.168.1.2
Side_A(config)# end
Side_A# debug ip packet 199 detail (IP packet debugging is on detailed for access list 199)

Troubleshooting:

Q. Which command shows the configured access lists?
Switch #show access-lists

Q. Which command shows only the IP access lists?
Switch #show ip access-lists





