Thursday, 9 January 2014

Access Lists (ACLs) — Cisco IOS lab exercises


Q-1 Allow every host to ping B, except A.









R1(config)#ip access-list extended ICMP-ALLOW
! A = 192.168.1.100, B = 192.168.2.100. The "echo" keyword matches only ICMP
! echo-request (the ping probe); echo-reply is not matched, so B can still
! ping A, and only A's outgoing probes towards B are affected.
R1(comfig-ext-nacl)#deny icmp host 192.168.1.100 host 192.168.2.100 echo
! Required: every IOS ACL ends with an implicit "deny ip any any". Without this
! line all other traffic arriving on f1/0 would be dropped, not just A's pings.
R1(comfig-ext-nacl)#permit ip any any

R1(config)#int f1/0
! f1/0 is 192.168.1.1/24, A's segment. Applied inbound, the ACL is evaluated
! on packets as they enter the router from that segment, i.e. before routing.
! The deny carries no "log" keyword, so blocked pings only show up as a match
! counter in "show access-lists".
R1(config-if)#ip access-group ICMP-ALLOW in

Q-2 Allow Telnet from A to B; deny Telnet to B from anyone else.

SW2(config)#ip access-list extended YYY
! First match wins, so the specific permit for A (192.168.1.100) -> B
! (192.168.2.100) must precede the broader deny below.
! "eq 23" only matches a destination port of 23; a Telnet daemon on any other
! port is not covered. Telnet itself is cleartext (credentials and the whole
! session are readable on the wire) -- outside a lab, replace it with SSH.
SW2(config-ext-nacl)#permit tcp host 192.168.1.100 host 192.168.2.100 eq 23
SW2(config-ext-nacl)#deny tcp any host 192.168.2.100 eq 23
! Keep an explicit permit-all so the implicit "deny any" does not cut off
! every other flow into VLAN 2.
SW2(config-ext-nacl)#permit ip any any
SW2(config-ext-nacl)#end

SW2(config)#int vlan 2
! "out" on the SVI filters packets that are routed out of Vlan2 into
! 192.168.2.0/24 (traffic arriving from other VLANs). Hosts that already sit
! in VLAN 2 reach B at Layer 2 without crossing the SVI, so this list does
! not stop them from telnetting to B.
SW2(config-if)#ip access-group YYY out
SW2(comfit-if)#end

SW2#sh access-lists
Extended IP access list YYY
    10 permit tcp host 192.168.1.100 host 192.168.2.100 eq telnet (59 matches)
    20 deny tcp any host 192.168.2.100 eq telnet (2 matches)
    30 permit ip any any

SW2#sh run int vlan 2
Building configuration...

Current configuration : 86 bytes
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group YYY out
end

PC_A(config)#line vty 0 4
! Lab-only credential. A line "password" is stored in clear text in the
! config ("service password-encryption" would only apply reversible Type 7).
! On real devices use per-user accounts ("username ... secret", "login local")
! and limit the lines to SSH ("transport input ssh"). This presumes the vty
! lines already carry "login" (the IOS default); without it the password is
! never asked for.
PC_A(config-line)#password cisco
PC_A(config-line)#end

Q-3 Allow only B and C to browse (HTTP, TCP/80) to D.

SW2(config)#ip access-list extended YYY
! Appended without explicit sequence numbers, these entries land at 40 and 50,
! i.e. *after* the existing "30 permit ip any any", so they are unreachable
! until 30 is moved (see below). Numbering them between 20 and 30 up front
! ("22 permit tcp ...", "24 deny tcp ...") would have avoided that.
! Only C (192.168.1.101) needs an entry: B (192.168.2.100) shares VLAN 2 with
! D (192.168.2.101), so B's web traffic is switched locally and is never
! evaluated by the outbound SVI ACL.
SW2(config-ext-nacl)#permit tcp host 192.168.1.101 host 192.168.2.101 eq 80
SW2(config-ext-nacl)#deny tcp any host 192.168.2.101 eq 80
SW2(config-ext-nacl)#end


SW2(config)#ip access-list extended YYY
! Move the permit-all to the bottom. Mind the window between these two
! commands: the ACL is still applied to Vlan2, and with 30 gone everything not
! matched by 10-50 is dropped by the implicit deny until 70 is added. On a
! production device add the new entry first, then remove the old one.
SW2(config-ext-nacl)#no 30 permit ip any any
SW2(config-ext-nacl)#70 permit ip any any
SW2(config-ext-nacl)#end

Extended IP access list YYY
    10 permit tcp host 192.168.1.100 host 192.168.2.100 eq telnet (59 matches)
    20 deny tcp any host 192.168.2.100 eq telnet (2 matches)
    40 permit tcp host 192.168.1.101 host 192.168.2.101 eq www
    50 deny tcp any host 192.168.2.101 eq www
    70 permit ip any any


Q-4 Allow A and D to Telnet to C; deny any other Telnet to C.

R1(config)#ip access-list extended ZZZ
! C = 192.168.1.101, D = 192.168.2.101. Only D gets an explicit permit: A
! (192.168.1.100) is on C's own segment, so A -> C never crosses R1 and is
! outside the reach of this ACL (which is why PC_A's Telnet below still works).
! "eq 23" matches destination port 23 only, and Telnet is cleartext -- SSH is
! the right choice outside a lab.
R1(config-ext-nacl)#permit tcp host 192.168.2.101 host 192.168.1.101 eq 23
R1(config-ext-nacl)#deny tcp any host 192.168.1.101 eq 23
! Explicit permit-all; otherwise the implicit deny would drop every other
! packet routed towards 192.168.1.0/24.
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#end

R1(config)#int f1/0
! Applied outbound on the 192.168.1.0/24 interface: evaluated on packets
! routed out towards C. B's denied attempt below reports "Destination
! unreachable", consistent with the router returning an ICMP unreachable for
! the ACL drop rather than silently discarding the SYN.
R1(config-if)#ip access-group ZZZ out
R1(config-if)#end

PC_C#conf t
PC_C(config)#line vty 0 4
! Lab-only credential, same caveat as on PC_A: a line "password" is stored in
! clear text (Type 7 via "service password-encryption" is reversible). Prefer
! "username ... secret" + "login local" and "transport input ssh" on real gear.
PC_C(config-line)#password cisco
PC_C(config-line)#end

PC_A#telnet 192.168.1.101
Trying 192.168.1.101 ... Open
User Access Verification
Password:
PC_C>exit
[Connection to 192.168.1.101 closed by foreign host]
PC_A#

PC_D#telnet 192.168.1.101
Trying 192.168.1.101 ... Open
User Access Verification
Password:
PC_C>exit
[Connection to 192.168.1.101 closed by foreign host]
PC_D#

PC_B>telnet 192.168.1.101
Trying 192.168.1.101 ...
% Destination unreachable; gateway or host down

Q-5 Allow only C to reach TCP port 8192 on network 192.168.2.0/24.

SW2(config)#ip access-list extended XXX
! Only C (192.168.1.101) may reach TCP/8192 anywhere in 192.168.2.0/24.
SW2 (config-ext-nacl)#permit tcp host 192.168.1.101 192.168.2.0 0.0.0.255 eq 8192       
! NOTE(review): unlike YYY and ZZZ there is no trailing "permit ip any any".
! The implicit deny therefore drops *every* other packet routed into VLAN 2
! (ICMP, Telnet, HTTP, ...), not just port 8192 -- almost certainly wider than
! the question asks for. Line 20 is also redundant with the implicit deny; it
! only buys a match counter (or a "log" keyword). If the intent is to restrict
! port 8192 alone, finish the list with "permit ip any any".
SW2 (config-ext-nacl)#deny tcp any 192.168.2.0 0.0.0.255 eq 8192
SW2 (config-ext-nacl)#end

SW2#conf t
SW2 (config)#int vlan 2
! An interface holds one IP ACL per direction, so this REPLACES YYY on Vlan2
! ("sh run int vlan 2" below lists only XXX). The Q-2/Q-3 Telnet and HTTP
! restrictions are no longer enforced; fold the XXX entries into YYY instead.
! The permitted host C then times out rather than getting "Destination
! unreachable" (compare Q-4), which points to nothing listening on 8192 at
! 192.168.2.100 rather than to an ACL drop -- worth confirming on B.
SW2 (config-if)#ip access-group XXX out
SW2 (config-if)#end

PC_C>en
PC_C#telnet 192.168.2.100 8192
Trying 192.168.2.100, 8192 ...
% Connection timed out; remote host not responding

SW2#sh run int vlan 2                   
Building configuration...

Current configuration : 86 bytes
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group XXX out
end

SW2#sh access-lists
Extended IP access list XXX
    10 permit tcp host 192.168.1.101 192.168.2.0 0.0.0.255 eq 8192
    20 deny tcp any 192.168.2.0 0.0.0.255 eq 8192
Extended IP access list YYY
    10 permit tcp host 192.168.1.100 host 192.168.2.100 eq telnet
    20 deny tcp any host 192.168.2.100 eq telnet
    40 permit tcp host 192.168.1.101 host 192.168.2.101 eq www
    50 deny tcp any host 192.168.2.101 eq www
    70 permit ip any any

R1#sh run int f1/0
Building configuration...

Current configuration : 144 bytes
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group ZZZ out
 speed 100
 full-duplex
end

R1#sh access-lists
Extended IP access list ICMP-ALLOW
    10 deny icmp host 192.168.1.100 host 192.168.2.100 echo
    20 permit ip any any (97 matches)
Extended IP access list ZZZ
    10 permit tcp host 192.168.2.101 host 192.168.1.101 eq telnet (31 matches)
    20 deny tcp any host 192.168.1.101 eq telnet (2 matches)
    30 permit ip any any