
Ing. Adriana Collaguazo

CCNA IV: Accessing WAN Technologies

Written Lab. Topic: Standard and Extended Access Control Lists


In this section, you will complete two labs. To complete these labs, you will need at least three routers.

Lab 1.1: Standard IP Access Lists
Lab 1.2: Extended IP Access Lists

All of the labs will use the following diagram for configuring the routers.

Lab 1.1: Standard IP Access Lists

In this lab, you will allow only packets from Host_B on network 172.16.30.0 to enter network 172.16.10.0.

1. Go to Lab_A and enter global configuration mode by typing config t.

2. From global configuration mode, type access-list ? to get a list of all the different access lists available.

3. Choose an access-list number that will allow you to create an IP standard access list. This is a number between 1 and 99 or between 1300 and 1399.

4. Choose to permit host 172.16.30.2, which is Host_B's address:

    Lab_A(config)#access-list 10 permit 172.16.30.2 ?
      A.B.C.D  Wildcard bits
      <cr>

   To specify only host 172.16.30.2, use the wildcard 0.0.0.0:

    Lab_A(config)#access-list 10 permit 172.16.30.2 0.0.0.0

5. Now that the access list is created, you must apply it to an interface to make it work:

    Lab_A(config)#int f0/0
    Lab_A(config-if)#ip access-group 10 out


6. Verify your access list with the following commands:

    Lab_A#sh access-list
    Standard IP access list 10
        permit 172.16.30.2
    Lab_A#sh run
    [output cut]
    interface FastEthernet0/0
     ip address 172.16.10.1 255.255.255.0
     ip access-group 10 out

7. Test your access list by pinging from Host_B (172.16.30.2) to Host_A (172.16.10.2).

8. Ping from Lab_B and Lab_C to Host_A (172.16.10.2); this should fail if your access list is correct.

Lab 1.2: Extended IP Access Lists

In this lab, you will use an extended IP access list to stop host 172.16.10.2 from creating a Telnet session to router Lab_B (172.16.20.2). However, the host should still be able to ping the Lab_B router. IP extended lists should be placed close to the source, so add the extended list on router Lab_A.

1. Remove any access lists on Lab_A and add an extended list to Lab_A.

2. Choose a number to create an extended IP list. IP extended lists use 100-199 or 2000-2699.

3. Use a deny statement. (You'll add a permit statement in step 7 to allow other traffic to still work.)

    Lab_A(config)#access-list 110 deny ?
      <0-255>  An IP protocol number
      ahp      Authentication Header Protocol
      eigrp    Cisco's EIGRP routing protocol
      esp      Encapsulation Security Payload
      gre      Cisco's GRE tunneling
      icmp     Internet Control Message Protocol
      igmp     Internet Gateway Message Protocol
      igrp     Cisco's IGRP routing protocol
      ip       Any Internet Protocol
      ipinip   IP in IP tunneling
      nos      KA9Q NOS compatible IP over IP tunneling
      ospf     OSPF routing protocol
      pcp      Payload Compression Protocol
      tcp      Transmission Control Protocol
      udp      User Datagram Protocol

4. Since you are going to deny Telnet, you must choose TCP as the Transport layer protocol:

    Lab_A(config)#access-list 110 deny tcp ?
      A.B.C.D  Source address
      any      Any source host
      host     A single source host

5. Add the source IP address you want to filter on, then add the destination host IP address. Use the host command instead of wildcard bits.

    Lab_A(config)#access-list 110 deny tcp host 172.16.10.2 host 172.16.20.2 ?
      ack          Match on the ACK bit
      eq           Match only packets on a given port number
      established  Match established connections
      fin          Match on the FIN bit
      fragments    Check fragments
      gt           Match only packets with a greater port number
      log          Log matches against this entry
      log-input    Log matches against this entry, including input interface
      lt           Match only packets with a lower port number
      neq          Match only packets not on a given port number
      precedence   Match packets with given precedence value
      psh          Match on the PSH bit
      range        Match only packets in the range of port numbers
      rst          Match on the RST bit
      syn          Match on the SYN bit
      tos          Match packets with given TOS value
      urg          Match on the URG bit
      <cr>

6. At this point, you can add the eq telnet command to filter host 172.16.10.2 from telnetting to 172.16.20.2. The log keyword can also be added at the end of the command so that whenever the access-list line is hit, a log message is generated on the console.

    Lab_A(config)#access-list 110 deny tcp host 172.16.10.2 host 172.16.20.2 eq telnet log

7. It is important to add this line next to create a permit statement. (Remember that 0.0.0.0 255.255.255.255 is the same as the any command.)

    Lab_A(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255


You must create a permit statement; if you just add a deny statement, nothing will be permitted at all. Please see the sections earlier in this chapter for more detailed information on the permit command.

8. Apply the access list inbound on FastEthernet0/0 of Lab_A to stop the Telnet traffic as soon as it hits the first router interface.

    Lab_A(config)#int f0/0
    Lab_A(config-if)#ip access-group 110 in
    Lab_A(config-if)#^Z

9. Try telnetting from host 172.16.10.2 to Lab_A using the destination IP address of 172.16.20.2. The following messages should be generated on Lab_A's console; however, the ping command should still work.

   From host 172.16.10.2:

    C:\>telnet 172.16.20.2

   On Lab_A's console, this should appear as follows:

    01:11:48: %SEC-6-IPACCESSLOGP: list 110 denied tcp 172.16.10.2(1030) -> 172.16.20.2(23), 1 packet
    01:13:04: %SEC-6-IPACCESSLOGP: list 110 denied tcp 172.16.10.2(1030) -> 172.16.20.2(23), 3 packets
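As an added example (not part of this lab handout), a small Python model of how IOS evaluates the two lists built in Lab 1.1 and Lab 1.2: wildcard-mask matching, first-match-wins, and the implicit deny that makes the permit line in step 7 necessary. ACL_10 and ACL_110 hold the page's own access-list lines; the parser, the evaluate function and any packets fed to it are constructed for this example.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")          # what the 'any' keyword expands to
PORT_NAMES = {"telnet": 23, "www": 80}        # IOS port keywords this parser understands

def wildcard_match(addr, base, wildcard):     # 0 bit = must match base, 1 bit = don't care
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def take_addr(tok):                           # consumes: any | host A.B.C.D | A.B.C.D wildcard
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tok.pop(0), "0.0.0.0")
    return (t, tok.pop(0) if tok else "0.0.0.0")   # IOS defaults a missing wildcard to 0.0.0.0

def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines; the number decides standard vs. extended."""
    entries = []
    for line in lines:
        tok = line.split()
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        if num <= 99 or 1300 <= num <= 1399:        # standard list: filters on source only
            entries.append({"action": action, "proto": "ip", "src": take_addr(rest),
                            "dst": ANY, "dport": None, "log": False})
            continue
        proto = rest.pop(0)                          # extended list: protocol, source, destination
        src, dst, dport = take_addr(rest), take_addr(rest), None
        if rest and rest[0] == "eq":                 # optional 'eq <port>' on tcp/udp entries
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst,
                        "dport": dport, "log": "log" in rest})
    return entries

def evaluate(entries, pkt):
    """Walk the list top-down; first match wins; no match hits the implicit 'deny any'."""
    for e in entries:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        return e["action"]
    return "deny"                                    # implicit deny at the end of every IOS ACL

# The two lists exactly as the lab configures them (Lab 1.1 and Lab 1.2 above).
ACL_10 = ["access-list 10 permit 172.16.30.2 0.0.0.0"]
ACL_110 = ["access-list 110 deny tcp host 172.16.10.2 host 172.16.20.2 eq telnet log",
           "access-list 110 permit ip any 0.0.0.0 255.255.255.255"]
```

Feeding ACL_110 without its permit line to evaluate shows the failure mode step 7 warns about: every packet, including the ping, falls through to the implicit deny.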