ACL practice

[Topology screenshot: Screenshot_2018-11-23_06-32-17]
Download lab here.
Beginning with the above topology, implement the following using only 3 ACLs:

  1. Allow access from green to red
  2. Block access from outside to red
  3. Allow outside to green (NAT subnet)*

*Due to multiple layers of NAT in my home network, outside users will not be able to see the internal subnets and therefore won't be able to access them.

Using standard ACLs (numbered):

Standard ACLs can only match on the source address, so placement does the rest of the work: each list is applied outbound on the interface facing the protected subnet, and the implicit deny at the end of every ACL drops anything not explicitly permitted. Two things to keep in mind: an outbound ACL does not filter packets the router itself originates, so OSPF on the same interface keeps running, and the log keyword generates a (rate-limited) syslog message for matching traffic, which is handy in a lab but adds CPU load on a busy interface.
Rule 1
On R2:

access-list 1 permit 10.0.101.0 0.0.0.255 log
!
interface GigabitEthernet3/0
 ip address 10.0.100.1 255.255.255.0
 ip access-group 1 out
 ip ospf 1 area 0
 negotiation auto
!

Rule 2
Covered by Rule 1: access-list 1 on R2 permits only the green subnet, so the implicit deny drops everything else headed for red, including the outside subnet 192.168.122.0/24.
Rule 3
On R3 (applied outbound toward green, so only the outside subnet is permitted in):

access-list 1 permit 192.168.122.0 0.0.0.255 log
!
interface GigabitEthernet3/0
 ip address 10.0.101.1 255.255.255.0
 ip access-group 1 out
 ip ospf 1 area 0
 negotiation auto
!

Caveat: ACLs are stateless. Applied this way, access-list 1 on R3 permits only 192.168.122.0/24 toward green, so replies from red (10.0.100.0/24) to hosts in green hit the implicit deny and the green-to-red sessions that rule 1 allows never complete. If rule 1 is to keep working, R3 also needs a permit entry for 10.0.100.0/24 toward green; rule 2 is still satisfied because the outside-to-red block lives on R2.
Using named ACLs (the extended form, so each entry can match on destination as well as source):

Rule 1:

ip access-list extended RULE1
 permit ip 10.0.101.0 0.0.0.255 10.0.100.0 0.0.0.255 log
interface GigabitEthernet3/0
 ip address 10.0.100.1 255.255.255.0
 ip access-group RULE1 out
 ip ospf 1 area 0
 negotiation auto
!

Rule 2:
Covered by rule 1 (implicit deny any at the end of the ACL).
Rule 3 (as with the standard version, this permits only the outside subnet toward green, so red's replies to green are dropped unless a second permit for 10.0.100.0/24 is added):

ip access-list extended RULE3
 permit ip 192.168.122.0 0.0.0.255 10.0.101.0 0.0.0.255 log
interface GigabitEthernet3/0
 ip address 10.0.101.1 255.255.255.0
 ip access-group RULE3 out
 ip ospf 1 area 0
 negotiation auto
!
Using extended ACLs (numbered):

To configure a numbered extended ACL, use either the classic one-line form:

access-list <100-199> | <2000-2699> permit|deny <protocol> <source> <source-wildcard> <destination> <destination-wildcard> [log]

or the named-ACL syntax with the number in place of a name, which lets you add and edit entries one per line:

ip access-list extended <100-199> | <2000-2699>
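As an added worked example (my own code, not from the lab or the page), the following Python script simulates how IOS evaluates the ACLs above against sample packets. It parses the numbered standard, numbered extended and named extended syntax used on this page, applies wildcard masks, evaluates top-down with first match and the implicit deny, and reports the verdict for each lab flow at the interface where its ACL is applied. The sample host addresses, the ACL 101 written as the extended numbered equivalent of RULE1, and the extra permit entry on R3 are assumptions constructed for the example; ports, established and log are not modelled.

```python
"""Added example (not from the page): simulate IOS ACL evaluation for this lab.
Models wildcard masks, top-down first match, the implicit 'deny any', and
standard (source-only) vs extended (protocol+source+destination) entries.
Ports, 'established' and 'log' are not modelled (they don't change these verdicts)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 255.255.255.255

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol), "tcp", "udp", "icmp", ...
    src: tuple[int, int]   # (network, wildcard) as 32-bit ints
    dst: tuple[int, int]   # ANY for standard ACL entries

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(t: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D [W.W.W.W]' at t[i]; return (spec, next i)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    try:  # explicit wildcard mask follows the address?
        return (_ip(t[i]), _ip(t[i + 1])), i + 2
    except (IndexError, ValueError):
        return (_ip(t[i]), 0), i + 1  # bare address == single host

def _match(addr: int, spec: tuple[int, int]) -> bool:
    """Wildcard mask: 0 bits must equal the network, 1 bits are don't-care."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care

def _ace(t: list[str], standard: bool) -> Ace:
    # t = ['permit'|'deny', <proto>?, <src>..., <dst>..., ...]
    if standard:
        src, _ = _addr(t, 1)
        return Ace(t[0], "ip", src, ANY)
    src, i = _addr(t, 2)
    dst, _ = _addr(t, i)
    return Ace(t[0], t[1], src, dst)

def parse_acls(config: str) -> dict[str, list[Ace]]:
    """Read 'access-list N ...' lines and 'ip access-list standard|extended NAME' blocks."""
    acls: dict[str, list[Ace]] = {}
    current, standard = None, False
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue  # blank line or IOS comment
        if t[0] == "access-list":
            n = int(t[1])  # 1-99 and 1300-1999 are standard; 100-199 and 2000-2699 extended
            acls.setdefault(t[1], []).append(_ace(t[2:], 1 <= n <= 99 or 1300 <= n <= 1999))
        elif t[:2] == ["ip", "access-list"]:
            current, standard = t[3], t[2] == "standard"
            acls.setdefault(current, [])
        elif t[0] in ("permit", "deny") and current is not None:
            acls[current].append(_ace(t, standard))
    return acls

def evaluate(acl: list[Ace], proto: str, src: str, dst: str) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and _match(s, ace.src) and _match(d, ace.dst):
            return ace.action
    return "deny"

# Constructed from the lab configs: ACL 1 is applied out on R2 Gi3/0 (toward red,
# 10.0.100.0/24); RULE3 out on R3 Gi3/0 (toward green, 10.0.101.0/24). ACL 101 is
# the extended numbered equivalent of the named RULE1.
R2_CONFIG = """
access-list 1 permit 10.0.101.0 0.0.0.255 log
access-list 101 permit ip 10.0.101.0 0.0.0.255 10.0.100.0 0.0.0.255 log
"""
R3_CONFIG = """
ip access-list extended RULE3
 permit ip 192.168.122.0 0.0.0.255 10.0.101.0 0.0.0.255 log
"""
# Assumed remedy (not on the page): also permit red's replies toward green.
R3_FIXED = R3_CONFIG + " permit ip 10.0.100.0 0.0.0.255 10.0.101.0 0.0.0.255\n"
GREEN, RED, OUTSIDE = "10.0.101.10", "10.0.100.10", "192.168.122.5"  # sample hosts

def lab_results() -> dict[str, str]:
    r2, r3, r3_fixed = parse_acls(R2_CONFIG), parse_acls(R3_CONFIG), parse_acls(R3_FIXED)
    return {
        "rule 1 green->red (R2 ACL 1)": evaluate(r2["1"], "tcp", GREEN, RED),
        "rule 2 outside->red (R2 ACL 1)": evaluate(r2["1"], "tcp", OUTSIDE, RED),
        "rule 3 outside->green (R3 RULE3)": evaluate(r3["RULE3"], "tcp", OUTSIDE, GREEN),
        "red->green reply (R3 RULE3)": evaluate(r3["RULE3"], "tcp", RED, GREEN),
        "red->green reply (R3 RULE3 fixed)": evaluate(r3_fixed["RULE3"], "tcp", RED, GREEN),
        "green->red (R2 ACL 101)": evaluate(r2["101"], "tcp", GREEN, RED),
    }
```

lab_results() returns permit/deny/permit for the three rules, shows the red-to-green reply being dropped by RULE3 as written (the stateless caveat) and permitted once the extra entry is added, and confirms that the extended numbered ACL 101 gives the same verdict as the named RULE1. Because only address matching is simulated, a real router with port-specific entries or established would need those fields added to Ace.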
