Addressing Table

Objectives

Part 1: Configure, Apply and Verify an Extended Numbered ACL

Part 2: Reflection Questions

Background / Scenario

In this scenario, devices on one LAN are allowed to remotely access devices in another LAN using the Telnet protocol. Besides ICMP, all traffic from other networks is denied.

Part 1: Configure, Apply and Verify an Extended Numbered ACL
Configure, apply and verify an ACL to satisfy the following policy:

· Telnet traffic from devices on the 10.101.117.32/28 network is allowed to devices on the 10.101.117.0/27 network.
· ICMP traffic is allowed from any source to any destination.
· All other traffic to 10.101.117.0/27 is blocked.
Step 1: Configure the extended ACL.

a. From the appropriate configuration mode on RTA, use the last valid extended access list number to configure the ACL. Use the following steps to construct the first ACL statement:

1) The last extended list number is 199 (numbered extended ACLs use the range 100-199, with 2000-2699 as the expanded range).

2) The protocol is TCP.

3) The source network is 10.101.117.32.

4) The wildcard can be determined by subtracting 255.255.255.240 from 255.255.255.255.

How to calculate the wildcard:

  255.255.255.255
- 255.255.255.240
-----------------
    0.  0.  0. 15

5) The destination network is 10.101.117.0.

6) The wildcard can be determined by subtracting 255.255.255.224 from 255.255.255.255.

How to calculate the wildcard:

  255.255.255.255
- 255.255.255.224
-----------------
    0.  0.  0. 31

7) The destination port is Telnet (TCP port 23), matched with the keyword eq telnet.

RTA(config)#access-list 199 permit tcp 10.101.117.32 0.0.0.15 10.101.117.0 0.0.0.31 eq telnet

b. ICMP is allowed, and a second ACL statement is needed. Use the same access list number to permit all ICMP traffic, regardless of the source or destination address. What is the second ACL statement? (Hint: Use the any keywords)

RTA(config)#access-list 199 permit icmp any any

c. All other IP traffic is denied by default: every IOS ACL ends with an implicit deny ip any any, so no third statement is needed. An explicit deny ip any any may still be added if you want show access-lists to count the denied packets, which the implicit entry does not.

Step 2: Apply the extended ACL.

The general rule is to place extended ACLs close to the source. However, since access list 199 affects traffic originating from both networks 10.101.117.48/29 and 10.101.117.32/28, the best placement for this ACL is on interface Gigabit Ethernet 0/2 in the outbound direction, the interface toward the 10.101.117.0/27 network that traffic from both sources must exit. Note that an outbound ACL does not filter traffic the router itself generates. What is the command to apply ACL 199 to the Gigabit Ethernet 0/2 interface?

RTA(config)#int gi0/2
RTA(config-if)#ip access-group 199 out

Step 3: Verify the extended ACL implementation.

a. Ping from PCB to all of the other IP addresses in the network. If the pings are unsuccessful, verify the IP addresses before continuing.

b. Telnet from PCB to SWC. The password is cisco.

c. Exit the Telnet session on SWC.

d. Ping from PCA to all of the other IP addresses in the network. If the pings are unsuccessful, verify the IP addresses before continuing.

e. Telnet from PCA to SWC. The access list on G0/2 drops the connection attempt: PCA is not in the 10.101.117.32/28 source network named in the Telnet permit statement, so the packet falls through to the implicit deny. (By default IOS answers a denied packet with an ICMP administratively prohibited unreachable; with no ip unreachables configured on the interface the client sees only a timeout.)

f. Telnet from PCA to SWB. The access list is placed on G0/2 and does not affect this connection.

g. After logging into SWB, do not log out. Telnet from SWB to SWC. The ACL inspects only the source address of the packets leaving G0/2, so this second hop is judged on SWB's address, not on PCA's: if SWB sits inside the permitted 10.101.117.32/28 network, the session reaches SWC even though PCA was refused in step e. A source-based ACL can be bypassed by pivoting through a permitted host, which is why such a policy should be paired with access controls on the intermediate device itself.

[Figure: Ping from LAN PCA to any LAN]
[Figure: Telnet from LAN PCB to SWC LAN]
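The following Python model is an added example and is not part of the original lab or Cisco's material. It reproduces Step 1 (deriving the wildcards and the two ACL 199 statements) and Step 3 (which verification attempts are permitted or denied) in code, so the first-match and implicit-deny behaviour can be checked before anything is typed on RTA. The host addresses PCA, PCB and SWC are assumptions chosen inside the networks the lab names, since the addressing table is not reproduced on this page.

```python
"""Model of ACL 199 from the lab: wildcard derivation, IOS rendering and
first-match evaluation against constructed sample packets.

Added example, not part of the original lab. Host addresses below are
assumptions chosen inside the networks the lab names."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

TELNET = 23  # the port that "eq telnet" expands to in IOS
ANY = ("0.0.0.0", "255.255.255.255")  # what the "any" keyword stands for


def wildcard_from_mask(mask: str) -> str:
    """Cisco wildcard = bitwise inverse of the subnet mask, i.e. 255.255.255.255 - mask."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same derivation starting from a /n prefix length."""
    return wildcard_from_mask(str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'do not care'; the 0 bits must equal the base."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None  # None when no "eq <port>" is given


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (
        ace.proto in ("ip", pkt.proto)
        and wildcard_match(pkt.src, ace.src, ace.src_wc)
        and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
        and (ace.dst_port is None or ace.dst_port == pkt.dst_port)
    )


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny ip any any."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def render_ios(number: int, acl: list[Ace]) -> list[str]:
    """Render each entry the way it is typed at RTA(config)#."""
    def field(base: str, wc: str) -> str:
        return "any" if (base, wc) == ANY else f"{base} {wc}"
    lines = []
    for ace in acl:
        line = (f"access-list {number} {ace.action} {ace.proto} "
                f"{field(ace.src, ace.src_wc)} {field(ace.dst, ace.dst_wc)}")
        if ace.dst_port is not None:
            line += " eq " + ("telnet" if ace.dst_port == TELNET else str(ace.dst_port))
        lines.append(line)
    return lines


# ACL 199 as the lab builds it: Telnet from the /28 to the /27, then ICMP from anywhere.
ACL_199 = [
    Ace("permit", "tcp", "10.101.117.32", wildcard_from_mask("255.255.255.240"),
        "10.101.117.0", wildcard_from_mask("255.255.255.224"), TELNET),
    Ace("permit", "icmp", *ANY, *ANY),
]

# Constructed sample hosts (assumed addresses inside the networks the lab names).
PCA = "10.101.117.51"  # a host in 10.101.117.48/29, not covered by the Telnet permit
PCB = "10.101.117.35"  # a host in 10.101.117.32/28, the permitted Telnet source
SWC = "10.101.117.2"   # a host in 10.101.117.0/27, reached through G0/2

# What Step 3 tries, modelled as packets leaving G0/2 toward the /27.
SAMPLE_TRAFFIC = {
    "PCB telnet SWC": Packet("tcp", PCB, SWC, TELNET),
    "PCA telnet SWC": Packet("tcp", PCA, SWC, TELNET),
    "PCA ping SWC": Packet("icmp", PCA, SWC),
    "PCB http SWC": Packet("tcp", PCB, SWC, 80),  # permitted source, wrong port
    "PCB dns SWC": Packet("udp", PCB, SWC, 53),   # protocol not listed at all
}


def verify_all() -> dict[str, str]:
    return {name: evaluate(ACL_199, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    print("\n".join(render_ios(199, ACL_199)))
    for name, verdict in verify_all().items():
        print(f"{name:16} -> {verdict}")
```

The model deliberately leaves out what IOS does on top of address and port matching: interface and direction (it only considers packets that would exit G0/2), TCP state keywords such as established, fragment handling, and the exemption of router-generated traffic. It is enough to reason about statement order, wildcard coverage and the implicit deny, which is where most ACL mistakes are made.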

By Admin

9 thoughts on “Configuring Extended ACLs – Scenario 2”
  1. Nice post. I learn something totally new and challenging on websites I stumble upon on a daily basis.
    It will always be useful to read articles from other writers and use a little something from their web
    sites.

  2. A fascinating discussion is definitely worth comment.

    There’s no doubt that you should publish more
    on this issue, it might not be a taboo subject but generally
    people don’t speak about such subjects. To the next!
    All the best!!

  3. I was recommended this blog by my cousin. I am not sure whether this post is written by him as nobody else knows such detail about my difficulty.
    You’re amazing! Thanks!

  4. I’ve been surfing online greater than three
    hours these days, but I by no means found any attention-grabbing article like yours.
    It is lovely worth sufficient for me. Personally, if all site owners and bloggers made excellent content
    material as you did, the internet will be a lot more useful
    than ever before.

  5. My brother suggested I would possibly like this blog.
    He used to be totally right. This put up truly made my
    day. You can’t imagine simply how much time I had spent for this information! Thank
    you!

  6. We are a group of volunteers and opening a new scheme in our community.

    Your site provided us with valuable info to work on. You have done a formidable
    job and our whole community will be thankful to you.

  7. When I originally commented I clicked the “Notify me when new comments are added”
    checkbox and now each time a comment is added I get four emails with the same comment.

    Is there any way you can remove me from that service?

    Thanks a lot!

  8. Hi there I am so delighted I found your weblog, I really found you by accident, while
    I was researching on Bing for something else, Anyhow I am here now
    and would just like to say kudos for a remarkable post and a
    an all-round interesting blog (I also love the
    theme/design), I don’t have time to go through it all at the minute but I have saved
    it and also added in your RSS feeds, so when I have time
    I will be back to read a great deal more, Please do keep up the excellent job.
