Configuring ACLs
In this section, we will learn how to configure both standard and extended ACLs. The topology diagram shown below shows the lab we will be using in our configuration. Part 1 of this section will focus on standard access lists and Part 2 will focus on extended ACLs.
In the topology shown below, there are three routers and six LANs. The task is to configure ACLs according to the requirements and security policies of the organization.
The IP addressing scheme is shown in the table below for all the devices in the network.
In this scenario, we are supposed to use both standard and extended ACLs.
Ensure that all devices can communicate on the network before proceeding.
The first scenario requires that we configure standard ACLs to limit traffic based on the following policies.
1. Hosts on network 192.168.1.0/26 should not be able to access the HTTPS server located
on network 192.168.3.0/30 but they can access all other networks.
2. Only hosts on network 192.168.30.0/24 should be able to access network
172.16.2.128/25.
3. Hosts on 192.168.1.128/26 should only be able to access the 192.168.1.0/26 network.
4. PC D located on network 172.16.2.131/25 should not be able to access PC E.
Configuration commands
The access-list global configuration command defines a standard ACL with a number in the range of 1 to 99.
The full syntax of the standard ACL command to filter a specific host is as follows:
Or
The fourth command is used to apply the access list to the appropriate interface. As we mentioned earlier, there are two places we can apply ACLs: inbound or outbound. This command is issued in interface configuration mode, as shown below.
Task 1. Hosts on network 192.168.1.0/26 should not be able to access the HTTPS server located
on network 192.168.3.0/30 but they can access all other networks.
The standard ACL should block traffic from this network to 192.168.3.0 only; all other traffic should be allowed. Taking into consideration the rules for placing ACLs, we will configure this ACL as close to the HTTPS server as possible. This means that the ACL will be applied on the outbound interface facing the HTTPS server, which is fa0/0 on R3.
The first command will block traffic from 192.168.1.0/26 from reaching the HTTPS server; it is configured on R3 as shown below.
The second command allows all other networks to access this network. Applying this ACL without a permit statement would block all traffic, because every ACL ends with an implicit deny all.
The third and final step of Task 1 is to apply this access list to the outbound interface, which is fa0/0 on R3, in the outbound direction as shown below.
When this command is executed, traffic from network 192.168.1.0/26 will not be able to reach the HTTPS server on the 192.168.3.0/30 network, but all other hosts in the network will be able to.
Task 2. Only hosts on network 192.168.30.0/24 should be able to access network 172.16.2.128/25.
The standard ACL should allow traffic from 192.168.30.0/24 only to access 172.16.2.128/25.
The only command needed is a permit ACL entry for the specified traffic to access the 172.16.2.128/25 network. This is configured on R2 and applied outbound on the fa0/1 interface. The implicit deny all will block all other traffic from reaching this network. The commands needed to achieve this are shown below.
When these commands are executed, traffic from 192.168.30.0/24 will be allowed to access the 172.16.2.128/25 network, while all other traffic will be blocked.
Task 3. Hosts on 192.168.1.128/26 should only be able to access the 192.168.1.0/26 network.
This task means that traffic from the 192.168.1.128/26 network should be confined to R1; that is, this traffic must be blocked from going past this router.
We use a deny statement to stop this traffic from reaching other networks, followed by a permit statement for all other traffic. This ACL is applied outbound on the serial interfaces of R1 only.
This limits users on 192.168.1.128/26 to the 192.168.1.0/26 network only, while users in the 192.168.1.0/26 network are still able to access networks beyond R1.
Task 4. PC D located on network 172.16.2.131/25 should not be able to access PC E.
This configuration is aimed at limiting access for only one host. To do this, we apply the access list on R3: we block PC D, with the IP address 172.16.2.131, from accessing PC A (192.168.30.2). In doing so, we must not break any existing policy; in other words, we must still follow the intentions of Task 2.
To accomplish this, we use a command that denies this host while still allowing PC C. The commands are executed on R3 as shown below.
Allow all other hosts on network 172.16.2.128/25 to access network 192.168.30.0/24 while making sure that no policy is broken.
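The following Python model is an added illustration, not part of this lesson or a Cisco tool. It covers the command syntax and interface application described earlier, the four tasks above, and the wildcard-mask rule: it parses standard access-list lines of the form the text describes, evaluates a source address top-down with first-match-wins and the implicit deny all, and renders the matching `ip access-group` interface command. The access-list lines for each task, the serial interface name `s0/0/0` on R1, the fa0/1 interface on R3 and the sample host addresses are assumptions made for this example; only the 192.168.x.x and 172.16.2.x networks come from the tasks.

```python
"""Model of Cisco IOS standard ACL semantics: wildcard-mask matching,
top-down first-match evaluation and the implicit 'deny any' at the end.
Added example; the access-list lines below are assumed commands for
Tasks 1-4, not the lesson's own listing."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is 'don't care' (the bitwise inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def parse_standard_acl(lines):
    """Parse 'access-list <1-99> {permit|deny} {any | host A | A [W]}' lines
    into (number, action, network, wildcard) tuples, preserving order.
    A missing wildcard defaults to 0.0.0.0 (single host), as IOS does."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or not 1 <= int(tok[1]) <= 99:
            raise ValueError(f"not a standard ACL line: {line!r}")
        number, action = int(tok[1]), tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if tok[3] == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif tok[3] == "host":
            net, wc = tok[4], "0.0.0.0"
        else:
            net, wc = tok[3], (tok[4] if len(tok) > 4 else "0.0.0.0")
        entries.append((number, action, net, wc))
    return entries


def evaluate(entries, src_ip: str) -> str:
    """Standard ACLs look only at the source address. First match wins;
    if nothing matches, the implicit deny at the end applies."""
    for _number, action, net, wc in entries:
        if wildcard_match(src_ip, net, wc):
            return action
    return "deny"


# Assumed commands for the four tasks (constructed for this example), keyed
# by the router, interface and direction the ACL is applied to.
ACLS = {
    # Task 1: R3 fa0/0 out, facing the HTTPS server on 192.168.3.0/30
    ("R3", "fa0/0", "out"): [
        "access-list 1 deny 192.168.1.0 0.0.0.63",
        "access-list 1 permit any",
    ],
    # Task 2: R2 fa0/1 out, facing 172.16.2.128/25; implicit deny does the rest
    ("R2", "fa0/1", "out"): [
        "access-list 2 permit 192.168.30.0 0.0.0.255",
    ],
    # Task 3: R1 serial interface out (s0/0/0 assumed); 192.168.1.128/26 stays behind R1
    ("R1", "s0/0/0", "out"): [
        "access-list 3 deny 192.168.1.128 0.0.0.63",
        "access-list 3 permit any",
    ],
    # Task 4: R3 fa0/1 out (assumed), facing 192.168.30.0/24. 'permit any' rather
    # than permitting only 172.16.2.128/25 keeps Task 1's "all other networks"
    # promise for 192.168.1.0/26 intact.
    ("R3", "fa0/1", "out"): [
        "access-list 4 deny host 172.16.2.131",
        "access-list 4 permit any",
    ],
}


def decision(router, iface, direction, src_ip):
    """Verdict of the ACL applied at (router, iface, direction) for src_ip."""
    return evaluate(parse_standard_acl(ACLS[(router, iface, direction)]), src_ip)


def render_config(router, iface, direction):
    """Full IOS snippet for one applied ACL: access-list lines in global
    configuration, then 'ip access-group <n> <in|out>' under the interface."""
    lines = ACLS[(router, iface, direction)]
    number = lines[0].split()[1]
    return "\n".join(lines + [f"interface {iface}", f" ip access-group {number} {direction}"])


def check_policies():
    """Constructed sample hosts run against each applied ACL."""
    return {
        "task1_lan_blocked": decision("R3", "fa0/0", "out", "192.168.1.10"),
        "task1_other_allowed": decision("R3", "fa0/0", "out", "192.168.30.2"),
        "task2_allowed": decision("R2", "fa0/1", "out", "192.168.30.2"),
        "task2_implicit_deny": decision("R2", "fa0/1", "out", "192.168.1.10"),
        "task3_blocked": decision("R1", "s0/0/0", "out", "192.168.1.130"),
        "task3_lower_half_ok": decision("R1", "s0/0/0", "out", "192.168.1.10"),
        "task4_pcd_blocked": decision("R3", "fa0/1", "out", "172.16.2.131"),
        "task4_pcc_allowed": decision("R3", "fa0/1", "out", "172.16.2.130"),
        "task4_task1_lan_still_ok": decision("R3", "fa0/1", "out", "192.168.1.10"),
    }


if __name__ == "__main__":
    for key in ACLS:
        print(render_config(*key), end="\n\n")
    for name, verdict in check_policies().items():
        print(f"{name}: {verdict}")
```

Running the block prints each router's configuration snippet and the verdict for every sample host. Note how Task 2's single permit line relies entirely on the implicit deny, and how the Task 4 list is ordered: the host deny must come before the permit, because evaluation stops at the first matching line.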
NOTE: to be effective at configuring ACLs, make it a habit to write down the commands you will use, in sequential order, in a program such as Notepad before executing them on the routers. This helps ensure that the commands you use are correct.
The use of the wildcard mask is essential in ACLs and a MUST. If you have forgotten this concept, review the chapters that discuss the use of wildcard masks.