Objective
Configure an Extended Access Control List (ACL) to permit or deny specific types of traffic (like HTTP, ICMP, Telnet) between sources and destinations based on IP addresses and ports.
Lab Topology
| Device | Interface | IP Address | Subnet Mask | Description |
|---|---|---|---|---|
| R1 | GigabitEthernet0/0 | 192.168.10.1 | 255.255.255.0 | LAN Network (Source) |
| R1 | GigabitEthernet0/1 | 10.0.0.1 | 255.255.255.0 | Server Network (Destination) |
| LAN PC1 | NIC | 192.168.10.10 | 255.255.255.0 | Inside Host trying to reach Server |
| Web/ICMP Server | NIC | 10.0.0.10 | 255.255.255.0 | Target Server (HTTP & ICMP blocked) |
Task 1 - Basic Configuration
Apply hostname and disable DNS lookup on the router.
```
Router> enable
Router# configure terminal
Router(config)# hostname R1
R1(config)# no ip domain-lookup
```
Task 2 - Interface IP Addressing
Configure the interfaces leading to the LAN (Source) and Server (Destination).
```
R1(config)# interface GigabitEthernet0/0
R1(config-if)# description "LAN Network"
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# description "Server Network"
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
```
Task 3 - Configure Extended ACL
Create an Extended ACL to deny HTTP and Ping (ICMP) from the LAN to the Server (10.0.0.10), but permit everything else.
```
R1(config)# ip access-list extended BLOCK_WEB_PING
R1(config-ext-nacl)# deny tcp 192.168.10.0 0.0.0.255 host 10.0.0.10 eq 80
R1(config-ext-nacl)# deny icmp 192.168.10.0 0.0.0.255 host 10.0.0.10 echo
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
```
Task 4 - Apply Extended ACL to Interface
Apply the Extended ACL inbound on the LAN interface (closest to the source).
```
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group BLOCK_WEB_PING in
R1(config-if)# exit
```
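To see what the Task 3 entries and the Task 4 placement actually do to traffic, here is a small Python model of how IOS evaluates an extended ACL. This is an added example, not part of the lab and not Cisco code: it implements wildcard-mask matching, top-down first-match evaluation, the implicit deny at the end of every ACL, and the interface/direction binding, and nothing else (no established-flag handling, no logging, no stateful inspection). The packet fields, the `Packet`/`Entry` classes and the sample packets are all constructed for the example.

```python
# Added example (not part of the lab, not Cisco IOS code): a minimal model of
# how IOS evaluates an extended ACL, used to exercise BLOCK_WEB_PING against
# sample packets. Modelled: wildcard-mask matching, top-down first match, the
# implicit deny, and the per-interface/direction binding from Task 4.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: str                         # network address, or "any"
    src_wild: str                    # wildcard mask ("0.0.0.0" == host)
    dst: str
    dst_wild: str
    dport: Optional[int] = None      # "eq <port>" for tcp/udp
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w            # bits that must be equal
    return (a ^ n) & care == 0


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wild):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wild):
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return True


def evaluate(acl, p: Packet):
    """Top-down: the first matching entry decides. Anything unmatched hits
    the implicit 'deny ip any any' that ends every IOS ACL."""
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None


# BLOCK_WEB_PING as defined in Task 3, with the sequence numbers that
# 'show ip access-lists' assigns.
BLOCK_WEB_PING = [
    Entry(10, "deny", "tcp", "192.168.10.0", "0.0.0.255", "10.0.0.10", "0.0.0.0", dport=80),
    Entry(20, "deny", "icmp", "192.168.10.0", "0.0.0.255", "10.0.0.10", "0.0.0.0", icmp_type="echo"),
    Entry(30, "permit", "ip", "any", "", "any", ""),
]

# Task 4 placement: bound inbound on the LAN-facing interface only.
BINDINGS = {("GigabitEthernet0/0", "in"): BLOCK_WEB_PING}


def forward(interface: str, direction: str, p: Packet, bindings=BINDINGS):
    """Decision for a packet crossing `interface` in `direction`; an
    interface/direction with no ACL bound simply forwards."""
    acl = bindings.get((interface, direction))
    if acl is None:
        return "permit", None
    return evaluate(acl, p)


if __name__ == "__main__":
    pc1, srv = "192.168.10.10", "10.0.0.10"   # constructed sample hosts from the topology
    cases = [
        ("HTTP PC1->server", "GigabitEthernet0/0", "in", Packet(pc1, srv, "tcp", dport=80)),
        ("HTTPS PC1->server", "GigabitEthernet0/0", "in", Packet(pc1, srv, "tcp", dport=443)),
        ("ping PC1->server", "GigabitEthernet0/0", "in", Packet(pc1, srv, "icmp", icmp_type="echo")),
        ("ping PC1->other host", "GigabitEthernet0/0", "in", Packet(pc1, "10.0.0.20", "icmp", icmp_type="echo")),
        ("echo-reply server->PC1", "GigabitEthernet0/1", "in", Packet(srv, pc1, "icmp", icmp_type="echo-reply")),
    ]
    for label, ifc, dirn, pkt in cases:
        print(f"{label:24} {forward(ifc, dirn, pkt)}")
```

Running it shows two points the lab text only implies: the ACL denies TCP port 80 only, so HTTPS (443) from PC1 still reaches the server under entry 30, and return traffic entering GigabitEthernet0/1 is never inspected because nothing is bound there. Dropping the `permit ip any any` entry (evaluate `BLOCK_WEB_PING[:2]`) makes every other flow fall through to the implicit deny, which is the usual cause of "the ACL blocks everything" after a misconfiguration.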
Task 5 - Verification Commands
Check the configured access list and verify that it has been applied inbound on the correct interface.
```
R1# show ip access-lists
Extended IP access list BLOCK_WEB_PING
    10 deny tcp 192.168.10.0 0.0.0.255 host 10.0.0.10 eq www
    20 deny icmp 192.168.10.0 0.0.0.255 host 10.0.0.10 echo
    30 permit ip any any
R1# show ip interface gigabitethernet 0/0
...
  Outgoing access list is not set
  Inbound  access list is BLOCK_WEB_PING
...
```