Level 2: Network Security

Extended Numbered ACLs Lab

Configuring and Applying Extended Numbered ACLs Inbound

Objective

The objective of this lab exercise is for you to learn and understand how to create and apply extended numbered Access Control Lists. Configuring and applying extended ACLs is a fundamental skill. Extended ACLs filter on source and destination address as well as on protocol and Layer 4 (TCP and UDP) port numbers, which is why they should be applied as close to the source of the traffic as possible.

Lab Topology

[Figure: Numbered ACL Topology]

Device  Interface            IP Address   Subnet Mask            Description
R1      GigabitEthernet0/0   172.16.1.1   255.255.255.192        Link to R3
R3      GigabitEthernet0/0   172.16.1.2   255.255.255.192        Link to R1
R3      Loopback10           10.10.10.3   255.255.255.128 (/25)  Network 10.10.10.0
R3      Loopback20           10.20.20.3   255.255.255.240 (/28)  Network 10.20.20.0
R3      Loopback30           10.30.30.3   255.255.255.248 (/29)  Network 10.30.30.0

Task 1 - Basic Initialization

Configure the hostnames on routers R1 and R3 as illustrated in the topology.

Router> enable
Router# configure terminal
Router(config)# hostname R1

Router> enable
Router# configure terminal
Router(config)# hostname R3

Task 2 - Interface Configurations

Configure the IP addresses on the GigabitEthernet interfaces of R1 and R3.

R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip address 172.16.1.1 255.255.255.192
R1(config-if)# no shutdown
R1(config-if)# exit

R3(config)# interface gigabitEthernet 0/0
R3(config-if)# ip address 172.16.1.2 255.255.255.192
R3(config-if)# no shutdown
R3(config-if)# exit

Task 3 - Routing and Loopbacks

Configure a static default route on R1 pointing to R3 over the GigabitEthernet connection, and a static default route on R3 pointing to R1 over the same link. Then configure the Loopback interfaces on R3.

R1(config)# ip route 0.0.0.0 0.0.0.0 gigabitEthernet 0/0 172.16.1.2
R3(config)# ip route 0.0.0.0 0.0.0.0 gigabitEthernet 0/0 172.16.1.1

R3(config)# interface loopback 10
R3(config-if)# ip address 10.10.10.3 255.255.255.128
R3(config-if)# exit
R3(config)# interface loopback 20
R3(config-if)# ip address 10.20.20.3 255.255.255.240
R3(config-if)# exit
R3(config)# interface loopback 30
R3(config-if)# ip address 10.30.30.3 255.255.255.248
R3(config-if)# exit

Task 4 - Testing Base Connectivity

To test connectivity, ping R1 from R3's physical interface and from the various Loopbacks.

R3# ping 172.16.1.1
R3# ping 172.16.1.1 source loopback 10
R3# ping 172.16.1.1 source loopback 20
R3# ping 172.16.1.1 source loopback 30

Task 5 - Telnet Access & Passwords

Configure both R1 and R3 to allow Telnet connections using CISCO as the password, and an enable secret of CISCO.

R1(config)# enable secret CISCO
R1(config)# line vty 0 4
R1(config-line)# password CISCO
R1(config-line)# login
R1(config-line)# exit

R3(config)# enable secret CISCO
R3(config)# line vty 0 4
R3(config-line)# password CISCO
R3(config-line)# login
R3(config-line)# exit

Task 6 - Configure Numbered Extended ACL

Configure a numbered extended ACL (150) on R1 to allow Telnet from R3 Loopback10 and Loopback30. Explicitly deny Telnet from R3 Loopback20 but allow Ping traffic. Apply this ACL inbound on R1 Gi0/0.

R1(config)# access-list 150 remark 'Allow Telnet For R3 Loopback10'
R1(config)# access-list 150 permit tcp 10.10.10.0 0.0.0.127 any eq telnet
R1(config)# access-list 150 remark 'Deny Telnet For R3 Loopback20'
R1(config)# access-list 150 deny tcp 10.20.20.0 0.0.0.15 any eq telnet
R1(config)# access-list 150 remark 'Allow Telnet For R3 Loopback30'
R1(config)# access-list 150 permit tcp 10.30.30.0 0.0.0.7 any eq telnet
R1(config)# access-list 150 remark 'Allow PING For R3 Loopback20'
R1(config)# access-list 150 permit icmp 10.20.20.0 0.0.0.15 any echo

R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip access-group 150 in
R1(config-if)# exit

Task 7 - Verification

Telnet and Ping to R1 from the various R3 loopback interfaces to verify your ACL is performing correctly.

Tip: IOS displays well-known port numbers in extended ACL entries as keyword aliases. When you check the ACL, notice that the port 23 you may have typed is shown as 'telnet'.

R1# show ip access-lists 150
Extended IP access list 150
    10 permit tcp 10.10.10.0 0.0.0.127 any eq telnet
    20 deny tcp 10.20.20.0 0.0.0.15 any eq telnet
    30 permit tcp 10.30.30.0 0.0.0.7 any eq telnet
    40 permit icmp 10.20.20.0 0.0.0.15 any echo

R3# telnet 172.16.1.1 /source-interface loopback 10 ! (Successful)
R3# telnet 172.16.1.1 /source-interface loopback 20 ! (Unreachable - Admin Prohibited)
R3# telnet 172.16.1.1 /source-interface loopback 30 ! (Successful)

R3# ping 172.16.1.1 source loopback 20 ! (Successful due to permit icmp)
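To make the matching rules behind Task 6 and the Task 7 results concrete, here is an added Python model of how R1 evaluates ACL 150 (this is example code written for this page, not Cisco software or part of the lab). It parses the exact access-list lines configured above, applies each entry's wildcard mask (a 1 bit means "don't care"), stops at the first matching entry, and falls through to the implicit deny when nothing matches. The packet descriptions and the 172.16.1.2 test case are constructed for the example; they reproduce the four results shown in Task 7 and also show a consequence the lab output does not print: with only these four entries applied inbound, echo requests from Loopback10 and Loopback30, and any traffic sourced from R3's physical interface, are dropped by the implicit deny.

```python
"""Added example: evaluator for IOS-style extended numbered ACLs (not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the well-known port aliases IOS accepts and displays in ACL entries.
PORT_ALIASES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53, "ftp": 21}


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]     # "eq <port>" on tcp/udp, else None
    icmp_type: Optional[str]    # e.g. "echo" on icmp, else None


def _take_address(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the front of tokens."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF            # wildcard all ones: every address matches
    if word == "host":
        return ip_int(tokens.pop(0)), 0  # wildcard all zeros: exact match
    return ip_int(word), ip_int(tokens.pop(0))


def parse_acl(config: str, number: int) -> list:
    """Return the entries of access-list <number> in configured order, numbered 10, 20, ... as IOS does."""
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or len(tokens) < 4 or tokens[2] == "remark":
            continue                     # remarks are documentation only; they never match traffic
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src_net, src_wild = _take_address(rest)
        dst_net, dst_wild = _take_address(rest)
        dst_port = icmp_type = None
        if rest and rest[0] == "eq":
            port = rest[1]
            dst_port = PORT_ALIASES.get(port, int(port) if port.isdigit() else None)
        elif rest and proto == "icmp":
            icmp_type = rest[0]
        aces.append(Ace(10 * (len(aces) + 1), action, proto,
                        src_net, src_wild, dst_net, dst_wild, dst_port, icmp_type))
    return aces


def wildcard_match(addr: int, net: int, wild: int) -> bool:
    """Only the bits where the wildcard is 0 have to equal the network address."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces: list, proto: str, src: str, dst: str,
             dst_port: Optional[int] = None, icmp_type: Optional[str] = None) -> tuple:
    """First matching entry decides; unmatched traffic hits the implicit 'deny ip any any'."""
    src_i, dst_i = ip_int(src), ip_int(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src_i, ace.src_net, ace.src_wild)
                and wildcard_match(dst_i, ace.dst_net, ace.dst_wild)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, ace.seq
    return "deny", None                  # implicit deny: no sequence number to report


# ACL 150 exactly as typed on R1 in Task 6, with the prompts removed.
ACL_150 = """
access-list 150 remark 'Allow Telnet For R3 Loopback10'
access-list 150 permit tcp 10.10.10.0 0.0.0.127 any eq telnet
access-list 150 remark 'Deny Telnet For R3 Loopback20'
access-list 150 deny tcp 10.20.20.0 0.0.0.15 any eq telnet
access-list 150 remark 'Allow Telnet For R3 Loopback30'
access-list 150 permit tcp 10.30.30.0 0.0.0.7 any eq telnet
access-list 150 remark 'Allow PING For R3 Loopback20'
access-list 150 permit icmp 10.20.20.0 0.0.0.15 any echo
"""
ACES = parse_acl(ACL_150, 150)


def lab_results() -> dict:
    """The Task 7 tests plus two constructed cases the lab output does not show."""
    r1 = "172.16.1.1"
    return {
        "telnet from Lo10": evaluate(ACES, "tcp", "10.10.10.3", r1, dst_port=23),
        "telnet from Lo20": evaluate(ACES, "tcp", "10.20.20.3", r1, dst_port=23),
        "telnet from Lo30": evaluate(ACES, "tcp", "10.30.30.3", r1, dst_port=23),
        "ping from Lo20": evaluate(ACES, "icmp", "10.20.20.3", r1, icmp_type="echo"),
        "ping from Lo10": evaluate(ACES, "icmp", "10.10.10.3", r1, icmp_type="echo"),
        "telnet from Gi0/0": evaluate(ACES, "tcp", "172.16.1.2", r1, dst_port=23),
    }


if __name__ == "__main__":
    for name, (action, seq) in lab_results().items():
        print(f"{name:18s} -> {action} (seq {seq if seq else 'implicit deny'})")
```

Run it and compare the output with the Task 7 session: the first four lines match the lab, and the last two illustrate why a production ACL usually ends with an explicit entry (often a logged deny) so that dropped traffic is visible rather than silently absorbed by the implicit deny.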