Objectives

This challenge involves the configuration of an extended ACL. The objectives of this challenge are to:

  • Define an extended ACL.
  • Define a host to be allowed.
  • Define a host to be denied.
  • Define a network to be allowed.
  • Define a network to be denied.
  • Permit everything else.
  • Apply the ACL to E0.

    Sample

    > en
    # config t
    (config)# access-list 105 permit tcp host 208.89.101.4 host 41.153.91.2 eq ftp
    (config)# access-list 105 deny tcp host 197.119.92.8 host 144.98.220.6 eq ftp
    (config)# access-list 105 permit tcp 100.120.83.0 0.255.255.255 71.252.23.0 0.255.255.255 eq ftp
    (config)# access-list 105 deny tcp 35.208.170.0 0.255.255.255 184.124.8.0 0.255.255.255 eq ftp
    (config)# access-list 105 permit tcp any any
    (config)# int e0
    (config-if)# ip access-group 105 in

    Example

    > en
    # config t
    (config)# access-list 105 ?
      deny     Specify packets to reject
      dynamic  Specify a DYNAMIC list of PERMITs or DENYs
      permit   Specify packets to forward
      remark   Access list entry comment
    (config)# access-list 105 permit ?
      <0-255>  An IP protocol number
      ahp      Authentication Header Protocol
      eigrp    Cisco's EIGRP routing protocol
      esp      Encapsulation Security Payload
      gre      Cisco's GRE tunneling
      icmp     Internet Control Message Protocol
      igmp     Internet Gateway Message Protocol
      igrp     Cisco's IGRP routing protocol
      ip       Any Internet Protocol
      ipinip   IP in IP tunneling
      nos      KA9Q NOS compatible IP over IP tunneling
      ospf     OSPF routing protocol
      pcp      Payload Compression Protocol
      pim      Protocol Independent Multicast
      tcp      Transmission Control Protocol
      udp      User Datagram Protocol
    (config)# access-list 105 permit tcp host 208.89.101.4 host 41.153.91.2 eq ftp
    (config)# access-list 105 deny tcp host 197.119.92.8 host 144.98.220.6 eq ftp
    (config)# access-list 105 permit tcp 100.120.83.0 0.255.255.255 71.252.23.0 0.255.255.255 eq ftp
    (config)# access-list 105 deny tcp 35.208.170.0 0.255.255.255 184.124.8.0 0.255.255.255 eq ftp
    (config)# access-list 105 ?
      deny     Specify packets to reject
      dynamic  Specify a DYNAMIC list of PERMITs or DENYs
      permit   Specify packets to forward
      remark   Access list entry comment
    (config)# access-list 105 permit tcp ?
      A.B.C.D  Source address
      any      Any source host
      host     A single source host
    (config)# access-list 105 permit tcp any ?
      A.B.C.D  Destination address
      any      Any destination host
      eq       Match only packets on a given port number
      gt       Match only packets with a greater port number
      host     A single destination host
      lt       Match only packets with a lower port number
      neq      Match only packets not on a given port number
      range    Match only packets in the range of port numbers
    (config)# access-list 105 permit tcp any any
    (config)# int e0
    (config-if)# ip access-group 105 in
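As an added illustration that is not part of the lab, the Python model below applies access-list 105 the way IOS does: top-down, first match wins, an entry whose hosts match but whose `eq` port does not is skipped, and a packet matching no entry hits the implicit deny at the end of every ACL. The ACL text is a constructed copy of the lines above; `parse_acl`, `evaluate` and `PORT_NAMES` are this model's own names, and `evaluate` returns the action plus the 1-based entry number, or `('deny', None)` for the implicit deny.

```python
import ipaddress
# Constructed copy of the lab's five access-list 105 entries, in order. IOS walks an ACL top-down:
# the first matching entry decides, and a packet that matches nothing is dropped (implicit deny).
ACL_105 = """
access-list 105 permit tcp host 208.89.101.4 host 41.153.91.2 eq ftp
access-list 105 deny tcp host 197.119.92.8 host 144.98.220.6 eq ftp
access-list 105 permit tcp 100.120.83.0 0.255.255.255 71.252.23.0 0.255.255.255 eq ftp
access-list 105 deny tcp 35.208.170.0 0.255.255.255 184.124.8.0 0.255.255.255 eq ftp
access-list 105 permit tcp any any
"""
PORT_NAMES = {"ftp": 21}  # only the port keyword this lab uses
def _addr(tokens):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D wildcard); return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N action proto src dst [eq port]' lines (only 'eq' is modelled, not lt/gt/neq/range)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, swc, rest = _addr(t[4:])
        dst, dwc, rest = _addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, swc, dst, dwc, port))
    return entries

def _match(addr, net, wildcard):
    # Wildcard bit 1 = "don't care", 0 = "must match", so 0.255.255.255 tests only the first octet:
    # the lab's 100.120.83.0 0.255.255.255 therefore covers all of 100.0.0.0/8, not just 100.120.83.0/24.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(entries, proto, src, dst, dport):
    for n, (action, p, net_s, wc_s, net_d, wc_d, port) in enumerate(entries, 1):
        if p not in (proto, "ip"):  # an 'ip' entry would match any protocol; the lab has only tcp entries
            continue
        if not (_match(src, net_s, wc_s) and _match(dst, net_d, wc_d)):
            continue
        if port is not None and port != dport:  # right hosts, wrong port: keep walking the list
            continue
        return action, n
    return "deny", None  # implicit deny: nothing matched
if __name__ == "__main__":
    acl = parse_acl(ACL_105)
    for pkt in [("tcp", "100.7.7.7", "71.9.9.9", 21), ("tcp", "197.119.92.8", "144.98.220.6", 80), ("udp", "1.2.3.4", "5.6.7.8", 53)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Running it shows the two things the objectives do not spell out: the `permit tcp any any` at the end lets the denied FTP hosts talk on every other TCP port, and the 0.255.255.255 wildcard makes the third and fourth entries match whole /8 ranges rather than the /24 networks their first three octets suggest.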