00:00:00 - Configuring access lists. I've always found the best way to
00:00:05 - learn access lists and to get familiar with the syntax is to
00:00:08 - do them again and again and again. It's kind of like subnetting.
00:00:11 - The more you practice, the better you get at it. So that's how I've structured
00:00:15 - this configuring access lists video. I'd like to walk through
00:00:18 - four separate scenarios with you that take the concepts that
00:00:21 - we've learned in the previous video and apply them in practical
00:00:25 - scenarios. Now looking at these scenarios, they don't make much
00:00:28 - sense right here, but this is going to be what I'm testing on
00:00:31 - and in each one of those scenarios, as we construct a new access list
00:00:35 - for each one of those requirements.
00:00:39 - So if you're ready, I'm ready. Let's get going.
00:00:41 - All right. Here is our configuration landscape. You can see the
00:00:45 - four scenarios spelled out on the bottom of the network diagram.
00:00:49 - But before we even get into those scenarios and start working through each
00:00:52 - one of them and setting up the configuration, I'd like to talk
00:00:55 - a little bit about access lists generalities. How do you
00:00:59 - configure access lists in general? You can see our scenarios are saying
00:01:03 - use a standard access list or an extended access list. But before
00:01:06 - we even accomplish those objectives let's talk about just how
00:01:09 - to use access lists. What I'd like to do is take us to a router
00:01:12 - and that will allow us to see this configuration and I'll just
00:01:16 - walk through some -- some samples. And then we'll do the real deal.
00:01:19 - We'll go through these scenarios one by one. So let me bring up the router connection
00:01:22 - and put it in the middle of the screen here.
00:01:26 - Just get things cleared off. You can see we're on router 3 right
00:01:30 - now to start things off. And this will just be, you know, a nice generic place
00:01:33 - to go. To set up access lists, we're going to go into global
00:01:37 - configuration mode and use the command access list. Now if you haven't
00:01:42 - gotten used to the context sensitive help -- the question mark as
00:01:44 - of yet, now's a good time. Access lists will almost need you
00:01:49 - to use that going through there because very few people remember
00:01:52 - all the pieces off the top of their head. Now you can see all these
00:01:55 - lists. I type in access lists and it says okay type in a number one through
00:01:59 - 99 if you would like to create a standard access list.
00:02:03 - If you would like to create an extended, go ahead and type in number 100
00:02:06 - through 199 and that will configure one of those.
00:02:09 - Now you can see as we go through this list, there's plenty of other
00:02:11 - ones like IPX address access list; MAC address access list. You
00:02:15 - can permit or deny based on MAC address. But a lot of these
00:02:18 - protocols we just don't use any more like IPX or DECnet.
00:02:22 - So we're gonna stick to IP access lists. Now you can see right here, we've
00:02:27 - got the standard and extended, but notice right here
00:02:33 - and right here is an IP access list for standard and
00:02:38 - extended in an expanded range. So what they're saying is if
00:02:41 - you run out of lists, meaning you've -- you've exceeded 99 lists;
00:02:46 - number one, I'll tell you, you've created way too many access lists
00:02:49 - if that's the case. But CISCO says we'll let you do it. Here
00:02:52 - is a 700 or so more access lists that you can create
00:02:56 - using that expanded range for each one of them. So let's start
00:02:59 - off with the standard extended access list. I'm just going to say
00:03:03 - access list 1. I could type in any number from one to
00:03:06 - 99 and it would work just fine. I'm just using one
00:03:09 - because I like it. So I hit the question mark and it says okay
00:03:13 - is this going to deny or permit?
00:03:17 - Or would you like to leave a remark in this access list? So
00:03:20 - we'll say this -- this first entry is going to be a deny entry.
00:03:25 - Remark by the way just leaves comments so you can see what
00:03:28 - the access list is about. So I'll type in deny; hit a question mark and
00:03:31 - it says would you like to match
00:03:34 - a host name if you're using DNS; very few people do that or
00:03:38 - IP address. Would you like to match any or a single host?
00:03:42 - So this is our big option. Let's say that I would like to deny
00:03:46 - we haven't talked about our scenarios yet, but I want to deny
00:03:48 - the host 192.168.5.100
00:03:53 - -- just -- just a nice random IP address. I'll do space question
00:03:58 - mark and now it's asking me what are your wild card bits?
00:04:03 - Ahh, wild card bits, where did we see that the before? OSPF.
00:04:08 - The open shortest path first routing protocol, we had to type
00:04:12 - in the wild card mask to type in what networks we would like
00:04:15 - to advertise. And now they're back to haunt us. Wild card bits
00:04:19 - are going to designate what is significant about there? Meaning,
00:04:22 - do you want to match that exact IP address? If so, go in and put
00:04:26 - zero, zero, zero, zero. Meaning, look at and you remember the wild
00:04:30 - card bits, zero means look at these -- look at 192. Look at 168.
00:04:34 - Look at 5. Look at 100. When that IP address comes
00:04:38 - through, identify it exactly and if that's it deny it.
00:04:42 - Now I can also go here and make it a little more broad. I can
00:04:45 - say 0.0.255.255 -- well, I wouldn't put 5 0, but
00:04:50 - if I did this what that says is deny everything starting
00:04:55 - with 192. Look at that first octet; 168. So everything
00:04:59 - starting with 192.168 and then I don't
00:05:02 - care; I don't care, is what those mean. What -- watch what happens.
00:05:06 - I'm going to hit enter and then I'm gonna type in show access list using the
00:05:11 - do command, so I can do it from global config mode. Look at what
00:05:14 - it did. It said it deny 192.168 -- ahh,
00:05:19 - zero zero. You catching that? It zoned out, it wiped out my
00:05:24 - 5.100 because it said I don't care what those
00:05:27 - are. You put 255s. Now if I were to
00:05:31 - go back up there and do no access list 1 deny, you know, remove
00:05:34 - that and try it again and then I put, you know, 0.0 right there
00:05:40 - and then do my show access list. Now it's just saying specifically
00:05:44 - that host is there. The wild card bits disappear because if
00:05:48 - you notice it says you could put a return key after the
00:05:52 - 192.168.5.100 and it would assume
00:05:55 - you're talking about that specific IP address. This wild card
00:05:58 - mask of all zeros is optional. Matter of fact, let me hit the up arrow
00:06:02 - and put in a no in front of that; wipe that out. I could type in access
00:06:06 - list 1 deny and, check this out, I could say host 192.168.5.100.
00:06:12 - And now when I hit question mark
00:06:15 - it doesn't even give me the option for a wild card mask because I've
00:06:19 - specified just that host. So what I've showed you there was essentially
00:06:24 - two ways to accomplish the same thing -- three ways to accomplish
00:06:27 - the same thing of denying a specific IP address. So
00:06:30 - that's -- that's essentially our line one of the access list.
00:06:35 - Now I'm going go in there, I'm going to say access list 1; it's the same list
00:06:41 - permit 192.168.5.0 with a wild
00:06:47 - card mask of 0.0.0.255. Now let's do a show
00:06:53 - access list --
00:06:57 - if we could type. Now right here you can see first entry or what
00:07:03 - the router is calling sequence ten and we'll talk about those
00:07:06 - numbers in just a moment. First entry says deny 192.168.5.100;
00:07:09 - second line says permit everybody else
00:07:14 - that starts with 192.168.5.
00:07:17 - So that's how we create a standard access list is we just identify
00:07:21 - the source IP addresses we want to permit or deny. Now remember,
00:07:25 - think back to the rules we talked about in the previous videos.
00:07:29 - At the bottom of this access list is an implicit, invisible
00:07:34 - deny. Meaning, if you are not something that starts with
00:07:39 - 192.168.5, you will be denied. You'll be
00:07:43 - prevented from accessing whatever this access list is preventing you
00:07:46 - from accessing.
00:07:49 - Speaking of that, let's apply this. Creating access lists
00:07:53 - you could do all day long. But they won't actually go
00:07:57 - into effect until you apply them. So you've seen the access list command.
00:08:01 - Here's how you apply.
00:08:02 - Go back to that network diagram and we're on router 3.
00:08:05 - We need to identify what direction we want to apply from.
00:08:09 - Let's say that we want to protect router 3 from receiving
00:08:14 - messages from that host that we denied 192.168.5.100,
00:08:18 - right? So I -- I can apply
00:08:21 - inbound on serial 0/0. Remember, hold out your arms
00:08:25 - just like I talked about in the previous video, identify your direction
00:08:28 - as things are coming in that serial interface; that's where
00:08:32 - I want to deny that specific host. So that's where we need
00:08:36 - to apply it, serial 0/0. So let's jump into interface
00:08:40 - serial 0/0 and here's the apply command -- IP access-
00:08:46 - group.
00:08:50 - I don't know; I know you're thinking I thought it would be access list. I don't know
00:08:53 - why they chose access group but they did. Access group applies
00:08:57 - it and it says what access lists number would you like to apply?
00:09:01 - And you think well I configured access list 1 so let's apply that.
00:09:04 - I'll put access group 1; question mark, inbound or outbound. Well, we identified
00:09:10 - on that network diagram we would like to filter it as it comes
00:09:13 - into our router. So
00:09:17 - I'll put in; question mark. And it says go ahead and press return. So now I have
00:09:21 - applied that on router 3. It is allowing -- let me do a show I --
00:09:26 - or hang on -- let me put do -- do show access list.
00:09:30 - It is allowing anything with 192.168.5.0
00:09:34 - to come in or that -- that five subnet to come in. And this host,
00:09:38 - that specific host will be denied. Also, the implicit deny catches
00:09:42 - everything that does not start with 192.168.5.0.
00:09:45 - You see a message come up across the screen --
00:09:49 - look at this, neighbor 192.168.2.1 is down; the hold
00:09:53 - time or the dead timer expired.
00:09:55 - You want to know what just happened? We just severed connectivity to router 3.
00:09:59 - The neighbor, 192.168.2.1 is speaking
00:10:02 - of router 2. It just says I lost my connectivity to router 2. The reason
00:10:07 - why is because router 2 was coming in and -- and EIGRP was
00:10:11 - sending hello packets sourced with the IP address 192.168.2.1.
00:10:15 - Well, according to our access list, the implicit
00:10:20 - deny is killing anything with 192.168.2
00:10:23 - because it doesn't start with 192.168.5. You see how
00:10:27 - dangerous access lists can be. I'm gonna hit the upper arrow and undo that; I'm gonna do no
00:10:31 - IP access group 1 in and we should see our neighbor relationship
00:10:35 - restored with EIGRP. Yup, now we're up. We're back online because
00:10:40 - we're not coming from that. So that's -- that I just wanted to give
00:10:43 - you before we get into this scenarios. The general syntax of
00:10:47 - working with access lists. Now with that in place, let's look at scenario
00:10:51 - one. Use a standard access list to block HostA from accessing
00:10:57 - HostB. And I have these hosts in place. We're going to be able to
00:11:00 - test this. HostA accesses HostB by going through router 2 through
00:11:06 - router 3, out and then ping right here. Now, I don't have his IP address.
00:11:10 - Let me wipe that off. HostB is.50. 192.168.3.50.
00:11:16 - So I'd like to start things off by going
00:11:19 - to HostA and doing a ping to HostB to make sure that
00:11:22 - we can access it right now.
00:11:25 - HostA is right here; the -- the role of HostA will be a remote
00:11:30 - connection to my laptop. So, let me just do an IP config
00:11:34 - on this guy. And you can see that I have the local area
00:11:38 - connection; that's my LAN interface -- 192.168.10.50 --
00:11:41 - jump back to the network diagram -- 192.168.10.50.
00:11:46 - So this is HostA right here. Now you can see the wireless
00:11:50 - connection. This is how I'm connecting to it via remote desktop.
00:11:53 - It's just because these laptops are in another room. You can
00:11:57 - ignore this whole thing right here. Pretend it just does not
00:12:00 - exist because this is the interface that's actually being used.
00:12:03 - You can see this one doesn't even have a default gateway. So right -- so I'm on HostA
00:12:08 - and I'm going to do, I'll even do one better than a ping. Let's do a
00:12:12 - trace route to HostC; correct?
00:12:19 - HostB -- HostB is 192.168.3.50. 192.168.3.50.
00:12:22 - I'm gonna do a trace route dash (-) D; otherwise, it takes forever.
00:12:28 - All right. So we can see that HostA went to 192.168.10.1.
00:12:33 - then 2.2; then 3.50. Let's
00:12:37 - verify that against the diagrams. Started off with 10.1. So HostA
00:12:41 - it's in a VLAN, so it came over here, to its subinterface right
00:12:46 - there -- 10.1. The router took it and routed it back out
00:12:50 - over here to 2.2,
00:12:53 - there's 2.2. And then it finally hit the host -- 3.50 over there.
00:12:57 - So it is taking the correct direction to end up reaching hostB.
00:13:01 - Good. Now I also have a remote desktop connection to HostB,
00:13:06 - which is over here -- let me just bring it into the window.
00:13:10 - This is HostB. Again, I have an IP config already
00:13:13 - up; there's 3.50. And I'm gonna do a ping to -- well, let's do a trace back.
00:13:18 - Trace route 192.168.10.50.
00:13:23 - That's our original host -- ahhh, trace route dash D
00:13:29 - Otherwise, Windows tries to look up those IP addresses
00:13:32 - and figure out their name. There we go. That's -- that's what we thought
00:13:36 - 3.1; that's the Ethernet interface. 2.1; that's
00:13:39 - WAN link. So 3.1, 2.1 and then it's getting to HostA.
00:13:42 - So we have verified both HostA can access HostB. Now,
00:13:49 - use a standard access list to block HostA from reaching HostB. So
00:13:56 - I think the -- the first thing I want to do before we even get
00:13:59 - there is just pen this out on paper. It's always good to write down
00:14:03 - your access lists on paper before you put them into the command
00:14:06 - line interface and that goes for most configurations. So I want
00:14:10 - to create an access list that blocks HostA from accessing
00:14:12 - HostB. I'm gonna use the command just like we had before access
00:14:16 - list -- access dash list 1 or -- we'll use 10 for this example.
00:14:24 - It's just a number and I'm going to say deny -- now remember a
00:14:28 - standard access list can permit or deny based on
00:14:32 - source. Only the source IP address. So I'm gonna put deny host, remember
00:14:39 - that shortcut I just showed you a moment ago -- deny host
00:14:42 - and then I'll put the IP address: 192.168.10.50,
00:14:49 - which is deny that host; right? So that's what our access
00:14:54 - list should say; we should be denying it. Now with a
00:14:57 - standard access list, you cannot say denied from what because that's
00:15:01 - destination; that's what you need an extended for. So all we can say is
00:15:04 - that host is denied. Now
00:15:07 - couple things on that. If you have an access list that is
00:15:13 - only denying something and you apply it, you have denied
00:15:19 - everything. Think through it. Do you know why? Because at the bottom of every access
00:15:25 - list, is the invisible, implicit deny. So an access list that
00:15:29 - only has deny statements in it, will effectively deny everything
00:15:32 - if you permit. I mean, if we were to apply this we'll say you
00:15:35 - know, right here outbound or something in that -- that
00:15:38 - case it would check-in and say, "Okay, are you this host because if you are
00:15:41 - you're denied." And then it would go to the next line, which is
00:15:43 - invisible, it's a deny everything and it says, "Oh, and by the way if
00:15:47 - you're not that host you're also denied".
00:15:51 - So that's a -- a great warning to you because I've done this
00:15:55 - many times where you'll be on a router, you're -- you're quickly going through
00:15:58 - the config and you're like, oh, I just need to deny this one thing and apply. Wham!
00:16:02 - The router connection goes down. So we need to follow this
00:16:05 - up; I'll say access list 10; permit,
00:16:11 - and there's a couple ways we can do this. Let me bring us back
00:16:14 - to our -- our router here -- just to show the syntax. Access-list 10,
00:16:20 - permit and I'll do a question mark. Now, you can either -- you can either
00:16:24 - do it one of two ways. Permit any -- says any IP address. So going
00:16:30 - back to this, we have 10 deny host here and then we could put
00:16:34 - permit any.
00:16:36 - Let's try and squeeze it in over here -- permit any. And that would allow everything
00:16:40 - else -- so the implicit deny would never be reached. We can also put
00:16:43 - access list 10 and permit the IP address 0.0.0.0
00:16:48 - and follow it up with a wild card mask, which one do you think?
00:16:51 - To permit anything.
00:16:55 - That's it -- 255.255.255.255 -- you're saying permit this
00:16:59 - IP address and then I don't care I don't care I don't care
00:17:02 - I don't care. Watch what happens if we do that.
00:17:05 - I'm gonna type show access list;
00:17:08 - I created access list 10, but look, the router recognized that and goes, "Oh, you
00:17:12 - typed that in, but you really meant any".
00:17:15 - Now I -- I don't want you to think one's better than the other. One's
00:17:18 - definitely shorter, but they -- they're both equal; you can type it in
00:17:21 - either way; that'll work fine. So I'm gonna do no access list
00:17:25 - 1 and a no access list 10 because there's still one more
00:17:29 - thing we have to figure out. This is the access list we need to
00:17:32 - create. Now my question to you -- where do we put it? And in
00:17:38 - what direction do we apply it? If you want to please pause the
00:17:42 - video and think through that. Identify where we're coming from
00:17:46 - and identify where we're going to. Okay, pause now.
00:17:49 - Okay, you're back right? You've -- you've paused it; right? No, you -- you
00:17:52 - didn't pause it. Pause it. Okay, now you're back. HostA, right here is
00:17:57 - going to be accessing HostB. There's three, four -- four different
00:18:02 - places that we could apply this. We could apply it as HostA comes in
00:18:09 - to its default gateway. This is a valid place to apply that access
00:18:13 - list. I could apply it on fast Ethernet 0/0.10 inbound.
00:18:17 - Now if I did that,
00:18:20 - I mean I know we've got VLANs here; it's a, you know, a little
00:18:24 - not as clear as what it would be if we didn't have VLANs
00:18:28 - but by applying this in it would be as if HostA were connected
00:18:32 - to its router. And we said, "Okay, as you come in your default
00:18:36 - gateway's IP address, you will be denied". If we do that,
00:18:41 - well, will we accomplish our objective? Yes, HostA will not be
00:18:45 - able to access HostB.
00:18:47 - However, HostA will also lose access to everything else we've
00:18:52 - denied too much. So
00:18:55 - we can't apply it in right there. We could apply it out right
00:19:01 - here. And that as HostA when, you know, came in that interface, it would start routing
00:19:06 - them. But as it saw, "Oh, I'm gonna send you out this link", it would be denied. Problem with
00:19:10 - that: you've denied too much. Now I know in this picture right here,
00:19:14 - it looks like, oh, well that -- that would accomplish our objectives
00:19:16 - and it would. But what if router 3 had another connection to,
00:19:20 - you know, some other router down here in some other network
00:19:23 - that we didn't want to deny HostA from reaching? Well, that would deny too much.
00:19:27 - So -- let me just keep that imaginary network there for now.
00:19:32 - So other potentials, we could apply it inbound right here
00:19:36 - but same problem. As soon as he tried to come in router 3
00:19:39 - he wouldn't be able to get out to this mystery network over here.
00:19:42 - The best place to put this is as he goes out, again, hold
00:19:47 - your arms out -- you are a router; as the HostA goes out,
00:19:52 - the router 3 Ethernet 0/0 interface is gonna say you
00:19:57 - are denied. Now the argument could be well, what if there's
00:20:01 - other hosts on that network? Well, unfortunately using standard
00:20:05 - access lists, that's the best that we can do. Because we can't
00:20:09 - say what he's denied from, so the best practice and here's -- here's
00:20:12 - the rule that CISCO recommends -- the best practice with standard
00:20:16 - access lists is to place them as close as possible to the destination.
00:20:24 - Whatever destination you're trying access, put it as close as you
00:20:28 - can to there, because if you put it too close to the host; too
00:20:32 - close to the source is what I should say, he may deny them from
00:20:35 - too much. Since we can't say what they're denied from, they have
00:20:39 - to get all the way across the network to the -- near the destination
00:20:42 - just to find out they're dropped. It's kind of a bummer. HostA is all
00:20:45 - excited, you know? I'm going. I'm going. It's crossing the WAN link; I'm getting to
00:20:49 - the router and wham! It dies as soon as it tries to exit that interface.
00:20:52 - But that's all we can do with the standard access list. So let's
00:20:55 - make it happen. Again, let's try it one more time just to make sure
00:20:58 - we're working. I'm gonna ping 192.168.3.50. And we are
00:21:03 - working; this is from HostA.
00:21:05 - So with that in place, let's go to router 3 and put this in action.
00:21:10 - I'm on -- hey, I'm there right now. I'll do access list.
00:21:14 - Oh, let's use 25. I like using nice random numbers. Remember,
00:21:18 - we're specifying a standard access list. I'm going to deny the
00:21:23 - host 192.168. -- he was 10.50.
00:21:30 - I don't know why I keep forgetting that --10.50.
00:21:33 - So we follow that up with access list 25 permit
00:21:37 - any -- to permit everybody else because an access list of all denies
00:21:41 - denies everything. Get into interface and what interface was
00:21:45 - that? Let's do a
00:21:47 - do show IP interface brief; my all time favorite command.
00:21:51 - Oh, look at all those loopbacks. This is the 192.168.3.1
00:21:55 - Ethernet 0/0 -- interface Ethernet 0/0
00:22:00 - and here's the command. IP access group
00:22:06 - 25; that's the access list number we want to apply and the
00:22:10 - direction will be out.
00:22:13 - I want to make sure I emphasize that one more time. As somebody
00:22:17 - is going out this interface, be the router -- be router
00:22:21 - 3, hold your arm out, your right arm is Ethernet 0/0.
00:22:25 - As somebody tries to leave your right arm, if they are the
00:22:29 - source, 10.50, they will be denied.
00:22:33 - Now let's watch it happen. Let's go into that host; hit the
00:22:38 - upper arrow and do that ping again.
00:22:41 - Look at that; we were successful up here and now it is coming
00:22:45 - back destination net is unreachable. Reply from 192.168.2.2;
00:22:50 - who is that?
00:22:53 - That's router 3. Sweet! So it's working. Now -- now watch this. I'm going to go
00:22:57 - back to router 3, and I'm gonna do my favorite verification command for
00:23:01 - access lists; show access list. It's simple. It works and it even
00:23:06 - shows how many matches you've had on each -- each one of those.
00:23:11 - It has denied 10.50 eight times; eight times when it
00:23:17 - was trying to access that host. Now you can see eight, let's just hit the -- hit the upper arrow
00:23:23 - and do that ping again. While it well -- whoa, holy cow!
00:23:26 - That was insane -- while that ping was going through, I was trying to be fast
00:23:30 - it didn't work. Look at that -- sixteen matches. So what does that tell me?
00:23:34 - It tells me that Windows Vista is sending two ping packets
00:23:39 - every single time it tries to ping.
00:23:42 - It shows four of them, but it must be sending two ping packets
00:23:45 - each time because each time I do this ping, you can see the
00:23:49 - counters increase,
00:23:52 - by eight. Interesting, I learned something new about Windows Vista.
00:23:55 - So with that, that's -- that's how we have accomplished scenario
00:24:00 - one. Block HostA from accessing HostB. Holy cow, look at that time
00:24:06 - I get so into this, I'm just, let's -- let's make this video an hour.
00:24:09 - No, let's not. Here's what I'm gonna do. I'm gonna do scenario one and two in this
00:24:14 - video and then we'll do scenario three and four. I'll make a part
00:24:20 - two to the access list configuration because I'm not gonna do it.
00:24:24 - Not going to make it through that extended access list and
00:24:27 - and meet my 30 to 40 minute time buffer.
00:24:32 - All right. So scenario two: use a standard access list to prevent HostA
00:24:38 - from Telnetting or SSHing to router 1. Essentially managing
00:24:43 - it remotely. What I am showing you as I do this is an extremely
00:24:47 - common use of standard access lists. By default CISCO routers
00:24:52 - allow anybody to Telnet or SSH into them as long
00:24:56 - as they have the right username and password. Now, couple that
00:24:59 - with the problem. CISCO routers will let you try passwords all
00:25:03 - day long. Meaning, they're not going to lock you out after you
00:25:06 - miss the password three times or five times and then you have to, you
00:25:09 - know, call an admin or something like that. They'll just let you keep trying
00:25:12 - keep trying, until someday, somebody's going to figure it out and
00:25:16 - break on in. So
00:25:18 - what a lot of people will do is only allow certain hosts to
00:25:23 - Telnet to the router. Let's -- let's see, we're on router 1
00:25:28 - right? Router 1 as of right now, let's just verify.
00:25:33 - HostA -- let me clear the screen -- HostA can ping router 1
00:25:40 - 192.168.1.1; that's router 1. And I'm gonna
00:25:43 - Telnet: 192.168.1.1.
00:25:47 - Hass -- oh, no, we can't; he can't. There he is. So please don't log in
00:25:51 - oh, he guessed it; he's in. So he is able to access router 1.
00:25:56 - So our goal is to deny or prevent HostA from Telnetting or SSHing
00:26:01 - to router 1, but not affecting any other access. Meaning, if
00:26:06 - we were to -- to apply a standard access list just like we did
00:26:11 - on router 3, saying deny 192.168.10.50
00:26:15 - inbound on router 1, well, HostA sure -- he wouldn't be able
00:26:20 - to Telnet into router 1, but it wouldn't be able to access the
00:26:22 - internet anyway either. He wouldn't -- wouldn't be able to do many things.
00:26:27 - As soon as he got to router 1, he'd be blocked. So you can apply a standard
00:26:32 - access list not only to an interface, but you can apply it
00:26:37 - to your VTY ports. Let's go to router 1 and I'll show you how.
00:26:42 - Pull up my connection here. Still on router 3, let's hop on over to router
00:26:49 - 1. Let's get all this out of our mind because we're done with router
00:26:51 - 3. All right. We're sitting on router 1. I'm gonna do
00:26:56 - well, let's -- let's just go right into it. Let's create the access
00:26:58 - list. On router 1 I'm going to type in access list and we're using still
00:27:03 - a standard access list so something from 1 to 99.
00:27:06 - Access list, 70. Now as a side note, made me think
00:27:11 - of it when I hit the question mark. I don't know if you remember but
00:27:14 - when I hit the question mark on router 3, do you remember it had those
00:27:17 - IPX access lists in there, too? We don't see those on router
00:27:21 - 1 and it's a simple reason that router 1 has an IOS version,
00:27:26 - a software version, that doesn't support the IPX protocol or
00:27:30 - the DECnet protocol. You might -- might have seen me highlight
00:27:33 - that one when I was on router 3. That's because those
00:27:35 - are old. Router 1 is new. It has a new IOS version and they
00:27:40 - discontinued support for those protocols. People don't use them anymore.
00:27:44 - So I'm just gonna use access list 70. So standard access list; question mark
00:27:49 - permit or deny. Now before I go any further,
00:27:52 - let me first mention, there's usually a little better strategy
00:27:56 - with picking access lists numbers than what I am showing you
00:28:00 - right now. Right now I'm just kind of randomly going in man
00:28:03 - like oh, let's throw a dart at the dart board; 70 sounds
00:28:06 - great. Usually people will go in order and they'll say okay one, access
00:28:09 - list one, okay. When they're done with that one they'll start and
00:28:12 - create another one two, and so on. Every access list could have
00:28:15 - hundreds or even thousands of lines in it. So there is
00:28:20 - practically no real limit on how long an access list can be. But
00:28:24 - do you remember that once you apply an access list, all those
00:28:27 - lines will take effect. So let me show you using a remark.
00:28:31 - I'm gonna type in access list 70; remark; question mark. It says comment, up to
00:28:36 - a hundred characters. I usually put my remarks in all capitals.
00:28:40 - This will deny HostA -- oops, A -- from Telnetting to R1.
00:28:48 - So I just put a nice little comment in there. Now I'll follow
00:28:52 - that up with -- oops, turn off my caps lock -- access list 70; deny and
00:28:58 - we'll do HostA. And I'll do it a little different this time. I'll do
00:29:01 - 192.168.10.50; that's HostA. Follow
00:29:06 - that up with that wild card mask of 0.0.0.0 which
00:29:10 - says specifically that host. Good. So I'm gonna hit enter, I've put in the
00:29:15 - deny. Now remember we have to add -- add at least one permit statement.
00:29:19 - So I'll say access list 70; permit everybody else, permit any.
00:29:24 - So it's the identical access list to what was on router
00:29:29 - 3. I'm gonna type in show access list
00:29:33 - 70 and you can see there it is -- access list 70. Oh, this
00:29:39 - IOS version doesn't show the remarks. Let me do a show
00:29:42 - run include lines that have access list 70. They -- they
00:29:48 - will show up in the running config. You can see that that's where
00:29:51 - we see our remarks. And some of the other IOS versions will actually
00:29:54 - put the remarks in the show access list command. So okay -- so we've
00:29:58 - got the access list. Now the question is where do we apply
00:30:02 - it? I already told you we can't apply it to the interfaces of router
00:30:07 - 1 or else we -- we would block HostA from reaching the internet.
00:30:12 - And we'd block too much. So what we can do and this is a very
00:30:16 - unique feature for standard access lists; we can go under our
00:30:20 - VTY ports. Remember, VTY, line vty 0
00:30:25 - (space) 4. That's our Telnet ports. It may have been a little
00:30:28 - while since we've done that. So I'm under the Telnet ports and
00:30:31 - I want to apply an access list to the Telnet ports to restrict
00:30:35 - who can come in on them. So I'm gonna type in -- and
00:30:40 - again, we go back to the question: why did Cisco use IP
00:30:44 - access group to apply an access list to an interface? And you'll have the
00:30:48 - same question, because the commands are different. They use the command
00:30:52 - access-class
00:30:55 - to apply an access list to VTY ports. They don't use access
00:30:59 - group; it's access class. It's functionally the same as the access
00:31:03 - group command; it's just that, for whatever reason, you know, the developers
00:31:07 - at Cisco were up a little late one night and they're like, hey,
00:31:11 - why not? Let's make it access class. So I'm gonna type in access -- and also
00:31:15 - notice there's no IP on the front of that one. Just access
00:31:19 - class, unlike IP access group. So I'm gonna type in access class. I want to filter this
00:31:24 - using access list 70.
00:31:26 - And I want to filter incoming connections -- as people are coming
00:31:31 - in or Telnetting into this router on
00:31:36 - these VTY lines, I want to filter them based on that access list.
00:31:41 - 99.999999 percent of the time, you
00:31:44 - will always apply access class in the inbound direction. If
00:31:47 - you apply them outbound, weird things can happen; that's
00:31:50 - where you will suddenly randomly not be able to Telnet
00:31:53 - certain places from your router for some strange reason. So we're
00:31:57 - filtering it in. All right, cool. I'm gonna type in show access list 70.
00:32:04 - Check it out, we see it right there; looks good. Let's now go back
00:32:08 - to our client.
00:32:11 - He's still on the router, so he's got an existing session
00:32:15 - I'm gonna kill. Hit the up arrow; Telnet 192.168.1.1.
00:32:19 - Denied.
00:32:23 - Try it again. Denied. Totally denied. And I'm coming back here to
00:32:30 - my session with router 1, do the show command, and you can
00:32:35 - see the deny has now been matched six times for Telnet access.
00:32:39 - That tells me another interesting fact: every single time I
00:32:43 - tried to Telnet with Windows Vista, it sends three packets --
00:32:46 - three attempts to try and open that session before it finally says
00:32:49 - connect failed. Now okay, that's good; we denied
00:32:53 - HostA, but what about the other hosts? Could HostB access
00:32:58 - that router because we didn't want to deny HostB, right? Well let's try it
00:33:02 - out. I'm gonna bring up HostB, right here. This is HostB 3.50.
00:33:06 - And let's Telnet from HostB to 192.168.1.1.
00:33:09 - And look at that.
00:33:12 - HostB can still get in. And while we're Telnetted in on HostB, let's try
00:33:16 - this. I'm gonna do a show access list because we should
00:33:20 - see -- oops, oh, don't look at that. You did not
00:33:26 - see that; that's for the next video. Show access list
00:33:31 - 70. Look at this: access list 70 is our Telnet access, still got
00:33:36 - the six denies for the 10.50, but look, now the permit
00:33:40 - is getting matches as well, showing that HostB over here
00:33:45 - is being permitted to enter that. Good. So we have now completed
00:33:50 - scenario one and scenario two: prevented that and blocked Telnet
00:33:54 - access for HostA.
00:33:58 - I'm going to freeze frame that network diagram with the first
00:34:02 - two scenarios completed as we transition into the next video
00:34:06 - which is going to pick up right where we left off. We've now
00:34:09 - completed standard access lists. Again, standard access lists
00:34:13 - are fantastic because they're very easy on your processor
00:34:16 - but very limited in what's possible, denying only on the
00:34:21 - source address. So most people will use them for functions like VTY
00:34:26 - access, where the place you apply it is very
00:34:29 - specific and you don't accidentally prevent somebody from reaching
00:34:32 - too much. In the next video, we'll pick up with the extended
00:34:35 - access lists. I hope this has been informative for you and I'd like to thank you for viewing.