00:00:00 - Alright, as I promised we are going to pick up with this video right
00:00:04 - where the previous one left off. So if you haven't seen the
00:00:07 - standard access lists video, jump back
00:00:10 - and check out that one first because extended is a little more complex. We're going
00:00:14 - to pick up with the second set of scenarios, scenario three and four,
00:00:17 - using extended access lists to permit or deny IP and
00:00:22 - TCP access and also explaining many of the other things
00:00:25 - that they're able to do. So let's get going.
00:00:28 - I'd like to approach the extended access lists the same
00:00:32 - way that I approached the standard in that before we jump into this
00:00:36 - scenario three and four on the whiteboard here, I'd like to
00:00:40 - talk about the syntax in general and then we'll, we'll hit these,
00:00:43 - these scenarios directly. Now, I do have to warn you before we
00:00:47 - get going with the extended access lists that some people consider
00:00:52 - the extended access lists the most difficult concept in CCNA.
00:00:56 - I don't think it's that bad, but I do think that the syntax
00:00:59 - can be a little frightening the first couple times through it.
00:01:03 - The first thing that we need to do is break down the extended
00:01:06 - access list into its major pieces. The command structure
00:01:11 - is just like the other one, we type in access list to start
00:01:14 - off and an identifier or a number from 100 to 199
00:01:19 - just like we saw in the previous video. Now, that identifier
00:01:23 - tells the router you're creating an extended access list.
00:01:27 - From there you have your permit or deny just like the standard
00:01:30 - and then we see our differences. We get to choose what protocol
00:01:34 - we would like to permit or deny. Examples of that might be
00:01:38 - like TCP or UDP or there's, there's some other ones we'll talk
00:01:43 - about in just a moment. We then type in our source information
00:01:49 - and then we follow that up. I'm going off my little white pad here. We
00:01:53 - follow that up with our destination
00:01:57 - information. So I might say something like access list 100
00:02:01 - permit the TCP protocol from this IP address to
00:02:06 - that IP address. Not too bad when you think about it that way but
00:02:10 - there are more options that you'll have to weed through like port
00:02:13 - numbers and stuff like that which, which we will get into as
00:02:16 - we get into
00:02:18 - scenario four right there. So what I'd like to do is, is just walk
00:02:22 - through a syntax of a couple access list commands and then we'll look
00:02:26 - at the scenarios specifically.
00:02:29 - To demo this I'd like to jump on to router three. It's a good
00:02:32 - place to just try some syntax. On router three I'll get into global config
00:02:36 - mode and do access list and a question mark. There's our options
00:02:40 - as we saw before. Extended access list is any number from 100
00:02:44 - to 199. I'll pick 150 right in the middle.
00:02:48 - It comes up and says, do you want to deny, dynamic. That's, that's some of the other
00:02:52 - options and we're not going to talk about every option with
00:02:55 - these extended access lists. We'll say deny, permit or remark.
00:02:59 - So we'll say access list 150, let's do a deny. It comes up. Now we're
00:03:05 - given our protocol options. If you're wanting the OSI model,
00:03:08 - these are all the protocols at layer four of the
00:03:12 - OSI model. TCP, UDP, you see those at the bottom. But we also see
00:03:16 - ICMP, ESP, that's used for VPN connections. There's many different
00:03:22 - options in here, but let me just focus in on what we need at
00:03:25 - the CCNA level. There, there's four different protocols, IP, TCP,
00:03:30 - UDP, and ICMP, okay?
00:03:37 - Now, TCP and UDP we already know about. Those protocols
00:03:42 - are used, you know, as a reliable connection or an unreliable
00:03:45 - connection. Things like web browsing, FTP sessions, Telnet
00:03:49 - sessions, SSH, there's all, you know, email, SMTP, they all
00:03:54 - use reliable connections. Most of our applications do. Things like
00:03:58 - voice over IP, video streaming, online games, instant messengers,
00:04:03 - those all use UDP-based communication because they're all unreliable.
00:04:07 - So, if, depending on what kind of applications
00:04:11 - we're using we could choose those protocols. But we also see
00:04:14 - ICMP.
00:04:16 - ICMP is the Internet Control Message Protocol. The, it's
00:04:21 - used for a lot of things, but the primary application you want
00:04:25 - to remember for it for the CCNA level is ping.
00:04:30 - Anytime you ping something it is using the ICMP protocol.
00:04:35 - Technically a ping is an echo and an echo reply. Think about
00:04:39 - a submarine, underneath you're going bong, sending out a sonar
00:04:43 - and you expect to hear that back to see where things are. In the
00:04:46 - same sense, the ping command sends out a message known as an
00:04:49 - ICMP echo and the device that receives it sends back an echo reply.
00:04:54 - That's technically how ping works. But ICMP is used
00:04:57 - for a lot of different things, that's, ping is I would guess
00:05:01 - the most famous of them all.
00:05:03 - Last but not least is the IP protocol. That one is used, and you can
00:05:08 - see that right here in this list, oops, right here,
00:05:12 - to encompass everything. For example, if I were to say
00:05:17 - deny TCP,
00:05:20 - then I'd only be denying TCP applications for something.
00:05:23 - Like maybe I want to deny one host from accessing another completely.
00:05:28 - If I deny TCP, that would just deny TCP applications but they'd
00:05:31 - still be able to use UDP or ICMP, things like that.
00:05:35 - If I just denied one of the other ones, you'd miss them all.
00:05:39 - IP is everything. As you can see in that description right there
00:05:42 - it says any Internet protocol is encompassed in that. So if I said
00:05:46 - deny IP, that means TCP, UDP, you know, all these.
00:05:52 - Everything is denied.
00:05:55 - So let's, let me first show you an example of that one. I'll say
00:05:59 - deny IP and it says what, what source address would you like
00:06:04 - to deny? I'll say 192.168.10.50
00:06:08 - just to pick on HostA. We will deny that address and it says what
00:06:13 - wildcard mask would you like? Well, since it's just a single host,
00:06:16 - a specific wildcard mask will work. Now, I hit the question mark and it says, okay, what,
00:06:21 - what destination do you want to deny? So I'll say the destination
00:06:25 - will be, just for this example,
00:06:29 - 192.168.3.50
00:06:32 - followed up with the wildcard mask 0.0.0.0,
00:06:36 - question mark, and now it's given me some options. Do you want to
00:06:40 - set DSCP? Do you want to check non-initial fragments? Do you want to log
00:06:45 - anytime this happens? You know, is there specific time ranges?
00:06:48 - All these options
00:06:51 - are part of the CCNP track. So we're not going to do that.
00:06:55 - You can see at the very end is return, and most, I'll tell you, most
00:06:58 - of these options are rarely used. So I'm gonna hit enter and
00:07:04 - I've now created my first extended access list. What it does, access
00:07:07 - list 150 denies this source from accessing this destination
00:07:13 - using any protocol in the TCP/IP protocol suite.
00:07:18 - Going back to that syntax I wrote up there, you know, deny, protocol,
00:07:22 - source, and destination. So I know what you're thinking. It's not too bad, right?
00:07:27 - Not too bad at all. It's not if you, if you look at it that way.
00:07:30 - But it is pretty long. And also, you know, realize that you
00:07:33 - could combine things up, you know. If we were going back here,
00:07:36 - access list 150, deny this source. I could do space question mark
00:07:40 - and I'll say, instead of putting the IP address like I did
00:07:43 - up here, I can also put, you know, host 192.168.3.50
00:07:47 - and that would do exactly the same thing.
00:07:50 - There's different ways to write it, you know. This is using a wildcard mask.
00:07:53 - This is using the host keyword. But functionally that
00:07:57 - and that are the same thing. The IP protocol is, is I would say
00:08:02 - the easiest one to permit or deny because
00:08:06 - it's just saying from this IP address to that IP address.
00:08:09 - Now, let's look at we'll say TCP. Access list 150 deny,
00:08:15 - let's do instead of IP. And remember this is just. I'm showing the
00:08:18 - syntax. I'm not looking for any specific mission here.
00:08:21 - We'll say I'm gonna deny the TCP protocol from, and we can
00:08:26 - see that same host 192.168.10.50
00:08:30 - space question mark.
00:08:33 - It says what wildcard bits, 0.0.0.0, so specifically
00:08:37 - that host. And now we'll start seeing a little bit of difference.
00:08:42 - With the TCP protocol it says, okay, well, TCP can have port
00:08:48 - numbers, meaning you might not want to deny the whole TCP
00:08:52 - protocol. You may just want to deny a certain port.
00:08:57 - Now here's the catch. If I go in here and type in deny TCP
00:09:01 - 192.168.10.50 without wildcard mask and I say,
00:09:05 - oh, oh, I only want to deny that guy from surfing the web.
00:09:09 - I could put equal to, you can see eq, match only a given port number,
00:09:16 - space question mark. And then it says, okay, well, what, what, port do you want? And it gives
00:09:19 - a lot of the common ports that people will use in here,
00:09:22 - or they can say right up top you can just type in the number.
00:09:27 - So you might say, well, I want to deny that host from using port 80,
00:09:31 - which is HTTP, web access, surfing the web. Now, there's the problem.
00:09:36 - When we type that in,
00:09:39 - we're denying this source and this source port number.
00:09:46 - It's time for a little review. Remember, when, whenever we have
00:09:50 - a computer that is surfing the Internet, you are going to,
00:09:55 - we'll say google.com. I'll just put g.com. When this computer
00:10:00 - goes out, it's going to be going to the destination port number 80
00:10:05 - which is how google.com knows that you're accessing
00:10:10 - the web services on there, not email or not anything like that,
00:10:13 - destination port number. But the computer, when you go and surf
00:10:17 - the website, generates a source port number at random, meaning
00:10:24 - Firefox or Internet Explorer or Safari. Whatever web browser you're
00:10:28 - using will automatically be assigned a port number. We'll say,
00:10:32 - and it's going to be greater than 1024,
00:10:35 - we'll say 3192, okay.
00:10:38 - So when you transmit to google.com you'll come from a
00:10:42 - source of 3192 to a destination of 80
00:10:45 - and that's how Google knows to send you to the web services.
00:10:48 - And when it sends that web page back to you, it will send to a destination
00:10:52 - of 3192 from a source of 80, and that's
00:10:56 - how your computer knows to give it to the Internet Explorer
00:10:59 - window or Firefox window because that window has been assigned
00:11:03 - for a time that specific port number.
00:11:07 - Now, rarely, if ever, will you ever know what source port number
00:11:12 - a computer is going to be generating because it's at random.
00:11:16 - So when we come back here to this syntax, this is where
00:11:19 - it's very easy to get tripped up because you type in
00:11:24 - outsource of this and we say equal to 80 but we're denying
00:11:27 - that host from using the source port of 80.
00:11:32 - Remember this host is the one surfing the web. It's never going to come
00:11:36 - from a source port of 80. It's only going to be going to
00:11:40 - a destination port of 80.
00:11:43 - So how do we fix that? Well, you can see right here I typed in deny TCP
00:11:48 - from this source IP address and now it's giving me the option to type in
00:11:51 - port numbers but I'm not going to take that option. I'm not going
00:11:55 - to put in a port number at this point. I'm just going to say the whole host,
00:11:57 - deny, you know, any source port number from accessing
00:12:02 - and now we can move on to the destination. If I'm talking about
00:12:05 - the Internet, I'll say any. Deny this source from accessing
00:12:10 - any destination using, and now I hit the question mark, and
00:12:14 - the port numbers are still there. You see that? Equal to a port number.
00:12:18 - Not equal to a port number. Less than a port number.
00:12:25 - You know, all these are port number options, but now, since we're typing
00:12:28 - it after the destination, we're talking about the destination
00:12:32 - port number. So the correct way to type in, if I was denying that host
00:12:36 - from surfing the web, I put equal to 80.
00:12:42 - Deny this protocol from this source horse, host number
00:12:46 - to this destination on the destination port number 80.
00:12:51 - Phoo, not quite as easy as the IP protocol, but that's how
00:12:57 - that, that's how you can write an extended access list.
00:13:03 - So with that in mind, what I would like to do is walk through both
00:13:08 - of these scenarios one by one and implement extended access
00:13:12 - lists in the best possible way.
00:13:14 - So Scenario 3: Use an extended access list to prevent HostA
00:13:19 - from accessing the R2 WAN link. Now when I see that, my
00:13:24 - initial thought goes to well, does that mean
00:13:27 - this IP address or does it mean the WAN link? Well, I would
00:13:33 - say it means the link, meaning prevent HostA from accessing
00:13:37 - this IP address or that IP, excuse me, that IP address, okay?
00:13:42 - So I'm going to,
00:13:46 - well, let's just clear all this off. First thing I'm going to do is go over to router three
00:13:51 - and I'm going to remove any access lists that's on there because
00:13:54 - I don't want any of those causing any confusion or conflicts
00:13:59 - with what we're about to do. We've got access list 25
00:14:02 - from the last video and 150. So I'll just do no access list 25.
00:14:07 - Wham, it's gone. No access list 150, wham, it's gone.
00:14:12 - So with, with that in place we now have no access
00:14:16 - lists created on this, this router. It's empty. And I'm going
00:14:20 - to hop over to router two to do this demonstration, to create
00:14:26 - this, this access list. Now, we'll talk about the placement of the extended
00:14:29 - access lists in a moment but let's first create it. It says prevent HostA
00:14:33 - from accessing the R2 WAN link. HostA is 192.168.10.50.
00:14:37 - The R2 WAN link is this subnet.
00:14:41 - So it, notice it didn't specify any protocol.
00:14:45 - It didn't specify anything. So I'm assuming all access from that subnet.
00:14:49 - So I'm going to jump back up here, router two,
00:14:53 - and I'm going to go into global config mode and create an access list.
00:14:57 - We'll do access lists. Let's start at the first one of the
00:15:00 - extended range, access lists 100.
00:15:03 - I'll say I want to deny the IP protocol because in my
00:15:10 - scenario it says accessing the R2 WAN link, the whole WAN link. It doesn't
00:15:14 - matter what protocol. So I'm going to say complete access. No matter what
00:15:18 - protocol they're using is going to be denied. So I'm saying deny IP
00:15:22 - from the source. We'll say from the source host
00:15:27 - 192.168.10.50. Now, you'll notice
00:15:32 - that I'm using the question mark the entire way through this
00:15:35 - access list. This is normal. Most people do use the question mark.
00:15:40 - And when you're on the CCNA exam, if certification
00:15:43 - is your focus, you will be able to use the question mark yourself
00:15:47 - in, in configuring this. So you can safely get used to it.
00:15:50 - So I'm going to say deny that host 10.50. Now I'm going to hit the question mark, and it's saying
00:15:54 - from what destination?
00:15:57 - Hmm, we'll just take a look. It says the R2 WAN link. So I have, I have
00:16:02 - two options here. I can either
00:16:06 - create one line and deny them, deny that host from that whole subnet,
00:16:10 - the 2.0 subnet, or I can put two lines in an access list
00:16:15 - and say deny it from that host and deny from that host
00:16:19 - and, and put it in two lines. Now, the best bet whenever you're considering
00:16:23 - access lists is to do it in as few lines as possible.
00:16:27 - The reason why is because the more lines your add, the more processing
00:16:30 - the router has to do. It's kind of like having a large routing
00:16:32 - table and it will slow the router down. So let's do it efficiently.
00:16:36 - Let's do it in one line. I'm going to say deny that host from accessing the destination
00:16:42 - address 192.168.2.0 with a wildcard
00:16:48 - mask 0.0.0.255
00:16:52 - which says specifically 192.168.2 denying
00:16:57 - from accessing anything that has specifically 192.168.2
00:17:00 - and I don't care what comes after that. So anything
00:17:03 - that starts with this you will be denied from.
00:17:08 - This last actually doesn't matter. So do a question mark and it says, you know,
00:17:12 - here's all your logging, time range. We're not going to use any of those options.
00:17:15 - We're just going to hit enter, okay.
00:17:19 - Now, I have to remind you the same rules apply for extended
00:17:24 - access lists as they do for standard access lists. If you have
00:17:29 - an access list with all denies it will deny everything because
00:17:33 - at the bottom of this extended access list is an invisible
00:17:36 - implicit deny. So what I would say is after we're done doing
00:17:40 - what this scenario asks for, which is denying that host from accessing that
00:17:44 - WAN link, then we should be able to go in and permit everything else.
00:17:49 - Now, you remember from our extended access list that we typed
00:17:52 - in permit any but it won't take that with an extended.
00:17:57 - We have to type in permit and then what protocol. Well, for
00:18:00 - permitting everything, it's going to be the IP protocol, and we'll put from
00:18:04 - any source to any destination.
00:18:08 - That is how you do a permit everything using extended access lists.
00:18:12 - I'm going to type in show IP access list. By the way, show IP access list
00:18:17 - and show access list do the exact same thing.
00:18:20 - So sometimes I'll use one or do the other, what's ever on my mind at the time.
00:18:23 - And I can see there is my deny from that host to that subnet,
00:18:27 - and then I'm permitting everything else. Good. So we've got
00:18:32 - the access list written that will do what it needs to do, but
00:18:36 - now we have to apply it. Hmm, think about it.
00:18:42 - If you were looking for efficiency and for completing the task,
00:18:47 - you want to make sure that you deny that host, where would
00:18:50 - you apply that access list?
00:18:54 - Option A, we can apply that access list as the host comes in.
00:18:58 - You know, remember this is on a VLAN so it's going to be coming
00:19:01 - in right here on this default gateway. That's option A that we could,
00:19:05 - we could apply it. We could apply it in the direction inbound.
00:19:09 - As that host comes in it's going to ask are you that source?
00:19:12 - Are you accessing that destination? If so, you're denied. That's our first option.
00:19:16 - Second option is we could apply it
00:19:21 - outbound right here. And as that goes out, the router two would
00:19:27 - ask are you the source? Are you trying to access that destination? If so,
00:19:30 - you are denied. So we'll call that option B. Options C, we could
00:19:35 - apply it inbound right here. So as it gets a router three it will say
00:19:40 - are you that host? Are you accessing the WAN link? If so, you are denied.
00:19:44 - You are on a certification exam. D is none of the above.
00:19:50 - What, what letter do you pick?
00:19:53 - Remember, we're after efficiency and we're after accomplishing
00:19:57 - the objective. The correct answer is A. B would
00:20:05 - accomplish the objective. It would work if I put it at B.
00:20:10 - But it would cause unnecessary processing, meaning as HostA comes
00:20:14 - into the FastEthernet 0/0 it will be able to check
00:20:18 - and say, are you this host, 10.50? The host will answer, yes, I am.
00:20:22 - The router will say, are you trying to access this destination,
00:20:26 - you know, the 2.0 subnet? And the host will answer, yes, I am.
00:20:29 - So before the router even has to allow it into itself,
00:20:34 - into that default gateway, it will say, well, since those two
00:20:37 - criteria are true, you are denied.
00:20:41 - Now, if we applied it outbound, the second option, option B, on
00:20:46 - router two, HostA would get into the router, meaning it would
00:20:50 - come in, the router would say, are you this host and are
00:20:53 - you going to this destination? The host would say yes. So it would say, okay, great,
00:20:56 - I don't have an access list here so let me look up in the routing table.
00:20:59 - Okay, it looks like you need to go out 0.0/1/0.
00:21:02 - So let's go ahead and route you over. So the packet would be moved
00:21:05 - from the Ethernet interface to the WAN interface, but before
00:21:09 - it's sent the router would say, oop, I see there is an access list
00:21:12 - outbound on that interface. Let's check you. Oh, you don't match.
00:21:16 - You will be denied and dropped. The problem is that squiggly line
00:21:19 - right there. It had to process that in order to make that determination.
00:21:23 - So now we come to the next best practice rule of Cisco.
00:21:28 - Standard access lists should be applied closest to their destination
00:21:34 - because in a standard access list, remember we're talking
00:21:36 - scenario one and two there, you can't say what they're denied from.
00:21:40 - So by putting it to a close you may deny them from too much.
00:21:45 - So you can think of it as standard, I'll just put stand
00:21:50 - equals destination.
00:21:54 - Extended, the best practice is to apply them as close as possible
00:21:59 - to the source because you can in an extended access list
00:22:04 - say what they are denied from. So if we can get, you know, if,
00:22:08 - if we could, you know, if it were possible to apply it on the switch, by golly,
00:22:12 - do it there, you know, if, if you can, because as that host is coming
00:22:16 - into that interface, we can say, are you this host? Are you trying
00:22:19 - to go there if? If you are, you're denied. You've prevented it from even being
00:22:23 - processed by the router. But applying access lists on switches
00:22:26 - is part of CCNP track. We're not going to talk about that here.
00:22:29 - But, so the closest source that we have is our router and
00:22:34 - its default gateway. So let's go back on to router two.
00:22:39 - I'll do a show IP interface brief just to verify. There is
00:22:43 - FastEthernet 0/0.1 And you know what,
00:22:46 - before I apply this access list, I want to make sure that HostA
00:22:49 - can indeed access that WAN link. Let's bring up our connection
00:22:53 - to HostA. Whoa, he's a little off there.
00:22:56 - I'm going to ping 192.168.2.1, it is replying, and 2.2.
00:23:00 - It is replying. So it is able to ping 2.1 and 2.2
00:23:05 - and why not? Let's do this. I'll also ping
00:23:09 - 3.1 because I want, oops, 3.1
00:23:13 - because I want to make sure. Sure enough we can get to 3.1 which is
00:23:16 - on the other end of the WAN connection. So what I'm going to do is
00:23:19 - go on to that router under the FastEthernet 0/0.10
00:23:23 - which is Host A's default gateway. And the same command as before,
00:23:27 - IP access group
00:23:30 - 100, the name of our access list or number, and
00:23:35 - what direction in.
00:23:38 - Now again, with extended access lists, it especially is important
00:23:42 - to hold out your arms and really determine which direction
00:23:45 - it's as that source comes in that FastEthernet 0/0.10
00:23:51 - that is going to be processed. If it were going out,
00:23:54 - if I applied it in the outbound direction, the source would be seen
00:23:58 - as if it were leaving that interface which is not true.
00:24:01 - That would probably mean it's coming from somewhere else on the network
00:24:04 - than, than that interface. So we've applied it in, right? Let's do a show
00:24:10 - access list 100. It looks like it's there. No, no
00:24:14 - packet hits yet. Let's jump back over to the host.
00:24:19 - Alright, let's do a clear screen and we'll do ping 192.168.2.1.
00:24:23 - Look at that, destination net unreachable.
00:24:28 - Ping 192.168.2.2, destination net unreachable.
00:24:32 - Reply from our router, 10.1, you are being denied.
00:24:36 - Let's jump on over to our router and hit that up arrow,
00:24:39 - and look at that. We are getting matches now on that deny
00:24:42 - to 192.168.2.0. Now, I've got a question
00:24:46 - for you.
00:24:48 - What do you think? Will HostA, we just verified HostA cannot access
00:24:52 - 2.1. It cannot access 2.2. Will HostA be able
00:24:59 - to ping 3.1 or this IP address on router three?
00:25:04 - Think about that. What do you think?
00:25:07 - Jeopardy music enters here. The answer to that question is yes.
00:25:12 - Now, wait a sec, you might be thinking. He, he is using the WAN
00:25:17 - link to get there.
00:25:20 - That's true. He is using the WAN link to get there, but the WAN link
00:25:23 - is never in a destination field of the IP header. And this
00:25:27 - is why it's so important to understand how networks communicate before
00:25:30 - you get to this point is because HostA, when it's engineering the packet,
00:25:35 - it will have some data. It will put its, you know, protocol which
00:25:38 - is TCP or UDP or ICMP, source and destination port number,
00:25:42 - source and destination IP address. If I were to ping
00:25:47 - 192.168.3.1, the source IP is 10.50
00:25:51 - which is HostA. The destination IP is 3.1.
00:25:55 - So when it comes in to router one and it looks at the access list, it's
00:25:59 - going to say, okay, are you that source, 10.50? And it says, yes, I am.
00:26:02 - And it says, are you trying to go to 2.0, the 2.0 subnet?
00:26:06 - And the host will say no, no, I'm not. I'm trying
00:26:10 - to go to 3.1. And so the router will say, okay, well,
00:26:14 - then I guess that access list does not match. I will go ahead
00:26:17 - and allow you through. So let's test it just be sure. I'm going to bring
00:26:20 - up that, that TeraTerm and you can see as of right now
00:26:23 - we've got the deny and we've got some permit traffic that has
00:26:28 - made its way through since, since I've been talking. I'll just hit it again.
00:26:32 - Some, something is going through. I'm not so sure what
00:26:35 - that is but we'll, we'll test it. I'll go to my host right here.
00:26:40 - You can see 2.1 and 2.2 are denied and I'll hit the up arrow and do 3.1, 3.1.
00:26:44 - There we go. And that is still going
00:26:49 - through successfully. We are getting replies coming back.
00:26:53 - And if I go back over to my
00:26:55 - show command I can see that the permits have been increasing
00:26:59 - because they are, they are being allowed through because of
00:27:03 - that reason I just mentioned. So scenario three, we can
00:27:08 - put a red check on that guy. We are good.
00:27:11 - Last but not least we'll hit scenario four and then I'll show you some
00:27:14 - of the tips and tactics and tricks of access lists.
00:27:19 - Scenario four says use an extended access list to prevent HostA from accessing
00:27:22 - the CBTNuggests homepage. Now, why you would ever want
00:27:27 - to do anything like that is beyond me, but we'll, we'll go ahead and
00:27:31 - do it for this example then we'll immediately remove the access list
00:27:34 - and forever revoke any such policy. So we have to prevent HostA from the
00:27:39 - CBTNuggets homepage. So immediately that triggers in my mind
00:27:43 - we're talking homepage. We're talking web access, somebody
00:27:47 - being able to access a web server that presents a homepage.
00:27:51 - So what I'm going to say in that case is that we need to deny, if we're
00:27:55 - talking in technical terms, HostA from using TCP
00:28:01 - port 80 destination port to access the CBTNuggets homepage. So now
00:28:07 - we come to a question, well, what's, what's the IP address
00:28:10 - of CBTNuggets web server? Well, let's go to our command line and we'll
00:28:15 - do a ping www.cbtnuggets.com, alright.
00:28:19 - CBTNuggets is blocking ping traffic as many websites
00:28:24 - do because that, you can actually attack websites that allow
00:28:27 - ICMP, but that is the IP address that represents the homepage.
00:28:31 - So with that IP address in our knowledge, let's go ahead and I'll
00:28:37 - just copy that to my clipboard and stick a little textbox
00:28:42 - up here.
00:28:45 - Let me just pick a font. There we go. Paste. Not that font. How about that one?
00:28:53 - That's a little better. So we'll do 126.96.36.199.
00:28:57 - I think I can read that.
00:29:00 - I can't read that. I'm going to make that a little larger.
00:29:07 - There we go. 188.8.131.52. Alright, good.
00:29:12 - So that's the IP address that we're going to be
00:29:15 - denying access to. So, you know, before we even do that, I just
00:29:19 - want to make sure that I verify that we can access the
00:29:23 - CBTNuggets web page because, you know, denying access to something
00:29:26 - you don't verify you have access to in the first place is never
00:29:28 - any good. So we'll do cbtnuggets.com, hit enter.
00:29:32 - It says transferring. Okay, sure enough there is the CBTNuggets
00:29:35 - web page. Good. So we verified that we can access it. Now, let's
00:29:40 - drop down to our router. And in this case we're also going
00:29:43 - to be on router two. Remember, denying with extended access lists should
00:29:47 - be done as close to the source as possible. So we're going to be applying
00:29:51 - it on that same interface.
00:29:54 - Now, this brings me to one of the rules of access lists. The rules
00:29:58 - of access lists is one ACL per
00:30:04 - interface, oh, I'm signing off the end here,
00:30:09 - per interface, per direction.
00:30:15 - So when we're saying I want to deny them from accessing the
00:30:20 - CBTNuggets web page, we're going to have to tack on, oops,
00:30:25 - to an existing access list that we already have there, meaning
00:30:28 - we have applied access list 100, one access list per interface
00:30:32 - to the FastEthernet 0/0.10 interface. That's
00:30:36 - our per interface, per direction inbound. We've applied it inbound
00:30:40 - and we're going to have to have that same policy. So what we're going to need
00:30:43 - to do is modify access list 100 to add this, this rule to it.
00:30:48 - So let's go ahead and go to
00:30:53 - router two. I'm going to do a show run, include lines that have access list 100 in it.
00:30:58 - That will filter my running output. Alright, so
00:31:02 - there's my config. Good.
00:31:04 - So I'm going to copy. I'm going to do a copy, open my ultra sophisticated notepad
00:31:14 - application and paste those lines in there. I'm going to back them up.
00:31:18 - Because what I'm going to do is I'm going to
00:31:21 - delete that access list, no access lists 100, and recreate it.
00:31:26 - I'm going to show you a little more efficient way of doing this in just
00:31:29 - a moment, but for now this is what we're gonna do. I'm going
00:31:32 - to go in and I see the IP address right up there. I'm going to say
00:31:35 - access list 100 deny,
00:31:40 - and then I'll come up and say, okay, what protocol? Now, whenever you're
00:31:43 - surfing the web, you're using the TCP protocol. So instead
00:31:46 - of IP, I'm going to put TCP.
00:31:49 - The source IP address will be the host, 192.168.10.50,
00:31:52 - that's our HostA,
00:31:55 - question mark, and now it's asking for port number. But remember,
00:31:59 - and I'll emphasize it again, if we put the port number right after the
00:32:03 - source host, you're going to be talking about the source port
00:32:06 - number rather than the destination. When we're surfing the web or doing
00:32:09 - most things, we're going to a destination port and the source
00:32:12 - port is pretty random. So I'm going to go in and I'm just going
00:32:16 - to keep going with the destination. Instead of saying any destination
00:32:19 - point, I don't want to deny the host from the whole Internet.
00:32:21 - I just want to deny him from the CBTNuggets web page.
00:32:23 - So I'll say I want to deny him from the destination host. You can see that's an option,
00:32:29 - single destination host, and there's the IP address above the
00:32:32 - config, 128.242, 242.116.211.
00:32:37 - So I'm denying them from accessing
00:32:41 - that specific host which is the CBTNuggets web server. Now, if I just
00:32:44 - hit enter there, I've denied too much. They will not be able
00:32:49 - to use any TCP application to access the CBTNuggets
00:32:52 - web server. And in this case it just said deny them from
00:32:55 - the homepage, not all access. So I need to specify a port number.
00:33:00 - So I'm going to hit the question mark. You see there's plenty of options.
00:33:04 - I'm going to say equal to and specify the port number 80.
00:33:09 - Now, I want to mention that when I put equal to question mark, it puts
00:33:12 - a bunch of common port numbers that are right here, well, somewhat common.
00:33:16 - It's been a long, long time since I've heard of the Gopher protocol.
00:33:19 - It was one of the original ones on the Internet.
00:33:22 - That's not around anymore but, you know, it does give you, for example,
00:33:25 - www shows HTTP port 80. So I have an option here.
00:33:31 - I can either type in equal to www, that's a valid keyword,
00:33:37 - or I could use the option at the top of this which, and just put
00:33:40 - equal to and type in the port number, 80.
00:33:43 - I usually like using the port number rather than those keywords
00:33:46 - because I forget all the keywords. It's easier for me to remember
00:33:50 - the numbers of the
00:33:52 - protocols than all those names. So I type in equal to 80, enter.
00:33:57 - Good. I'm going to type in show access list 100 and let's take a look at it.
00:34:02 - Look at what the router did. It swapped out my 80 for www.
00:34:05 - He said, oh, yeah, I'll show you. It, it knows what it is. It will do that
00:34:10 - for and that's okay. So it says deny that host from accessing
00:34:13 - that host on equal to port 80 as the destination. Now, we need
00:34:18 - add a permit in there and we also need to make sure our scenario
00:34:22 - three objectives are accomplished. So what I'm going to do is I'm going to go back
00:34:26 - to my notepad. I need to add that as my second line and that is
00:34:31 - my third. So let's copy that back to our clipboard, and in TeraTerm
00:34:36 - which is what I'm using here, we can just right-click and that
00:34:39 - will automatically paste. So I've pasted those back in there.
00:34:42 - Let me get rid of my notepad.
00:34:45 - And now, if I do a show access list 100, I can see
00:34:51 - line 10 or sequence 10 or first line is denying port 80.
00:34:55 - Second line is denying the WAN link and third line is permitting everything else.
00:35:00 - So let's test it. I'm going to go back to my web browser. Oh, wait a sec,
00:35:06 - not that one.
00:35:07 - Where am I? Here we go. Go back to my web browser. And you know what,
00:35:12 - I'm going to go in here and
00:35:17 - clear the cache. Oh, where is that? Do you know, you know what I mean
00:35:21 - by that, the cache. How do you, content, block pop-up windows.
00:35:27 - Oh, what am I thinking? Maybe security. Passwords. Oh, come on. Privacy? Privacy.
00:35:34 - Oh, there we go. How about I do this? Always clear my private data when
00:35:39 - I close Firefox. I'll clear everything. The reason I'm doing
00:35:44 - this is because I want to make sure that when I close Firefox,
00:35:47 - web browsers cache web pages, meaning this will show up again
00:35:51 - next time without having to contact CBTNuggets.
00:35:53 - I don't want it to do that. I want to make sure that it, it tries to contact
00:35:56 - CBTNuggets and it says, you know, I'm going to clear it all
00:35:59 - and I'll wipe it out. Good, wham, it's gone. Now, when I open my Firefox,
00:36:04 - there we go, we've got the Firefox start page and that's going to Google.
00:36:08 - So I know my Google access is working okay. Let's, let's
00:36:11 - try another website first. I'll do dub, dub, dub dot.
00:36:16 - See, when you want to think of a website you never can.
00:36:19 - How about ciscoblog.com.
00:36:27 - And what's happening right now is we're kind of hung here.
00:36:32 - There we go, Cisco Blog. Cisco Blog has now come up and we've, we've
00:36:36 - got access there. And before I even go to CBTNuggets,
00:36:39 - I'm going to hit the up arrow in here and see. Take a look. You see we haven't
00:36:43 - had any matches here or here but we've had 131
00:36:46 - matches on the permit because this host has been surfing
00:36:49 - the web. It took 131 packets to generate
00:36:52 - the Cisco Blog and Google homepage. So now let's do the ultimate test,
00:36:55 - www.cbtnuggets.com.
00:37:02 - Look at, I don't know if, can you see it at the bottom? It says connecting to
00:37:06 - cbtnuggets.com. I'm waiting. I'm waiting. I'm waiting.
00:37:14 - And while we're waiting, let's go ahead and come back here,
00:37:17 - hit the up arrow and do that show access list. Look at this.
00:37:21 - Look at that action. Nine matches have showed up on that statement.
00:37:24 - Let's go back. We're waiting and the connection has timed out,
00:37:28 - taking too long to respond. Frankly it's never going to be responding
00:37:31 - because it is being denied by this access list. It is no longer permitted.
00:37:36 - Excellent. Now that we've done that scenario four,
00:37:41 - we can remove that access list and never attempt such a silly,
00:37:45 - silly objective again. But that is, that is using the access
00:37:50 - list to block web access. Good. So at this point, you should
00:37:54 - have a little better idea of how to work with standard and
00:37:58 - extended access lists, just seeing those scenarios and putting
00:38:01 - them in place, seeing the general syntax of them. Practice makes perfect
00:38:05 - on those things. I would, I would say practice with yourself
00:38:08 - writing down, you know, this is something I need access to and here's
00:38:11 - how I access it. I always recommend, when somebody, whenever anybody
00:38:15 - how I access it. I always recommend, when somebody, whenever anybody
00:38:16 - should I set up a lab at home to practice this stuff? I say by all
00:38:20 - means do it. Cisco gear has become so cheap nowadays. And when
00:38:25 - I say Cisco gear, I mean stuff you can get off of eBay for
00:38:28 - practice in your own home lab. You can get a Cisco router for under
00:38:32 - 30 bucks nowadays that can route your home Internet connection.
00:38:35 - And that will give you the opportunity to go in there and try this out,
00:38:38 - come up with objectives of what you want to deny and
00:38:41 - practice using access lists because that's the only way that
00:38:44 - you'll be able to master those. Now, let me show you some cool
00:38:47 - tips and tricks of how to work with access lists.
00:38:51 - First things first, numbered access lists like we've been using
00:38:55 - all along have been
00:38:59 - enhanced in recent times by named access lists. Now, named access lists
00:39:05 - have been around for a long time but they've only recently
00:39:07 - begun to become very popular, and I'll show you a couple of features
00:39:11 - of them. Notice we've been typing in as we've been typing our access list
00:39:14 - commands access lists dah, dah, dah, dah, dah, and we type in our number. But Cisco
00:39:20 - has a nice little thing that you can do. You can type in IP
00:39:23 - access list, same, same command but look at, look at the difference.
00:39:29 - And now it comes up and says, would you like to create an extended,
00:39:32 - a standard access list, use resequencing features and, and some
00:39:36 - other things? But right here we can create our IP extended
00:39:41 - or our standard access list, same thing as the numbered but
00:39:44 - now we can specify. Let's say I want to create a extended access
00:39:48 - list since that's what we're talking about. Extended and I can type
00:39:51 - in word, meaning name. The great thing about typing in a name
00:39:55 - is you can be very descriptive in that name of what the access
00:39:58 - list does instead of just thinking, oh, yeah, access list 100,
00:40:02 - I think that's the one that denies HostA, right? Well, we can
00:40:05 - type in as the name deny HostA, nice and descriptive.
00:40:11 - Now, when I hit enter, you notice it takes me into NACL mode.
00:40:14 - That stands for named access control list. So I'm in NACL mode and
00:40:18 - now I can start adding in my permit and deny statements. I can say
00:40:21 - permit, you know, host 192.168.10.50.
00:40:25 - Same syntax as the number. It's just you don't have type in access list 100
00:40:28 - in front of everything. So permit that host
00:40:32 - to access the host. I'm just giving some examples.
00:40:37 - Oh, you know what, I forgot the protocol. Permit the IP
00:40:41 - protocol or TCP or whatever you'd like to do. Permit the,
00:40:45 - I'll just put TCP as second, you know, and permit TCP to that host,
00:40:52 - and so on. We keep adding numbers. And now when I do a show IP access list,
00:40:56 - you can see that I have access list 100 and then I have access list
00:41:00 - deny HostA. It's much more easy to remember that.
00:41:04 - Now, I will tell you functionally these are the same. They do
00:41:07 - and they, they can accomplish the same exact things. It's just this
00:41:11 - one gives a nice name along with it. Now, only from the named
00:41:16 - access list mode can you edit access lists, and this is the
00:41:21 - big feature I want to show you.
00:41:23 - All along we've seen this 10, 20, 30 next to things, 10, 20, 30.
00:41:27 - That is known as a sequence number. Only recently
00:41:31 - has Cisco been adding that feature to their access lists,
00:41:35 - and what that allows you to do is to modify access lists after
00:41:38 - you create them.
00:41:40 - Before those sequence numbers came around, the only way to modify
00:41:43 - an access list was to do what I showed you before, copy it to notepad,
00:41:47 - delete the whole thing, and then kind of modify it in notepad and
00:41:50 - paste it all back in. It's kind of a pain. So what we can do
00:41:54 - with these sequence numbers is I can make modifications. You notice,
00:41:58 - let me hit the question mark, from named access list mode, it shows
00:42:01 - I can type in permit, deny, or even type in a sequence number.
00:42:06 - So maybe I wanted to squeeze something in like, you know, as you
00:42:10 - add it just keeps adding to the bottom of this access list.
00:42:13 - But I wanted to squeeze something in between these two. So I could
00:42:16 - type in before I did my permit command sequence number 15,
00:42:20 - permit, and then same thing. We'll say TCP from the host 192.168.10.50
00:42:25 - to host
00:42:29 - 184.108.40.206.
00:42:31 - And now, when I go back and do my show command, you notice, look at that. Nice.
00:42:36 - I know, if you haven't seen access lists before, it's kind of like,
00:42:40 - oh, that's kind of cool. But I'm telling you, nice. That is such an improvement
00:42:45 - from what it used to be. And, and literally, you'd have to delete the whole
00:42:48 - thing and recreate it if you wanted to do something like that.
00:42:50 - So not only can we squeeze in but we can remove. I can say,
00:42:54 - oh, well, you know what, now that line 15 is in there,
00:42:57 - I don't want line 20.
00:43:02 - I can just type in no 20, no sequence number 20, and now when I go back you can see
00:43:06 - sequence 20 has disappeared. Nice.
00:43:09 - You know, it's, it's great. So we can modify these. And even, nowadays, we can
00:43:13 - even modify our numbered access lists but the way we do
00:43:17 - it is by, let me stop using the up arrow, I type in IP access list extended,
00:43:21 - but instead of typing in a name I can just say 100.
00:43:24 - And now I can make changes and I could say no, or most,
00:43:29 - no 20 on my access list 100. And when I do the
00:43:33 - show access list now, you can see line 20 has been removed.
00:43:37 - Pretty cool.
00:43:39 - So that is our way of modifying access lists using the named feature.
00:43:44 - Now, last but not least, what I would like to do is
00:43:48 - show you a reflexive access list.
00:43:53 - To review, what we talked about in the concepts video was maybe
00:43:58 - you wanted to create an access list that denied all Internet
00:44:01 - traffic into your organization. It's a good policy because you don't
00:44:04 - want uninvited Internet traffic to come on in. Well, if you create
00:44:08 - an access list that says deny IP any any
00:44:13 - from the Internet, you're going to deny everything including
00:44:17 - stuff that your clients were trying to get. So when you try and
00:44:20 - surf the Internet, when the response comes back, it will be denied.
00:44:24 - To fix that you can use a reflexive access list and let me
00:44:27 - show you how it works. I'm going to go on my router two, and let's, let's
00:44:31 - use a named access list since we've learned them. I'll type in IP,
00:44:35 - or actually this will be on router one. Let me jump over there.
00:44:39 - On router one I'll type in IP access list and we'll say it's extended.
00:44:43 - It must be an extended access list. And I'll say the name of that
00:44:47 - access list will be filter Internet. You see how these new names can
00:44:53 - be real nice? IP access list extended filter Internet. And under
00:44:56 - there I can say permit
00:45:01 - TCP traffic from any source to any destination, and I want to show you
00:45:05 - the keyword, established.
00:45:10 - That's it. That's a reflexive access list. Now when I come back
00:45:15 - I can go under my, let's see, what the Internet connection? Ethernet 0/1.
00:45:18 - I can go under Ethernet 0/1 on router one
00:45:23 - and type in IP access group filter Internet inbound.
00:45:28 - So what that does is under, let me jump back
00:45:37 - to the slide and diagram this out. Under Ethernet 0/1, as things are coming in,
00:45:42 - remember that direction, hold out your arms,
00:45:45 - in that interface from the Internet, it will go against that access list.
00:45:49 - Now, that access list says permit
00:45:53 - the TCP protocol from any source to any destination if it has been
00:45:56 - established. What established means is that there's been some requests
00:46:01 - from the inside that has established a TCP session with
00:46:05 - a host out here on the Internet. Once the host from the inside
00:46:09 - has established that, this host may come back in on that same
00:46:13 - response or for that same session and reply. That is known
00:46:17 - as established. If somebody else out here, we'll say this, this
00:46:22 - host, tries to come into the network but there was no established,
00:46:27 - then it's going to come on this line and, you know, the first line
00:46:29 - says permit anything that's been established. It will say, oop, sorry, you don't match
00:46:32 - because you're not established. And then the last line of that
00:46:35 - access list says deny IP any any. Remember the invisible implicit deny?
00:46:40 - So it will be automatically denied since it's not
00:46:43 - in already established connection.
00:46:47 - So that is using what's known as a reflexive access
00:46:50 - list to heavily filter your Internet connection.
00:46:54 - Whoo, I would say that is one of the most action-packed, dense
00:46:58 - videos I have ever recorded for CBTNuggets. There's more information
00:47:03 - in that video that I think I've packed into anything else. What I would
00:47:06 - recommend is extended access lists, while going through that
00:47:09 - and setting them up, it, you know, it seems only logical. It makes sense.
00:47:13 - It takes a while for it to soak in. So what I would say is
00:47:17 - it'd be good for you to try a few of these, you know, put up
00:47:20 - some objectives for yourself and to write out what you think
00:47:23 - would be a good access list to test that. I've been asked before,
00:47:26 - should I set up a home lab for the CCNA if I'm studying
00:47:29 - for that? And say if you can, by all means do it. You can get
00:47:33 - a Cisco router that's pretty good off of eBay for less than
00:47:37 - 30 bucks nowadays. They've dropped in price for some of
00:47:39 - the older ones and that's all you need to practice this, and that's
00:47:43 - I would say a great way to get some experience with extended
00:47:46 - access lists. Alright, so what we did was kind of wrapped up everything.
00:47:50 - We went through all of the standard and set up some standard access
00:47:54 - lists and the extended, and we expanded on that looking at
00:47:57 - the named access list, editing access list, and reflexive
00:48:01 - access list. The last thing I'll mention
00:48:05 - before we get into the next videos which are going to be on
00:48:08 - NAT, I did set up Internet access through router one for this video,
00:48:13 - which means I set up NAT on router one so that the host could
00:48:17 - access the Internet so we could do some cool demonstrations on
00:48:20 - blocking access. I am going to turn that off before we get into
00:48:24 - the next videos which is all about how to turn that back on
00:48:28 - because it, it seems kind of silly to get into NAT when you're
00:48:31 - thinking, but I thought you already had Internet access? We
00:48:35 - won't by the time we get into the NAT videos. So I hope this has been
00:48:39 - informative for you and I'd like to thank you for viewing.