Extended access list cisco packet tracer

In the previous post, we discussed the basics of IP access lists (ACLs) and how to configure standard access lists. In this post, we will explain how to configure an Extended Access List on Cisco routers. If you have any questions about the concept of Extended ACLs, please visit the following link before starting to configure an Extended ACL.

  • Introduction to Access Control Lists [ACLs]
  1. First of all, let’s have a look at the syntax used to configure an Extended ACL on Cisco routers.
Router(config)#access-list
  2. If the preceding syntax does not help you, let’s have a look at the following syntax in detail.
  3. The following figure shows the syntax to select the action, protocol, and source address.
  4. The following figure shows the syntax to select the destination address and packet filter method.
  5. The following figure shows the syntax to select the port number.

Steps to Configure Extended ACL

Once you are familiar with the syntax used to configure an Extended ACL, let’s begin the configuration. To configure an Extended ACL, we will use the following network topology. In this example, we will deny host 10.0.0.2 access to the Web server (20.0.0.2). To do so, we need to filter the HTTP traffic (TCP port 80) coming from host 10.0.0.2.

  1. We assume that you are already familiar with how to configure TCP/IP settings and how to configure routing. If you have any problem configuring the TCP/IP settings and a routing protocol (such as RIP) for the preceding topology, the following links may help you.
  • Basic router configuration
  • How to configure RIP routing
  2. In order to prevent host 10.0.0.2 from accessing the Web server (20.0.0.2), you need to execute the following commands on Router2.
Router2(config)#access-list 150 deny tcp host 10.0.0.2 host 20.0.0.2 eq www
Router2(config)#access-list 150 permit ip any any
Router2(config)#int fa0/1
Router2(config-if)#ip access-group 150 in
Router2(config-if)#exit
Router2(config)#exit
  3. Once you have applied an ACL to the desired interface (in this case fa0/1), you can view the configured access lists by executing the following command.
Router2#show ip access-lists
  4. The following figure shows how to configure an extended ACL on a Cisco router.

Verify Access Control List Configuration

  1. To verify your configuration, open the Web browser on PC1, type http://20.0.0.2, and press Enter. You should not be able to access the Web server, as shown in the following figure.
  2. Now move on to PC2 and try to access the Web server. This time you should be able to access it.

That’s all you need to know to configure an Extended ACL on a Cisco router. In this post, we have learned how to configure an Extended ACL on Cisco routers using the numbered method. In the next post, we will learn how to configure an Extended ACL using the named ACL method. If you found this article helpful, please share it with others too. Sharing this article will not cost you anything.

In a previous lesson I covered the standard access-list; now it’s time to take a look at the extended access-list. This is the topology we’ll use:

Using the extended access-list we can create far more complex statements. Let’s say we have the following requirement:

  • Traffic from network 1.1.1.0 /24 is allowed to connect to the HTTP server on R2, but only to IP address 2.2.2.2.
  • All other traffic has to be denied.

Now we need to translate this to an extended access-list statement. Basically they look like this:

[source] + [source port] to [destination] + [destination port]

Let’s walk through the configuration together:

R2(config)#access-list 100 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

First of all we need to select a permit or deny. By the way you can also use a remark. You can use this to add a comment to your access-list statements. I’ll select the permit…

R2(config)#access-list 100 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Now we have a lot more options. Since I want something that permits HTTP traffic we’ll have to select TCP. Let’s continue:

R2(config)#access-list 100 permit tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

Now we have to select a source. I can either type in a network address with a wildcard or I can use the any or host keyword. These two keywords are “shortcuts”, let me explain:

  • If you type “0.0.0.0 255.255.255.255” you match every address. Instead of typing this we can use the any keyword.
  • If you type something like “2.2.2.2 0.0.0.0” we are matching a single IP address. Instead of typing the “0.0.0.0” wildcard we can use the keyword host.

I want to select network 1.1.1.0 /24 as the source so this is what we will do:

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

Besides selecting the source we can also select the source port number. Keep in mind that when I connect from R1 to R2’s HTTP server, my source port number will be random, so I’m not going to specify a source port number here.

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit

We will select the destination which is IP address 2.2.2.2. I could have typed “2.2.2.2 0.0.0.0” but it’s easier to use the host keyword. Besides the destination IP address we can select a destination port number with the eq keyword:

R2(config)#access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80

This will be the end result. Before we apply it to the interface I will add one useful extra statement:
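As an added example (not code from either post), here is a small Python evaluator for the numbered extended ACL statements used above, covering both the Router2 configuration (ACL 150) and the R2 statement (ACL 100): it implements the wildcard-mask matching behind the any and host shortcuts, the eq port test, top-down first-match evaluation and the implicit deny at the end, and runs the page's statements against constructed packets. The function names (to_int, parse_ace, evaluate) and the packet values are my own.

```python
# Added example (not from the page): evaluator for Cisco-style numbered extended
# ACLs; supports only the keywords this page uses (any/host/wildcard, eq PORT).
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "smtp": 25}

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(tokens):
    # 'any' is shorthand for 0.0.0.0 255.255.255.255, 'host X' for X 0.0.0.0
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]

def parse_port(tokens):
    # optional 'eq PORT' (number or name such as www); None means any port
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    # 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]'
    t = line.split()
    ace = {"action": t[2], "proto": t[3]}
    ace["src"], rest = parse_addr(t[4:])
    ace["sport"], rest = parse_port(rest)
    ace["dst"], rest = parse_addr(rest)
    ace["dport"], rest = parse_port(rest)
    return ace

def addr_matches(spec, addr):
    # wildcard bit 1 = don't care, so only the 0 bits are compared
    base, wildcard = spec
    return (to_int(addr) & ~wildcard) == (base & ~wildcard)

def evaluate(acl, proto, src, sport, dst, dport):
    # top-down, first match wins; no match falls into the implicit deny
    for ace in map(parse_ace, acl):
        if (ace["proto"] in ("ip", proto)
                and addr_matches(ace["src"], src) and addr_matches(ace["dst"], dst)
                and ace["sport"] in (None, sport) and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"

# Constructed from the two configurations discussed on this page
ACL_150 = ["access-list 150 deny tcp host 10.0.0.2 host 20.0.0.2 eq www",
           "access-list 150 permit ip any any"]
ACL_100 = ["access-list 100 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 80"]
```

Note that ACL 100 has no permit ip any any, so anything other than HTTP from 1.1.1.0/24 to 2.2.2.2 (including ICMP) falls into the implicit deny, which is the "all other traffic has to be denied" requirement above.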
