Access Control Lists

This preview shows page 1-2 out of 7 pages.


ACLs (Access Control Lists)
• Detailed in Doyle Appendix B
• Numbered ACLs
  – 1-99 standard IP ACLs
  – 100-199 extended IP ACLs
  – (other types for other protocols we will not use, like AppleTalk, IPX, DECnet, MAC addr, etc.)
• Named ACLs (IOS 11.2 and newer)

[Figure: network diagram. Labels: INTERNET, ISP, CPE (interfaces S0 and E0), WWW, EMAIL, PC1, PC2; LAN 128.186.5.0/24 with host addresses .1, .2, .3]

Numbered Standard IP ACL
• Access-list 5 permit 128.186.0.0 0.0.255.255
• Access-list 5 permit 204.194.36.243 0.0.0.0
• Access-list 5 deny 0.0.0.0 255.255.255.255

• Access-list 5 permit 128.186.0.0 0.0.255.255
• Access-list 5 permit host 204.194.36.243
• Access-list 5 deny any

Numbered Extended IP ACL
• Access-list 103 permit tcp any any established
• Access-list 103 permit tcp any host 128.186.5.2 eq 80
• Access-list 103 permit tcp any host 128.186.5.3 eq 25
• Access-list 103 permit icmp any any
• Access-list 103 deny ip any any

Named Extended IP ACL
• ip access-list extended firewall
•  remark Allow established connections from inside
•  permit tcp any any established
•  remark Allow Internet access to WWW server
•  permit tcp any host 128.186.5.2 eq 80
•  remark Allow Internet access to Email server
•  permit tcp any host 128.186.5.3 eq 25
•  remark Allow PING, Traceroute, etc.
•  permit icmp any any
•  remark Restrict anything else
•  deny ip any any (redundant due to implicit deny any any)

Lockout Prevention
• Router#write
• Building configuration...
• [OK]
• Router#reload in 5
• Reload scheduled for 11:53:52 EST Thu Feb 3 2005 (in 5 minutes)
• Proceed with reload? [confirm]y
• Feb 3 11:48:53 EST: %SYS-5-SCHEDULED_RELOAD: Reload requested for 11:53:52
• Router#conf t
• Router(config)#ip access-list extended firewall
• Router(config-ext-nacl)#permit tcp any any established
• Router(config-ext-nacl)#permit tcp any host 128.186.5.2 eq 80
• Router(config-ext-nacl)#permit tcp any host 128.186.5.3 eq 25
• Router(config-ext-nacl)#permit icmp any any
• Router(config-ext-nacl)#int e0/0
• Router(config-if)#ip access-group firewall in
• Router(config-if)#^Z
• Router#
• Feb 3 11:50:04 EST: %SYS-5-CONFIG_I: Configured from console by console
• Router#reload cancel
• Router#
• ***
• *** --- SHUTDOWN ABORTED ---
• ***
• Feb 3 11:50:08 EST: %SYS-5-SCHEDULED_RELOAD_CANCELLED:
•  Scheduled reload cancelled at 11:50:08 EST Thu Feb 3 2005

Applying ACL to interface
• no ip access-list extended firewall
• ip access-list extended firewall
•  permit tcp any any established
•  permit tcp any host 128.186.5.2 eq 80
•  permit tcp any host 128.186.5.3 eq 25
•  permit icmp any any
• interface serial0
•  ip access-group firewall
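
Added example (not from the slides): a small Python model of how the numbered extended ACL 103 above is evaluated, covering wildcard-mask matching, the `any` and `host` shorthands from the standard ACL slide, first-match order with the implicit deny, and the flag-only check behind `established`. The function names and the outside address 198.51.100.7 used in the note below are constructed for illustration.

```python
import ipaddress

def to_int(s):
    return int(ipaddress.IPv4Address(s))

def addr_spec(tok):
    """Consume one address spec from tok; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":                       # same as 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if first == "host":                      # same as <ip> 0.0.0.0
        return to_int(tok.pop(0)), 0
    return to_int(first), to_int(tok.pop(0)) # wildcard bits set to 1 are ignored

def parse(line):
    """Parse the extended-ACL entry subset used on the slides."""
    tok = line.split()
    rule = {"action": tok.pop(0), "proto": tok.pop(0)}
    rule["src"], rule["dst"] = addr_spec(tok), addr_spec(tok)
    rule["port"] = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
    rule["est"] = "established" in tok
    return rule

def matches(spec, ip):
    base, wild = spec
    return (to_int(ip) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, dport=None, flags=()):
    """First matching entry wins; no match means the implicit deny."""
    for r in acl:
        if r["proto"] not in ("ip", proto):
            continue
        if not (matches(r["src"], src) and matches(r["dst"], dst)):
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        if r["est"] and not {"ACK", "RST"} & set(flags):
            continue                         # 'established' only checks TCP flags
        return r["action"]
    return "deny"

ACL_103 = [parse(l) for l in (               # entries copied from the slide
    "permit tcp any any established",
    "permit tcp any host 128.186.5.2 eq 80",
    "permit tcp any host 128.186.5.3 eq 25",
    "permit icmp any any",
    "deny ip any any",
)]
```

`evaluate(ACL_103, "tcp", "198.51.100.7", "128.186.5.1", 22, ["ACK"])` returns `"permit"`: `established` is a stateless check of the ACK/RST bits, not connection tracking, so it should not be the only control in front of internal hosts.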

