Standard ACL

Topology: the Internet is reached through the NAT router's f0/0 (the outside interface named in the overload command below); the inside networks 10.0.0.0/8 and 20.0.0.0/8 sit behind switch DS1 on f0/1. The slide contrasts the two jobs a standard access list can do on that router.

NAT classification: access list 1 only selects which source addresses are translated. It is referenced by the NAT statement and is not applied to any interface, so it drops nothing.

  ip nat inside source list 1 interface f0/0 overload
  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 1 permit 20.0.0.0 0.255.255.255

Filtering: access list 2 permits 10.0.0.0/8, denies 20.0.0.0/8 and is applied to an interface with ip access-group, where matching packets are dropped.

  access-list 2 permit 10.0.0.0 0.255.255.255
  access-list 2 deny 20.0.0.0 0.255.255.255
  interface f0/1
  ip access-group 2 out

Standard ACL: wildcard mask

Topology: 10.0.0.0/8 and 20.0.0.0/8 behind DS1; the server 172.16.1.1 lies beyond the NAT router, and the list is applied outbound with ip access-group 1 out. Goal: allow 10.0.0.0/8, block the three hosts 20.0.0.1, 20.0.0.2 and 20.0.0.3, allow the rest of 20.0.0.0/8.

Host by host (wildcard 0.0.0.0 = every bit must match):

  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 1 deny 20.0.0.1 0.0.0.0
  access-list 1 deny 20.0.0.2 0.0.0.0
  access-list 1 deny 20.0.0.3 0.0.0.0
  access-list 1 permit 20.0.0.0 0.255.255.255

With one wildcard entry. The three hosts differ only in the low two bits of the last octet, so a wildcard with those two bits set to 1 ("don't care") covers all of them:

  20.0.0.  0000 0001
  20.0.0.  0000 0010
  20.0.0.  0000 0011
  wildcard 0000 0011 -> 0.0.0.3

  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 1 deny 20.0.0.1 0.0.0.3
  access-list 1 permit 20.0.0.0 0.255.255.255

Caveat: 20.0.0.1 0.0.0.3 also matches 20.0.0.0. That is harmless here because 20.0.0.0 is the network address of 20.0.0.0/8, not a host. IOS clears the "don't care" bits of the address when it stores the entry, so show access-lists displays it as 20.0.0.0, wildcard bits 0.0.0.3.

Standard ACL: wildcard mask, seven consecutive hosts

Same topology (10.0.0.0/8 and 20.0.0.0/8 behind DS1, NAT router on f0/0). Goal: allow 10.0.0.0/8, block 20.0.0.1 through 20.0.0.7, allow the rest of 20.0.0.0/8.

Host by host, seven deny entries:

  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 1 deny 20.0.0.1 0.0.0.0
  access-list 1 deny 20.0.0.2 0.0.0.0
  access-list 1 deny 20.0.0.3 0.0.0.0
  access-list 1 deny 20.0.0.4 0.0.0.0
  access-list 1 deny 20.0.0.5 0.0.0.0
  access-list 1 deny 20.0.0.6 0.0.0.0
  access-list 1 deny 20.0.0.7 0.0.0.0
  access-list 1 permit 20.0.0.0 0.255.255.255

With one wildcard entry: .1 to .7 differ only in the low three bits, so the wildcard sets those three bits to 1:

  20.0.0.  0000 0001
  20.0.0.  0000 0010
  20.0.0.  0000 0011
  20.0.0.  0000 0100
  20.0.0.  0000 0101
  20.0.0.  0000 0110
  20.0.0.  0000 0111
  wildcard 0000 0111 -> 0.0.0.7

  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 1 deny 20.0.0.1 0.0.0.7
  access-list 1 permit 20.0.0.0 0.255.255.255

As on the previous slide, the entry also matches the network address 20.0.0.0, which is not a host, so nothing extra is blocked.

Standard ACL: wildcard mask, a range that is not a power of two

Same topology. Goal: allow 10.0.0.0/8, block 20.0.0.1 through 20.0.0.4, allow the rest of 20.0.0.0/8.

Host by host:

  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 1 deny 20.0.0.1 0.0.0.0
  access-list 1 deny 20.0.0.2 0.0.0.0
  access-list 1 deny 20.0.0.3 0.0.0.0
  access-list 1 deny 20.0.0.4 0.0.0.0
  access-list 1 permit 20.0.0.0 0.255.255.255

With wildcards: .4 (0000 0100) is not reachable by flipping the two low bits, and a wildcard of 0.0.0.7 would also catch .5, .6 and .7. So 0.0.0.3 covers .0 to .3 and a separate host entry covers .4:

  20.0.0.  0000 0001
  20.0.0.  0000 0010
  20.0.0.  0000 0011
  20.0.0.  0000 0100
  wildcard 0000 0011 -> 0.0.0.3 (covers .0 to .3)

  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 1 deny 20.0.0.1 0.0.0.3
  access-list 1 deny 20.0.0.4 0.0.0.0
  access-list 1 permit 20.0.0.0 0.255.255.255

Standard ACL: wildcard mask, an aligned block

Same topology. Goal: allow 10.0.0.0/8, block 20.0.0.64 through 20.0.0.67, allow the rest of 20.0.0.0/8.

Host by host:

  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 1 deny 20.0.0.64 0.0.0.0
  access-list 1 deny 20.0.0.65 0.0.0.0
  access-list 1 deny 20.0.0.66 0.0.0.0
  access-list 1 deny 20.0.0.67 0.0.0.0
  access-list 1 permit 20.0.0.0 0.255.255.255

With one wildcard entry: .64 to .67 share 0100 00 in the high bits and differ only in the low two, so 0.0.0.3 on 20.0.0.64 matches exactly those four addresses:

  20.0.0.  0100 0000
  20.0.0.  0100 0001
  20.0.0.  0100 0010
  20.0.0.  0100 0011
  wildcard 0000 0011 -> 0.0.0.3

  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 1 deny 20.0.0.64 0.0.0.3
  access-list 1 permit 20.0.0.0 0.255.255.255

This time the block starts on a multiple of four, so nothing outside .64 to .67 is matched. A single wildcard entry is exact only when the first address is aligned to the block size; otherwise it also catches the addresses below the range, as 20.0.0.1 0.0.0.3 caught 20.0.0.0 earlier.

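The four wildcard slides above follow one rule: a run of consecutive hosts fits a single entry when it starts on a multiple of a power of two, and the subnet's network address can be folded in for free because it is never a host. The Python below is an added example, not part of the slides or of any Cisco tool. It computes the minimal (address, wildcard) pairs for any host range (the slides' 20.0.0.1-3, 1-7, 1-4 and 64-67 included), implements the match test the router performs, and shows how IOS normalises 20.0.0.1 0.0.0.3 to 20.0.0.0 0.0.0.3. The `network` argument is this example's own way of expressing the "fold in the network address" trick.

```python
"""Wildcard-mask helpers for Cisco standard ACLs (added example, not from the slides).

A wildcard bit of 1 means "don't care" and 0 means "must match", so the pair
(base, wildcard) matches addr when (addr XOR base) AND NOT wildcard == 0.
"""
import ipaddress
from typing import List, Optional, Tuple


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr is matched by the ACL pair `base wildcard`."""
    care = 0xFFFFFFFF ^ to_int(wildcard)          # bits that must match
    return (to_int(addr) ^ to_int(base)) & care == 0


def normalize(base: str, wildcard: str) -> str:
    """IOS stores the base with its don't-care bits cleared: 20.0.0.1 0.0.0.3
    is kept and displayed as 20.0.0.0, wildcard bits 0.0.0.3."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return to_dotted(to_int(base) & care)


def range_to_wildcards(first: str, last: str,
                       network: Optional[str] = None) -> List[Tuple[str, str]]:
    """Decompose the inclusive range first..last into the fewest (base, wildcard)
    pairs that match exactly those addresses.

    If `network` (the subnet's network address) is given and the range starts
    right after it, the range is extended down to include it: the network
    address is not a usable host, so matching it costs nothing and usually
    saves entries (the slides' 20.0.0.1-7 becomes 20.0.0.0 0.0.0.7).
    """
    lo, hi = to_int(first), to_int(last)
    if lo > hi:
        raise ValueError("range is reversed")
    if network is not None and to_int(network) + 1 == lo:
        lo = to_int(network)
    pairs = []
    while lo <= hi:
        # Largest power-of-two block that starts at lo (aligned) and fits in the range.
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((to_dotted(lo), to_dotted(size - 1)))
        lo += size
    return pairs


def acl_lines(number: int, action: str, pairs: List[Tuple[str, str]]) -> List[str]:
    """Render (base, wildcard) pairs as numbered standard-ACL lines."""
    return [f"access-list {number} {action} {base} {wild}" for base, wild in pairs]


if __name__ == "__main__":
    for first, last in [("20.0.0.1", "20.0.0.3"), ("20.0.0.1", "20.0.0.7"),
                        ("20.0.0.1", "20.0.0.4"), ("20.0.0.64", "20.0.0.67")]:
        print(f"! deny {first}-{last}")
        for line in acl_lines(1, "deny", range_to_wildcards(first, last, network="20.0.0.0")):
            print(line)
```

Without the `network` argument the decomposition is exact, so 20.0.0.1-3 becomes two entries (host .1 and .2 with wildcard 0.0.0.1) instead of the slide's single 0.0.0.3 entry; that is the right choice when .0 really is a host, for example inside a larger supernet.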
Standard ACL: direction

Topology: 10.0.0.0/24 and 20.0.0.0/24 behind DS1; the NAT router faces the Internet on f0/0, where the diagram labels 172.16.0.2. An access list is applied to an interface in one direction, in or out, and is consulted only for packets travelling that way through that interface.

  access-list 1 permit 10.0.0.0 0.0.0.255
  access-list 1 deny any

The deny any states what the router does anyway: every access list ends with an implicit deny, so a list holding only permit entries blocks everything it does not name. Writing the deny out makes the intent visible and gives show access-lists a match counter for the dropped packets.

Standard ACL: permit/deny and the vty lines

Topology: 10.0.0.0/24 and 20.0.0.0/24 behind DS1; the NAT router reaches the Internet on f0/0. Goal: deny telnet from 20.0.0.0/24, allow everyone else.

  access-list 1 deny 20.0.0.0 0.0.0.255
  access-list 1 permit any

Applied to the interface:

  ip access-group 1 in

Applied to the vty lines:

  line vty 0 4
  access-class 1 in

The two placements are not equivalent. ip access-group on the interface filters all traffic from 20.0.0.0/24 entering that interface, not just telnet, because a standard list cannot name a port. access-class on line vty 0 4 applies the list only to sessions destined for the router's own vty lines (telnet and SSH), so 20.0.0.0/24 loses management access to the router while its transit traffic is untouched. Use the in direction: access-class 1 out would instead restrict where a user already logged in to the router may telnet to.

Standard vs Extended ACL

Standard ACL: numbers 1-99 and 1300-1999 (expanded range); matches on the source IP only.

  access-list 1 deny 20.0.0.1 0.0.0.0

Extended ACL: numbers 100-199 and 2000-2699 (expanded range); matches on protocol, source IP, destination IP and destination port.

  access-list 100 deny tcp 20.0.0.1 0.0.0.0 any eq 80
                      |   |                |   |
               Protocol   S.IP           D.IP  D.Port (eq = equal)

Protocol keywords: tcp, udp, icmp, ip (matches tcp, udp and icmp, that is any IP protocol), eigrp, ospf.

The number ranges IOS offers:

R(config)# access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <300-399>         DECnet access list
  <600-699>         Appletalk access list
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

R(config)#
Extended ACL: protecting a server

Topology: 10.0.0.0/24 and 20.0.0.0/24 behind DS1; the server 172.16.1.1 beyond the NAT router runs DNS, TFTP, HTTP, HTTPS and RDP. Goal: stop 10.0.0.0/24 from reaching the server's services while leaving its other traffic alone.

  access-list 100 deny icmp 10.0.0.0 0.0.0.255 host 172.16.1.1
  access-list 100 deny tcp 10.0.0.0 0.0.0.255 host 172.16.1.1 eq 53
  access-list 100 deny udp 10.0.0.0 0.0.0.255 host 172.16.1.1 eq 69
  access-list 100 deny tcp 10.0.0.0 0.0.0.255 host 172.16.1.1 eq 80
  access-list 100 deny tcp 10.0.0.0 0.0.0.255 host 172.16.1.1 eq 443
  access-list 100 permit ip 10.0.0.0 0.0.0.255 any

Two things to check before applying this list. The DNS entry covers tcp/53 only; ordinary DNS queries use udp/53, so a matching udp entry is needed if the intent is to block DNS. And the last entry permits only 10.0.0.0/24: there is nothing for 20.0.0.0/24, so that network falls through to the implicit deny and loses all traffic through the interface the list is applied to.

Extended ACL: one host may use RDP

Same topology and server (DNS, TFTP, HTTP, HTTPS, RDP on 172.16.1.1). Goal: only 20.0.0.1 may reach RDP (port 3389) on the server; everything else is allowed.

  access-list 100 permit udp 20.0.0.1 0.0.0.0 host 172.16.1.1 eq 3389
  access-list 100 permit tcp 20.0.0.1 0.0.0.0 host 172.16.1.1 eq 3389
  access-list 100 deny udp any host 172.16.1.1 eq 3389
  access-list 100 deny tcp any host 172.16.1.1 eq 3389
  access-list 100 permit ip any any

Order matters: the specific permits for 20.0.0.1 must precede the deny any entries, because the first matching entry decides and nothing below it is consulted. 20.0.0.1 0.0.0.0 is the same as host 20.0.0.1.

Extended ACL: web access only to the internal server

Same topology and server. Goal: 20.0.0.0/24 may use HTTP on 172.16.1.1 but no other web traffic (HTTP or HTTPS); everything else is allowed.

  access-list 100 permit tcp 20.0.0.0 0.0.0.255 host 172.16.1.1 eq 80
  access-list 100 deny tcp 20.0.0.0 0.0.0.255 any eq 80
  access-list 100 deny tcp 20.0.0.0 0.0.0.255 any eq 443
  access-list 100 permit ip any any

Note that HTTPS to 172.16.1.1 is denied as well: no permit for port 443 precedes the deny, so from 20.0.0.0/24 the server is reachable over plain HTTP only.

Extended ACL: one-way ping

Same topology; the server 172.16.1.1 runs DNS, TFTP, HTTP and HTTPS. Requirement: network 10.0.0.0/24 must not be able to ping the server, but the server must still be able to ping hosts in 10.0.0.0/24.

  access-list 100 deny icmp 10.0.0.0 0.0.0.255 host 172.16.1.1 echo
  access-list 100 permit icmp 10.0.0.0 0.0.0.255 host 172.16.1.1 echo-reply
  access-list 100 permit ip 10.0.0.0 0.0.0.255 any
  access-list 100 permit ip 20.0.0.0 0.0.0.255 any

A ping is two ICMP messages: an echo (echo-request) from the pinger and an echo-reply coming back. Dropping only echo from 10.0.0.0/24 toward the server blocks pings originated in that network, while echo-reply from 10.0.0.0/24, the answer to the server's own pings, still passes. The second entry is already covered by permit ip 10.0.0.0 0.0.0.255 any; it is kept to make the intent explicit.

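The four extended-ACL slides above, and the telnet slide before them, all rest on two facts: the first matching entry decides, and whatever matches nothing is dropped by the implicit deny. The Python below is an added example, not part of the slides or of any Cisco software: a small first-match evaluator for the access-list syntax this deck uses (standard lists, and extended entries with tcp/udp/icmp/ip, host, any, address-wildcard pairs, a destination eq port and an ICMP type word). It is loaded with the server-protection list from the first extended-ACL slide and run against a few constructed flows, which reproduces the two caveats noted there: udp/53 passes the tcp-only DNS entry, and 20.0.0.0/24 has no entry at all and is dropped.

```python
"""First-match evaluator for Cisco numbered ACL lines (added example).

Covers the syntax used in this deck: standard lists (source only) and
extended entries with tcp/udp/icmp/ip, `host`, `any`, `A W` wildcard pairs,
a destination `eq <port>` and an ICMP type word such as echo or echo-reply.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Tuple[int, int]  # (base, care): care has a 1 for every bit that must match


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_spec(t: List[str], i: int, standard: bool) -> Tuple[Spec, int]:
    """Consume one address spec at t[i]; return (spec, index after it)."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (ip_int(t[i + 1]), 0xFFFFFFFF), i + 2
    base = ip_int(t[i])
    if standard and i + 1 >= len(t):       # bare address in a standard list = host
        return (base, 0xFFFFFFFF), i + 1
    care = 0xFFFFFFFF ^ ip_int(t[i + 1])   # wildcard 1 = don't care, so invert it
    return (base & care, care), i + 2      # IOS clears the don't-care bits of the base


@dataclass
class Entry:
    action: str
    proto: str                 # "ip" for a standard list or an `ip` entry
    src: Spec
    dst: Spec                  # (0, 0) matches anything
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    text: str = ""


def parse_acl(lines: List[str]) -> List[Entry]:
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        number, action = int(t[1]), t[2]
        if number <= 99 or 1300 <= number <= 1999:        # standard range: source only
            src, _ = parse_spec(t, 3, True)
            entries.append(Entry(action, "ip", src, (0, 0), text=line))
            continue
        proto = t[3]
        src, i = parse_spec(t, 4, False)
        dst, i = parse_spec(t, i, False)
        dport = icmp_type = None
        if i < len(t):
            if t[i] == "eq":
                dport = int(t[i + 1])
            elif proto == "icmp":
                icmp_type = t[i]                           # e.g. echo, echo-reply
        entries.append(Entry(action, proto, src, dst, dport, icmp_type, line))
    return entries


def spec_matches(spec: Spec, addr: str) -> bool:
    base, care = spec
    return (ip_int(addr) ^ base) & care == 0


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None,
             icmp_type: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (action, matching line). First match wins; no match = implicit deny."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if not (spec_matches(e.src, src) and spec_matches(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action, e.text
    return "deny", None                                    # implicit deny


# The deck's server-protection list, exactly as shown (the DNS entry is tcp only).
ACL_100 = parse_acl([
    "access-list 100 deny icmp 10.0.0.0 0.0.0.255 host 172.16.1.1",
    "access-list 100 deny tcp 10.0.0.0 0.0.0.255 host 172.16.1.1 eq 53",
    "access-list 100 deny udp 10.0.0.0 0.0.0.255 host 172.16.1.1 eq 69",
    "access-list 100 deny tcp 10.0.0.0 0.0.0.255 host 172.16.1.1 eq 80",
    "access-list 100 deny tcp 10.0.0.0 0.0.0.255 host 172.16.1.1 eq 443",
    "access-list 100 permit ip 10.0.0.0 0.0.0.255 any",
])

if __name__ == "__main__":
    # Constructed flows (proto, src, dst, dport, icmp_type); not from the slides.
    for flow in [("tcp", "10.0.0.5", "172.16.1.1", 80, None),
                 ("udp", "10.0.0.5", "172.16.1.1", 53, None),   # passes: DNS entry is tcp only
                 ("icmp", "10.0.0.5", "172.16.1.1", None, "echo"),
                 ("tcp", "20.0.0.5", "8.8.8.8", 443, None)]:    # no 20.0.0.0/24 entry: dropped
        print(flow, "->", evaluate(ACL_100, *flow))
```

Feed it the other lists on these slides (the RDP list, the HTTP list, the one-way ping list, or the standard telnet list) to check an ordering before typing it into a router; the returned line shows which entry made the decision.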
Named ACL

A numbered standard list and its named equivalent:

R(config)# access-list 1 permit 20.0.0.0 0.255.255.255

R(config)# ip access-list standard ABC
R(config-std-nacl)# permit 20.0.0.0 0.255.255.255

A named extended list (the prompt changes to config-ext-nacl):

R(config)# ip access-list extended ABC
R(config-ext-nacl)# permit tcp 20.0.0.0 0.255.255.255 host 172.16.1.1 eq 23

Named ACL: removing one entry

With a numbered list:

R(config)# access-list 1 permit 10.0.1.0 0.0.0.255
R(config)# access-list 1 permit 10.0.2.0 0.0.0.255
R(config)# access-list 1 permit 10.0.3.0 0.0.0.255

R(config)# no access-list 1 permit 10.0.3.0 0.0.0.255

Caution: on a numbered list, no access-list 1 ... deletes the entire list 1, not just the entry named on the command line. An interface that still references list 1 then filters nothing, because a referenced list that does not exist permits all traffic. Either rebuild the list from scratch or edit it in named-ACL mode.

With a named list, every entry gets a sequence number (10, 20, 30, ...) and can be removed on its own:

R(config)# ip access-list standard abc
R(config-std-nacl)# permit 10.0.1.0 0.0.0.255
R(config-std-nacl)# permit 10.0.2.0 0.0.0.255
R(config-std-nacl)# permit 10.0.3.0 0.0.0.255

R(config)# ip access-list standard abc
R(config-std-nacl)# no 30

Named ACL: sequence numbers

A named list is applied to an interface the same way as a numbered one, in or out:

R(config-if)# ip access-group abc in

Entries may be given explicit sequence numbers. A new entry is inserted between existing ones by choosing a number that falls between theirs; an entry typed without a number is appended with the next multiple of 10 after the current highest:

R(config)# ip access-list standard abc
R(config-std-nacl)# 10 permit 10.0.1.0 0.0.0.255
R(config-std-nacl)# 20 permit 10.0.2.0 0.0.0.255
R(config-std-nacl)# 30 permit 10.0.3.0 0.0.0.255

R(config-std-nacl)# 15 permit 10.0.4.0 0.0.0.255
R(config-std-nacl)# 35 permit 10.0.5.0 0.0.0.255
R(config-std-nacl)# permit 10.0.6.0 0.0.0.255

R# show ip access-lists
Standard IP access list abc
    10 permit 10.0.1.0, wildcard bits 0.0.0.255
    15 permit 10.0.4.0, wildcard bits 0.0.0.255
    20 permit 10.0.2.0, wildcard bits 0.0.0.255
    30 permit 10.0.3.0, wildcard bits 0.0.0.255
    35 permit 10.0.5.0, wildcard bits 0.0.0.255
    45 permit 10.0.6.0, wildcard bits 0.0.0.255
Named ACL: editing a numbered list by sequence number

A numbered list can also be entered in named-ACL mode by giving its number as the name, which exposes sequence numbers for its entries too:

R(config)# access-list 1 permit 10.0.1.0 0.0.0.255
R(config)# access-list 1 permit 10.0.2.0 0.0.0.255
R(config)# access-list 1 permit 10.0.3.0 0.0.0.255

R(config)# ip access-list standard 1
R(config-std-nacl)# no 30
R(config-std-nacl)# no 20
R(config-std-nacl)# no 10

Each no <sequence> removes only that entry, unlike no access-list 1 at the global prompt, which removes the whole list.
