FREE VIDEO: Harden your Cisco Router with IOS ACLs

by David Davis on August 9, 2007

Recently, I created a short video that shows you how to secure your Cisco router using access control lists (ACLs) in the Cisco IOS. It is a step-by-step, ten-minute video. It was originally published over at SearchNetworking.com.

In this video, I walk you through the steps you’ll need to take to use Cisco IOS access control lists (ACLs) to define and filter traffic for better network security.

I recommend Train Signal Cisco CCNA Video Training!

Here is my network diagram:

[Figure: Hardening your Router with Cisco IOS ACLs]

Here is the actual ACL used in the video:

! SAMPLE ACL
!
! Notes:
! DNS resolution must be happening locally
! Default gateways must be configured on each side of the network
! If you were doing this between a LAN and the Internet, you would have NAT to take into account
! Reflexive access-lists or firewall features can be used to improve on this

ip access-list extended less-secure
remark allow all hosts on 10 net to access web server
permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq www
permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq 443

remark allow RESPONSE to secure PC's requests for access to web, ftp control, ftp data, smtp, and pop3 on 10 net
permit tcp 10.1.1.0 0.0.0.255 eq www host 192.168.1.201
permit tcp 10.1.1.0 0.0.0.255 eq ftp host 192.168.1.201
permit tcp 10.1.1.0 0.0.0.255 eq ftp-data host 192.168.1.201
permit tcp 10.1.1.0 0.0.0.255 eq smtp host 192.168.1.201
permit tcp 10.1.1.0 0.0.0.255 eq pop3 host 192.168.1.201

ip access-list extended more-secure
remark allow web server to respond to all hosts on 10 net
permit tcp host 192.168.1.200 eq www 10.1.1.0 0.0.0.255
permit tcp host 192.168.1.200 eq 443 10.1.1.0 0.0.0.255

remark allow PC full access to make requests to less secure network
permit tcp host 192.168.1.201 10.1.1.0 0.0.0.255

int fa4
ip access-group less-secure in

int vlan1
ip access-group more-secure in
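To make the matching rules visible, here is a small Python evaluator written for this page (it is an added example, not code from the original post and not Cisco's own code). It parses the two named ACLs above, matches packets with IOS wildcard-mask semantics (a mask bit of 1 means "don't care"), walks each list top-down, and falls through to the implicit deny that ends every IOS ACL. The port-name table covers only the names the post uses, and the sample packets are constructed for the demonstration.

```python
"""Toy evaluator for Cisco IOS extended ACLs (added example for this page).

Assumptions: only 'permit'/'deny', protocols tcp/udp/ip, address forms
'any' / 'host A.B.C.D' / 'A.B.C.D W.W.W.W', and an optional 'eq <port>'
after either address. That is enough to cover the ACL in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names used in the post's ACL (IOS accepts names or numbers).
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110}

# The two ACLs from the post, reproduced as text for the parser.
ACL_TEXT = """
ip access-list extended less-secure
 remark allow all hosts on 10 net to access web server
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq www
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.200 eq 443
 remark allow RESPONSE to secure PC's requests
 permit tcp 10.1.1.0 0.0.0.255 eq www host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq ftp host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq ftp-data host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq smtp host 192.168.1.201
 permit tcp 10.1.1.0 0.0.0.255 eq pop3 host 192.168.1.201
ip access-list extended more-secure
 remark allow web server to respond to all hosts on 10 net
 permit tcp host 192.168.1.200 eq www 10.1.1.0 0.0.0.255
 permit tcp host 192.168.1.200 eq 443 10.1.1.0 0.0.0.255
 remark allow PC full access to make requests to less secure network
 permit tcp host 192.168.1.201 10.1.1.0 0.0.0.255
"""

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: Tuple[int, int]        # (network, wildcard) as 32-bit ints
    sport: Optional[int]        # None = any source port
    dst: Tuple[int, int]
    dport: Optional[int]

def parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wc), i + 2

def parse_port(tokens, i):
    """Consume an optional 'eq <name|number>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acls(text: str) -> dict:
    """Return {acl name: [Ace, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
            continue
        if current is None or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = parse_addr(tokens, 2)
        sport, i = parse_port(tokens, i)
        dst, i = parse_addr(tokens, i)
        dport, i = parse_port(tokens, i)
        acls[current].append(Ace(action, proto, src, sport, dst, dport))
    return acls

def addr_matches(spec: Tuple[int, int], addr: str) -> bool:
    """IOS wildcard match: compare only the bits whose wildcard bit is 0."""
    net, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(acl: List[Ace], proto, src, sport, dst, dport):
    """First matching entry wins. (action, index); index None = implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if not (addr_matches(ace.src, src) and addr_matches(ace.dst, dst)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None   # the implicit 'deny ip any any' at the end of every IOS ACL

ACLS = parse_acls(ACL_TEXT)

# Constructed sample packets: (acl, proto, src, sport, dst, dport).
SAMPLES = [
    ("less-secure", "tcp", "10.1.1.25", 51000, "192.168.1.200", 80),  # web request in
    ("less-secure", "tcp", "10.1.1.25", 51000, "192.168.1.201", 22),  # SSH to the PC
    ("less-secure", "tcp", "10.1.1.9", 25, "192.168.1.201", 40000),   # SMTP reply to PC
    ("less-secure", "tcp", "172.16.0.7", 51000, "192.168.1.200", 80), # wrong source net
    ("more-secure", "tcp", "192.168.1.201", 40000, "10.1.1.9", 25),   # PC sends mail
    ("more-secure", "udp", "192.168.1.201", 40000, "10.1.1.9", 53),   # PC DNS query
]

def run_samples():
    """Evaluate every sample; returns a list of (action, matched index)."""
    return [evaluate(ACLS[name], *pkt) for name, *pkt in SAMPLES]

if __name__ == "__main__":
    for (name, *pkt), (action, idx) in zip(SAMPLES, run_samples()):
        where = "implicit deny" if idx is None else f"entry {idx}"
        print(f"{name:12} {pkt[0]:4} {pkt[1]}:{pkt[2]} -> {pkt[3]}:{pkt[4]}  {action} ({where})")
```

Two things the run makes visible. The last sample shows why the notes require DNS to resolve locally: more-secure permits only TCP from the PC, so a UDP/53 query from 192.168.1.201 drops through to the implicit deny. The third sample shows that less-secure admits replies purely on source port (anything from the 10 net with source port 25 reaches the PC), which is why the notes point at reflexive access-lists or firewall features for a real stateful check.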

Comments (8)

John 09.05.08 at 2:10 pm

Thank you for taking your valuable time to create such helpful content for those (like myself) that are new and curious to the Cisco world.

Marlon 11.09.08 at 6:52 pm

Hello,

I am new to the Cisco world. This video is very helpful and interesting, but I have a question: why doesn't your extended ACL have a line saying

deny ip any any, or something that says that any other traffic won't be allowed?

Thanks!

ahamed 01.06.09 at 12:24 pm

I am a CCNA. I visit this site to develop my knowledge. Thank you for the video. I need to download this video, because my internet connection is very slow. Help me please.
Thank you

Russell C. 08.16.09 at 5:57 pm

This is a response to Marlon's question: You don't have to put a statement like deny ip any any at the end of each list because there is an implicit deny all statement at the end of each list as long as there is at least one permit access control element (ACE) in the ACL. I hope this answers your question.

Phillip B 10.24.09 at 6:08 pm

Your video needs the ability to expand the size of the screen. Why, I cannot see a cotton pick’n thing with the screen size that small. If your videos are this way in tutorial, the student will have more trouble understanding what you typed and why….

Not all viewers have 20/20 or xray vision. 🙂

Ganesh 01.15.11 at 9:25 am

Thanks a lot for sharing the Knowledge. Keep Rocking.

JK 02.10.11 at 1:26 am

HI SIR, I AM JAMES K

I WANT TO KNOW HOW TO CONFIGURE A CISCO ROUTER, MODEL 1800
I JUST WANT THE FUNDAMENTALS

prakash 12.05.11 at 6:30 am

Hi

Thanks for the video. It is helpful to all CCNA students, including me.

Anyway, once again, thank you.
