All language subtitles for 31 - Routing - Configuring and Applying Extended Access Control Lists-eng

Well, we're building on the foundation that was laid in the last Nugget on standard access lists, enhancing it now with more capabilities in the extended world. Same story, multiple scenarios back to back to back that we're going to walk through to show examples of using extended access-lists and by doing that, solidify the concept. Same topology as before so we can focus on the access-list concept, not re-learning what the network looks like.

We've got five scenarios, three of which are on the screen right now. Number one, use an extended access-list to block 192.168.1.0/24, so these guys, from reaching 192.168.2.128/25, it's these guys. Now is it possible to do that using a standard access list? Yes, the answer is absolutely yes. However, we can be a lot more efficient and it's just the norm to be using extended access-lists for these kinds of things. Anytime you have a source and a destination or port number or anything like that, extended access-list is the way to go.

So, as a refresher, extended access-lists, they can filter based on source and destination IP, they can filter based on protocol so things such as TCP, UDP, ICMP, et cetera, et cetera, et cetera.
Those are the ones we care about in CCNA, and then port number. So, for instance TCP port 80, TCP port 25, all that kind of stuff. Now before-- I'm going to hold off. So let me do this, I'll show you kind of the base example and then I want to start talking about what are some common port numbers that you're going to run into.

So, what we're going to do is start off with the big question, where do we start off? Remember, there're two things: you configure the access list, which you can do all day without affecting anything, and then you apply the access list. That's where it goes into action. But before you can configure, you have to know where you're at. Now here's the concept. With extended access-lists, we can filter based on source and destination. So, based on this question, we need to create a statement that says deny 192.168.1.0/24 from reaching 192.168.2.128/25, right? So, put that statement in there and then we can say permit anything else. I'm just kind of pre-planning our steps with this. Now, think this through with me. If I can say deny this source from reaching that destination, where can I apply it? Well, there're actually a lot of places.
I could apply it like what we're doing with this standard access list, outbound right here, to say as they're going out that interface, check this, is it this source? Are they trying to access this? Then they will be denied. And it will work, absolutely. But follow this, I could apply it inbound right here, right? And I could-- you know, as packets are coming in, they're chugging along their way, as they get in, it's going to say, "Okay, are you this?" And they'll say, "Yes, we are, because we're coming from here." And it's going to say, "Well, are you trying to access this?" And they'll say, "Yes, we are. That's where we're going." They'll say, "Okay, well then, right here, I'm going to deny you." So just following that same logic, do you see the point here? I could apply outbound right here, I could apply inbound right here. I could apply outbound right here and I could even apply inbound right here, because even before the packets get into the router, it can, you know-- before they go any further it can say, "Are you this? Are you trying to access this? Oh, okay, then you're going to be denied." So I can even deny them right here. So then the big question is, I could apply this, how many?
One, two, three, four, five, six different places, they all work, they all accomplish the result, what's the best place to do it? Cisco would tell you, right here. Why? Because the further down the chain you apply the extended access-list, the further the traffic has to go just to find out that it's blocked. So, if I apply it right here, that means this router had to process it, waste bandwidth. This router had to process it, waste bandwidth. And it had to get here and be processed before it found out it was going to be denied. Like I said in the last Nugget, it's like that bad trip to Disneyland, we're driving all that way just to find out Disneyland is closed. So we'd rather know before we leave the house, essentially right here, that it's closed or that we're going to be denied, and that's Cisco's best practice.

With extended access-lists, the rule is to apply them as close to the source as possible. Even though it would work further away, we want to be able to-- to be as efficient in our configuration as possible, too. So, with that in mind, that's where I'm going to begin my configuration. Let's go over to router 1. So I've all the-- I was getting rid of all of the old config from the previous ones, so let's clear all that off, gone.
So, router 1, now I'm going to go-- let's start-- and I know last Nugget, we wrapped up with the named access list and we'll go there, but I'm going to start off with the traditional way, which is numbered. First off, let's do a show ip interface brief, that's just constant orientation. Okay, it's-- I, I know where I am, that's 192.168.1.1, that's right here, FastEthernet zero, serial 0 is right here. So, I'm going to create an access list. I'll do access list, question mark. Now we're going to move into the extended range. So I'm going to say extended, now you remember the syntax from the last Nugget, right? So, for instance, if I said, you know, five and I would say permit and it's like okay, what's your source? You got used to that, right? So now, when I do access list, let's go 100, I'm now in the extended range, I hit the question mark, immediately I see, there's a little difference there. There's this new word dynamic, we're actually not going to use those, but there's a new word in there. So, I already can tell that I'm moving on a little different track, so what am I doing? Denying somebody. I'm denying 192.168.1.0 from reaching the other one.
So, okay, so I'm going to say deny, question mark, and now it's like, whoa, syntax went a totally different direction. First question it's going to ask you is what protocol? What protocol? Remember, that's one of the things we can filter on. What protocol would you like to allow or deny? Key ones that we care about, ICMP, that's things like pings, echo, echo reply, unreachables, all those kinds of things. TCP and UDP and IP. So, ICMP, protocol-wise, TCP, UDP, and IP. These three we know. Those are the protocols that applications use, so what's this mysterious IP? IP is everything, like for instance, you see a whole bunch of protocols there and if I allow, you know, maybe I block TCP traffic from these, well, problem is that allows UDP to still get through. That allows, you know, ICMP or IGMP and ESP, all this other stuff can still get through 'cause there's other protocols than TCP, but if I really want to catch all of them, IP is essentially every one of these in one. It's all protocols is what it is. And that's what we want here. We said, "Block this from getting there." It didn't specify anything more so we're left to assume block, that's what it means, like deny everything, not just TCP or UDP.
So we're actually going to go in here and say, "Deny the IP protocol." Now, it'd ask the question, what source address would you like to deny from? And I'll say, "Okay, well, I'm not actually looking for everybody nor am I looking for a specific host. I've been told to block this network and that's what I'm going to do." I'm going to go in and say, "The source that I'm blocking is 192.168.1.0." And of course, it's going to say, "Okay, well, give me something more. Are you looking for just a host on there or the whole subnet?" So that's where our good old wildcard mask comes in. Remember, this is from before, this is a class C subnet mask. Flip that, completely backwards rebel land and the wild world, we flip that around 000, which says, "Look at 192, look at 168, look at 1, I don't care about that last octet." So, that can be anything. If it starts with this, they match this. They're going to be denied. So I'll say 0.0.0.255. Now, we get new options, things that we didn't see at all in the standard access list, it's saying, "Okay, now what destination would you like to refer to?" So I'm going to say, "I am blocking this source from," now I typed in the destination. Well, I'm not blocking it from everything nor a specific host. I'm blocking it from this network, right?
192.168.2.128 right here, so we'll type that in. That's, that's the network ID, 192.168.2.128, hit the question mark. Now, it says, "What's the wildcard bit?" Well, you remember, we use the custom subnet here, so wildcard bits are going to be 000 dot and how do we figure that out? Well, slash 25 in decimal is 255.255.255.128, one of those funky subnet masks. So I could either convert all these to binary and then make all the ones zeros and all the zeros ones to figure it out, or we can use that handy-dandy formula, which is to take 255.255.255 and subtract this, and that gives us 0.0.0.127 is the wildcard mask that we need to use to match that whole network. So, come in there and do 0.0.0.127. Hit the question mark, you know, things like do you want to log this enter-- entry? Are there certain types of service that you want to match? I mean, all of this goes way beyond. Types of service, DSCP, all those kinds of things, deal with quality of service. Same thing here, different quality of service tags that we can use. Don't even worry about it for now. I hit enter. We have entered our first extended access-list statement. Let's do a do show ip access-list. Right there, we've got deny this source to this destination.
Now, extended access-lists can get pretty hairy. The biggest thing that you can do is remember the three key pieces. You're going to say-- well, I'll say, you know, permit or deny, right? I guess that-- that doesn't count. Permit or deny, so you have the protocol, that's one key piece, you pick your protocol, you then have your source and you have your destination. No matter how complex, how big this thing starts getting, like we're going to start seeing over here, no matter how big this is, you're always going to break it into those three pieces, you pick what protocol it is, what your source is and what your destination is, and that makes sense when we look at this. Deny IP, that's a protocol, this is our source, this is our destination, cool?

Now, extended access-lists have the same rules as a standard: if I have a deny in there, there's the implicit deny below that, so it's going to deny everything. So what I need to do is get in here and type in, IP or-- wait, hang on, where was it? Access list 100 and I need to add a permit, so I'm going to say, you know, they're denied from that, but I'm going to permit everything else. Now, in an extended world, we have to type in permit, so when I say, "I want to permit everything else," what protocol is that? IP, right? That's everything, all protocols.
What's the source? Well, we can actually be very broad here. I can say any source to, well, what do you think? Any destination. That is your way of doing a permit all at the bottom of an extended access-list to overrule that deny everybody. So, now it's saying, "Okay, if you're this and you're trying to go to this, you will be denied." However, if you're anything else, you will be permitted, even if you're this trying to access something other than this, does that make sense?

So now, I can go in to applying it to Cisco's best practice, as close to the source as possible, so I'm going to go into FastEthernet0/0, same exact command as we saw previously, ip access-group, and we say, "Okay, well, what's the access list number or name?" And we'll say, "Access list 100," that's the one we just created, so I'm saying, "Apply this access list in the inbound direction." Again, be the router-- I'll stop drawing my long arms in a minute, but FastEthernet0/0 is over here, so I'm saying as things are coming in, in that interface, 'cause that's the interface mode I'm under right here, it's going to start going through that access list and saying, "Are you trying to get over here?
Because I'm going to deny you, otherwise, you're permitted to go through and pass out the Serial0/0 interface." So that will accomplish the goal. Let's test it. I'm going to go to PC1, that's over there on the left. No, it's right here, and let's just do a show ip interface brief, yes, that's just a little lone guy over there on the network, 192.168.1.50, that's him, so I'm going to try and ping, let's try and ping 10.1.1.1, make sure we can still get there, yup, and that-- so 10.1.1.1 you might remember is this guy, so it's going all the way across the network to here to reach it, but now let's add in, let's go a little further. Let's go to ping 192.168.2.150, which should be a forbidden IP address, and sure enough it is. So, the good news is our device is literally getting right here and being blocked. He doesn't have to travel much further like we did with the standard access list, we can't apply the standard access list any closer than out here 'cause you can't say what you're denied from, so we would always have to have all of our traffic crossing the whole network to get there. Now I'm able to go back in to my router 1, do a show ip access-list, and I can see all the matches, the things that have been denied as well as the things that are being permitted.

Okay, number two.
Block 192.168.1.50, so this guy, from reaching 192.168.2.50, so this guy, using HTTP or HTTPS. So what can we assume? Well, we'll just pretend that this guy is actually a web server that would be using those. So now is what I was holding myself back from, now is a good time to talk about common port numbers. TCP, UDP, all of the different protocols out there have specific port numbers that they use. I'm going to do TCP, UDP and I'll just put ICMP up here. The three protocols we've been talking about so far, I guess we can throw in IP, but it doesn't really have any port numbers 'cause that's everything, right? Those are the protocols that we've been talking about in the config, there are ones that you will want to know off the top of your head. TCP port 21 FTP, port 22 is SSH, TCP port 23 is Telnet, port-- you want to know port 25, which is SMTP, that's email services. You want to know, maybe 53, which is actually a DNS server, so for instance, DNS servers that have all those records like google.com really points to these IP addresses, they replicate to each other, or they can, and they use TCP port 53 to do that. Port 80, the most well-known port in the world, HTTP, port 110 POP3, that's client email. So if you're downloading email from an email server, you use POP3. On the same token, port, what is it?
143, IMAP4, which is that same thing, a client email, but instead of downloading it from the server, it leaves it on the server so that way, the client doesn't hold the email at all, it stays on the server, so IMAP4. And then the only other one that I could foresee popping up at you is port 443 and that is HTTPS or SSL. So, encrypted or secured HTTP uses that port number. Now I know, you're like, "Ooh, that's a lot of port numbers to know off the top of my head." Yes, the vast majority of them are in TCP because that's what all of our data applications use, correct? Now UDP, there are some but very few, UDP, you really only want to know port 53, which is DNS client. So when, for instance, your computer at home goes to google.com or cbtnuggets.com and tries to resolve that name to an IP address, it sends out a UDP request. It's just a-- that's the normal DNS lookup. And then port 69, which is TFTP. Our Cisco devices use that for a lot of configuration backups or upgrading the IOS software. So, those are really the only two on UDP. ICMP doesn't really use port numbers, it uses protocol numbers or protocol names, so the only two you'll want to know there is echo and echo-reply. And if you combine both of those together, what do you get? A ping.
That's when you ping something, it sends an echo and the other side sends back an echo reply, so that's how we do that. So, I would suggest, and now this is-- well, you know, I was going to say, if you're studying for the exam, but I would say real world. Yeah, I mean, you use those all the time 'cause those are the major services that you end up supporting as a Cisco firewall administrator or, you know, whatever you're doing with those, you constantly run across those services, so it's for good reason that Cisco allows those.

So, okay, now back to the objective, block 192.168.1.50 from reaching this guy, who's probably a web server, on port 80 and 443. This is going to be awesome, I just-- I paused and I was like, "I've got an idea." I want to take this opportunity to show you how to edit an access list, because see, here's the deal, we already have, in scenario one, blocked this guy from reaching out over here on everything. So now we're saying, "Okay, in addition to that, I want to block this guy, that one IP address on the network, from reaching to this guy on port 80 and 443." I know that because I, you know, just did the quick correlation, HTTP and HTTPS are there in that list. So, we've already got an access list applied inbound right here that we can edit to add those restrictions to, so let's do it. So, where am I?
Router 1, come right there, so there's our existing access list. Now you notice that we've got these sequence numbers right there. So that's going to leave us in a little bit of a pickle because if we-- yes, I did just say pickle. So if we use our normal access list command, if I say access list-- access list, you know, 100, and I keep going down and I say, you know, permit IP-- or TCP, and I start squeezing in all the stuff, it's going to keep adding on to the bottom of the list. No, no, no, I can't do that. I want to squeeze stuff in. Now, do any of you remember where we saw that little-- in the last Nugget, I hit the question mark and we saw the option to type in a sequence number? So I can say, "Well, squeeze in sequence 15 in between these two," or something like that. Remember where that was? It was in the named access list, so let's back up a little bit. If I type in-- how do we get to the named access list? ip access-list, right? And I'll say this is going to be, instead of using number 100 and all that to specify it's extended, I'm going to say, "This is an extended access list, but now, it lets me type in, oh, which one are you editing or which one are you creating?" You can do both with this command.
So we'll say extended and we'll say number 100. Now, you noticed it says, "Okay, go ahead and press Enter." Thanks, I'm now in the configuration mode, editing that access list. So now, what I can do is specify a sequence number to squeeze in the commands I'm about to do before we get to that permit ip any any. So, what do we do? Okay, so we're, first off, needing to block HTTP and then we'll block HTTPS, which will be really easy once we get the first command. First off, I'm going to say, "Okay, previously, we had sequences 10 and 20, so I need to squeeze it in," so I was saying 15, but why go right in the middle? Why not just use 11? How is that? So, sequence number 11 will add the line between 10 and 20.

It's like-- any of you-- my roots go back to the Commodore Amiga computer. That's where I really got my first taste of computing and I remember [laughs] trying to learn programming. Now this is many, many moons ago. I was much, much, much younger. And I got into BASIC programming thinking, I'm going to-- you know, what does every kid dream of when they're getting into computers, I want to be a video game programmer, right?
327 00:21:21,246 --> 00:21:24,936 And so I got in the basic and, you know, got the book and out and says, "Okay, 328 00:21:25,256 --> 00:21:29,016 type in line 10, echo, hello world." 329 00:21:29,076 --> 00:21:34,976 And then you-- so you typed that into the basic compiler 10 Echo, you know, hello world. 330 00:21:35,086 --> 00:21:40,916 And then you do a line 20, go to 10, and you run the program and you just get a screen full 331 00:21:40,916 --> 00:21:45,516 of hello world and that's about as far as I got and I'm like, "Well, that was lame. 332 00:21:45,516 --> 00:21:49,586 I'm a long way away from creating, you know, Defender of the Crown kind of games," 333 00:21:49,586 --> 00:21:52,756 [laughs] you know, like which was of course the game of the year back then. 334 00:21:52,756 --> 00:21:57,286 So, what was I talking-- so that-- so yeah, this is very similar to that. 335 00:21:57,286 --> 00:22:00,046 We just got these sequence numbers to keep everything straight. 336 00:22:00,046 --> 00:22:03,466 So, I'm going to say sequence 11 to squeeze it in there, 337 00:22:03,726 --> 00:22:05,806 now we can put it in our permit and deny statements. 338 00:22:05,836 --> 00:22:07,356 So I'm going to say, "Deny. 339 00:22:07,356 --> 00:22:12,436 We're blocking them from-- " So saying, "Deny what?" 340 00:22:12,436 --> 00:22:17,406 Well, HTTP is a TCP-based protocol, right? 341 00:22:18,386 --> 00:22:21,926 So I'm going to say "Deny TCP." 342 00:22:21,926 --> 00:22:24,346 It's the-- TCP is the protocol that I'm blocking. 343 00:22:24,516 --> 00:22:26,496 Now it's saying, "Who are you denying?" 344 00:22:26,696 --> 00:22:31,346 Well, it's nice and easy here so I can say-- well, there's two ways, I can either say host 345 00:22:31,346 --> 00:22:38,126 and type in the IP address or I can type in the IP address, let's do 192.168.1.50, right? 346 00:22:38,236 --> 00:22:40,456 The two we're-- let's squeeze this a little bit.
347 00:22:40,606 --> 00:22:46,556 The two we're blocking 192.168.1.50 from-- and then so I'll hit the question mark says, "Okay, 348 00:22:46,556 --> 00:22:48,696 what's your wildcard bits, 0.0.0.0." 349 00:22:48,696 --> 00:22:51,666 So if I would have used the host keyword, I could have skipped doing 350 00:22:51,666 --> 00:22:52,906 that 'cause it would assume that. 351 00:22:52,966 --> 00:22:56,306 So, now it's going to say, okay, what is your-- 352 00:22:56,576 --> 00:23:00,776 okay what is your-- so I've got this mouse, right? 353 00:23:00,776 --> 00:23:04,756 And the scroll-- it doesn't have a scroll wheel, it's invisible, like if you just kind of move 354 00:23:04,756 --> 00:23:08,506 over the mouse, it scrolls for you so that's why I'm doing all that time. 355 00:23:08,506 --> 00:23:15,266 So, it's saying, "Okay, this is your source now into your destination," but wait, but wait. 356 00:23:15,826 --> 00:23:19,466 This is actually a point where a lot of confusion comes in, 357 00:23:20,036 --> 00:23:22,396 because somebody hits the question mark, which we all do. 358 00:23:22,396 --> 00:23:25,336 This is-- hitting the question mark is something you always do in Cisco. 359 00:23:25,716 --> 00:23:31,046 And we see-- oh wait, wait, match packets on a port number or greater than a port number 360 00:23:31,046 --> 00:23:35,446 or less than a port number or not equal to a port number. 361 00:23:35,606 --> 00:23:37,886 That's NEQ, not equal to or range of port. 362 00:23:37,886 --> 00:23:42,086 So we're like, "Oh okay, so this is where I type in my port number, right?" 363 00:23:43,126 --> 00:23:48,506 Major area where access lists get kind of messed up and this goes back 364 00:23:48,506 --> 00:23:50,366 to what I was just showing you on the last example. 365 00:23:50,586 --> 00:23:55,476 Remember, the access list is always comprised of three main pieces.
366 00:23:55,806 --> 00:24:01,506 You say, I want to allow or deny the protocol, which we chose as TCP, the source, 367 00:24:01,506 --> 00:24:04,586 you put in your source information, then the destination. 368 00:24:05,856 --> 00:24:08,076 Now you might be saying, "Well yeah, that's what we're doing, right?" 369 00:24:08,076 --> 00:24:09,236 And we said, port 80. 370 00:24:09,236 --> 00:24:11,686 Well, if we type in the port number right here-- 371 00:24:11,686 --> 00:24:17,626 not there, right here, if we type in the port number and we say, "Okay, equal to port 80," 372 00:24:18,016 --> 00:24:22,176 then we're actually choosing the source port and that's not what we want. 373 00:24:22,376 --> 00:24:26,436 I mentioned this way early on in the series so I want to talk about it again. 374 00:24:26,656 --> 00:24:30,856 When a computer creates a connection to, well, let's just say this web server, 375 00:24:32,146 --> 00:24:34,836 it'll always create what's known as a socket 376 00:24:35,016 --> 00:24:41,476 and what a socket is-- this guy is 192.168.2.50, right? 377 00:24:41,476 --> 00:24:45,206 And this guy is 192.168.1.50. 378 00:24:45,526 --> 00:24:48,576 So a socket is when he says, "I want to talk to you, web server." 379 00:24:48,656 --> 00:24:51,076 And the web server is like, "Well, I actually do a lot of stuff. 380 00:24:51,076 --> 00:24:51,856 I'm a web server. 381 00:24:51,856 --> 00:24:52,766 I'm an email server. 382 00:24:52,906 --> 00:24:57,976 I'm a [laughs]-- like what else-- oh, I'm an online gaming server. 383 00:24:58,116 --> 00:25:02,896 I'm a database server," I mean, he's like, "So what service on me do you want to talk to? 384 00:25:03,196 --> 00:25:06,746 You can't just say you want to talk to me, you got to tell me what on me you want to talk to," 385 00:25:06,946 --> 00:25:08,556 so that's why this guy creates a socket. 386 00:25:08,556 --> 00:25:15,036 He says, "Well actually, I want to talk to you, 192.168.2.50.
387 00:25:15,036 --> 00:25:20,006 I want to talk to you on a socket of 192.168.2.50:80," 388 00:25:20,286 --> 00:25:22,386 which now when he gets that he goes, "Oh, okay. 389 00:25:22,386 --> 00:25:27,536 You're trying to access my web server," because that's assigned to port 80 on here. 390 00:25:27,866 --> 00:25:33,936 But at the same token, this guy also creates a source socket, to where he says, "Oh, 391 00:25:33,936 --> 00:25:43,526 coming from 192.168, you know, when you talk back to me, I'm coming from 192.168.1.50 colon." 392 00:25:43,766 --> 00:25:44,386 What is it? 393 00:25:44,386 --> 00:25:47,156 How's 5196? 394 00:25:47,636 --> 00:25:51,296 [laughs] We don't know because Windows makes that up. 395 00:25:51,386 --> 00:25:52,856 When I open-- you remember this? 396 00:25:52,856 --> 00:25:58,706 When I open a web browser, I open, you know, Google and go cbtnuggets.com, 397 00:25:59,306 --> 00:26:03,346 the operating system-- we did this early on, we do netstat. 398 00:26:03,696 --> 00:26:08,636 It comes in and says, okay, well, I'm creating all these little source ports, you know, 399 00:26:08,636 --> 00:26:11,786 this is my source IP address and I'm going-- 400 00:26:11,786 --> 00:26:15,196 you know, coming from this source port which identifies, you know, Google Chrome 401 00:26:15,196 --> 00:26:19,596 or whatever app and now I've got other stuff right here like wow, that's a lot of stuff. 402 00:26:19,596 --> 00:26:21,316 Well, I've got a lot of stuff running on here. 403 00:26:21,506 --> 00:26:25,506 But you know, these, I can tell you, are all related to CBT Nuggets 404 00:26:25,506 --> 00:26:31,926 because CBT Nuggets stores their data in Amazon AWS which uses EC2 services 405 00:26:31,926 --> 00:26:34,976 which is-- that's another great series. 406 00:26:35,126 --> 00:26:39,556 If you're ever interested in that, CBT Nuggets has a series on AWS, it's amazing. 407 00:26:40,496 --> 00:26:41,046 [laughs] Amazing. 
408 00:26:41,166 --> 00:26:43,046 So, moving on. 409 00:26:43,266 --> 00:26:46,556 So, this, you know, is going to be made up by the operating system. 410 00:26:46,556 --> 00:26:51,286 So if-- going back to where we're at, let's see, we were on router 1. 411 00:26:51,706 --> 00:26:57,266 If we type in equal next to the source, we're going to be saying, "I want to deny based 412 00:26:57,266 --> 00:27:00,836 on the source port number," which we don't know what that's going to be. 413 00:27:00,836 --> 00:27:04,226 We rarely if ever are going to know what the source port are going to be-- 414 00:27:04,396 --> 00:27:09,616 is going to be, so rather, I'm just going to go right into the destination. 415 00:27:09,616 --> 00:27:12,876 I'm going to say, "Okay, I've specified this. 416 00:27:13,056 --> 00:27:16,496 I've specified my source and I'm not going to specify a source port number 417 00:27:16,496 --> 00:27:17,626 because I don't know what it's going to be. 418 00:27:17,796 --> 00:27:19,386 I'm just going to move on to the destination." 419 00:27:20,026 --> 00:27:24,436 So watch this, come back here-- oh, I just pasted that in. 420 00:27:25,116 --> 00:27:27,616 And now I'm going to say, "Okay destination." 421 00:27:27,616 --> 00:27:37,526 Well, the destination host is 192.168.2.50, hit the question mark, wildcard bits 0.0.0.0. 422 00:27:38,376 --> 00:27:38,926 There we go. 423 00:27:38,926 --> 00:27:45,426 So we've got-- I'm denying a TCP from this source, no port number, to this destination, 424 00:27:45,836 --> 00:27:49,826 and now, now, we specify the port number. 425 00:27:49,826 --> 00:27:51,516 Now notice, equal to a port number. 426 00:27:51,516 --> 00:27:55,896 Now, we get a ton of other options like, you know, match flags, log, [inaudible], 427 00:27:55,896 --> 00:27:57,556 I mean, it just goes on and on and on. 428 00:27:57,556 --> 00:28:00,266 But really, the main one that we use is equal to.
429 00:28:00,506 --> 00:28:06,206 So I'm going to say, "I want to deny TCP on ports equal to and I'll hit the question mark." 430 00:28:06,206 --> 00:28:09,106 I know I'm reaching the edge of my screen there-- equal to-- 431 00:28:09,106 --> 00:28:14,386 and now look at this Cisco says, "You can just type in the port number which I prefer." 432 00:28:14,806 --> 00:28:17,896 You can just type it in right there and we'll take whatever port number you specify 433 00:28:17,896 --> 00:28:22,036 or Cisco's like, "I know sometimes you forget a lot of the common port numbers 434 00:28:22,036 --> 00:28:28,006 so we created a list of-- and I'm putting in quotes, "common" port numbers 435 00:28:28,156 --> 00:28:31,296 that we haven't updated since 1985. 436 00:28:31,296 --> 00:28:33,946 I mean, it's like seriously, this-- I mean, look at this list. 437 00:28:33,946 --> 00:28:34,946 I mean, gopher. 438 00:28:35,216 --> 00:28:40,086 Does anyone remember Windows 3.1, where you had the original like a little gopher-- 439 00:28:40,086 --> 00:28:45,016 it had little teeth that-- it was like-- it was FTP before there was FDS. 440 00:28:45,016 --> 00:28:50,106 So, I mean, if you want to remember this archaic list, then go for it, but I'm telling you, 441 00:28:50,106 --> 00:28:52,736 just stick to the port number, you know. 442 00:28:52,816 --> 00:28:55,566 So let's go on, so you can see the list. 443 00:28:55,566 --> 00:28:56,626 Now, notice this. 444 00:28:57,046 --> 00:28:59,366 It's not even HTTP that they chose as the name. 445 00:28:59,366 --> 00:29:03,266 They said www which again, it's been that way since long, long ago. 446 00:29:03,266 --> 00:29:07,196 So, we'll just put equal to 80, how about that? 447 00:29:07,196 --> 00:29:09,316 Whoa, you see what just happened there? 448 00:29:09,426 --> 00:29:11,516 It just kind of scooted over and put a dollar sign.
449 00:29:11,826 --> 00:29:16,626 Remember way early on in the series, I said, if you ever type a line that's really long, 450 00:29:16,966 --> 00:29:20,556 the IOS is like, "Okay, I'm going to put a dollar sign representing 451 00:29:20,556 --> 00:29:22,056 that you've reached the end of that line." 452 00:29:22,056 --> 00:29:25,666 So-- or I should say, there's more to the left here 453 00:29:25,666 --> 00:29:28,116 so you can scroll back to see the entire thing. 454 00:29:28,116 --> 00:29:32,406 So, I'll hit the enter key and now I've got it in there. 455 00:29:32,606 --> 00:29:33,666 Now watch this. 456 00:29:33,666 --> 00:29:38,356 I'm going to do a show ip access list so we can verify that command. 457 00:29:38,666 --> 00:29:43,306 So notice, first off, sequence 11 so it squeezed it in between 10 and 20, that was successful. 458 00:29:43,566 --> 00:29:46,886 Notice as well that the Cisco IOS recognizes, it goes, "Oh, 459 00:29:46,886 --> 00:29:48,526 you're using a wildcard mask of all zeros. 460 00:29:48,526 --> 00:29:51,816 Tell you what, how about we make that a host?" 461 00:29:51,986 --> 00:29:54,676 So, remember, I said you can type it one or two ways. 462 00:29:54,846 --> 00:29:58,186 Well, you can, but the Cisco IOS is like, "I prefer this way. 463 00:29:58,186 --> 00:29:59,616 It's a little prettier that way." 464 00:29:59,616 --> 00:30:00,146 So let's do that. 465 00:30:00,146 --> 00:30:00,976 So it converts it back for you. 466 00:30:01,046 --> 00:30:06,386 And also notice, it recognized port 80, he goes, "Oh, well, you really mean www." 467 00:30:06,506 --> 00:30:08,286 Does that mean that we have to know that? 468 00:30:08,846 --> 00:30:10,846 No, it just means that, you know, there's a-- 469 00:30:10,846 --> 00:30:15,756 you know, the IOS does a lot of stuff behind the scenes and that's fine. 470 00:30:15,756 --> 00:30:16,816 We'll let it do that.
471 00:30:16,816 --> 00:30:23,926 So, that now allows or I should say denies TCP from this source, on any source port number, 472 00:30:24,186 --> 00:30:27,656 to this host using the destinate-- remember, when we're talking about socket. 473 00:30:27,656 --> 00:30:31,176 This is a destination port number, destination port of 80. 474 00:30:31,256 --> 00:30:32,836 Now, what about HTTPS? 475 00:30:33,076 --> 00:30:34,776 That is just an up arrow away. 476 00:30:34,776 --> 00:30:39,356 I hit the up arrow and say, okay, well-- actually, I'll go back to the beginning and say, 477 00:30:39,356 --> 00:30:41,656 "This will be line 12, sequence 12." 478 00:30:41,996 --> 00:30:46,146 Otherwise, it will-- but you may go, "Well, what happens if you put 11?" 479 00:30:46,146 --> 00:30:49,676 Some IOS versions, it'll squeeze it in and bump the other one down. 480 00:30:49,816 --> 00:30:53,376 A lot of other ones will say, it will either overwrite it or it will-- 481 00:30:53,376 --> 00:30:57,486 it's IOS dependent or it will just say, "Sorry, there's something else at sequence 11. 482 00:30:57,686 --> 00:30:59,226 You can't create it there." 483 00:30:59,226 --> 00:31:02,896 So it's usually best just, you know, don't try and figure out which you got. 484 00:31:02,896 --> 00:31:04,996 Just go in and specify a unique sequence number. 485 00:31:05,126 --> 00:31:07,576 So I'll put 443. 486 00:31:07,576 --> 00:31:08,666 That's HTTPS. 487 00:31:08,666 --> 00:31:09,676 Hit the up arrow. 488 00:31:09,996 --> 00:31:16,506 With that, we've now got two lines in there that are denying or saying, "Deny this source host 489 00:31:16,506 --> 00:31:20,196 to this destination host on this destination port for both of them." 490 00:31:20,196 --> 00:31:21,126 Okay. Great. 491 00:31:21,296 --> 00:31:24,166 Now this-- so we edited the existing access list. 492 00:31:24,166 --> 00:31:27,206 The beauty is it's still applied to the interface.
493 00:31:27,446 --> 00:31:31,216 So I still have the ability to go in there and test it. 494 00:31:31,216 --> 00:31:33,056 I don't have to reapply it or anything like that. 495 00:31:33,056 --> 00:31:34,326 Now, you've got to be careful. 496 00:31:34,326 --> 00:31:37,916 It's a little dangerous 'cause these commands are going into action right away. 497 00:31:38,166 --> 00:31:43,506 So if you mess up, it's not like, "Oh, whoops," you know, like this is, while it's-- 498 00:31:43,506 --> 00:31:47,426 well, the router is working, so these are immediately active when you press the enter key. 499 00:31:47,426 --> 00:31:48,096 So let's test it. 500 00:31:48,216 --> 00:31:49,526 How do I test this? 501 00:31:50,426 --> 00:31:56,036 Okay. One way that we can test access lists, now obviously this is a router that's simulating 502 00:31:56,036 --> 00:32:00,566 as if I was a PC and does a very good job at that, but there's no web browser on here. 503 00:32:00,566 --> 00:32:07,386 So I can't open a website and test it there and nor is this device really a web server. 504 00:32:07,386 --> 00:32:11,676 But one of the things I can do is use the Telnet command to test. 505 00:32:11,726 --> 00:32:15,956 I might say, well, Telnet-- wait a sec, that uses port 23. 506 00:32:16,326 --> 00:32:18,516 It does, but watch this. 507 00:32:18,516 --> 00:32:26,286 I'm going to type in Telnet 192.168.2.50 and I'm going to follow up here 508 00:32:26,286 --> 00:32:29,956 and see that it gives me the option to type a port number. 509 00:32:30,526 --> 00:32:34,646 So, I can say, well Telnet-- if I just hit the enter key, it will Telnet and I can say, "Oh, 510 00:32:34,646 --> 00:32:36,176 hey, I can Telnet to that device. 511 00:32:36,176 --> 00:32:36,856 That's great." 512 00:32:36,856 --> 00:32:38,606 Okay. So I'm going to get past that.
513 00:32:38,606 --> 00:32:42,686 So that verifies to me that port 23 is working, but when I go back and I'll say, "Well, 514 00:32:42,686 --> 00:32:44,916 I want to specify Telnet to port 80." 515 00:32:45,076 --> 00:32:46,626 It immediately comes back. 516 00:32:46,626 --> 00:32:47,636 It's like, deny. 517 00:32:47,636 --> 00:32:48,426 Now, okay. 518 00:32:48,906 --> 00:32:52,836 Did that happen because this guy isn't running a web server or did it happen 519 00:32:52,836 --> 00:32:54,936 because the access list really did block that? 520 00:32:55,356 --> 00:32:56,406 Well, how do you think we can see? 521 00:32:56,936 --> 00:32:58,796 Go to router 1. 522 00:32:59,966 --> 00:33:02,556 Hit the up arrow and see did we have any hits? 523 00:33:02,986 --> 00:33:04,376 And we did. 524 00:33:04,376 --> 00:33:11,256 Essentially, PC1 sent three attempts to try and open that www port, it tried to get there 525 00:33:11,446 --> 00:33:13,076 and the router was like, "You're denied. 526 00:33:13,076 --> 00:33:13,646 You're denied. 527 00:33:13,646 --> 00:33:14,106 You're denied." 528 00:33:14,106 --> 00:33:17,656 So, okay let's try this, let's hit the up arrow and try 443. 529 00:33:17,856 --> 00:33:20,086 Hit the up arrow. 530 00:33:20,086 --> 00:33:20,956 Look at that. 531 00:33:20,956 --> 00:33:22,376 Now we have three matches on that. 532 00:33:22,376 --> 00:33:26,426 So that will-- I mean, without actually having a computer with a web server to-- 533 00:33:26,426 --> 00:33:30,266 or a web server setup and a web client to test, what a great-- 534 00:33:30,266 --> 00:33:32,186 and by the way, everybody does this. 535 00:33:32,186 --> 00:33:37,816 This is a very common thing in the real realm of Cisco that you're constantly using Telnet 536 00:33:38,016 --> 00:33:41,516 to really test if your port restrictions are working or not. 537 00:33:41,606 --> 00:33:44,066 In this case, we can see they are working like a gem. 
538 00:33:45,286 --> 00:33:51,876 Now, I'd like you to pause the Nugget and see if you can do number 3 on your own. 539 00:33:51,876 --> 00:33:56,306 Even if you don't have a Cisco IOS in front of you, whether it's GNS3 or a real router, 540 00:33:56,506 --> 00:33:58,296 still just write it down on paper. 541 00:33:58,426 --> 00:34:01,286 That's where you really get used to the syntax. 542 00:34:01,336 --> 00:34:04,016 Write it down and see if you can figure out the commands that you would use. 543 00:34:04,016 --> 00:34:06,926 Now, I will tell you, it's a little challenging. 544 00:34:06,926 --> 00:34:10,626 It goes a little different mindset than what we've done so far. 545 00:34:11,026 --> 00:34:13,326 Okay. So pause and let's do it. 546 00:34:13,326 --> 00:34:19,136 Okay, so permit 192.168.2.0 to access 10.1.1.1. 547 00:34:19,136 --> 00:34:20,026 Let's identify the players. 548 00:34:20,026 --> 00:34:27,436 So I'm saying, permit this whole subnet, 192.168.2.0 that's the network ID slash 25. 549 00:34:27,466 --> 00:34:30,416 So that whole subnet and we figured that out in the last Nugget, 550 00:34:30,416 --> 00:34:36,336 that's really 192.168.2.0 through 127. 551 00:34:36,616 --> 00:34:38,606 This being the broadcast, that being the network. 552 00:34:38,606 --> 00:34:42,226 So, you know, that first one is usable when all the-- we figured out the range for that. 553 00:34:42,226 --> 00:34:48,666 So we're saying that whole range can access this guy only using Telnet and SSH. 554 00:34:49,006 --> 00:34:51,406 Now, again, this IP address right here, okay? 555 00:34:51,696 --> 00:34:52,986 So, where are we at? 556 00:34:53,366 --> 00:34:56,586 Most efficient close to the source as possible is going to be router 2. 557 00:34:56,906 --> 00:35:04,776 Okay? So, I'm going to go in router 2 and let's just clear the screen from the previous Nuggets. 558 00:35:04,776 --> 00:35:06,876 So let's clear the screen off that.
559 00:35:07,146 --> 00:35:11,526 Router 2, and I'm going to shrink this down just so we can keep things in front of us. 560 00:35:12,026 --> 00:35:12,396 All right. 561 00:35:12,396 --> 00:35:17,516 So, I've got permit 192.168.2-- there we go. 562 00:35:17,516 --> 00:35:18,176 How about right here? 563 00:35:18,176 --> 00:35:22,056 Permit 192.168.2.0 to access it. 564 00:35:22,056 --> 00:35:28,746 So I'm going to go in and let's use this opportunity, use a named access list. 565 00:35:28,746 --> 00:35:29,846 Again, you can use number. 566 00:35:29,846 --> 00:35:33,366 That's fine if you did this beforehand, but I'm going to use a named one 'cause it kind 567 00:35:33,366 --> 00:35:35,196 of gets you experience with that side as well. 568 00:35:35,596 --> 00:35:40,376 Anytime you want to use a named access list, it is ip access-list 569 00:35:40,526 --> 00:35:41,426 and then we hit the question mark. 570 00:35:41,426 --> 00:35:42,086 We say, "Okay. 571 00:35:42,086 --> 00:35:43,246 Extended." 572 00:35:43,366 --> 00:35:44,686 We're in the extended world now. 573 00:35:44,986 --> 00:35:46,676 And what name do you want to do? 574 00:35:46,776 --> 00:35:55,836 We'll just say, let's just say, R3 Telnet SSH, how is that? 575 00:35:56,596 --> 00:35:58,626 Just a unique name. 576 00:35:59,666 --> 00:36:04,126 Okay, so I'm going to come in here and do a permit. 577 00:36:04,786 --> 00:36:07,426 Now again, we could specify sequence numbers and all that, but I'm-- 578 00:36:07,426 --> 00:36:11,036 this is a new access-list so I'm just going to let it kind of generate those for me. 579 00:36:11,036 --> 00:36:21,816 So I'll do permit and we're going to say the protocol, so we'll say, TCP as the protocol. 580 00:36:21,816 --> 00:36:25,566 Permit TCP 'cause Telnet and SSH are both TCP based. 581 00:36:25,566 --> 00:36:27,106 That's port 22 and port 23.
582 00:36:27,106 --> 00:36:35,926 So permit TCP from the source of 192.168.2.0 with a wildcard mask and you know, 583 00:36:35,926 --> 00:36:37,246 we've figured this out a couple of times. 584 00:36:37,246 --> 00:36:43,806 It's actually 0.0.0.127 is that custom wildcard mask for the slash 25, right? 585 00:36:43,806 --> 00:36:49,926 So that is what-- that's how the router knows its-- all of these IP addresses, 0 through 127. 586 00:36:49,926 --> 00:36:50,926 So, I'll hit the question mark. 587 00:36:50,926 --> 00:36:51,546 It says, "Okay. 588 00:36:51,726 --> 00:36:54,956 You can either type in a destination address or put in port numbers." 589 00:36:54,956 --> 00:36:57,076 Now, again, we're not going to make that mistake. 590 00:36:57,396 --> 00:37:01,076 If we type in a port number here, it's the source port number and we're not doing that. 591 00:37:01,076 --> 00:37:05,386 We don't-- we're caring if it's going to the Telnet and SSH protocol. 592 00:37:05,386 --> 00:37:10,546 It's going to this device on port 22 or 23 not coming from port 22 or 23. 593 00:37:10,776 --> 00:37:22,946 So I'm going to say, it's going to the host 10.1.1.1 'cause we're only permitting access 594 00:37:22,946 --> 00:37:24,996 to this one using those port numbers. 595 00:37:25,636 --> 00:37:27,746 So, let me-- now, okay. 596 00:37:27,746 --> 00:37:32,866 So we've got the source so this is the source information, this is the destination 597 00:37:32,866 --> 00:37:34,416 and now we can put in the port number. 598 00:37:34,416 --> 00:37:36,156 So I'll say equal to. 599 00:37:36,156 --> 00:37:39,286 Oh, there's another way I could do this, but I'm not going to do that yet. 600 00:37:39,456 --> 00:37:42,626 So, we're going to say equal to 22, enter. 601 00:37:43,376 --> 00:37:45,706 And then I'm just-- I mean, now it's easy. 602 00:37:45,706 --> 00:37:47,756 I hit the up arrow and say equal to 23. 603 00:37:48,036 --> 00:37:51,756 That is SSH, that's port 22, and Telnet is port 23. 
604 00:37:52,716 --> 00:37:56,726 Now, what I was brainstorming is I was saying you could also come in here. 605 00:37:56,916 --> 00:37:58,456 I mean, the options are endless. 606 00:37:58,456 --> 00:38:00,376 I could type in-- not reflect. 607 00:38:00,576 --> 00:38:08,406 I could type in reflect, but I'm going to say range and I could say 22 to 23. 608 00:38:09,016 --> 00:38:11,816 That would do it in one line if you want doing an access-list. 609 00:38:11,816 --> 00:38:16,446 So, it's saying both of those port numbers from-- or I could do 22 through 1024. 610 00:38:16,446 --> 00:38:19,136 I mean, you can put in whatever is the end port. 611 00:38:19,136 --> 00:38:23,266 So that would be another option, but we're not doing that. 612 00:38:23,436 --> 00:38:24,776 So, delete list. 613 00:38:24,776 --> 00:38:29,596 Okay. So let's do a show ip access list on the source. 614 00:38:29,596 --> 00:38:31,846 So we've got-- okay, the core of this is done. 615 00:38:32,066 --> 00:38:35,726 We're permitting this and this. 616 00:38:36,496 --> 00:38:39,116 And so initially, like, okay. 617 00:38:39,116 --> 00:38:39,956 I think we're good. 618 00:38:39,956 --> 00:38:41,186 We can apply it, right? 619 00:38:41,696 --> 00:38:45,476 No. Because what that will do is that says, "Okay. 620 00:38:45,476 --> 00:38:49,496 You're permitted to access this on port 22 and 23, 621 00:38:49,716 --> 00:38:52,856 but everything else hits the implicit deny, right?" 622 00:38:53,306 --> 00:38:54,576 And that would say, "Okay. 623 00:38:54,576 --> 00:38:56,516 I can't access anything over here. 624 00:38:56,516 --> 00:38:57,556 I can't get to this guy." 625 00:38:57,556 --> 00:39:02,196 I mean, so you might-- you know, this was said, only block access to that, 626 00:39:02,606 --> 00:39:04,896 not all of the other pieces that are in here. 627 00:39:04,896 --> 00:39:08,286 So, we've got to be a little more-- do a little more than that.
628 00:39:08,376 --> 00:39:11,716 So I'm going to come back here and we're going to say, okay, so, 629 00:39:11,716 --> 00:39:15,096 I need to say these two are permitted. 630 00:39:15,096 --> 00:39:20,746 Everything else to this guy has to be denied to that IP address 'cause it says only 631 00:39:20,746 --> 00:39:23,286 as it tells us, but then I need to permit everything else, right? 632 00:39:23,426 --> 00:39:26,816 Everything else should be allowed and that's exactly what we'll do. 633 00:39:27,076 --> 00:39:27,996 So come back in here. 634 00:39:28,776 --> 00:39:34,366 I'm still in the named access list so I'm going to say, deny, with caps lock, with authority. 635 00:39:34,706 --> 00:39:40,056 Deny and I'll say-- and this is a very common mistake, it's easy to say, TCP. 636 00:39:40,056 --> 00:39:42,596 You know, just kind of copy and paste this whole thing again. 637 00:39:42,836 --> 00:39:44,936 But remember, TCP is just TCP. 638 00:39:44,936 --> 00:39:47,926 There's all kinds of other stuff so I'm going to say, deny IP. 639 00:39:47,926 --> 00:39:54,016 So everything else from-- now we can copy-paste actually this whole thing, 640 00:39:55,286 --> 00:40:01,976 everything else from this source to this destination is now denied, right? 641 00:40:02,046 --> 00:40:03,936 So, hang on, let's look at the access list now. 642 00:40:04,216 --> 00:40:09,606 It says, "Okay, this is allowed so I can SSH, I can Telnet," then everything else 643 00:40:09,606 --> 00:40:16,286 from this source to this destination is now denied, which is achieving our goal, but then-- 644 00:40:16,446 --> 00:40:23,076 but I want to say, but beyond that, everything else is allowed, how do I do that? 645 00:40:23,076 --> 00:40:23,476 Permit IP. 646 00:40:23,476 --> 00:40:27,716 [laughs] I was thinking I was like, "I think I forgot." 647 00:40:27,836 --> 00:40:29,156 Permit IP any any. 648 00:40:29,156 --> 00:40:32,316 So now, that allows everything else.
649 00:40:32,736 --> 00:40:36,626 So, here's what I want to-- here's a couple of things. 650 00:40:36,626 --> 00:40:42,776 So, okay-- so, let me finish the config and then we'll expound on it. 651 00:40:42,776 --> 00:40:45,796 So now I want to go in to interface Serial0/1, right? 652 00:40:46,176 --> 00:40:51,326 Now, this is going to be where we apply it as things are going out of that interface. 653 00:40:51,326 --> 00:40:54,496 Ooh, is that the most efficient? 654 00:40:54,496 --> 00:40:55,056 Actually, no. 655 00:40:56,156 --> 00:40:57,916 Man, I almost busted myself. 656 00:40:58,126 --> 00:41:00,806 The most efficient would be inbound right here. 657 00:41:01,116 --> 00:41:05,196 This is really efficient, you could say as it's coming out this interface 658 00:41:05,226 --> 00:41:09,176 but you could be even-- you could-- but the router would then have to accept it, process it, 659 00:41:09,176 --> 00:41:10,826 and get it to here just to find it was denied. 660 00:41:10,826 --> 00:41:15,556 So, we can even save a couple more processor nanocycles by saying, you know, 661 00:41:15,556 --> 00:41:20,496 as it comes in right here, I want to say, "Are you going right here, using anything other 662 00:41:20,496 --> 00:41:22,226 than Telnet and SSH 'cause you're going to be denied." 663 00:41:22,266 --> 00:41:24,636 So, this will be our good application point. 664 00:41:24,636 --> 00:41:30,736 So, I'm going to go into not serial-- FastEthernet0/0 and I'll do IP access-- 665 00:41:30,876 --> 00:41:38,726 write that down, IP access group R3 Telnet SSH in. 666 00:41:40,336 --> 00:41:44,266 Ooh, we've now applied that in the inbound direction. 667 00:41:44,766 --> 00:41:49,466 Okay, so here's something-- I want to show you something that I find a lot 668 00:41:49,466 --> 00:41:53,516 of folks get stuck on, I got stuck on it when I first learned access list. 669 00:41:53,516 --> 00:41:58,136 So, I know a lot of people run into this as well 'cause as I see it. 
670 00:41:58,136 --> 00:42:05,876 So, we just said, deny everything to 10.1.1.1, right? 671 00:42:05,876 --> 00:42:08,896 Except for-- yeah, I know-- I know except for port 22 and 23, 672 00:42:09,126 --> 00:42:11,796 that's permitted, that's Telnet and SSH. 673 00:42:11,796 --> 00:42:18,226 So the question is, if everything is denied right here, can this host still make it 674 00:42:18,226 --> 00:42:20,816 through here and access that guy? 675 00:42:21,736 --> 00:42:27,696 You know, option A, yes, option B-- you know, here's your exam, no, 676 00:42:27,856 --> 00:42:31,036 option C none of the above, whatever, you know, 677 00:42:31,036 --> 00:42:33,846 this would be a good exam question, will it make it through? 678 00:42:34,416 --> 00:42:39,706 The answer is actually absolutely yes, no problem, because remember, 679 00:42:39,846 --> 00:42:51,096 this guy is 192.168.2.50 and he-- let's say he's trying to access 192.168.2.150, right? 680 00:42:51,366 --> 00:42:53,386 So, let's just say he pings from here to here. 681 00:42:53,486 --> 00:43:00,516 Well, all IP is denied to 10.1.1.1, so the packet will actually fly along-- 682 00:43:00,516 --> 00:43:05,126 well actually, we put the filter right here, but let's just pretend we put it right there. 683 00:43:05,216 --> 00:43:08,716 The packet would fly along and as it comes in here, it would say, "Okay, 684 00:43:09,016 --> 00:43:13,726 are you 192.168.2.0, are you part of this subnet?" 685 00:43:13,726 --> 00:43:14,896 And he would say, "Yes, I am." 686 00:43:14,896 --> 00:43:17,356 And he would say, okay, are you trying to access, you know-- 687 00:43:17,356 --> 00:43:22,886 let's look at the access list, it would say, are you trying to acces-- where am I? 688 00:43:23,896 --> 00:43:27,916 Oh, right here, "Are you trying to access this IP address using port 22?" 689 00:43:28,246 --> 00:43:29,726 And he would say, "No, actually I'm not."
690 00:43:29,726 --> 00:43:33,956 He's going to say, "Okay, okay, are you trying to access this IP address using Telnet?" 691 00:43:33,956 --> 00:43:36,616 And the packet would say, "No, actually I'm not." 692 00:43:36,616 --> 00:43:39,636 And then he would say, "Okay, then you're not permitted on either one of those." 693 00:43:39,636 --> 00:43:42,136 He goes, "Okay, now wait a sec, are you this person trying 694 00:43:42,136 --> 00:43:44,746 to access this IP address in any way whatsoever?" 695 00:43:45,196 --> 00:43:48,786 And the answer is, "No, I'm not. 696 00:43:48,786 --> 00:43:53,686 I'm not interested in you at all, I don't even know you exist," from this guy's perspective. 697 00:43:53,776 --> 00:43:59,326 I created a packet which was a ping and I said, "It's coming from the source IP address 698 00:43:59,326 --> 00:44:07,616 of 192.168.250 going to the destination IP address of 192.168.2.150." 699 00:44:07,616 --> 00:44:09,666 So, when this packet gets here, he goes, "Okay well, you know what, 700 00:44:09,666 --> 00:44:13,846 as long as your destination IP address is not 10.1.1.1 'cause if it were, 701 00:44:13,846 --> 00:44:14,996 man, you're busted, you're dropped. 702 00:44:15,566 --> 00:44:21,196 But since your destination IP address is not 10.1.1.1, then I'm going to say, 703 00:44:21,336 --> 00:44:24,666 this is not a match because you're not trying to access-- 704 00:44:24,666 --> 00:44:27,306 even though you're going through that IP address, you don't know you're going through it, 705 00:44:27,306 --> 00:44:29,496 you're not trying to access that IP address. 706 00:44:29,496 --> 00:44:33,886 So, that line doesn't match and you hit the permit IP any any at the bottom." 707 00:44:34,976 --> 00:44:36,276 Are you feeling it yet? 708 00:44:36,276 --> 00:44:40,136 Are you looking at these access lists and starting to feel little warm and cozy with them? 709 00:44:40,446 --> 00:44:42,466 Let's do two more, I want to solidify this down. 
710 00:44:42,866 --> 00:44:50,986 Number one, block 192.168.1.0/24, that's these guys from accessing any WAN IP address, 711 00:44:51,026 --> 00:44:55,076 so that's this and this, those are our Wide Area Networks links. 712 00:44:55,076 --> 00:44:58,556 Okay, so there's two ways we could approach this, first off it says, from reaching any-- 713 00:44:58,556 --> 00:45:02,456 from reaching, that's a keyword there, because that means block everything, 714 00:45:02,516 --> 00:45:04,436 don't-- TCP, UDP, everything, right? 715 00:45:04,686 --> 00:45:09,186 So, from reaching, okay, second thing is there's two approaches we could take, 716 00:45:09,186 --> 00:45:13,516 there's I'm sure plenty more of that but two main ones, one we could say deny 717 00:45:13,516 --> 00:45:17,506 to that IP address, deny to this IP address, deny to this-- 718 00:45:17,506 --> 00:45:21,016 you know, do the individual host route and deny to each one of those, 719 00:45:21,016 --> 00:45:23,946 we could do that in four ACL statements. 720 00:45:24,186 --> 00:45:30,026 We could also go in there and say, deny to this network, deny to this network 721 00:45:30,026 --> 00:45:35,546 and we could do the same thing in two ACL statements, rule of thumb, less is more. 722 00:45:35,706 --> 00:45:40,706 The shorter your access list the better it is because it takes less to process 723 00:45:40,706 --> 00:45:42,796 that kind of access list on your router. 724 00:45:42,796 --> 00:45:45,076 It's more efficient and it's just the best practice. 725 00:45:45,126 --> 00:45:46,736 Fewer lines is better access list. 726 00:45:46,736 --> 00:45:48,366 So, that's the way we want to go with it. 727 00:45:48,576 --> 00:45:54,256 So, what I'm going to do just so we don't get any old access list in the way from our test, 728 00:45:54,256 --> 00:45:57,826 let's first off go to router 1, and I'm just going 729 00:45:57,826 --> 00:46:01,446 to remove any access list that we have in action. 
730 00:46:01,446 --> 00:46:07,986 Let me do a show-- let's just do a show run and I'll do section interface, show me the config 731 00:46:07,986 --> 00:46:12,206 for all the interfaces, oop there is one, we got one on the FastEthernet0/0. 732 00:46:12,206 --> 00:46:16,806 So, that's-- looks like that is the only one, I'm going to do interface, fe0/0, 733 00:46:16,806 --> 00:46:22,246 no IP access group 100 in, that section command is pretty nice, huh? 734 00:46:22,306 --> 00:46:25,186 So, you can see just those sections of the configuration. 735 00:46:25,266 --> 00:46:28,066 You can do that with just about anything in the running config. 736 00:46:28,676 --> 00:46:34,196 So that's out, okay now let's look at this, block 192.168, so let me just scoot this 737 00:46:34,196 --> 00:46:35,726 over here, from any WAN IP address. 738 00:46:35,726 --> 00:46:40,086 So, first thing we want to do is go in and set up the access list. 739 00:46:40,086 --> 00:46:43,226 So, let's use the named one, now that we know the named access list, 740 00:46:43,226 --> 00:46:44,576 that's all I use nowadays. 741 00:46:44,576 --> 00:46:53,106 So, I'll say IP access list extended and I'll say the name of it is NO WAN, NO WAN FOR YOU. 742 00:46:54,276 --> 00:46:58,966 [laughs] So, the NO WAN FOR YOU access list is going to say, rule number one, 743 00:46:59,166 --> 00:47:03,706 deny or sequence-- you know, first sequence, deny, who are we denying? 744 00:47:03,706 --> 00:47:04,546 What's the source? 745 00:47:04,726 --> 00:47:07,126 Oop, what protocol are we denying? 746 00:47:07,236 --> 00:47:09,266 It's going to be IP because it's everything, right? 747 00:47:09,266 --> 00:47:10,466 TCP, UDP, et cetera. 748 00:47:10,706 --> 00:47:11,616 What source? 749 00:47:11,616 --> 00:47:16,186 It's going to be 192.168.1.0, what wildcard mask? 750 00:47:16,186 --> 00:47:18,916 0.0.0.255, right? 751 00:47:19,336 --> 00:47:20,116 Good so far? 
752 00:47:20,116 --> 00:47:21,516 Identified the first three octets. 753 00:47:21,516 --> 00:47:24,606 Next one, it says, "Okay, what is your destination address?" 754 00:47:24,606 --> 00:47:29,246 Okay, let's look at-- scrunch this down a little bit, 755 00:47:29,246 --> 00:47:30,826 destination-- I want to deny these networks. 756 00:47:30,826 --> 00:47:38,926 Okay, we need a little pen work here, 10.1.1.1/0 or dot zero slash 30 and dot 4 slash 30. 757 00:47:39,146 --> 00:47:42,936 We want to find out what those mean and again, I just want to emphasize, you know, 758 00:47:42,936 --> 00:47:48,306 slash 30 equals, if we were to convert that to decimal, you know, would be eight ones, 759 00:47:48,646 --> 00:47:55,666 eight ones, eight ones and then so that'd be 24, 25, 26, 27, 28, 29, 30, so we got-- 760 00:47:56,526 --> 00:47:58,506 I count that right, six ones, yup and the last [inaudible]. 761 00:47:58,506 --> 00:48:05,506 So, that's 255.255.255.252, kind of get back to that decimal form 'cause we can see it, 762 00:48:05,506 --> 00:48:10,956 it makes sense to us and that 252 is represented right there, it is six ones and two zeros. 763 00:48:10,956 --> 00:48:12,636 So, I'm going to say, what is my increment? 764 00:48:12,636 --> 00:48:15,486 It is a four, that's 1, 2, 4. 765 00:48:15,486 --> 00:48:18,526 So, the increment when we-- they came up with these subnets was a four, 766 00:48:18,526 --> 00:48:25,106 so the ranges is actually 10.1.1.0.4.8., this is our typical WAN link range. 767 00:48:25,106 --> 00:48:28,806 I know, I know, some of you are like, "I got that," but some people don't. 768 00:48:28,806 --> 00:48:31,776 So, I want to show the reverse engineering of this along the way. 769 00:48:32,006 --> 00:48:36,136 So, now we want to say, "Okay, well I'm going to say this destination and this destination 770 00:48:36,136 --> 00:48:40,316 on the block, but I have to use a custom wildcard mask for that." 
771 00:48:40,316 --> 00:48:44,106 So again, just like we saw previously, for a custom wildcard mask, 772 00:48:44,106 --> 00:48:48,936 we can either reverse all the ones and make them all zeros, zero, zero, zero, and then, you know, 773 00:48:48,936 --> 00:48:54,196 one, two, three, four, five, six, one, one, and do it that way or you can take this 774 00:48:54,196 --> 00:49:01,286 and subtract it from all 255s, you know, 255.255.255.255 775 00:49:01,286 --> 00:49:08,596 and our ending wildcard mask would be 0.0.0.3 and get the same thing, you know, 776 00:49:08,596 --> 00:49:16,266 it's either a 1 plus 2, that's 3, or just subtracting 252 from 255 gives you a 3. 777 00:49:16,506 --> 00:49:26,956 So our wildcard mask and it is wild looking for those WAN links will be 0.0.0.3. 778 00:49:26,956 --> 00:49:37,826 So, first off destination address, so WAN link number one, there, wildcard mask, 0.0.0.3, good. 779 00:49:37,886 --> 00:49:44,866 WAN link number two, now this we can just hit the up arrow 4 and say 10.1.1.4, okay good. 780 00:49:44,866 --> 00:49:48,396 Let's look at our progress so far, I'm going to do a show IP access list. 781 00:49:48,396 --> 00:49:50,936 We've got two of them, this one we've removed 782 00:49:50,936 --> 00:49:54,376 from the interface, so it's not interfering anymore. 783 00:49:54,376 --> 00:49:55,916 We've got the NO WAN FOR YOU access. 784 00:49:55,916 --> 00:49:57,896 You can't even say it, "Yeah, no WAN for you," we have to say it 785 00:49:57,926 --> 00:49:58,796 like the Soup Nazi from Seinfeld. 786 00:49:58,826 --> 00:50:00,416 So, we've got the source subnet going to this and going to that, 787 00:50:00,446 --> 00:50:01,406 so now we've got all denies, that's great. 788 00:50:01,436 --> 00:50:01,946 So, we need a permit. 789 00:50:01,976 --> 00:50:03,566 So I'm going to hit the up arrow and let's-- well I'll just do a-- 790 00:50:03,596 --> 00:50:04,976 wait a second, I'm still in the named access list mode. 
791 00:50:05,156 --> 00:50:08,116 So I'll do permit ip any any. 792 00:50:08,636 --> 00:50:13,946 Looks good to me, yeah, all right. 793 00:50:13,946 --> 00:50:16,946 So, now where do I apply this? 794 00:50:16,946 --> 00:50:24,176 I'm going to-- I would say-- well, if it applies to 192.168.1.0, the best possible way, 795 00:50:24,176 --> 00:50:28,116 the most efficient possible way would be inbound right here, okay? 796 00:50:28,436 --> 00:50:33,936 We could do it outbound right here, however, we would have to process it more 797 00:50:33,936 --> 00:50:35,386 to actually send it out and deny it. 798 00:50:35,386 --> 00:50:36,536 So this is the most efficient way. 799 00:50:36,536 --> 00:50:39,616 So in FastEthernet0/0. 800 00:50:39,726 --> 00:50:41,976 So get back there. 801 00:50:42,516 --> 00:50:52,696 [ Pause ] 802 00:50:53,196 --> 00:50:56,986 Done. IP access group, NO WAN FOR YOU in. 803 00:50:57,176 --> 00:51:02,826 So to test, let's go over to the PC number 1 to make sure this thing is working here. 804 00:51:03,226 --> 00:51:09,436 PC number 1, let's do a ping, let's just make sure we can ping anything 10 dot-- 805 00:51:09,436 --> 00:51:13,116 192.168.1.1, that's my default gateway. 806 00:51:13,116 --> 00:51:15,976 And now, even though-- and another great example of what I was just telling you 807 00:51:15,976 --> 00:51:23,466 from the previous slide, even though they're denied-- my pen is doing something very odd. 808 00:51:24,156 --> 00:51:24,406 There we go. 809 00:51:24,616 --> 00:51:26,946 Even though they're denied from accessing these WAN links, 810 00:51:26,946 --> 00:51:29,346 they can't ping the WAN links themselves, 811 00:51:29,546 --> 00:51:32,316 that doesn't mean they can't go through those WAN links, right? 812 00:51:32,466 --> 00:51:35,066 Because again, it's coming from this source going to this destination, 813 00:51:35,066 --> 00:51:37,856 that doesn't violate any access list at all. 
814 00:51:37,856 --> 00:51:40,586 So I should be able to have no problem on router PC1 I should say, 815 00:51:40,586 --> 00:51:44,816 pinging 192.168, let's just go 2 dot 129. 816 00:51:44,816 --> 00:51:48,796 Let's go in all the way over there to the right hand side and that's pinging just fine. 817 00:51:48,796 --> 00:51:52,026 So let's now ping the WAN links. 818 00:51:52,026 --> 00:51:55,596 Let's go 10.1.1.1. 819 00:51:55,596 --> 00:51:56,856 Unreachable, that's what we want to see. 820 00:51:56,856 --> 00:52:01,336 The U's indicate access lists are stepping in to intervene. 821 00:52:01,786 --> 00:52:09,846 Let's go back into our show ip access and I'm seeing-- I'm seeing some-- 822 00:52:09,846 --> 00:52:11,566 a lot-- matches on that first one. 823 00:52:11,596 --> 00:52:13,046 That's the first subnet. 824 00:52:13,046 --> 00:52:20,096 So let's just ping the second subnet so let's go to-- let's go to-- I scribbled it all, 10.1.1.5, 825 00:52:20,096 --> 00:52:22,986 that's going to be router 2, 10.1.1.5. 826 00:52:23,206 --> 00:52:28,566 And again, unreachables being seen-- oop, I don't know what I've done there. 827 00:52:28,566 --> 00:52:31,696 So let me just hit the up arrow here and I can see 828 00:52:31,696 --> 00:52:35,856 that now both statements have 11 matches whereas before it was just one. 829 00:52:35,856 --> 00:52:38,086 So we are looking good on that. 830 00:52:38,086 --> 00:52:42,026 Okay, so good, check everybody onboard? 831 00:52:42,326 --> 00:52:48,096 Great. Last one, permit 192.168.2.50-- permit-- 832 00:52:48,096 --> 00:52:56,246 okay, okay permit access to 192.168.2.50 using only SMTP, POP3 and IMAP4 from anywhere. 833 00:52:56,876 --> 00:53:01,596 So clear off all the chicken scratch and this is the computer in question. 834 00:53:01,596 --> 00:53:10,246 So we're saying, permit anybody to access that using SMTP-- only SMTP, POP3 and IMAP4. 
835 00:53:10,296 --> 00:53:15,076 You see, while knowing those port numbers is so critical, these are all TCP-based protocols, 836 00:53:15,136 --> 00:53:21,456 SMTP 25, POP3 110, IMAP4 143, so you immediately can fill in the gaps on your firewall. 837 00:53:21,456 --> 00:53:23,016 So only those ports are allowed in. 838 00:53:23,276 --> 00:53:26,586 I want to show you another use of access list while we're here. 839 00:53:26,586 --> 00:53:30,036 It is the last example so I figure, why not. 840 00:53:30,376 --> 00:53:32,666 Have you ever heard of a debug IP packet? 841 00:53:33,216 --> 00:53:36,026 If somebody tells you to type it, don't. 842 00:53:36,256 --> 00:53:38,666 But what it is, is it's the ability to-- 843 00:53:38,666 --> 00:53:42,696 you know, the ability to see just about every single thing passing through. 844 00:53:42,696 --> 00:53:46,676 So for example, let me just-- now I'm in a lab environment. 845 00:53:46,676 --> 00:53:52,426 By the way, this will likely take down a production router if I type in debug IP packet. 846 00:53:52,656 --> 00:53:56,436 What it's going to do is show me the output of every single packet that is going 847 00:53:56,436 --> 00:53:58,206 through my router at this time to the screen. 848 00:53:58,456 --> 00:54:00,946 Now, not that you know, like, well, that was exciting. 849 00:54:01,106 --> 00:54:05,096 Because this router is literally sitting idle, that's very rare. 850 00:54:05,536 --> 00:54:12,616 But for instance, [inaudible] say ping, let's just ping 192.168.2.1. 851 00:54:12,616 --> 00:54:16,576 I can see that-- I see five exclamation points and then it shows to my screen. 852 00:54:16,816 --> 00:54:22,266 Okay, it looks like here is packet one, this source went to this destination, I sent it out 853 00:54:22,266 --> 00:54:27,066 and then this destination responded to this source, you know, I received it in. 
854 00:54:27,066 --> 00:54:29,896 So you're actually able to see every single packet 855 00:54:30,086 --> 00:54:32,526 that is being sent to and from this device. 856 00:54:32,526 --> 00:54:36,556 You can imagine why in a production network-- I mean, that was what you see, 857 00:54:36,556 --> 00:54:38,746 it filled the screen was five pings. 858 00:54:38,866 --> 00:54:41,916 So in production, when you have thousands of packets every single second, 859 00:54:41,916 --> 00:54:45,366 if you were to turn this on, a lot of times the routers just literally lock. 860 00:54:45,606 --> 00:54:51,006 So what's done often is access list are applied to filter it down. 861 00:54:51,006 --> 00:54:53,756 Let me show you what we can do. 862 00:54:53,756 --> 00:55:01,566 So I want to create a filter for PC2 so I can do a debug, let's do undebug all 863 00:55:01,566 --> 00:55:05,166 that turns off all the debugs and-- 'cause we don't want to get flooded by any means. 864 00:55:05,526 --> 00:55:10,706 But I want to do a debug where I can see if any of these protocols are coming in to my router 865 00:55:10,856 --> 00:55:12,616 or going through my router or whatever. 866 00:55:12,616 --> 00:55:17,766 So I can go in there and I can do access list, a lot of times I use numbered ones 867 00:55:17,766 --> 00:55:22,576 for these 'cause they're always temporary, I'll just do 170. 868 00:55:22,896 --> 00:55:29,316 Permit, now I'm looking for three TCP protocols, so I'll say, permit TCP from any source 869 00:55:29,316 --> 00:55:33,886 to any destination equal to port 25, see that? 870 00:55:34,136 --> 00:55:39,446 Equal to port 110, equal to port 143, I'm creating this custom filter that says, 871 00:55:39,646 --> 00:55:45,816 if any source sends anything, me being anything, traffic on this port or this port or this port, 872 00:55:45,816 --> 00:55:48,756 which is those three protocols, then I want to know about it. 
873 00:55:48,756 --> 00:55:53,716 Now again creating access list all day they don't do anything until I do an application, 874 00:55:53,716 --> 00:55:56,546 so here's another-- we don't always have to apply an access list 875 00:55:56,546 --> 00:55:58,036 to an interface, that's only for security. 876 00:55:58,036 --> 00:56:03,746 So here's another use, I can do a debug IP packet but Cisco knows you'll crash your router 877 00:56:03,746 --> 00:56:06,506 if you put that with too much traffic so they always allow you 878 00:56:06,506 --> 00:56:09,456 to filter it down using an access list. 879 00:56:09,456 --> 00:56:14,176 Now also notice, they don't let you use a named access list to do this. 880 00:56:14,736 --> 00:56:17,596 Some things-- there are some things still to this day in Cisco 881 00:56:17,596 --> 00:56:20,846 that you must use a numbered access list for it, that's why they're still around. 882 00:56:20,846 --> 00:56:25,126 So debug IP packet, filter it using 170, okay. 883 00:56:25,666 --> 00:56:33,046 So now, if I do a ping, you know, I do that same ping, I can see the ping and notice, 884 00:56:33,046 --> 00:56:37,126 no messages were displayed because it's like, well, a ping doesn't use port 25, 885 00:56:37,356 --> 00:56:40,616 110 or 143, so let's go a little further. 886 00:56:40,616 --> 00:56:44,246 Let's-- here's what I'm going to do, I'm going to go to router 2 and attempt 887 00:56:44,246 --> 00:56:47,336 to access this host on one of those port numbers, right? 888 00:56:47,526 --> 00:56:54,306 So let's bring up PC2 and then let's go to router 2 and the way that I'm going 889 00:56:54,306 --> 00:56:57,426 to access them on one of those port numbers, is by using Telnet just 890 00:56:57,426 --> 00:56:59,066 like we did previously to test this. 891 00:56:59,066 --> 00:57:03,556 So, do Telnet to-- what is the IP address? 892 00:57:03,556 --> 00:57:06,756 Let's find out, show ip interface brief, I think it's dot 50. 
893 00:57:07,176 --> 00:57:09,066 I know it's dot 50, but I've typed the command. 894 00:57:09,476 --> 00:57:15,846 So Telnet to 192.168.2.50 and then I'm going to put port 25. 895 00:57:16,016 --> 00:57:18,596 Look at that. 896 00:57:19,156 --> 00:57:21,006 Connection was refused by host, that's fine. 897 00:57:21,576 --> 00:57:23,266 It's not an email server, it's a router. 898 00:57:23,436 --> 00:57:27,496 But I'm able to verify, look at that, I just received a packet from that person 899 00:57:27,496 --> 00:57:30,636 and I'm able to see what's going on. 900 00:57:30,636 --> 00:57:33,406 You can say well, show me port 110. 901 00:57:33,816 --> 00:57:37,496 See that right there? 902 00:57:37,496 --> 00:57:40,676 Show me port 23, not part of my access list, right? 903 00:57:40,676 --> 00:57:45,206 I'm able to get in there and you know, no messages are displayed, whereas, 904 00:57:45,206 --> 00:57:47,776 if I wouldn't have had that access list, let's check this out. 905 00:57:48,086 --> 00:57:51,376 Hang on, let me just bail out here. 906 00:57:51,376 --> 00:57:57,396 So let's just do-- here, I'll do a u all, that's a shortcut for undebug all and then I'm going 907 00:57:57,396 --> 00:58:04,666 to do a debug ip packet and now watch what happens when I do that same Telnet. 908 00:58:05,016 --> 00:58:07,946 It's like, that's just for that Telnet session. 909 00:58:07,946 --> 00:58:11,906 So you can see how valuable it is to be able to filter it down to just-- 910 00:58:11,906 --> 00:58:14,526 again, just another perfect use of an access list. 911 00:58:14,526 --> 00:58:15,706 Now let's accomplish our goal. 912 00:58:15,986 --> 00:58:21,676 We need to permit access to this guy using only SMTP, POP3 and IMAP4 from anywhere. 913 00:58:21,986 --> 00:58:24,086 So already, again we're thinking ahead, right? 
914 00:58:24,086 --> 00:58:27,186 We have to create the access list, we have to configure it, 915 00:58:27,466 --> 00:58:30,816 but we don't know where to configure it yet because we first have to determine 916 00:58:31,006 --> 00:58:34,276 where it's going to be applied, where am I going to apply this? 917 00:58:34,416 --> 00:58:35,686 Now this kind of reverse it. 918 00:58:35,686 --> 00:58:41,536 Remember I said, "It's best to apply extended access-list as close to the source as possible." 919 00:58:42,436 --> 00:58:46,716 Well, the problem is we don't know the source, it could-- 920 00:58:46,716 --> 00:58:50,646 you know, it's saying, "Permit access using only these ports from anywhere," 921 00:58:50,646 --> 00:58:54,346 so the source could be over here, it could be over here, there could be some cloud here 922 00:58:54,346 --> 00:58:59,906 with you know raining dogs-- anywhere is a big name so it could come from anywhere. 923 00:58:59,906 --> 00:59:03,466 So there's no way I can say, "Okay, I'm going to put it there to catch them as soon as possible." 924 00:59:03,946 --> 00:59:07,516 Now I have to put it as close to the destination as possible 925 00:59:07,516 --> 00:59:08,996 because I'm filtering it from anywhere. 926 00:59:09,256 --> 00:59:10,066 See what I mean? 927 00:59:10,156 --> 00:59:13,746 With that anywhere argument, it kind of changes the story a little bit. 928 00:59:14,356 --> 00:59:17,076 So, what I'm going to do is I'm going to hang out on router 2, 929 00:59:17,076 --> 00:59:22,716 that's where the filtering is going to happen, I'm going to go in and-- oh, I was Telneting. 930 00:59:23,906 --> 00:59:30,716 So back on router 2, there we go, go in to global, let's do ip access-list, I don't know, 931 00:59:30,716 --> 00:59:36,906 what do you want to call it, extended, we'll call it port filter and then we will say, well, 932 00:59:36,906 --> 00:59:41,716 actually you know what, better name EMAIL FILTER. 
933 00:59:42,406 --> 00:59:45,076 Those are all email protocols so maybe that is an email server. 934 00:59:45,076 --> 00:59:49,306 So we will do permit, so what are we permitting? 935 00:59:49,306 --> 00:59:52,126 We're permitting TCP-based traffic, right? 936 00:59:52,126 --> 00:59:56,266 Not IP, that's everything, TCP 'cause all those are TCP-based protocols, from where? 937 00:59:56,946 --> 00:59:58,866 Well, it's in a box, below the screen. 938 00:59:59,096 --> 01:00:00,976 Anywhere, to where? 939 01:00:01,416 --> 01:00:03,546 Well, this is where we can get a little more specific. 940 01:00:03,546 --> 01:00:09,346 We could say, "Okay, this is going to the host 192.168.2.50 and you know 941 01:00:09,346 --> 01:00:19,626 that we could have also left host off and done 192.168.2.50 with a wildcard of 0.0.0.0, 942 01:00:19,916 --> 01:00:22,416 that's fine so we've got permit, protocol, source, destination 943 01:00:22,416 --> 01:00:23,606 and now the destination port number. 944 01:00:23,606 --> 01:00:37,206 Destination port will be equal to so I put eq to 25 and now it's as easy and up arrow 110, 143. 945 01:00:37,206 --> 01:00:40,586 And so now, we look back here and so-- okay, well where am I going to apply this? 946 01:00:40,766 --> 01:00:44,446 Again from anywhere means it could be coming in here, it could be coming in here, 947 01:00:44,446 --> 01:00:46,506 it could be coming from some mysterious interface 948 01:00:46,506 --> 01:00:48,406 that hasn't been added yet, but will be someday. 949 01:00:48,626 --> 01:00:53,616 So, I think it would be best since it's always from anywhere to catch it as it's going out. 950 01:00:53,846 --> 01:00:58,166 So as things are coming in here, they're not filtered, but once they go out to try 951 01:00:58,166 --> 01:01:01,266 and get to that server that's where I'm going to smack them down. 952 01:01:01,346 --> 01:01:05,336 I'm going to say, "No, you've got to use these ports, otherwise you will be denied access." 
953 01:01:05,606 --> 01:01:14,746 So, let's go to router 2 right there and to interface FastEthernet0/0 954 01:01:15,076 --> 01:01:22,496 and we will do IP access group and it is-- oh, it's the email server? 955 01:01:22,836 --> 01:01:23,526 Email server, right? 956 01:01:24,366 --> 01:01:28,726 Email filter, I'm glad I looked, email filter outbound. 957 01:01:31,456 --> 01:01:37,666 Good. Now we've got an action, let's test it, let's go-- let's camp of it at router 1. 958 01:01:38,916 --> 01:01:47,636 So we'll attempt to access that host from router 1, so-- good I just-- good grief. 959 01:01:48,386 --> 01:01:49,756 I just caused an outage. 960 01:01:50,156 --> 01:01:53,566 [laughs] Some-- I just took down the network, 961 01:01:53,566 --> 01:02:00,226 see how and I did so on purpose because I wanted to demonstrate. 962 01:02:00,226 --> 01:02:03,876 I just-- you see how easy it is to where I said, you know, 963 01:02:03,876 --> 01:02:10,046 allow access to that host using those port numbers. 964 01:02:10,046 --> 01:02:13,216 Let's do a show access list okay, I didn't do it on purpose 965 01:02:13,216 --> 01:02:15,536 but man that would-- that would've been devastating. 966 01:02:15,536 --> 01:02:19,706 So what this did is it says, "Okay, permit any host to access this guy using this, 967 01:02:19,926 --> 01:02:23,976 this and this," and you know, there's an implicit deny for that. 968 01:02:24,116 --> 01:02:27,076 Now, we might say, "Well, isn't that what we want?" 969 01:02:27,586 --> 01:02:32,706 Well maybe, but isn't there more people on that network than just dot 50? 970 01:02:32,706 --> 01:02:35,186 I know we can only see in this little picture of dot 50. 971 01:02:35,406 --> 01:02:39,136 But if I've got a subnet here, I'm assuming the reason I have a subnet, 972 01:02:39,136 --> 01:02:41,796 and not just like a crossover cable going to a computer, 973 01:02:42,026 --> 01:02:43,716 is because there's other hosts on here. 
974 01:02:44,246 --> 01:02:47,386 You know what, they just lost their access completely because even if they're trying 975 01:02:47,386 --> 01:02:48,736 to come out, nothing can come back 976 01:02:48,736 --> 01:02:53,276 in because the only thing allowed back in is these three port numbers. 977 01:02:53,276 --> 01:03:00,856 So, any of you catch that. 978 01:03:01,436 --> 01:03:08,706 ip access list extended email filter and let's do-- now we need to add a statement, 979 01:03:08,706 --> 01:03:18,476 we will say, "Deny ip from any source to the host 192.168.2.50." 980 01:03:18,476 --> 01:03:21,636 Now you're going, "Well, that wasn't what I expected to do. 981 01:03:21,636 --> 01:03:26,196 I mean, do a show access-- do show IP access." 982 01:03:27,676 --> 01:03:30,626 So right here, wait a second, why are you denying, 983 01:03:30,626 --> 01:03:32,226 I thought you said we've been too restrictive. 984 01:03:32,226 --> 01:03:36,016 Well, we have because nothing-- everything else is denied because the same-- 985 01:03:36,016 --> 01:03:40,656 and I'm going to follow this up with is permit IP any any, right? 986 01:03:41,546 --> 01:03:51,386 So now, we've got these three ports allowed, everything else is denied to that host 987 01:03:51,646 --> 01:03:53,966 but then everything beyond that because we weren't told 988 01:03:53,966 --> 01:03:58,036 to put any restrictions beyond that, everything beyond that is allowed. 989 01:03:58,606 --> 01:04:02,216 Okay well, it's already applied so the damage had been done, 990 01:04:02,216 --> 01:04:06,606 but now connectivity has been restored but, oh man, I'm kind of-- 991 01:04:06,796 --> 01:04:11,866 I didn't do it on purpose but yes I'm kind of glad I did because do you see how easy it is? 
You're like, "Oh, I see my objective, let me just do this," apply it, and I mean, right there, that would have been a complete network outage for everybody else on that network except that one server, but even that one server would only be able to get those three ports coming in. So, good. Do you see now why I said that extended access-lists are almost always used for filtering like we've been doing all along? There's just so much more flexibility than a standard access list. So at this point, you might say, "Well, I mean, after seeing that, it seems like all I would ever use is an extended access-list. Where would I use the standard?" Standards are still used in particular places, but usually they're applied for a specific purpose. I want to do one more demonstration to show you a typical use of a standard access list. It is for restricting access to Telnet in VTY. Did I just say Telnet VTY? Telnet and SSH, which both come in the VTY ports of your device. So here's the problem. A lot of times, we have our routers connected directly to the internet; that's one of their key goals, to take the internet connection and route it in to our internal network.

Well, once we connect it to the internet, it's going to have an IP address, we'll just say 150.1.1.1, that anybody out in the world can access. And you know what? Cisco, by default, does not have any kind of password locking mechanisms or things like that enabled, so somebody out here in the world could just run a little script that runs all day every day that tries to Telnet or SSH into your device and attempts different user names and different passwords; it's called a brute force attack. They're very inefficient because that's what they have to do: they have to sit there and just try and try and try until it happens to come across some combination that works, but the problem is in their persistence. This guy can start a brute force attack and walk away and allow it to run; a year later, it's still running. I mean, and by then it's tried thousands and millions of possible combinations of passwords, and likely could stumble on yours depending on the strength of your password and so on. That's why we need good strong passwords, but why run that risk? Let's set it up to where only particular IP addresses from the outside, or maybe no IP addresses from the outside, can get in. Now, we don't want to apply an access list here, because that will now filter all traffic that's going in to that device.

I just want to apply an access list that filters access to VTY. Well, there's a special command that allows you to apply an access control list to your VTY ports. It is known as access-class. So what I can do is create a standard access list. For instance, let's just say my internal network is 10.1.1.0/24 and I only want my internal network to be able to Telnet and SSH in here, and I don't want anybody else, nothing from the outside world. So what I can do is, let me just grab a router, any router will do, how's router 3? I'm going to go in and create a standard access list, ip access-list standard, and we will do, let's just say, VTY ACL. Now, once in here, I'm going to do a permit 10.1.1.0, wildcard mask 0.0.0.255, and hit enter. After seeing extended access-lists so much, doesn't simple, or standard, just seem so simple? It's just like, wow, was it really that easy? So that's it. So just permit those source IP addresses. Now, instead of going in to an interface, I go into line vty 0 4 and do access-class followed by what access list I'd like to use, VTY ACL, inbound.

So, essentially now, as people are Telneting, you know, and Telnet and SSH both use the VTY lines, as they're trying to Telnet into my device, the VTY is going to say, "Are you from 10.1.1.0? If you are, you're allowed; otherwise, you are completely restricted from Telneting to this device." So standard access lists are great when you can apply them in such a way that it doesn't impact a bunch, if you just need to identify a whole bunch of source addresses for quality of service, or for Telnet access, or for, again, the millions of other uses that you will learn in your journey through Cisco, then absolutely, standard access list is the way to go, so much simpler. I hope this has been informative for you and I'd like to thank you for viewing.
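As an added example, not part of the video and not Cisco IOS code, here is a small Python model of what the access-class check does with that standard access list: each entry is compared to the source address using the wildcard mask (a 0 bit must match, a 1 bit is "don't care"), the first match wins, and an unmatched source hits the implicit deny. The `Entry`, `evaluate` and `access_class_decision` names, the second wildcard entry, and the sample addresses are all constructed for this example; it also shows that access-class only guards VTY sessions, not traffic routed through the device.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    """One line of a standard access list (constructed model, not IOS)."""
    action: str     # "permit" or "deny"
    network: str    # e.g. "10.1.1.0"
    wildcard: str   # e.g. "0.0.0.255": 0 bit = must match, 1 bit = don't care


def matches(entry: Entry, src: str) -> bool:
    """Wildcard-mask comparison: OR-ing both sides with the wildcard erases the
    "don't care" bits, so only the bits that must match are compared."""
    net = int(ipaddress.IPv4Address(entry.network))
    wc = int(ipaddress.IPv4Address(entry.wildcard))
    s = int(ipaddress.IPv4Address(src))
    return (net | wc) == (s | wc)


def evaluate(acl: list[Entry], src: str) -> str:
    """First matching entry decides; every IOS access list ends in an implicit deny."""
    for entry in acl:
        if matches(entry, src):
            return entry.action
    return "deny"


# The list from the transcript: permit only the internal 10.1.1.0/24 network.
VTY_ACL = [Entry("permit", "10.1.1.0", "0.0.0.255")]

# Constructed extra list to show a wildcard that is not octet-aligned (a /25).
HALF_SUBNET_ACL = [Entry("permit", "192.168.2.128", "0.0.0.127")]


def vty_login_allowed(src: str) -> bool:
    """What 'access-class VTY_ACL in' asks about a Telnet/SSH source address."""
    return evaluate(VTY_ACL, src) == "permit"


def access_class_decision(src: str, destined_to_router_vty: bool) -> str:
    """access-class is consulted only for sessions to the router's own VTY lines;
    transit traffic routed through the device is never checked against VTY_ACL."""
    if not destined_to_router_vty:
        return "forward"
    return "accept" if vty_login_allowed(src) else "reject"


if __name__ == "__main__":
    for src in ("10.1.1.77", "10.1.2.5", "203.0.113.9"):   # 203.0.113.9: constructed outside host
        print(src, "vty:", access_class_decision(src, True), "transit:", access_class_decision(src, False))
```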
