1
00:00:00,636 --> 00:00:03,536
>> While, we're building on the
foundation that was laid in the last Nugget
2
00:00:03,536 --> 00:00:08,966
on standard access list, enhancing it now
with more capabilities in the extended world.
3
00:00:09,266 --> 00:00:12,986
Same story, multiple scenarios back to
back to back that we're going to walk
4
00:00:12,986 --> 00:00:16,596
through to show examples of
using extended access-lists
5
00:00:16,596 --> 00:00:18,846
and by doing that, solidify the concept.
6
00:00:19,636 --> 00:00:24,286
Same topology as before so we can
focus on the access-list concept,
7
00:00:24,286 --> 00:00:26,296
not re-learning what the network looks like.
8
00:00:27,216 --> 00:00:30,076
We've got five scenarios, three of
which are on the screen right now.
9
00:00:30,366 --> 00:00:38,526
Number one, use an extended access-list
to block 192.168.1.0/24 so these guys
10
00:00:38,526 --> 00:00:44,856
from reaching 192.168.2.128/25, it's these guys.
11
00:00:44,856 --> 00:00:48,586
Now is it possible to do that
using a standard access list?
12
00:00:49,046 --> 00:00:51,506
Yes, the answer is absolutely yes.
13
00:00:51,506 --> 00:00:55,226
However, we can be a lot more
efficient and it's just the norm
14
00:00:55,226 --> 00:00:57,766
to be using extended access-list
for these kind of things.
15
00:00:57,766 --> 00:01:02,066
Anytime you have a source and a destination
or port number or anything like that,
16
00:01:02,066 --> 00:01:03,686
extended access-list is the way to go.
17
00:01:04,236 --> 00:01:12,796
So, as a refresher, extended access-list, they
can filter based on source and destination IP,
18
00:01:12,996 --> 00:01:17,136
they can filter based on protocol
so things such as TCP, UDP,
19
00:01:17,136 --> 00:01:19,576
ICMP, et cetera, et cetera, et cetera.
20
00:01:19,576 --> 00:01:22,646
Those are the ones we care about
in CCNA, and then port number.
21
00:01:22,816 --> 00:01:27,936
So, for instance TCP port 80, TCP
port 25, all that kind of stuff.
22
00:01:27,936 --> 00:01:31,416
Now before-- I'm going to hold off.
23
00:01:31,416 --> 00:01:35,316
So let me do this, I'll show you the kind of the
base example and then I want to start talking
24
00:01:35,316 --> 00:01:38,266
about what are some common port
numbers that you're going to run into.
25
00:01:38,266 --> 00:01:44,326
So, what we're going to do is start off with
the big question, where do we start off?
26
00:01:44,426 --> 00:01:49,276
Remember, there're two things, you configure
the access list, which you can do all day
27
00:01:49,276 --> 00:01:52,926
without affecting anything and
then you apply the access list.
28
00:01:53,156 --> 00:01:54,526
That's where it goes into action.
29
00:01:54,526 --> 00:01:56,856
But before you can configure,
you have to know where you're at.
30
00:01:57,336 --> 00:01:59,126
Now here's the concept.
31
00:01:59,686 --> 00:02:04,306
With extended access-list, we can
filter based on source and destination.
32
00:02:04,516 --> 00:02:13,296
So, based on this question, we need to create
a statement that says deny 192.168.1.0/24
33
00:02:13,296 --> 00:02:20,976
from reaching 192.168.2.128/25, right?
34
00:02:21,676 --> 00:02:26,366
So, put that statement in there and
then we can say permit anything else.
35
00:02:26,366 --> 00:02:28,516
I'm just kind of pre-planning
our steps with this.
36
00:02:28,516 --> 00:02:31,656
Now, think this through with me.
37
00:02:31,976 --> 00:02:37,416
If I can say deny this source from reaching
that destination, where can I apply it?
38
00:02:38,086 --> 00:02:40,576
Well, there're actually a lot of places.
39
00:02:40,576 --> 00:02:45,886
I could apply it like what we're doing with this
standard access list, outbound right here to say
40
00:02:45,886 --> 00:02:49,386
as they're going out that interface,
check this, is it this source?
41
00:02:49,386 --> 00:02:50,636
Are they trying to access this?
42
00:02:50,636 --> 00:02:51,496
Then they will be denied.
43
00:02:51,496 --> 00:02:53,046
And it will work, absolutely.
44
00:02:53,276 --> 00:02:57,936
But follow this, I could apply
it inbound right here, right?
45
00:02:57,936 --> 00:03:01,406
And I could-- you know, as packets are
coming in, they're chugging along their way,
46
00:03:01,686 --> 00:03:04,326
as they get in, it's going
to say, "Okay, are you this?"
47
00:03:04,326 --> 00:03:06,536
And they'll say, "Yes, we are
because we're coming from here."
48
00:03:06,536 --> 00:03:08,566
And it's going to say, "Well,
are you trying to access this?"
49
00:03:08,566 --> 00:03:09,486
And they'll say, "Yes, we are.
50
00:03:09,486 --> 00:03:10,276
That's where we're going."
51
00:03:10,476 --> 00:03:12,756
They'll say, "Okay, well then,
right here, I'm going to deny you."
52
00:03:13,456 --> 00:03:16,956
So just following that same
logic, do you see the point here?
53
00:03:17,256 --> 00:03:20,986
I could apply outbound right here,
I could apply inbound right here.
54
00:03:20,986 --> 00:03:25,716
I could apply outbound right here and
I could even apply inbound right here,
55
00:03:25,716 --> 00:03:29,156
because even before the packets get
into the router, it can, you know--
56
00:03:29,156 --> 00:03:32,196
before they go any further
it can say, "Are you this?
57
00:03:32,196 --> 00:03:33,576
Are you trying to access this?
58
00:03:33,576 --> 00:03:35,126
Oh, okay, then you're going to be denied."
59
00:03:35,126 --> 00:03:36,356
So I can even deny them right here.
60
00:03:36,356 --> 00:03:39,186
So then the big question is
I could apply this, how many?
61
00:03:39,186 --> 00:03:43,746
One, two, three, four, five, six
different places, they all work,
62
00:03:43,746 --> 00:03:49,016
they all accomplish the result,
what's the best place to do it?
63
00:03:49,236 --> 00:03:53,646
Cisco would tell you, right here.
64
00:03:53,646 --> 00:03:58,996
Why? Because the further down the chain
you apply the extended access-list,
65
00:03:59,246 --> 00:04:02,426
the further the traffic has to go
just to find out that it's blocked.
66
00:04:02,426 --> 00:04:07,106
So, if I apply it right here, that means this
router had to process it, waste bandwidth.
67
00:04:07,106 --> 00:04:09,156
This router had to process, waste bandwidth.
68
00:04:09,156 --> 00:04:11,876
And it had to get here and be processed
before it found out it was going to be denied.
69
00:04:11,876 --> 00:04:14,466
Like I said in the last Nugget, it's
like that bad trip to Disney Land,
70
00:04:14,466 --> 00:04:18,756
we're driving all that way just
to find out Disney Land is closed.
71
00:04:18,896 --> 00:04:24,326
So we'd rather know before we leave the house,
essentially right here, that it's closed
72
00:04:24,326 --> 00:04:27,156
or that we're going to be denied
and that's Cisco's best practice.
73
00:04:27,626 --> 00:04:36,876
With extended access-list, the rule is to
apply them as close to the source as possible.
74
00:04:37,296 --> 00:04:40,606
Even though it would work further
away, we want to be able to--
75
00:04:40,606 --> 00:04:43,396
to be as efficient in our
configuration as possible, too.
76
00:04:43,396 --> 00:04:47,816
So, with that in mind, that's where
I'm going to begin my configuration.
77
00:04:48,206 --> 00:04:49,726
Let's go over to router 1.
78
00:04:51,516 --> 00:04:55,616
So I've all the-- I was getting rid of all
of the old config from the previous ones,
79
00:04:55,616 --> 00:04:58,046
so let's clear all that off gone.
80
00:04:58,346 --> 00:05:01,616
So, router 1, now I'm going
to go-- let's start--
81
00:05:01,616 --> 00:05:05,296
and I know last Nugget, we wrapped up with
the named access list and we'll go there,
82
00:05:05,296 --> 00:05:07,586
but I'm going to start off with the
traditional way which is numbered.
83
00:05:07,586 --> 00:05:12,636
First off, let's do a show ip interface
brief that's just constant orientation.
84
00:05:12,856 --> 00:05:17,816
Okay, it's-- I, I know where I am,
that's 192.168.1.1, that's right here,
85
00:05:17,816 --> 00:05:20,066
FastEthernet zero, serial 0 is right here.
86
00:05:20,196 --> 00:05:22,196
So, I'm going to create an access list.
87
00:05:22,196 --> 00:05:25,146
I'll do access list, question mark.
88
00:05:25,146 --> 00:05:27,426
Now we're going to move into the extended range.
89
00:05:27,426 --> 00:05:31,886
So I'm going to say extended, now you remember
the syntax from the last Nugget, right?
90
00:05:32,046 --> 00:05:34,826
So, for instance, if I said, you
know, five and I would say permit
91
00:05:34,826 --> 00:05:36,146
and it's like okay, what's your source?
92
00:05:36,146 --> 00:05:37,726
You got used to that, right?
93
00:05:37,956 --> 00:05:43,706
So now, when I do access list, let's
go 100, I'm now in the extended range,
94
00:05:43,706 --> 00:05:47,426
I hit the question mark, immediately I
see, there's a little difference there.
95
00:05:47,426 --> 00:05:49,316
There's this new word dynamic,
we're actually not going
96
00:05:49,316 --> 00:05:51,436
to use those, but there's a new word in there.
97
00:05:51,436 --> 00:05:55,466
So, I already can tell that I'm moving on a
little different track, so what am I doing?
98
00:05:56,076 --> 00:05:56,796
Denying somebody.
99
00:05:56,946 --> 00:06:01,946
I'm denying 192.168.1.0 from
reaching the other one.
100
00:06:01,946 --> 00:06:05,996
So, okay, so I'm going to say deny,
question mark, and now it's like, whoa,
101
00:06:05,996 --> 00:06:07,686
syntax went a totally different direction.
102
00:06:08,226 --> 00:06:12,546
First question it's going
to ask you is what protocol?
103
00:06:13,306 --> 00:06:14,386
What protocol?
104
00:06:14,386 --> 00:06:16,506
Remember, that's one of the
things we can filter on.
105
00:06:16,506 --> 00:06:21,546
What protocol would you like to allow or
deny key ones that we care about, ICMP,
106
00:06:21,546 --> 00:06:28,856
that's things like pings, echo, echo reply,
unreachables, all those kind of things.
107
00:06:29,196 --> 00:06:30,786
TCP and UDP and IP.
108
00:06:31,476 --> 00:06:35,576
So, ICMP, protocol-wise, TCP, UDP, and IP.
109
00:06:36,046 --> 00:06:38,046
These three we know.
110
00:06:38,106 --> 00:06:45,026
Those are the protocols that applications
use, so what's this mysterious IP?
111
00:06:45,026 --> 00:06:49,986
IP is everything, like for instance, you see a
whole bunch of protocols there and if I allow,
112
00:06:50,186 --> 00:06:53,146
you know, maybe I block TCP
traffic from these, well,
113
00:06:53,336 --> 00:06:55,866
problem is that allows UDP to still get through.
114
00:06:55,866 --> 00:07:00,056
That allows, you know, ICMP or IGMP and
ESP, all these other stuff can still get
115
00:07:00,056 --> 00:07:03,896
through 'cause there's other protocols in TCP,
but if I really want to catch all of them,
116
00:07:03,896 --> 00:07:06,826
IP is essentially every one of these in one.
117
00:07:06,826 --> 00:07:09,926
It's all protocols is what it is.
118
00:07:09,926 --> 00:07:10,946
And that's what we want here.
119
00:07:11,136 --> 00:07:13,936
We said, "Block this from getting there."
120
00:07:13,936 --> 00:07:18,696
It didn't specify anything more so we're
left to assume block, that's what it means,
121
00:07:18,696 --> 00:07:21,546
like deny everything, not just TCP or UDP.
122
00:07:21,546 --> 00:07:25,156
So we're actually going to go in
here and say, "Deny the IP protocol."
123
00:07:25,726 --> 00:07:31,336
Now, I'd ask the question, what source
address would you like to deny from?
124
00:07:31,896 --> 00:07:33,636
And I'll say, "Okay, well,
I'm not actually looking
125
00:07:33,636 --> 00:07:37,646
for everybody nor am I looking
for a specific host.
126
00:07:37,646 --> 00:07:41,626
I've been told to block this network
and that's what I'm going to do."
127
00:07:41,626 --> 00:07:48,366
I'm going to go in and say, "The source
that I'm blocking is 192.168.1.0."
128
00:07:48,366 --> 00:07:51,956
And of course, it's going to say
"Okay, well, give me something more.
129
00:07:51,956 --> 00:07:55,166
Are you looking for just a host
on there or the whole subnet."
130
00:07:55,166 --> 00:07:57,556
So that's where our good
old wildcard mask comes in.
131
00:07:57,706 --> 00:08:00,976
Remember, this is from before,
this is a class C subnet mask.
132
00:08:01,306 --> 00:08:06,516
Flip that, completely backwards rebel land
and the wild world, we flip that around 000
133
00:08:06,516 --> 00:08:13,786
which says, "Look at 192, look at 168, look
at 1, I don't care about that last octet."
134
00:08:13,786 --> 00:08:15,266
So, that can be anything.
135
00:08:15,266 --> 00:08:17,486
If it starts with this, they match this.
136
00:08:17,486 --> 00:08:18,526
They're going to be denied.
137
00:08:18,866 --> 00:08:23,266
So I'll say 0.0.0.255.
138
00:08:23,266 --> 00:08:27,996
Now, we get new options, things that we
didn't see at all in the standard access list,
139
00:08:27,996 --> 00:08:32,136
it's saying "Okay, now what
destination would you like to refer to?"
140
00:08:32,136 --> 00:08:37,306
So I'm going to say, "I am blocking this
source from," now I typed in the destination.
141
00:08:37,306 --> 00:08:40,086
Well, I'm not blocking it from
everything nor a specific host.
142
00:08:40,086 --> 00:08:42,286
I'm blocking it from this network, right?
143
00:08:42,286 --> 00:08:49,696
192.168.2.128 right here, so we'll type that in.
144
00:08:49,906 --> 00:08:56,896
That's, that's the network ID,
192.168.2.128, hit the question mark.
145
00:08:56,896 --> 00:08:58,456
Now, it says, "What's the wildcard bit?"
146
00:08:58,456 --> 00:09:01,016
Well, you remember, we use the custom
subnet here, so wildcard bits are going
147
00:09:01,016 --> 00:09:02,556
to be 000 dot and how do we figure that out?
148
00:09:02,556 --> 00:09:11,656
Well, slash 25 in decimal is 255.255.255.128,
one of those funky subnet masks.
149
00:09:11,686 --> 00:09:16,386
So I could either convert all these to
binary and then make all the one zeros
150
00:09:16,386 --> 00:09:20,646
and all the zeros one to figure it out or
we can use that handy-dandy formula which is
151
00:09:20,646 --> 00:09:28,296
to take 255.255.255 and subtract this and
that gives us 0.0.0.127 is the wildcard mask
152
00:09:28,506 --> 00:09:31,596
that we need to use to match that whole network.
153
00:09:31,786 --> 00:09:36,406
So, come in there and do 0.0.0.127.
154
00:09:36,636 --> 00:09:40,436
Hit the question mark, you know, things
like do you want to log this enter-- entry?
155
00:09:40,636 --> 00:09:43,026
Are there certain types of
service that you want to match?
156
00:09:43,026 --> 00:09:45,706
I mean, all of these goes way beyond.
157
00:09:45,706 --> 00:09:49,836
Types of service, DSCP, all those kinds
of things, deal with quality of service.
158
00:09:49,836 --> 00:09:52,486
Same thing here, different quality
of service tags that we can use.
159
00:09:52,486 --> 00:09:54,286
Don't even worry about it for now.
160
00:09:54,286 --> 00:09:56,506
I hit enter.
161
00:09:56,626 --> 00:10:00,536
We have entered our first
extended access-list statement.
162
00:10:01,476 --> 00:10:04,706
Let's do a do show IP access list.
163
00:10:04,896 --> 00:10:08,216
Right there, we've got deny
this source to this destination.
164
00:10:08,336 --> 00:10:12,306
Now, extended access-list can get pretty hairy.
165
00:10:12,636 --> 00:10:17,266
The biggest thing that you can do
is remember the three key pieces.
166
00:10:17,556 --> 00:10:20,186
You're going to say-- well, I'll
say you know, permit or deny right?
167
00:10:20,186 --> 00:10:22,186
I guess that-- that doesn't count.
168
00:10:22,316 --> 00:10:26,606
Permit or deny, so you have the
protocol, that's one key piece,
169
00:10:26,606 --> 00:10:32,316
you pick your protocol you then have your
source and you have your destination.
170
00:10:33,106 --> 00:10:36,366
No matter how complex, how big this thing
starts getting like we're going to start seeing
171
00:10:36,366 --> 00:10:40,546
over here, no matter how big this is, you're
always going to break into those three pieces,
172
00:10:40,736 --> 00:10:44,266
you pick what protocol it is, what your
source is and what your destination is
173
00:10:44,266 --> 00:10:45,686
and that makes sense when we look at this.
174
00:10:46,176 --> 00:10:53,396
Deny IP that's a protocol, this is our
source, this is our destination, cool?
175
00:10:53,816 --> 00:11:00,766
Now, extended access-list have the same rules
as a standard if I have a deny in there,
176
00:11:00,766 --> 00:11:03,906
there's the implicit deny below that
so it's going to deny everything.
177
00:11:03,906 --> 00:11:09,686
So what I need to do is get in here and type
in, IP or-- wait, hang on, where was it?
178
00:11:09,686 --> 00:11:14,796
Access list 100 and I need to add a
permit, so I'm going to say, you know,
179
00:11:14,796 --> 00:11:16,996
they're denied from that, but I'm
going to permit everything else.
180
00:11:16,996 --> 00:11:20,866
Now, in an extended world, we have
to type in permit so when I say,
181
00:11:20,866 --> 00:11:24,546
"I want to permit everything
else," what protocol is that?
182
00:11:24,546 --> 00:11:25,206
IP, right?
183
00:11:25,456 --> 00:11:26,936
That's everything, all protocols.
184
00:11:27,296 --> 00:11:28,446
What's the source?
185
00:11:29,006 --> 00:11:30,986
Well, we can actually be very broad here.
186
00:11:30,986 --> 00:11:36,516
I can say any source to,
well, what do you think?
187
00:11:36,516 --> 00:11:37,296
Any destination.
188
00:11:37,786 --> 00:11:41,816
That is your way of doing
a permit all at the bottom
189
00:11:41,816 --> 00:11:45,086
of an extended access-list to
overrule that deny everybody.
190
00:11:45,336 --> 00:11:49,136
So, now it's saying, "Okay, if
you're this and you're trying
191
00:11:49,136 --> 00:11:52,536
to go to this, you will be denied."
192
00:11:52,956 --> 00:11:58,446
However, if you're anything else, you will
be permitted even if you're this trying
193
00:11:58,446 --> 00:12:02,466
to access something other than
this, does that make sense?
194
00:12:02,466 --> 00:12:07,876
So now, I can go in to applying it to
Cisco's best practice as close to the source
195
00:12:07,876 --> 00:12:12,046
as possible, so I'm going to go into
FastEthernet0/0, same exact command
196
00:12:12,046 --> 00:12:17,126
as we saw previously, IP access
group and we say "Okay, well,
197
00:12:17,126 --> 00:12:19,486
what's the access list number or name?"
198
00:12:19,486 --> 00:12:23,076
And we'll say, "Access list 100," that's
the one we just created so I'm saying,
199
00:12:23,306 --> 00:12:27,876
"Apply this access list in
the inbound direction."
200
00:12:27,916 --> 00:12:33,606
Again, be the router-- I'll stop drawing my long
arms in a minute but fast FastEthernet0/0 is
201
00:12:33,606 --> 00:12:36,986
over here so I'm saying as things are coming in,
202
00:12:37,646 --> 00:12:41,286
in that interface 'cause that's the
interface mode I'm under right here,
203
00:12:41,396 --> 00:12:43,906
it's going to start going through
that access list and saying,
204
00:12:43,906 --> 00:12:45,246
"Are you trying to get over here?
205
00:12:45,246 --> 00:12:47,976
Because I'm going to deny you
otherwise, you're permitted to go through
206
00:12:48,196 --> 00:12:52,316
and pass out the Serial0/0 interface."
207
00:12:52,316 --> 00:12:55,106
So that will accomplish the goal.
208
00:12:55,546 --> 00:12:57,016
Let's test it.
209
00:12:57,176 --> 00:13:01,896
I'm going to go to PC1, that's
over there on the left.
210
00:13:03,116 --> 00:13:09,326
No, it's right here, and let's
just do a show ip interface brief,
211
00:13:09,916 --> 00:13:15,816
yes, that's just a little lone guy over there
on the network, 192.168.1.50, that's him,
212
00:13:15,816 --> 00:13:20,526
so I'm going to try and ping, let's try and ping
10.1.1.1 make sure we can still get there, yup,
213
00:13:20,526 --> 00:13:24,836
and that-- so 10.1.1.1 you might remember
is this guy, so it's going all the way
214
00:13:24,836 --> 00:13:31,396
across the network to here to reach it but
now let's add in, let's go a little further.
215
00:13:31,706 --> 00:13:39,406
Let's go to ping 192.168.2.150 which should be
a forbidden IP address and sure enough it is.
216
00:13:39,406 --> 00:13:43,796
So, the good news is our device is literally
getting right here and being blocked.
217
00:13:43,796 --> 00:13:47,366
He doesn't have to travel much further
like we did with the standard access list,
218
00:13:47,366 --> 00:13:49,546
we can't apply the standard
access list any closer
219
00:13:49,546 --> 00:13:53,886
than out here 'cause you can't say what you're
denied from so we would always have to have all
220
00:13:53,886 --> 00:13:56,346
of our traffic crossing the
whole network to get there.
221
00:13:56,546 --> 00:14:03,076
Now I'm able to go back in to my
router 1 to a show IP access list
222
00:14:03,556 --> 00:14:06,496
and I can see all the matches, the
things that have been denied as well
223
00:14:06,496 --> 00:14:07,716
as the things that are being permitted.
224
00:14:08,996 --> 00:14:09,866
Okay, number two.
225
00:14:10,576 --> 00:14:22,916
Block 192.168.1.50, so this guy, from reaching
192.168.2.50 so this guy using HTTP or HTTPS.
226
00:14:23,366 --> 00:14:24,036
So what can we assume?
227
00:14:24,296 --> 00:14:29,596
Well, we'll just pretend that this guy is
actually a web server that would be using those.
228
00:14:29,876 --> 00:14:34,056
So now is what I was holding myself
back from, now is a good time
229
00:14:34,056 --> 00:14:36,546
to talk about common port numbers.
230
00:14:36,956 --> 00:14:42,726
TCP, UDP all of the different protocols out
there have specific port numbers that they use.
231
00:14:42,726 --> 00:14:48,256
I'm going to do TCP, UDP and
I'll just put ICMP up here.
232
00:14:48,816 --> 00:14:51,396
The three protocols we've been talking
about so far, I guess we can throw IP,
233
00:14:51,396 --> 00:14:54,556
but it doesn't really have any port
numbers 'cause that's everything, right?
234
00:14:54,706 --> 00:14:57,666
Those are the protocols that we've
been talking about in the config,
235
00:14:58,016 --> 00:15:00,806
there are ones that you will want
to know off the top of your head.
236
00:15:01,246 --> 00:15:13,796
TCP port 21 FTP, port 22 is SSH,
TCP port 23 is Telnet, port--
237
00:15:13,796 --> 00:15:18,336
you want to know port 25 which
is SMTP that's email services.
238
00:15:18,406 --> 00:15:27,506
You want to know, maybe 53, which is
actually a DNS server, so for instance,
239
00:15:27,506 --> 00:15:32,056
DNS servers that have all those records like
google.com really points to these IP addresses,
240
00:15:32,296 --> 00:15:38,046
they replicate to each other or they
can and they use TCP port 53 to do that.
241
00:15:38,046 --> 00:15:49,636
Port 80, the most well-known port in the world,
HTTP, port 110 POP3, that's client email.
242
00:15:49,636 --> 00:15:53,716
So if you're downloading email
from an email server, you use POP3.
243
00:15:53,976 --> 00:15:57,256
On the same token port, what is it?
244
00:15:57,256 --> 00:16:05,906
143, IMAP4, which is that same thing, a client email
but instead of downloading it from the server,
245
00:16:05,906 --> 00:16:09,896
it leaves it on the server so that way,
the client doesn't hold the email at all,
246
00:16:09,896 --> 00:16:11,626
it stays on the server, so IMAP4.
247
00:16:11,626 --> 00:16:15,696
And then the only other one
that I could foresee popping
248
00:16:15,696 --> 00:16:20,486
up at you is port 443 and that is HTTPS or SSL.
249
00:16:20,486 --> 00:16:24,446
So, encrypted or secured
HTTP uses that port number.
250
00:16:24,936 --> 00:16:28,836
Now I know, you're like "Ooh, that's a lot of
port numbers to know off the top of my head."
251
00:16:29,056 --> 00:16:33,006
Yes, the vast majority of them
are in TCP because that's what all
252
00:16:33,006 --> 00:16:35,826
of our data applications use, correct?
253
00:16:35,826 --> 00:16:40,976
Now UDP, there are some but very
few, UDP, you really only want
254
00:16:40,976 --> 00:16:45,546
to know port 53 which is DNS client.
255
00:16:46,636 --> 00:16:51,986
So when, for instance, your computer at home
goes to google.com or cbtnuggets.com and tries
256
00:16:51,986 --> 00:16:55,526
to resolve that name to an IP
address, it sends out a UDP request.
257
00:16:55,526 --> 00:16:57,966
It's just a-- that's the normal DNS lookup.
258
00:16:58,306 --> 00:17:02,156
And then port 69 which is TFTP.
259
00:17:03,516 --> 00:17:05,486
Our Cisco devices use that for a lot
260
00:17:05,486 --> 00:17:08,976
of configuration backups or
upgrading the IOS software.
261
00:17:08,976 --> 00:17:11,216
So, those are really the only two on UDP.
262
00:17:11,216 --> 00:17:16,646
ICMP doesn't really use port numbers, it
uses protocol numbers or protocol name
263
00:17:16,646 --> 00:17:21,556
so the only two you'll want to
know there is echo and echo-reply.
264
00:17:22,336 --> 00:17:26,926
And if you combine both of
those together, what do you get?
265
00:17:27,476 --> 00:17:32,446
A ping. That's when you ping something, it
sends an echo and the other side sends back
266
00:17:32,446 --> 00:17:35,016
and an echo reply so that's how we do that.
267
00:17:35,016 --> 00:17:39,096
So, I would suggest and now this is-- well, you
know, I was going to say, if you're studying
268
00:17:39,096 --> 00:17:41,826
for the exam, but I would say real world.
269
00:17:41,826 --> 00:17:46,146
Yeah, I mean, you use those all the time 'cause
those are the major services that you end
270
00:17:46,146 --> 00:17:50,996
up supporting as a Cisco firewall administrator
or you know, whatever you're doing with those,
271
00:17:50,996 --> 00:17:56,026
you constantly run across those services, so
it's for good reason that Cisco allows those.
272
00:17:56,026 --> 00:18:04,396
So, okay, now back to the objective,
block 192.168.1.50 from reaching this guy,
273
00:18:04,396 --> 00:18:07,816
who's probably a web server, on port 80 and 443.
274
00:18:08,236 --> 00:18:12,586
This is going to be awesome, I just-- I
paused and I was like, "I've got an idea."
275
00:18:12,746 --> 00:18:17,716
I want to take this opportunity to
show you how to edit an access list,
276
00:18:17,716 --> 00:18:20,676
because, see, here's the deal: we
already have, in scenario one,
277
00:18:20,976 --> 00:18:24,786
blocked this guy from reaching
out over here on everything.
278
00:18:24,786 --> 00:18:30,786
So now we're saying, "Okay, in addition to that,
I want to block this guy, that one IP address
279
00:18:30,786 --> 00:18:36,336
on the network, from reaching
to this guy on port 80 and 443."
280
00:18:36,606 --> 00:18:40,096
I know that because I, you know,
just did the quick correlation,
281
00:18:40,096 --> 00:18:42,846
HTTP and HTTPS are there in that list.
282
00:18:42,846 --> 00:18:48,196
So, we've already got an access list
applied inbound right here that we can edit
283
00:18:48,196 --> 00:18:50,556
to add those restrictions to, so let's do it.
284
00:18:51,036 --> 00:18:52,736
So, where am I?
285
00:18:52,736 --> 00:18:57,156
Router 1, come right there, so
there's our existing access list.
286
00:18:57,156 --> 00:18:59,486
Now you notice that we've got
these sequence numbers right there.
287
00:18:59,906 --> 00:19:03,376
So that's going to leave us
in a little bit of a pickle
288
00:19:03,666 --> 00:19:07,106
because if we-- yes, I did just say pickle.
289
00:19:07,106 --> 00:19:12,286
So if we use our normal access list
command, if I say access list--
290
00:19:12,286 --> 00:19:20,046
access list, you know 100 and I keep going
down and I say, you know, permit IP--
291
00:19:20,046 --> 00:19:22,646
or TCP and I start squeezing in all the stuff,
292
00:19:22,646 --> 00:19:24,676
it's going to keep adding on
to the bottom of the list.
293
00:19:24,676 --> 00:19:26,406
No, no, no I can't do that.
294
00:19:26,406 --> 00:19:28,056
I want to squeeze stuff in.
295
00:19:28,676 --> 00:19:32,406
Now, do any of you remember
where we saw that little--
296
00:19:32,406 --> 00:19:36,386
in the last Nugget, I had the question mark and
we saw the option to type in a sequence number?
297
00:19:36,606 --> 00:19:40,916
So I can say, "Well, squeeze in sequence 15
in between these two," or something like that.
298
00:19:41,126 --> 00:19:41,986
Remember where that was?
299
00:19:42,476 --> 00:19:45,906
It was in the named access list,
so let's back up a little bit.
300
00:19:45,906 --> 00:19:47,946
If I type in-- how to get
to the named access list?
301
00:19:48,376 --> 00:19:51,756
IP access list, right?
302
00:19:51,876 --> 00:19:55,086
And I'll say this is going to
be instead of using number 100
303
00:19:55,086 --> 00:19:59,756
and all that to specify it's extended, I'm
going to say, "This is an extended access list,
304
00:19:59,756 --> 00:20:03,976
but now, it lets me type in, oh, which one are
you editing or which one are you creating?"
305
00:20:04,166 --> 00:20:06,246
You can do both with this command.
306
00:20:06,246 --> 00:20:09,756
So we'll say extended and we'll say number 100.
307
00:20:10,306 --> 00:20:12,346
Now, you noticed it says, "Okay,
go ahead and press Enter."
308
00:20:12,526 --> 00:20:16,836
Thanks, I'm now in the configuration
mode, editing that access list.
309
00:20:16,836 --> 00:20:26,136
So now, what I can do is specify a sequence
number to squeeze in the commands I'm
310
00:20:26,136 --> 00:20:29,126
about to do before we get
to that permit IP any any.
311
00:20:29,946 --> 00:20:32,916
So, what do we do?
312
00:20:32,966 --> 00:20:39,296
Okay, so we're, first off, needing to
block HTTP and then we'll block HTTPS
313
00:20:39,296 --> 00:20:41,766
which will be really easy
once we get the first command.
314
00:20:41,766 --> 00:20:47,516
First off, I'm going to say, "Okay,
previously, we had sequences 10 and 20,
315
00:20:47,716 --> 00:20:51,386
so I need to squeeze it in," so I was
saying 15, but why go right in the middle?
316
00:20:51,386 --> 00:20:52,566
Why not just use 11?
317
00:20:52,566 --> 00:20:52,966
How is that?
318
00:20:52,966 --> 00:20:57,336
So, sequence number 11 will
add the line between 10 and 20.
319
00:20:57,946 --> 00:21:02,376
It's like-- any of you-- my roots go
back to the Commodore Amiga Computer.
320
00:21:02,376 --> 00:21:05,936
That's where I really got
my first taste of computing
321
00:21:06,206 --> 00:21:09,526
and I remember [laughs] trying
to learn programming.
322
00:21:09,526 --> 00:21:10,916
Now this is many, many moons ago.
323
00:21:10,916 --> 00:21:12,266
I was much, much, much younger.
324
00:21:12,606 --> 00:21:15,526
And I got into BASIC programming
thinking, I'm going to--
325
00:21:15,526 --> 00:21:19,166
you know, what's every kid dream of
when they're getting into computers,
326
00:21:19,166 --> 00:21:21,246
I want to be a video game programmer, right?
327
00:21:21,246 --> 00:21:24,936
And so I got into BASIC and, you know,
got the book out and it says, "Okay,
328
00:21:25,256 --> 00:21:29,016
type in line 10, echo, hello world."
329
00:21:29,076 --> 00:21:34,976
And then you-- so you typed that into the
BASIC compiler, 10 Echo, you know, hello world.
330
00:21:35,086 --> 00:21:40,916
And then you do a line 20, go to 10, and you
run the program and you just get a screen full
331
00:21:40,916 --> 00:21:45,516
of hello world and that's about as far as
I got and I'm like, "Well, that was lame.
332
00:21:45,516 --> 00:21:49,586
I'm a long way away from creating, you
know, Defender of the Crown kind of games,"
333
00:21:49,586 --> 00:21:52,756
[laughs] you know, like which was of
course the game of the year back then.
334
00:21:52,756 --> 00:21:57,286
So, what was I talking-- so that-- so
yeah, this is very similar to that.
335
00:21:57,286 --> 00:22:00,046
We just got these sequence numbers
to keep everything straight.
336
00:22:00,046 --> 00:22:03,466
So, I'm going to say sequence
11 to squeeze it in there,
337
00:22:03,726 --> 00:22:05,806
now we can put it in our
permit and deny statements.
338
00:22:05,836 --> 00:22:07,356
So I'm going to say, "Deny.
339
00:22:07,356 --> 00:22:12,436
We're blocking them from--
" So saying, "Deny what?"
340
00:22:12,436 --> 00:22:17,406
Well, HTTP is a TCP-based protocol, right?
341
00:22:18,386 --> 00:22:21,926
So I'm going to say "Deny TCP."
342
00:22:21,926 --> 00:22:24,346
It's the-- TCP is the protocol
that I'm blocking.
343
00:22:24,516 --> 00:22:26,496
Now it's saying, "Who are you denying?"
344
00:22:26,696 --> 00:22:31,346
Well, it's nice and easy here so I can say--
well, there's two ways, I can either say host
345
00:22:31,346 --> 00:22:38,126
and type in the IP address or I can type in
the IP address, let's do 192.168.1.50, right?
346
00:22:38,236 --> 00:22:40,456
The two we're-- let's this
squeeze this a little bit.
347
00:22:40,606 --> 00:22:46,556
The two we're blocking 192.168.1.50 from-- and
then so I'll hit the question mark says, "Okay,
348
00:22:46,556 --> 00:22:48,696
what's your wildcard bits, 0.0.0.0."
349
00:22:48,696 --> 00:22:51,666
So if I would have used the host
keyword, I could have skipped doing
350
00:22:51,666 --> 00:22:52,906
that 'cause it would assume that.
351
00:22:52,966 --> 00:22:56,306
So, now it's going to say, okay, what is your--
352
00:22:56,576 --> 00:23:00,776
okay what is your-- so I've
got this mouse, right?
353
00:23:00,776 --> 00:23:04,756
And the scroll-- it doesn't have a scroll wheel,
it's invisible, like if you just kind of move
354
00:23:04,756 --> 00:23:08,506
over the mouse, it scrolls for you so
that's why I'm doing all that time.
355
00:23:08,506 --> 00:23:15,266
So, it's saying, "Okay, this is your source
now into your destination," but wait, but wait.
356
00:23:15,826 --> 00:23:19,466
This is actually a point where
a lot of confusion comes in,
357
00:23:20,036 --> 00:23:22,396
because somebody hits the
question which we all do.
358
00:23:22,396 --> 00:23:25,336
This is-- hitting the question mark
is something you always do in Cisco.
359
00:23:25,716 --> 00:23:31,046
And we see-- oh wait, wait, match packets on
a port number or greater than a port number
360
00:23:31,046 --> 00:23:35,446
or less than a port number or
not equal to a port number.
361
00:23:35,606 --> 00:23:37,886
That's NEQ, not equal to or range of port.
362
00:23:37,886 --> 00:23:42,086
So we're like, "Oh okay, so this is
where I type in my port number, right?"
363
00:23:43,126 --> 00:23:48,506
Major area where access lists get
kind of messed up and this goes back
364
00:23:48,506 --> 00:23:50,366
to what I was just showing
you on the last example.
365
00:23:50,586 --> 00:23:55,476
Remember, the access list is always
comprised of three main pieces.
366
00:23:55,806 --> 00:24:01,506
You say, I want to allow or deny the
protocol, which we chose as TCP, the source,
367
00:24:01,506 --> 00:24:04,586
you put in your source information,
then the destination.
368
00:24:05,856 --> 00:24:08,076
Now you might be saying, "Well yeah,
that's what we're doing, right?"
369
00:24:08,076 --> 00:24:09,236
And we said, port 80.
370
00:24:09,236 --> 00:24:11,686
Well, if we type in the port number right here--
371
00:24:11,686 --> 00:24:17,626
not there, right here, if we type in the port
number and we say, "Okay, equal to port 80,"
372
00:24:18,016 --> 00:24:22,176
then we're actually choosing the source
port and that's not what we want.
373
00:24:22,376 --> 00:24:26,436
I mentioned this way early on in the
series so I want to talk about it again.
374
00:24:26,656 --> 00:24:30,856
When a computer creates a connection to,
well, let's just say this web server,
375
00:24:32,146 --> 00:24:34,836
it'll always create what's known as a socket
376
00:24:35,016 --> 00:24:41,476
and what a socket is-- this
guy is 192.168.2.50, right?
377
00:24:41,476 --> 00:24:45,206
And this guy is 192.168.1.50.
378
00:24:45,526 --> 00:24:48,576
So a socket is when he says, "I
want to talk you web server."
379
00:24:48,656 --> 00:24:51,076
And the web server is like, "Well,
I actually do a lot of stuff.
380
00:24:51,076 --> 00:24:51,856
I'm a web server.
381
00:24:51,856 --> 00:24:52,766
I'm an email server.
382
00:24:52,906 --> 00:24:57,976
I'm a [laughs]-- like what else--
oh, I'm an online gaming server.
383
00:24:58,116 --> 00:25:02,896
I'm a database server," I mean, he's like,
"So what service on me do you want to talk to?
384
00:25:03,196 --> 00:25:06,746
You can't just say you want to talk me, you
got to tell me what on me you want to talk to,"
385
00:25:06,946 --> 00:25:08,556
so that's why this guy creates a socket.
386
00:25:08,556 --> 00:25:15,036
He says, "Well actually, I want
to talk to you, 192.168.2.50.
387
00:25:15,036 --> 00:25:20,006
I want to talk to you on a
socket of 192.168.2.50:80,"
388
00:25:20,286 --> 00:25:22,386
which now when he gets that he goes, "Oh, okay.
389
00:25:22,386 --> 00:25:27,536
You're trying to access my web server,"
because that's assigned to port 80 on here.
390
00:25:27,866 --> 00:25:33,936
But at the same token, this guy also creates
a source socket, to where he says, "Oh,
391
00:25:33,936 --> 00:25:43,526
coming from 192.168, you know, when you talk
back to me, I'm coming from 192.168.1.50 colon."
392
00:25:43,766 --> 00:25:44,386
What is it?
393
00:25:44,386 --> 00:25:47,156
How's 5196?
394
00:25:47,636 --> 00:25:51,296
[laughs] We don't know because
Windows makes that up.
395
00:25:51,386 --> 00:25:52,856
When I open-- you remember this?
396
00:25:52,856 --> 00:25:58,706
When I open a web browser, I open, you
know, Google and go cbtnuggets.com,
397
00:25:59,306 --> 00:26:03,346
the operating system-- we did
this early on, we do netstat.
398
00:26:03,696 --> 00:26:08,636
It comes in and says, okay, well, I'm creating
all these little source ports, you know,
399
00:26:08,636 --> 00:26:11,786
this is my source IP address and I'm going--
400
00:26:11,786 --> 00:26:15,196
you know, coming from this source port
which identifies, you know, Google Chrome
401
00:26:15,196 --> 00:26:19,596
or whatever app and now I've got other stuff
right here like wow, that's a lot of stuff.
402
00:26:19,596 --> 00:26:21,316
Well, I've got a lot of stuff running on here.
403
00:26:21,506 --> 00:26:25,506
But you know, these, I can tell
you, are all related to CBT Nuggets
404
00:26:25,506 --> 00:26:31,926
because CBT Nuggets stores their data
in Amazon AWS which uses EC2 services
405
00:26:31,926 --> 00:26:34,976
which is-- that's another great series.
406
00:26:35,126 --> 00:26:39,556
If you're ever interested in that, CBT
Nuggets has a series on AWS, it's amazing.
407
00:26:40,496 --> 00:26:41,046
[laughs] Amazing.
408
00:26:41,166 --> 00:26:43,046
So, moving on.
409
00:26:43,266 --> 00:26:46,556
So, this, you know, is going to be
made up by the operating system.
410
00:26:46,556 --> 00:26:51,286
So if-- going back to where we're
at, let's see, we were on router 1.
411
00:26:51,706 --> 00:26:57,266
If we type in equal next to the source, we're
going to be saying, "I want to deny based
412
00:26:57,266 --> 00:27:00,836
on the source port number," which we
don't know what that's going to be.
413
00:27:00,836 --> 00:27:04,226
We rarely if ever are going to know
what the source port are going to be--
414
00:27:04,396 --> 00:27:09,616
is going to be, so rather, I'm just
going to go right into the destination.
415
00:27:09,616 --> 00:27:12,876
I'm going to say, "Okay, I've specified this.
416
00:27:13,056 --> 00:27:16,496
I've specified my source and I'm not
going to specify a source port number
417
00:27:16,496 --> 00:27:17,626
because I don't know what it's going to be.
418
00:27:17,796 --> 00:27:19,386
I'm just going to move on to the destination."
419
00:27:20,026 --> 00:27:24,436
So watch this, come back here--
oh, I just pasted that in.
420
00:27:25,116 --> 00:27:27,616
And now I'm going to say, "Okay destination."
421
00:27:27,616 --> 00:27:37,526
Well, the destination host is 192.168.2.50,
hit the question mark, wildcard bits 0.0.0.0.
422
00:27:38,376 --> 00:27:38,926
There we go.
423
00:27:38,926 --> 00:27:45,426
So we've got-- I'm denying a TCP from this
source, no port number, to this destination,
424
00:27:45,836 --> 00:27:49,826
and now, now, we specify the port number.
425
00:27:49,826 --> 00:27:51,516
Now notice, equal to a port number.
426
00:27:51,516 --> 00:27:55,896
Now, we get a ton of other options like,
you know, match flags, log, [inaudible],
427
00:27:55,896 --> 00:27:57,556
I mean, it just goes on and on and on.
428
00:27:57,556 --> 00:28:00,266
But really, the main one
that we use is equal to.
429
00:28:00,506 --> 00:28:06,206
So I'm going to say, "I want to deny TCP on
ports equal to and I'll hit the question mark."
430
00:28:06,206 --> 00:28:09,106
I know I'm reaching the edge
of my screen there-- equal to--
431
00:28:09,106 --> 00:28:14,386
and now look at this, Cisco says, "You can
just type in the port number which I prefer."
432
00:28:14,806 --> 00:28:17,896
You can just type it in right there and
we'll take whatever port number you specify
433
00:28:17,896 --> 00:28:22,036
or Cisco's like, "I know sometimes you
forget a lot of the common port numbers
434
00:28:22,036 --> 00:28:28,006
so we created a list of-- and I'm
putting in quotes, "common" port numbers
435
00:28:28,156 --> 00:28:31,296
that we haven't updated since 1985.
436
00:28:31,296 --> 00:28:33,946
I mean, it's like seriously,
this-- I mean, look at this list.
437
00:28:33,946 --> 00:28:34,946
I mean, gopher.
438
00:28:35,216 --> 00:28:40,086
Does anyone remember Windows 3.1, where
you had the original like a little gopher--
439
00:28:40,086 --> 00:28:45,016
it had little teeth that-- it was
like-- it was FTP before there was FDS.
440
00:28:45,016 --> 00:28:50,106
So, I mean, if you want to remember this archaic
list, then go for it, but I'm telling you,
441
00:28:50,106 --> 00:28:52,736
just stick to the port number, you know.
442
00:28:52,816 --> 00:28:55,566
So let's go on, so you can see the list.
443
00:28:55,566 --> 00:28:56,626
Now, notice this.
444
00:28:57,046 --> 00:28:59,366
It's not even HTTP that they chose as the name.
445
00:28:59,366 --> 00:29:03,266
They said www which again, it's
been that way since long, long ago.
446
00:29:03,266 --> 00:29:07,196
So, we'll just put equal to 80, how about that?
447
00:29:07,196 --> 00:29:09,316
Whoa, you see what just happened there?
448
00:29:09,426 --> 00:29:11,516
It just kind of scooted over
and put a dollar sign.
449
00:29:11,826 --> 00:29:16,626
Remember way early on in the series, I said,
if you ever type a line that's really long,
450
00:29:16,966 --> 00:29:20,556
the IOS is like, "Okay, I'm going
to put a dollar sign representing
451
00:29:20,556 --> 00:29:22,056
that you've reached the end of that line."
452
00:29:22,056 --> 00:29:25,666
So-- or I should say, there's
more to the left here
453
00:29:25,666 --> 00:29:28,116
so you can scroll back to see the entire thing.
454
00:29:28,116 --> 00:29:32,406
So, I'll hit the enter key
and now I've got it in there.
455
00:29:32,606 --> 00:29:33,666
Now watch this.
456
00:29:33,666 --> 00:29:38,356
I'm going to a show ip access list
so we can verify that command.
457
00:29:38,666 --> 00:29:43,306
So notice, first off, sequence 11 so it squeezed
it in between 10 and 20, that was successful.
458
00:29:43,566 --> 00:29:46,886
Notice as well that the Cisco
IOS recognized, it goes, "Oh,
459
00:29:46,886 --> 00:29:48,526
you're using a wildcard mask of all zeros.
460
00:29:48,526 --> 00:29:51,816
Tell you what, how about we make that a host?"
461
00:29:51,986 --> 00:29:54,676
So, remember, I said you
can type it one or two ways.
462
00:29:54,846 --> 00:29:58,186
Well, you can, but the Cisco
IOS is like, "I prefer this way.
463
00:29:58,186 --> 00:29:59,616
It's a little prettier that way."
464
00:29:59,616 --> 00:30:00,146
So let's do that.
465
00:30:00,146 --> 00:30:00,976
So it converts it back for you.
466
00:30:01,046 --> 00:30:06,386
And also notice, it recognized port 80,
he goes, "Oh, well, you really mean www."
467
00:30:06,506 --> 00:30:08,286
Does that mean that we have to know that?
468
00:30:08,846 --> 00:30:10,846
No, it just means that, you know, there's a--
469
00:30:10,846 --> 00:30:15,756
you know, the IOS does a lot of stuff
behind the scenes and that's fine.
470
00:30:15,756 --> 00:30:16,816
We'll let it do that.
471
00:30:16,816 --> 00:30:23,926
So, that now allows or I should say denies TCP
from this source, on any source port number,
472
00:30:24,186 --> 00:30:27,656
to this host using the destinate--
remember, when we're talking about socket.
473
00:30:27,656 --> 00:30:31,176
This is a destination port
number, destination port of 80.
474
00:30:31,256 --> 00:30:32,836
Now, what about HTTPS?
475
00:30:33,076 --> 00:30:34,776
That is just an up arrow away.
476
00:30:34,776 --> 00:30:39,356
I hit the up arrow and say, okay, well--
actually, I'll go back to the beginning and say,
477
00:30:39,356 --> 00:30:41,656
"This will be line 12, sequence 12."
478
00:30:41,996 --> 00:30:46,146
Otherwise, it will-- but you may go,
"Well, what happens if you put 11?"
479
00:30:46,146 --> 00:30:49,676
Some IOS versions, it'll squeeze
it in and bump the other one down.
480
00:30:49,816 --> 00:30:53,376
A lot of other ones will say, it
will either overwrite it or it will--
481
00:30:53,376 --> 00:30:57,486
it's IOS dependent or it will just say,
"Sorry, there's something else at sequence 11.
482
00:30:57,686 --> 00:30:59,226
You can't create it there."
483
00:30:59,226 --> 00:31:02,896
So it's usually best just, you know,
don't try and figure out which you got.
484
00:31:02,896 --> 00:31:04,996
Just go in and specify a unique sequence number.
485
00:31:05,126 --> 00:31:07,576
So I'll put 443.
486
00:31:07,576 --> 00:31:08,666
That's HTTPS.
487
00:31:08,666 --> 00:31:09,676
Hit the up arrow.
488
00:31:09,996 --> 00:31:16,506
With that, we've now got two lines in there
that's denying or saying, "Deny this source host
489
00:31:16,506 --> 00:31:20,196
to this destination host on this
destination port for both of them."
490
00:31:20,196 --> 00:31:21,126
Okay. Great.
491
00:31:21,296 --> 00:31:24,166
Now this-- so we edited the
existing access list.
492
00:31:24,166 --> 00:31:27,206
The beauty is it still applied to the interface.
493
00:31:27,446 --> 00:31:31,216
So I still have the ability
to go in there and test it.
494
00:31:31,216 --> 00:31:33,056
I don't have to reapply it
or anything like that.
495
00:31:33,056 --> 00:31:34,326
Now, you've got to be careful.
496
00:31:34,326 --> 00:31:37,916
It's a little dangerous 'cause these
commands are going into action right away.
497
00:31:38,166 --> 00:31:43,506
So if you mess up, it's not like, "Oh,
whoops," you know, like this is, while it's--
498
00:31:43,506 --> 00:31:47,426
well, the router is working, so these are
immediately active when you press the enter key.
499
00:31:47,426 --> 00:31:48,096
So let's test it.
500
00:31:48,216 --> 00:31:49,526
How do I test this?
501
00:31:50,426 --> 00:31:56,036
Okay. One way that we can test access list, now
obviously this is a router that's simulating
502
00:31:56,036 --> 00:32:00,566
as if I was a PC and does a very good job
at that, but there's no web browser on here.
503
00:32:00,566 --> 00:32:07,386
So I can't open a website and test it there
and nor is this device really a web server.
504
00:32:07,386 --> 00:32:11,676
But one of the things I can do is
use the Telnet command to test.
505
00:32:11,726 --> 00:32:15,956
I might say, well, Telnet--
wait a sec, that uses port 23.
506
00:32:16,326 --> 00:32:18,516
It does, but watch this.
507
00:32:18,516 --> 00:32:26,286
I'm going to type in Telnet 192.168.2.50
and I'm going to follow up here
508
00:32:26,286 --> 00:32:29,956
and see that it gives me the
option to type a port number.
509
00:32:30,526 --> 00:32:34,646
So, I can say, well Telnet-- if I just hit the
enter key, it will Telnet and I can say, "Oh,
510
00:32:34,646 --> 00:32:36,176
hey, I can Telnet to that device.
511
00:32:36,176 --> 00:32:36,856
That's great."
512
00:32:36,856 --> 00:32:38,606
Okay. So I'm going to get past that.
513
00:32:38,606 --> 00:32:42,686
So that verifies to me that port 23 is working,
but when I go back and I'll say, "Well,
514
00:32:42,686 --> 00:32:44,916
I want to specify Telnet to port 80."
515
00:32:45,076 --> 00:32:46,626
It immediately comes back.
516
00:32:46,626 --> 00:32:47,636
It's like, deny.
517
00:32:47,636 --> 00:32:48,426
Now, okay.
518
00:32:48,906 --> 00:32:52,836
Did that happen because this guy isn't
running a web server or did it happen
519
00:32:52,836 --> 00:32:54,936
because the access list really did block that?
520
00:32:55,356 --> 00:32:56,406
Well, how do you think we can see?
521
00:32:56,936 --> 00:32:58,796
Go to router 1.
522
00:32:59,966 --> 00:33:02,556
Hit the up arrow and see did we have any hits?
523
00:33:02,986 --> 00:33:04,376
And we did.
524
00:33:04,376 --> 00:33:11,256
Essentially, PC1 sent three attempts to try
and open that www port, it tried to get there
525
00:33:11,446 --> 00:33:13,076
and the router was like, "You're denied.
526
00:33:13,076 --> 00:33:13,646
You're denied.
527
00:33:13,646 --> 00:33:14,106
You're denied."
528
00:33:14,106 --> 00:33:17,656
So, okay let's try this, let's
hit the up arrow and try 443.
529
00:33:17,856 --> 00:33:20,086
Hit the up arrow.
530
00:33:20,086 --> 00:33:20,956
Look at that.
531
00:33:20,956 --> 00:33:22,376
Now we have three matches on that.
532
00:33:22,376 --> 00:33:26,426
So that will-- I mean, without actually
having a computer with a web server to--
533
00:33:26,426 --> 00:33:30,266
or a web server setup and a web
client to test, what a great--
534
00:33:30,266 --> 00:33:32,186
and by the way, everybody does this.
535
00:33:32,186 --> 00:33:37,816
This is a very common thing in the real realm
of Cisco that you're constantly using Telnet
536
00:33:38,016 --> 00:33:41,516
to really test if your port
restrictions are working or not.
537
00:33:41,606 --> 00:33:44,066
In this case, we can see
they are working like a gem.
538
00:33:45,286 --> 00:33:51,876
Now, I'd like you to pause the Nugget and
see if you can do number 3 on your own.
539
00:33:51,876 --> 00:33:56,306
Even if you don't have a Cisco IOS in front
of you, whether it's GNS3 or a real router,
540
00:33:56,506 --> 00:33:58,296
still just write it down on paper.
541
00:33:58,426 --> 00:34:01,286
That's where you really get used to the syntax.
542
00:34:01,336 --> 00:34:04,016
Write it down and see if you can figure
out the commands that you would use.
543
00:34:04,016 --> 00:34:06,926
Now, I will tell you, it's a little challenging.
544
00:34:06,926 --> 00:34:10,626
It goes a little different mindset
than what we've done so far.
545
00:34:11,026 --> 00:34:13,326
Okay. So pause and let's do it.
546
00:34:13,326 --> 00:34:19,136
Okay, so permit 192.168.2.0 to access 10.1.1.1.
547
00:34:19,136 --> 00:34:20,026
Let's identify the player.
548
00:34:20,026 --> 00:34:27,436
So I'm saying, permit this whole subnet,
192.168.2.0 that's the network ID slash 25.
549
00:34:27,466 --> 00:34:30,416
So that whole subnet and we figure
that out in the last Nugget,
550
00:34:30,416 --> 00:34:36,336
that's really 192.168.2.0 through 127.
551
00:34:36,616 --> 00:34:38,606
This being the broadcast,
that being the network.
552
00:34:38,606 --> 00:34:42,226
So, you know, that first one is usable when
all the-- we figured out the range for that.
553
00:34:42,226 --> 00:34:48,666
So we're saying that whole range can
access this guy only using Telnet and SSH.
554
00:34:49,006 --> 00:34:51,406
Now, again, this IP address right here, okay?
555
00:34:51,696 --> 00:34:52,986
So, where are we at?
556
00:34:53,366 --> 00:34:56,586
Most efficient close to the source
as possible is going to be router 2.
557
00:34:56,906 --> 00:35:04,776
Okay? So, I'm going to go in router 2 and let's
just clear the screen from the previous Nuggets.
558
00:35:04,776 --> 00:35:06,876
So let's clear the screen off that.
559
00:35:07,146 --> 00:35:11,526
Router 2, and I'm going to shrink this down
just so we can keep things in front of us.
560
00:35:12,026 --> 00:35:12,396
All right.
561
00:35:12,396 --> 00:35:17,516
So, I've got permit 192.168.2-- there we go.
562
00:35:17,516 --> 00:35:18,176
How about right here?
563
00:35:18,176 --> 00:35:22,056
Permit 192.168.2.0 to access it.
564
00:35:22,056 --> 00:35:28,746
So I'm going to go in and let's use this
opportunity, use a named access list.
565
00:35:28,746 --> 00:35:29,846
Again, you can use number.
566
00:35:29,846 --> 00:35:33,366
That's fine if you did this beforehand, but
I'm going to use a named one 'cause it kind
567
00:35:33,366 --> 00:35:35,196
of gets you experience with that side as well.
568
00:35:35,596 --> 00:35:40,376
Anytime you want to use a named
access list, it is ip access-list
569
00:35:40,526 --> 00:35:41,426
and then we hit the question mark.
570
00:35:41,426 --> 00:35:42,086
We say, "Okay.
571
00:35:42,086 --> 00:35:43,246
Extended."
572
00:35:43,366 --> 00:35:44,686
We're in the extended world now.
573
00:35:44,986 --> 00:35:46,676
And what name do you want to do?
574
00:35:46,776 --> 00:35:55,836
We'll just say, let's just say,
R3 Telnet SSH, how is that?
575
00:35:56,596 --> 00:35:58,626
Just a unique name.
576
00:35:59,666 --> 00:36:04,126
Okay, so I'm going to come
in here and do a permit.
577
00:36:04,786 --> 00:36:07,426
Now again, we could specify sequence
numbers and all that, but I'm--
578
00:36:07,426 --> 00:36:11,036
this is a new access-list so I'm just going
to let it kind of generate those for me.
579
00:36:11,036 --> 00:36:21,816
So I'll do permit and we're going to say the
protocol, so we'll say, TCP as the protocol.
580
00:36:21,816 --> 00:36:25,566
Permit TCP 'cause Telnet
and SSH are both TCP based.
581
00:36:25,566 --> 00:36:27,106
That's port 22 and port 23.
582
00:36:27,106 --> 00:36:35,926
So permit TCP from the source of 192.168.2.0
with a wildcard mask and you know,
583
00:36:35,926 --> 00:36:37,246
we've figured this out a couple of times.
584
00:36:37,246 --> 00:36:43,806
It's actually 0.0.0.127 is that custom
wildcard mask for the slash 25, right?
585
00:36:43,806 --> 00:36:49,926
So that is what-- that's how the router knows
its-- all of these IP addresses, 0 through 127.
586
00:36:49,926 --> 00:36:50,926
So, I'll hit the question mark.
587
00:36:50,926 --> 00:36:51,546
It says, "Okay.
588
00:36:51,726 --> 00:36:54,956
You can either type in a destination
address or put in port numbers."
589
00:36:54,956 --> 00:36:57,076
Now, again, we're not going
to make that mistake.
590
00:36:57,396 --> 00:37:01,076
If we type in a port number here, it's the
source port number and we're not doing that.
591
00:37:01,076 --> 00:37:05,386
We don't-- we're caring if it's
going to the Telnet and SSH protocol.
592
00:37:05,386 --> 00:37:10,546
It's going to this device on port 22
or 23 not coming from port 22 or 23.
593
00:37:10,776 --> 00:37:22,946
So I'm going to say, it's going to the host
10.1.1.1 'cause we're only permitting access
594
00:37:22,946 --> 00:37:24,996
to this one using those port numbers.
595
00:37:25,636 --> 00:37:27,746
So, let me-- now, okay.
596
00:37:27,746 --> 00:37:32,866
So we've got the source so this is the
source information, this is the destination
597
00:37:32,866 --> 00:37:34,416
and now we can put in the port number.
598
00:37:34,416 --> 00:37:36,156
So I'll say equal to.
599
00:37:36,156 --> 00:37:39,286
Oh, there's another way I could do
this, but I'm not going to do that yet.
600
00:37:39,456 --> 00:37:42,626
So, we're going to say equal to 22, enter.
601
00:37:43,376 --> 00:37:45,706
And then I'm just-- I mean, now it's easy.
602
00:37:45,706 --> 00:37:47,756
I hit the up arrow and say equal to 23.
603
00:37:48,036 --> 00:37:51,756
That is SSH, that's port
22, and Telnet is port 23.
604
00:37:52,716 --> 00:37:56,726
Now, what I was brainstorming is I was
saying you could also come in here.
605
00:37:56,916 --> 00:37:58,456
I mean, the options are endless.
606
00:37:58,456 --> 00:38:00,376
I could type in-- not reflect.
607
00:38:00,576 --> 00:38:08,406
I could type in reflect, but I'm going
to say range and I could say 22 to 23.
608
00:38:09,016 --> 00:38:11,816
That would do it in one line if
you want doing an access-list.
609
00:38:11,816 --> 00:38:16,446
So, it's saying both of those port
numbers from-- or I could do 22 through 1024.
610
00:38:16,446 --> 00:38:19,136
I mean, you can put in whatever is the end port.
611
00:38:19,136 --> 00:38:23,266
So that would be another
option, but we're not doing that.
612
00:38:23,436 --> 00:38:24,776
So, delete list.
613
00:38:24,776 --> 00:38:29,596
Okay. So let's do a show ip
access list on the source.
614
00:38:29,596 --> 00:38:31,846
So we've got-- okay, the core of this is done.
615
00:38:32,066 --> 00:38:35,726
We're permitting this and this.
616
00:38:36,496 --> 00:38:39,116
And so initially, like, okay.
617
00:38:39,116 --> 00:38:39,956
I think we're good.
618
00:38:39,956 --> 00:38:41,186
We can apply it, right?
619
00:38:41,696 --> 00:38:45,476
No. Because what that will
do is that says, "Okay.
620
00:38:45,476 --> 00:38:49,496
You're permitted to access
this on port 22 and 23,
621
00:38:49,716 --> 00:38:52,856
but everything else hits
the implicit deny, right?"
622
00:38:53,306 --> 00:38:54,576
And that would say, "Okay.
623
00:38:54,576 --> 00:38:56,516
I can't access anything over here.
624
00:38:56,516 --> 00:38:57,556
I can't get to this guy."
625
00:38:57,556 --> 00:39:02,196
I mean, so you might-- you know, this
was said, only block access to that,
626
00:39:02,606 --> 00:39:04,896
not all of the other pieces that are in here.
627
00:39:04,896 --> 00:39:08,286
So, we've got to be a little
more-- do a little more than that.
628
00:39:08,376 --> 00:39:11,716
So I'm going to come back here
and we're going to say, okay, so,
629
00:39:11,716 --> 00:39:15,096
I need to say these two are permitted.
630
00:39:15,096 --> 00:39:20,746
Everything else to this guy has to be denied
to that IP address 'cause it says only
631
00:39:20,746 --> 00:39:23,286
as it tells us, but then I need
to permit everything else, right?
632
00:39:23,426 --> 00:39:26,816
Everything else should be allowed
and that's exactly what we'll do.
633
00:39:27,076 --> 00:39:27,996
So come back in here.
634
00:39:28,776 --> 00:39:34,366
I'm still in the named access list so I'm going
to say, deny, with caps lock, with authority.
635
00:39:34,706 --> 00:39:40,056
Deny and I'll say-- and this is a very
common mistake, it's easy to say, TCP.
636
00:39:40,056 --> 00:39:42,596
You know, just kind of copy and
paste this whole thing again.
637
00:39:42,836 --> 00:39:44,936
But remember, TCP is just TCP.
638
00:39:44,936 --> 00:39:47,926
There're all kinds of other stuff
so I'm going to say, deny IP.
639
00:39:47,926 --> 00:39:54,016
So everything else from-- now we can
copy-paste actually this whole thing,
640
00:39:55,286 --> 00:40:01,976
everything else from this source to
this destination is now denied, right?
641
00:40:02,046 --> 00:40:03,936
So, hang on, let's look at the access list now.
642
00:40:04,216 --> 00:40:09,606
It says, "Okay, this is allowed so I can
SSH, I can Telnet," then everything else
643
00:40:09,606 --> 00:40:16,286
from this source to this destination is now
denied, which is achieving our goal, but then--
644
00:40:16,446 --> 00:40:23,076
but I want to say, but beyond that,
everything else is allowed, how do I do that?
645
00:40:23,076 --> 00:40:23,476
Permit IP.
646
00:40:23,476 --> 00:40:27,716
[laughs] I was thinking I
was like, "I think I forgot."
647
00:40:27,836 --> 00:40:29,156
Permit IP any any.
648
00:40:29,156 --> 00:40:32,316
So now, that allows everything else.
649
00:40:32,736 --> 00:40:36,626
So, here's what I want to--
here's a couple of things.
650
00:40:36,626 --> 00:40:42,776
So, okay-- so, let me finish the
config and then we'll expound on it.
651
00:40:42,776 --> 00:40:45,796
So now I want to go in to
interface Serial0/1, right?
652
00:40:46,176 --> 00:40:51,326
Now, this is going to be where we apply it
as things are going out of that interface.
653
00:40:51,326 --> 00:40:54,496
Ooh, is that the most efficient?
654
00:40:54,496 --> 00:40:55,056
Actually, no.
655
00:40:56,156 --> 00:40:57,916
Man, I almost busted myself.
656
00:40:58,126 --> 00:41:00,806
The most efficient would be inbound right here.
657
00:41:01,116 --> 00:41:05,196
This is really efficient, you could
say as it's coming out this interface
658
00:41:05,226 --> 00:41:09,176
but you could be even-- you could-- but the
router would then have to accept it, process it,
659
00:41:09,176 --> 00:41:10,826
and get it to here just to find it was denied.
660
00:41:10,826 --> 00:41:15,556
So, we can even save a couple more
processor nanocycles by saying, you know,
661
00:41:15,556 --> 00:41:20,496
as it comes in right here, I want to say, "Are
you going right here, using anything other
662
00:41:20,496 --> 00:41:22,226
than Telnet and SSH 'cause
you're going to be denied."
663
00:41:22,266 --> 00:41:24,636
So, this will be our good application point.
664
00:41:24,636 --> 00:41:30,736
So, I'm going to go into not serial--
FastEthernet0/0 and I'll do IP access--
665
00:41:30,876 --> 00:41:38,726
write that down, IP access-group
R3 Telnet SSH in.
666
00:41:40,336 --> 00:41:44,266
Ooh, we've now applied that
in the inbound direction.
667
00:41:44,766 --> 00:41:49,466
Okay, so here's something-- I want to
show you something that I find a lot
668
00:41:49,466 --> 00:41:53,516
of folks get stuck on, I got stuck on
it when I first learned access list.
669
00:41:53,516 --> 00:41:58,136
So, I know a lot of people run into
this as well 'cause as I see it.
670
00:41:58,136 --> 00:42:05,876
So, we just said, deny everything
to 10.1.1.1, right?
671
00:42:05,876 --> 00:42:08,896
Except for-- yeah, I know-- I
know except for port 22 and 23,
672
00:42:09,126 --> 00:42:11,796
that's permitted, that's Telnet and SSH.
673
00:42:11,796 --> 00:42:18,226
So the question is, if everything is denied
right here, can this host still make it
674
00:42:18,226 --> 00:42:20,816
through here and access that guy?
675
00:42:21,736 --> 00:42:27,696
You know, option A, yes, option
B-- you know, here's your exam, no,
676
00:42:27,856 --> 00:42:31,036
option C none of the above, whatever, you know,
677
00:42:31,036 --> 00:42:33,846
this would be a good exam
question, will it make it through?
678
00:42:34,416 --> 00:42:39,706
The answer is actually absolutely
yes, no problem, because remember,
679
00:42:39,846 --> 00:42:51,096
this guy is 192.168.2.50 and he-- let's say
he's trying to access 192.168.2.150, right?
680
00:42:51,366 --> 00:42:53,386
So, let's just say he pings from here to here.
681
00:42:53,486 --> 00:43:00,516
Well, all IP is denied to 10.1.1.1, so
the packet will actually fly along--
682
00:43:00,516 --> 00:43:05,126
well actually, we put the filter right here,
but let's just pretend we put it right there.
683
00:43:05,216 --> 00:43:08,716
The packet would fly along and as it
comes in here, it would say, "Okay,
684
00:43:09,016 --> 00:43:13,726
are you 192.168.2.0, are
you part of this subnet?"
685
00:43:13,726 --> 00:43:14,896
And he would say, "Yes, I am."
686
00:43:14,896 --> 00:43:17,356
And he would say, okay, are you
trying to access, you know--
687
00:43:17,356 --> 00:43:22,886
let's look at the access list, it would
say, are you trying to acces-- where am I?
688
00:43:23,896 --> 00:43:27,916
Oh, right here, "Are you trying to
access this IP address using port 22?"
689
00:43:28,246 --> 00:43:29,726
And he would say, "No, actually I'm not."
690
00:43:29,726 --> 00:43:33,956
He's going to say, "Okay, okay, are you trying
to access this IP address using Telnet?"
691
00:43:33,956 --> 00:43:36,616
And the packet would say,
"No, actually I'm not."
692
00:43:36,616 --> 00:43:39,636
And then he would say, "Okay, then you're
not permitted on either one of those."
693
00:43:39,636 --> 00:43:42,136
He goes, "Okay, now wait a
sec, are you this person trying
694
00:43:42,136 --> 00:43:44,746
to access this IP address
in any way whatsoever?"
695
00:43:45,196 --> 00:43:48,786
And the answer is, "No, I'm not.
696
00:43:48,786 --> 00:43:53,686
I'm not interested in you at all, I don't even
know you exist," from this guy's perspective.
697
00:43:53,776 --> 00:43:59,326
I created a packet which was a ping and I
said, "It's coming from the source IP address
698
00:43:59,326 --> 00:44:07,616
of 192.168.2.50 going to the
destination IP address of 192.168.2.150."
699
00:44:07,616 --> 00:44:09,666
So, when this packet gets here, he
goes, "Okay well, you know what,
700
00:44:09,666 --> 00:44:13,846
as long as your destination IP address
is not 10.1.1.1 'cause if it were,
701
00:44:13,846 --> 00:44:14,996
man, you're busted, you're dropped.
702
00:44:15,566 --> 00:44:21,196
But since your destination IP address
is not 10.1.1.1, then I'm going to say,
703
00:44:21,336 --> 00:44:24,666
this is not a match because
you're not trying to access--
704
00:44:24,666 --> 00:44:27,306
even though you're going through that IP
address, you don't know you're going through it,
705
00:44:27,306 --> 00:44:29,496
you're not trying to access that IP address.
706
00:44:29,496 --> 00:44:33,886
So, that line doesn't match and you hit
the permit IP any any at the bottom."
707
00:44:34,976 --> 00:44:36,276
Are you feeling it yet?
708
00:44:36,276 --> 00:44:40,136
Are you looking at these access lists and
starting to feel little warm and cozy with them?
709
00:44:40,446 --> 00:44:42,466
Let's do two more, I want to solidify this down.
710
00:44:42,866 --> 00:44:50,986
Number one, block 192.168.1.0/24, that's
these guys from accessing any WAN IP address,
711
00:44:51,026 --> 00:44:55,076
so that's this and this, those
are our Wide Area Network links.
712
00:44:55,076 --> 00:44:58,556
Okay, so there's two ways we could approach
this, first off it says, from reaching any--
713
00:44:58,556 --> 00:45:02,456
from reaching, that's a keyword there,
because that means block everything,
714
00:45:02,516 --> 00:45:04,436
don't-- TCP, UDP, everything, right?
715
00:45:04,686 --> 00:45:09,186
So, from reaching, okay, second thing
is there's two approaches we could take,
716
00:45:09,186 --> 00:45:13,516
there's I'm sure plenty more of that
but two main ones, one we could say deny
717
00:45:13,516 --> 00:45:17,506
to that IP address, deny to
this IP address, deny to this--
718
00:45:17,506 --> 00:45:21,016
you know, do the individual host
route and deny to each one of those,
719
00:45:21,016 --> 00:45:23,946
we could do that in four ACL statements.
720
00:45:24,186 --> 00:45:30,026
We could also go in there and say, deny
to this network, deny to this network
721
00:45:30,026 --> 00:45:35,546
and we could do the same thing in two ACL
statements, rule of thumb, less is more.
722
00:45:35,706 --> 00:45:40,706
The shorter your access list the better
it is because it takes less to process
723
00:45:40,706 --> 00:45:42,796
that kind of access list on your router.
724
00:45:42,796 --> 00:45:45,076
It's more efficient and it's
just the best practice.
725
00:45:45,126 --> 00:45:46,736
Fewer lines is a better access list.
726
00:45:46,736 --> 00:45:48,366
So, that's the way we want to go with it.
727
00:45:48,576 --> 00:45:54,256
So, what I'm going to do just so we don't get
any old access list in the way from our test,
728
00:45:54,256 --> 00:45:57,826
let's first off go to router
1, and I'm just going
729
00:45:57,826 --> 00:46:01,446
to remove any access list
that we have in action.
730
00:46:01,446 --> 00:46:07,986
Let me do a show-- let's just do a show run and
I'll do section interface, show me the config
731
00:46:07,986 --> 00:46:12,206
for all the interfaces, oop there is
one, we got one on the FastEthernet0/0.
732
00:46:12,206 --> 00:46:16,806
So, that's-- looks like that is the only
one, I'm going to do interface, fe0/0,
733
00:46:16,806 --> 00:46:22,246
no IP access group 100 in, that
section command is pretty nice, huh?
734
00:46:22,306 --> 00:46:25,186
So, you can see just those
sections of the configuration.
735
00:46:25,266 --> 00:46:28,066
You can do that with just about
anything in the running config.
736
00:46:28,676 --> 00:46:34,196
So that's out, okay now let's look at this,
block 192.168, so let me just scoot this
737
00:46:34,196 --> 00:46:35,726
over here, from any WAN IP address.
738
00:46:35,726 --> 00:46:40,086
So, first thing we want to do is
go in and set up the access list.
739
00:46:40,086 --> 00:46:43,226
So, let's use the named one, now
that we know the named access list,
740
00:46:43,226 --> 00:46:44,576
that's all I use nowadays.
741
00:46:44,576 --> 00:46:53,106
So, I'll say IP access list extended and I'll
say the name of it is NO WAN, NO WAN FOR YOU.
742
00:46:54,276 --> 00:46:58,966
[laughs] So, the NO WAN FOR YOU access
list is going to say, rule number one,
743
00:46:59,166 --> 00:47:03,706
deny or sequence-- you know, first
sequence, deny, who are we denying?
744
00:47:03,706 --> 00:47:04,546
What's the source?
745
00:47:04,726 --> 00:47:07,126
Oop, what protocol are we denying?
746
00:47:07,236 --> 00:47:09,266
It's going to be IP because
it's everything, right?
747
00:47:09,266 --> 00:47:10,466
TCP, UDP, et cetera.
748
00:47:10,706 --> 00:47:11,616
What source?
749
00:47:11,616 --> 00:47:16,186
It's going to be 192.168.1.0,
what wildcard mask?
750
00:47:16,186 --> 00:47:18,916
0.0.0.255, right?
751
00:47:19,336 --> 00:47:20,116
Good so far?
752
00:47:20,116 --> 00:47:21,516
Identified the first three octets.
753
00:47:21,516 --> 00:47:24,606
Next one, it says, "Okay, what
is your destination address?"
754
00:47:24,606 --> 00:47:29,246
Okay, let's look at-- scrunch
this down a little bit,
755
00:47:29,246 --> 00:47:30,826
destination-- I want to deny these networks.
756
00:47:30,826 --> 00:47:38,926
Okay, we need a little pen work here, 10.1.1.1/0
or dot zero slash 30 and dot 4 slash 30.
757
00:47:39,146 --> 00:47:42,936
We want to find out what those mean and
again, I just want to emphasize, you know,
758
00:47:42,936 --> 00:47:48,306
slash 30 equals, if we were to convert that
to decimal, you know, would be eight ones,
759
00:47:48,646 --> 00:47:55,666
eight ones, eight ones and then so that'd
be 24, 25, 26, 27, 28, 29, 30, so we got--
760
00:47:56,526 --> 00:47:58,506
I count that right, six ones,
yup and the last [inaudible].
761
00:47:58,506 --> 00:48:05,506
So, that's 255.255.255.252, kind of get back
to that decimal form 'cause we can see it,
762
00:48:05,506 --> 00:48:10,956
it makes sense to us and that 252 is represented
right there, it is six ones and two zeros.
763
00:48:10,956 --> 00:48:12,636
So, I'm going to say, what is my increment?
764
00:48:12,636 --> 00:48:15,486
It is a four, that's 1, 2, 4.
765
00:48:15,486 --> 00:48:18,526
So, the increment when we-- they came
up with these subnets was a four,
766
00:48:18,526 --> 00:48:25,106
so the ranges are actually 10.1.1.0, .4, .8,
this is our typical WAN link range.
767
00:48:25,106 --> 00:48:28,806
I know, I know, some of you are like,
"I got that," but some people don't.
768
00:48:28,806 --> 00:48:31,776
So, I want to show the reverse
engineering of this along the way.
769
00:48:32,006 --> 00:48:36,136
So, now we want to say, "Okay, well I'm going
to say this destination and this destination
770
00:48:36,136 --> 00:48:40,316
on the block, but I have to use
a custom wildcard mask for that."
771
00:48:40,316 --> 00:48:44,106
So again, just like we saw
previously, for a custom wildcard mask,
772
00:48:44,106 --> 00:48:48,936
we can either reverse all the ones and make them
all zeros, zero, zero, zero, and then, you know,
773
00:48:48,936 --> 00:48:54,196
one, two, three, four, five, six, one, one,
and do it that way or you can take this
774
00:48:54,196 --> 00:49:01,286
and subtract it from all 255s,
you know, 255.255.255.255
775
00:49:01,286 --> 00:49:08,596
and our ending wildcard mask would be
0.0.0.3 and get the same thing, you know,
776
00:49:08,596 --> 00:49:16,266
it's either a 1 plus 2, that's 3, or just
subtracting 252 from 255 gives you a 3.
777
00:49:16,506 --> 00:49:26,956
So our wildcard mask, and it is wild looking,
for those WAN links will be 0.0.0.3.
778
00:49:26,956 --> 00:49:37,826
So, first off destination address, so WAN link
number one, there, wildcard mask, 0.0.0.3, good.
779
00:49:37,886 --> 00:49:44,866
WAN link number two, now this we can just hit
the up arrow 4 and say 10.1.1.4, okay good.
780
00:49:44,866 --> 00:49:48,396
Let's look at our progress so far,
I'm going to do a show IP access list.
781
00:49:48,396 --> 00:49:50,936
We've got two of them, this one we've removed
782
00:49:50,936 --> 00:49:54,376
from the interface, so it's
not interfering anymore.
783
00:49:54,376 --> 00:49:55,916
We've got the NO WAN FOR YOU access.
784
00:49:55,916 --> 00:49:57,896
You can't even say it, "Yeah, no
WAN for you," we have to say it
785
00:49:57,926 --> 00:49:58,796
like the Soup Nazi from Seinfeld.
786
00:49:58,826 --> 00:50:00,416
So, we've got the source subnet
going to this and going to that,
787
00:50:00,446 --> 00:50:01,406
so now we've got all denies, that's great.
788
00:50:01,436 --> 00:50:01,946
So, we need a permit.
789
00:50:01,976 --> 00:50:03,566
So I'm going to hit the up arrow
and let's-- well I'll just do a--
790
00:50:03,596 --> 00:50:04,976
wait a second, I'm still in
the named access list mode.
791
00:50:05,156 --> 00:50:08,116
So I'll do permit ip any any.
792
00:50:08,636 --> 00:50:13,946
Looks good to me, yeah, all right.
793
00:50:13,946 --> 00:50:16,946
So, now where do I apply this?
794
00:50:16,946 --> 00:50:24,176
I'm going to-- I would say-- well, if it
applies to 192.168.1.0, the best possible way,
795
00:50:24,176 --> 00:50:28,116
the most efficient possible way
would be inbound right here, okay?
796
00:50:28,436 --> 00:50:33,936
We could do it outbound right here,
however, we would have to process it more
797
00:50:33,936 --> 00:50:35,386
to actually send it out and deny it.
798
00:50:35,386 --> 00:50:36,536
So this is the most efficient way.
799
00:50:36,536 --> 00:50:39,616
So in FastEthernet0/0.
800
00:50:39,726 --> 00:50:41,976
So get back there.
801
00:50:42,516 --> 00:50:52,696
[ Pause ]
802
00:50:53,196 --> 00:50:56,986
Done. IP access group, NO WAN FOR YOU in.
803
00:50:57,176 --> 00:51:02,826
So to test, let's go over to the PC number
1 to make sure this thing is working here.
804
00:51:03,226 --> 00:51:09,436
PC number 1, let's do a ping, let's just
make sure we can ping anything 10 dot--
805
00:51:09,436 --> 00:51:13,116
192.168.1.1, that's my default gateway.
806
00:51:13,116 --> 00:51:15,976
And now, even though-- and another great
example of what I was just telling you
807
00:51:15,976 --> 00:51:23,466
from the previous slide, even though they're
denied-- my pen is doing something very odd.
808
00:51:24,156 --> 00:51:24,406
There we go.
809
00:51:24,616 --> 00:51:26,946
Even though they're denied
from accessing these WAN links,
810
00:51:26,946 --> 00:51:29,346
they can't ping the WAN links themselves,
811
00:51:29,546 --> 00:51:32,316
that doesn't mean they can't go
through those WAN links, right?
812
00:51:32,466 --> 00:51:35,066
Because again, it's coming from this
source going to this destination,
813
00:51:35,066 --> 00:51:37,856
that doesn't violate any access list at all.
814
00:51:37,856 --> 00:51:40,586
So I should be able to have no
problem on router PC1 I should say,
815
00:51:40,586 --> 00:51:44,816
pinging 192.168, let's just go 2 dot 129.
816
00:51:44,816 --> 00:51:48,796
Let's go in all the way over there to the
right hand side and that's pinging just fine.
817
00:51:48,796 --> 00:51:52,026
So let's now ping the WAN links.
818
00:51:52,026 --> 00:51:55,596
Let's go 10.1.1.1.
819
00:51:55,596 --> 00:51:56,856
Unreachable, that's what we want to see.
820
00:51:56,856 --> 00:52:01,336
The use indicate access list
are stepping in to intervene.
821
00:52:01,786 --> 00:52:09,846
Let's go back into our show ip access
and I'm seeing-- I'm seeing some--
822
00:52:09,846 --> 00:52:11,566
a lot-- matches on that first one.
823
00:52:11,596 --> 00:52:13,046
That's the first subnet.
824
00:52:13,046 --> 00:52:20,096
So let's just ping the second subnet so let's go
to-- let's go to-- I scribbled it all, 10.1.1.5,
825
00:52:20,096 --> 00:52:22,986
that's going to be router 2, 10.1.1.5.
826
00:52:23,206 --> 00:52:28,566
And again, unreachables being seen--
oop, I don't know what I've done there.
827
00:52:28,566 --> 00:52:31,696
So let me just hit the up
arrow here and I can see
828
00:52:31,696 --> 00:52:35,856
that now both statements have 11
matches whereas before it was just one.
829
00:52:35,856 --> 00:52:38,086
So we are looking good on that.
830
00:52:38,086 --> 00:52:42,026
Okay, so good, check everybody onboard?
831
00:52:42,326 --> 00:52:48,096
Great. Last one, permit 192.168.2.50-- permit--
832
00:52:48,096 --> 00:52:56,246
okay, okay permit access to 192.168.2.50
using only SMTP, POP3 and IMAP4 from anywhere.
833
00:52:56,876 --> 00:53:01,596
So clear off all the chicken scratch
and this is the computer in question.
834
00:53:01,596 --> 00:53:10,246
So we're saying, permit anybody to access
that using SMTP-- only SMTP, POP3 and IMAP4.
835
00:53:10,296 --> 00:53:15,076
You see why knowing those port numbers is
so critical, these are all TCP-based protocols,
836
00:53:15,136 --> 00:53:21,456
SMTP 25, POP3 110, IMAP4 143, so you immediately
can fill in the gaps on your firewall.
837
00:53:21,456 --> 00:53:23,016
So only those ports are allowed in.
838
00:53:23,276 --> 00:53:26,586
I want to show you another use
of access list while we're here.
839
00:53:26,586 --> 00:53:30,036
It is the last example so I figure, why not.
840
00:53:30,376 --> 00:53:32,666
Have you ever heard of a debug IP packet?
841
00:53:33,216 --> 00:53:36,026
If somebody tells you to type it, don't.
842
00:53:36,256 --> 00:53:38,666
But what it is, is it's the ability to--
843
00:53:38,666 --> 00:53:42,696
you know, the ability to see just about
every single thing passing through.
844
00:53:42,696 --> 00:53:46,676
So for example, let me just--
now I'm in a lab environment.
845
00:53:46,676 --> 00:53:52,426
By the way, this will likely take down a
production router if I type in debug IP packet.
846
00:53:52,656 --> 00:53:56,436
What it's going to do is show me the
output of every single packet that is going
847
00:53:56,436 --> 00:53:58,206
through my router at this time to the screen.
848
00:53:58,456 --> 00:54:00,946
Now, not that you know, like,
well, that was exciting.
849
00:54:01,106 --> 00:54:05,096
Because this router is literally
sitting idle, that's very rare.
850
00:54:05,536 --> 00:54:12,616
But for instance, [inaudible] say
ping, let's just ping 192.168.2.1.
851
00:54:12,616 --> 00:54:16,576
I can see that-- I see five exclamation
points and then it shows to my screen.
852
00:54:16,816 --> 00:54:22,266
Okay, it looks like here is packet one, this
source went to this destination, I sent it out
853
00:54:22,266 --> 00:54:27,066
and then this destination responded to
this source, you know, I received it in.
854
00:54:27,066 --> 00:54:29,896
So you're actually able to
see every single packet
855
00:54:30,086 --> 00:54:32,526
that is being sent to and from this device.
856
00:54:32,526 --> 00:54:36,556
You can imagine why in a production
network-- I mean, that was what you see,
857
00:54:36,556 --> 00:54:38,746
it filled the screen with five pings.
858
00:54:38,866 --> 00:54:41,916
So in production, when you have
thousands of packets every single second,
859
00:54:41,916 --> 00:54:45,366
if you were to turn this on, a lot of
times the routers just literally lock.
860
00:54:45,606 --> 00:54:51,006
So what's done often is access
lists are applied to filter it down.
861
00:54:51,006 --> 00:54:53,756
Let me show you what we can do.
862
00:54:53,756 --> 00:55:01,566
So I want to create a filter for PC2 so
I can do a debug, let's do undebug all
863
00:55:01,566 --> 00:55:05,166
that turns off all the debugs and-- 'cause
we don't want to get flooded by any means.
864
00:55:05,526 --> 00:55:10,706
But I want to do a debug where I can see if any
of these protocols are coming in to my router
865
00:55:10,856 --> 00:55:12,616
or going through my router or whatever.
866
00:55:12,616 --> 00:55:17,766
So I can go in there and I can do access
list, a lot of times I use numbered ones
867
00:55:17,766 --> 00:55:22,576
for these 'cause they're always
temporary, I'll just do 170.
868
00:55:22,896 --> 00:55:29,316
Permit, now I'm looking for three TCP protocols,
so I'll say, permit TCP from any source
869
00:55:29,316 --> 00:55:33,886
to any destination equal to port 25, see that?
870
00:55:34,136 --> 00:55:39,446
Equal to port 110, equal to port 143, I'm
creating this custom filter that says,
871
00:55:39,646 --> 00:55:45,816
if any source sends anything, me being anything,
traffic on this port or this port or this port,
872
00:55:45,816 --> 00:55:48,756
which is those three protocols,
then I want to know about it.
873
00:55:48,756 --> 00:55:53,716
Now again, creating access lists all day, they
don't do anything until I do an application,
874
00:55:53,716 --> 00:55:56,546
so here's another-- we don't
always have to apply an access list
875
00:55:56,546 --> 00:55:58,036
to an interface, that's only for security.
876
00:55:58,036 --> 00:56:03,746
So here's another use, I can do a debug IP
packet but Cisco knows you'll crash your router
877
00:56:03,746 --> 00:56:06,506
if you put that with too much
traffic so they always allow you
878
00:56:06,506 --> 00:56:09,456
to filter it down using an access list.
879
00:56:09,456 --> 00:56:14,176
Now also notice, they don't let you
use a named access list to do this.
880
00:56:14,736 --> 00:56:17,596
Some things-- there are some
things still to this day in Cisco
881
00:56:17,596 --> 00:56:20,846
that you must use a numbered access list
for it, that's why they're still around.
882
00:56:20,846 --> 00:56:25,126
So debug IP packet, filter it using 170, okay.
883
00:56:25,666 --> 00:56:33,046
So now, if I do a ping, you know, I do that
same ping, I can see the ping and notice,
884
00:56:33,046 --> 00:56:37,126
no messages were displayed because it's
like, well, a ping doesn't use port 25,
885
00:56:37,356 --> 00:56:40,616
110 or 143, so let's go a little further.
886
00:56:40,616 --> 00:56:44,246
Let's-- here's what I'm going to do,
I'm going to go to router 2 and attempt
887
00:56:44,246 --> 00:56:47,336
to access this host on one
of those port numbers, right?
888
00:56:47,526 --> 00:56:54,306
So let's bring up PC2 and then let's go
to router 2 and the way that I'm going
889
00:56:54,306 --> 00:56:57,426
to access them on one of those port
numbers, is by using Telnet just
890
00:56:57,426 --> 00:56:59,066
like we did previously to test this.
891
00:56:59,066 --> 00:57:03,556
So, do Telnet to-- what is the IP address?
892
00:57:03,556 --> 00:57:06,756
Let's find out, show ip interface
brief, I think it's dot 50.
893
00:57:07,176 --> 00:57:09,066
I know it's dot 50, but I've typed the command.
894
00:57:09,476 --> 00:57:15,846
So Telnet to 192.168.2.50 and
then I'm going to put port 25.
895
00:57:16,016 --> 00:57:18,596
Look at that.
896
00:57:19,156 --> 00:57:21,006
Connection was refused by host, that's fine.
897
00:57:21,576 --> 00:57:23,266
It's not an email server, it's a router.
898
00:57:23,436 --> 00:57:27,496
But I'm able to verify, look at that, I
just received a packet from that person
899
00:57:27,496 --> 00:57:30,636
and I'm able to see what's going on.
900
00:57:30,636 --> 00:57:33,406
You can say well, show me port 110.
901
00:57:33,816 --> 00:57:37,496
See that right there?
902
00:57:37,496 --> 00:57:40,676
Show me port 23, not part
of my access list, right?
903
00:57:40,676 --> 00:57:45,206
I'm able to get in there and you know,
no messages are displayed, whereas,
904
00:57:45,206 --> 00:57:47,776
if I wouldn't have had that
access list, let's check this out.
905
00:57:48,086 --> 00:57:51,376
Hang on, let me just bail out here.
906
00:57:51,376 --> 00:57:57,396
So let's just do-- here, I'll do a u all, that's
a shortcut for undebug all and then I'm going
907
00:57:57,396 --> 00:58:04,666
to do a debug ip packet and now watch
what happens when I do that same Telnet.
908
00:58:05,016 --> 00:58:07,946
It's like, that's just for that Telnet session.
909
00:58:07,946 --> 00:58:11,906
So you can see how valuable it is to
be able to filter it down to just--
910
00:58:11,906 --> 00:58:14,526
again, just another perfect
use of an access list.
911
00:58:14,526 --> 00:58:15,706
Now let's accomplish our goal.
912
00:58:15,986 --> 00:58:21,676
We need to permit access to this guy using
only SMTP, POP3 and IMAP4 from anywhere.
913
00:58:21,986 --> 00:58:24,086
So already, again we're thinking ahead, right?
914
00:58:24,086 --> 00:58:27,186
We have to create the access
list, we have to configure it,
915
00:58:27,466 --> 00:58:30,816
but we don't know where to configure it
yet because we first have to determine
916
00:58:31,006 --> 00:58:34,276
where it's going to be applied,
where am I going to apply this?
917
00:58:34,416 --> 00:58:35,686
Now this kind of reverses it.
918
00:58:35,686 --> 00:58:41,536
Remember I said, "It's best to apply extended
access-list as close to the source as possible."
919
00:58:42,436 --> 00:58:46,716
Well, the problem is we don't
know the source, it could--
920
00:58:46,716 --> 00:58:50,646
you know, it's saying, "Permit access
using only these ports from anywhere,"
921
00:58:50,646 --> 00:58:54,346
so the source could be over here, it could
be over here, there could be some cloud here
922
00:58:54,346 --> 00:58:59,906
with you know raining dogs-- anywhere is
a big name so it could come from anywhere.
923
00:58:59,906 --> 00:59:03,466
So there's no way I can say, "Okay, I'm going to
put it there to catch them as soon as possible."
924
00:59:03,946 --> 00:59:07,516
Now I have to put it as close
to the destination as possible
925
00:59:07,516 --> 00:59:08,996
because I'm filtering it from anywhere.
926
00:59:09,256 --> 00:59:10,066
See what I mean?
927
00:59:10,156 --> 00:59:13,746
With that anywhere argument, it kind
of changes the story a little bit.
928
00:59:14,356 --> 00:59:17,076
So, what I'm going to do is I'm
going to hang out on router 2,
929
00:59:17,076 --> 00:59:22,716
that's where the filtering is going to happen,
I'm going to go in and-- oh, I was Telneting.
930
00:59:23,906 --> 00:59:30,716
So back on router 2, there we go, go in to
global, let's do ip access-list, I don't know,
931
00:59:30,716 --> 00:59:36,906
what do you want to call it, extended, we'll
call it port filter and then we will say, well,
932
00:59:36,906 --> 00:59:41,716
actually you know what, better
name EMAIL FILTER.
933
00:59:42,406 --> 00:59:45,076
Those are all email protocols so
maybe that is an email server.
934
00:59:45,076 --> 00:59:49,306
So we will do permit, so what are we permitting?
935
00:59:49,306 --> 00:59:52,126
We're permitting TCP-based traffic, right?
936
00:59:52,126 --> 00:59:56,266
Not IP, that's everything, TCP 'cause all
those are TCP-based protocols, from where?
937
00:59:56,946 --> 00:59:58,866
Well, it's in a box, below the screen.
938
00:59:59,096 --> 01:00:00,976
Anywhere, to where?
939
01:00:01,416 --> 01:00:03,546
Well, this is where we can
get a little more specific.
940
01:00:03,546 --> 01:00:09,346
We could say, "Okay, this is going
to the host 192.168.2.50 and you know
941
01:00:09,346 --> 01:00:19,626
that we could have also left host off and done
192.168.2.50 with a wildcard of 0.0.0.0,
942
01:00:19,916 --> 01:00:22,416
that's fine so we've got permit,
protocol, source, destination
943
01:00:22,416 --> 01:00:23,606
and now the destination port number.
944
01:00:23,606 --> 01:00:37,206
Destination port will be equal to so I put eq to
25 and now it's as easy as up arrow 110, 143.
945
01:00:37,206 --> 01:00:40,586
And so now, we look back here and so--
okay, well where am I going to apply this?
946
01:00:40,766 --> 01:00:44,446
Again from anywhere means it could be
coming in here, it could be coming in here,
947
01:00:44,446 --> 01:00:46,506
it could be coming from some
mysterious interface
948
01:00:46,506 --> 01:00:48,406
that hasn't been added yet, but will be someday.
949
01:00:48,626 --> 01:00:53,616
So, I think it would be best since it's always
from anywhere to catch it as it's going out.
950
01:00:53,846 --> 01:00:58,166
So as things are coming in here, they're
not filtered, but once they go out to try
951
01:00:58,166 --> 01:01:01,266
and get to that server that's
where I'm going to smack them down.
952
01:01:01,346 --> 01:01:05,336
I'm going to say, "No, you've got to use these
ports, otherwise you will be denied access."
953
01:01:05,606 --> 01:01:14,746
So, let's go to router 2 right there
and to interface FastEthernet0/0
954
01:01:15,076 --> 01:01:22,496
and we will do IP access group and
it is-- oh, it's the email server?
955
01:01:22,836 --> 01:01:23,526
Email server, right?
956
01:01:24,366 --> 01:01:28,726
Email filter, I'm glad I
looked, email filter outbound.
957
01:01:31,456 --> 01:01:37,666
Good. Now we've got an action, let's test
it, let's go-- let's camp of it at router 1.
958
01:01:38,916 --> 01:01:47,636
So we'll attempt to access that host from
router 1, so-- good I just-- good grief.
959
01:01:48,386 --> 01:01:49,756
I just caused an outage.
960
01:01:50,156 --> 01:01:53,566
[laughs] Some-- I just took down the network,
961
01:01:53,566 --> 01:02:00,226
see how and I did so on purpose
because I wanted to demonstrate.
962
01:02:00,226 --> 01:02:03,876
I just-- you see how easy it
is to where I said, you know,
963
01:02:03,876 --> 01:02:10,046
allow access to that host
using those port numbers.
964
01:02:10,046 --> 01:02:13,216
Let's do a show access list
okay, I didn't do it on purpose
965
01:02:13,216 --> 01:02:15,536
but man that would-- that
would've been devastating.
966
01:02:15,536 --> 01:02:19,706
So what this did is it says, "Okay, permit
any host to access this guy using this,
967
01:02:19,926 --> 01:02:23,976
this and this," and you know,
there's an implicit deny for that.
968
01:02:24,116 --> 01:02:27,076
Now, we might say, "Well,
isn't that what we want?"
969
01:02:27,586 --> 01:02:32,706
Well maybe, but isn't there more people
on that network than just dot 50?
970
01:02:32,706 --> 01:02:35,186
I know we can only see in
this little picture of dot 50.
971
01:02:35,406 --> 01:02:39,136
But if I've got a subnet here, I'm
assuming the reason I have a subnet,
972
01:02:39,136 --> 01:02:41,796
and not just like a crossover
cable going to a computer,
973
01:02:42,026 --> 01:02:43,716
is because there's other hosts on here.
974
01:02:44,246 --> 01:02:47,386
You know what, they just lost their access
completely because even if they're trying
975
01:02:47,386 --> 01:02:48,736
to come out, nothing can come back
976
01:02:48,736 --> 01:02:53,276
in because the only thing allowed
back in is these three port numbers.
977
01:02:53,276 --> 01:03:00,856
So, any of you catch that?
978
01:03:01,436 --> 01:03:08,706
ip access list extended email filter and
let's do-- now we need to add a statement,
979
01:03:08,706 --> 01:03:18,476
we will say, "Deny ip from any
source to the host 192.168.2.50."
980
01:03:18,476 --> 01:03:21,636
Now you're going, "Well, that
wasn't what I expected to do.
981
01:03:21,636 --> 01:03:26,196
I mean, do a show access-- do show IP access."
982
01:03:27,676 --> 01:03:30,626
So right here, wait a second,
why are you denying,
983
01:03:30,626 --> 01:03:32,226
I thought you said we've been too restrictive.
984
01:03:32,226 --> 01:03:36,016
Well, we have because nothing-- everything
else is denied because the same--
985
01:03:36,016 --> 01:03:40,656
and I'm going to follow this up
with is permit IP any any, right?
986
01:03:41,546 --> 01:03:51,386
So now, we've got these three ports allowed,
everything else is denied to that host
987
01:03:51,646 --> 01:03:53,966
but then everything beyond
that because we weren't told
988
01:03:53,966 --> 01:03:58,036
to put any restrictions beyond that,
everything beyond that is allowed.
989
01:03:58,606 --> 01:04:02,216
Okay well, it's already applied
so the damage had been done,
990
01:04:02,216 --> 01:04:06,606
but now connectivity has been
restored but, oh man, I'm kind of--
991
01:04:06,796 --> 01:04:11,866
I didn't do it on purpose but yes I'm kind of
glad I did because do you see how easy it is?
992
01:04:12,166 --> 01:04:16,386
You're like, oh I see my objective let me just
do this, apply it and I mean, right there,
993
01:04:16,386 --> 01:04:20,526
that would have been a complete network outage
for everybody else on that network except
994
01:04:20,656 --> 01:04:26,746
that one server but even that one server would
only be able to get those three ports coming in.
995
01:04:26,746 --> 01:04:35,636
So, good. Do you see now why I said that
extended access-lists are almost always used
996
01:04:35,636 --> 01:04:37,666
for filtering like we've been doing all along.
997
01:04:37,666 --> 01:04:42,496
There's just so much more flexibility
than a standard access list.
998
01:04:42,496 --> 01:04:46,106
So at this point, you might say,
well, I mean after seeing that,
999
01:04:46,106 --> 01:04:48,976
it seems like all I would ever
use is an extended access-list.
1000
01:04:48,976 --> 01:04:50,016
Where would I use the standard?
1001
01:04:50,156 --> 01:04:54,226
Standards are still used in
particular places but usually,
1002
01:04:54,456 --> 01:04:56,536
they're applied for a specific purpose.
1003
01:04:56,686 --> 01:05:02,066
I want to do one more demonstration to show
you a typical use of a standard access list.
1004
01:05:02,406 --> 01:05:06,056
It is for restricting access to Telnet in VTY.
1005
01:05:06,536 --> 01:05:08,386
Did I just say Telnet VTY?
1006
01:05:08,386 --> 01:05:12,536
Telnet and SSH which both come
in the VTY ports of your device.
1007
01:05:12,536 --> 01:05:14,576
So here's the problem.
1008
01:05:14,706 --> 01:05:18,386
A lot of times, we have our routers
connected directly to the internet, that's one
1009
01:05:18,386 --> 01:05:20,966
of their key goals is to
take the internet connection
1010
01:05:20,966 --> 01:05:22,866
and route it in to our internal network.
1011
01:05:23,146 --> 01:05:27,216
Well, once we connect it to the internet,
it's going to have an IP address,
1012
01:05:27,216 --> 01:05:32,606
we'll just say 150.1.1.1 that
anybody out in the world can access.
1013
01:05:32,606 --> 01:05:33,196
And you know what?
1014
01:05:33,196 --> 01:05:37,136
Cisco, by default, does not have any kind
of password locking mechanisms or things
1015
01:05:37,136 --> 01:05:41,586
like that enabled so somebody out here in
the world could just run a little script
1016
01:05:41,586 --> 01:05:46,956
that runs all day everyday that tries
the Telnet or SSH into your device
1017
01:05:47,256 --> 01:05:51,286
and attempt different user names and different
passwords, it's called the brute force attack.
1018
01:05:51,606 --> 01:05:54,796
They're very inefficient because that's
what they have to do, they have to sit there
1019
01:05:54,926 --> 01:05:59,456
and just try and try and try until it happens
to come across some combination that works,
1020
01:05:59,526 --> 01:06:04,536
but the problem is in their persistence, this
guy can start a brute force attack and walk away
1021
01:06:04,626 --> 01:06:07,706
and allow it to run; a year
later, it's still running.
1022
01:06:07,906 --> 01:06:12,066
I mean-- and by then, it's tried thousands
and millions of possible combinations
1023
01:06:12,066 --> 01:06:17,466
of passwords likely could stumble on yours
depending on the strength of your password
1024
01:06:17,466 --> 01:06:20,836
and so on, that's why we need good
strong passwords, but why run that risk?
1025
01:06:21,096 --> 01:06:25,596
Let's set it up to where only
particular IP addresses from the outside
1026
01:06:25,596 --> 01:06:28,846
or maybe no IP addresses
from the outside can get in.
1027
01:06:29,106 --> 01:06:32,866
Now, we don't want to apply an access list here
1028
01:06:33,176 --> 01:06:37,366
because that will now filter all
traffic that's going into that device.
1029
01:06:37,366 --> 01:06:41,536
I just want to apply an access
list that filters access to VTY.
1030
01:06:42,556 --> 01:06:44,356
Well, there's a special command that allows you
1031
01:06:44,356 --> 01:06:49,126
to apply an access control
list to your VTY ports.
1032
01:06:49,536 --> 01:06:52,606
It is known as access-class.
1033
01:06:52,966 --> 01:06:57,546
So what I can do is create a
standard access list, for instance,
1034
01:06:57,546 --> 01:07:03,906
let's just say my internal network is
10.1.1.0/24 and I only want my internal network
1035
01:07:03,906 --> 01:07:05,936
to be able to Telnet and SSH in here,
1036
01:07:06,196 --> 01:07:10,306
and I don't want anybody else,
nothing from the outside world.
1037
01:07:10,306 --> 01:07:15,386
So what I can do is let me just grab a
router, any router will do, how's router 3?
1038
01:07:16,376 --> 01:07:22,916
I'm going to go in and create a standard
access list, IP access list standard
1039
01:07:23,296 --> 01:07:27,576
and we will do, let's just say, VTY ACL.
1040
01:07:28,936 --> 01:07:40,296
Now, once in here, I'm going to do a permit
10.1.1.0 wildcard mask 0.0.0.255 and hit enter.
1041
01:07:40,296 --> 01:07:42,356
After seeing extended access-list
1042
01:07:42,356 --> 01:07:45,756
so much doesn't simple-- or
standard just seem so simple?
1043
01:07:45,756 --> 01:07:48,426
It's just like-- it's like,
wow, was it really that easy?
1044
01:07:48,426 --> 01:07:49,686
So that's it.
1045
01:07:49,686 --> 01:07:52,666
So just permit those source IP addresses.
1046
01:07:52,666 --> 01:07:56,606
Now, instead of going into
an interface, I go into--
1047
01:07:58,316 --> 01:08:06,546
line VTY zero space 4 and
do access-class followed
1048
01:08:06,546 --> 01:08:12,476
by what access list I'd like
to use, VTY ACL inbound.
1049
01:08:12,896 --> 01:08:17,556
So, essentially now, as people
are Telneting, you know,
1050
01:08:17,556 --> 01:08:22,706
Telnet and SSH both use the VTY lines,
as they're trying to Telnet into my device,
1051
01:08:22,706 --> 01:08:26,546
the VTY is going to say, "Are you from 10.1.1.0?
1052
01:08:26,716 --> 01:08:28,636
If you are, you're allowed, otherwise,
1053
01:08:28,636 --> 01:08:32,166
you are completely restricted
from Telneting to this device."
1054
01:08:32,166 --> 01:08:36,496
So standard access lists are great
when you can apply them in such a way
1055
01:08:36,496 --> 01:08:39,686
that it doesn't impact a bunch-- if
you just need to identify a whole bunch
1056
01:08:39,686 --> 01:08:45,016
of source addresses for quality of service or
for Telnet access or for again the millions
1057
01:08:45,016 --> 01:08:49,306
of other uses that you will learn in your
journey through Cisco, then absolutely,
1058
01:08:49,306 --> 01:08:51,726
standard access list is the
way to go, so much simpler.
1059
01:08:51,986 --> 01:08:55,056
I hope this has been informative for you
and I'd like to thank you for viewing.