ccna ppt day 7


Upload: vishnu-n

Post on 10-Jun-2015


TRANSCRIPT

Page 1: CCNA ppt Day 7

ACL (Access Control List)

ACLs are used for network security. The set of conditions that controls traffic passing through a router is called an ACL.
Two conditions:
1. Permit
2. Deny
Two types:
1. Standard (1-99)
2. Extended (100-199)

Page 2: CCNA ppt Day 7

Standard ACL

Range: 1-99
A standard ACL is configured on the router nearest to the destination.
Only the source IP is given in a standard ACL.
When a Deny condition is applied, the entire TCP/IP protocol stack from that source is blocked (a standard ACL cannot select a single protocol or port).

Page 3: CCNA ppt Day 7

Configuring Standard ACL

Router(config)#access-list ‘no:’ deny host ‘source address’
Router(config)#access-list ‘no:’ permit any

Page 4: CCNA ppt Day 7

Filter Design

In a standard ACL the filter is applied on the interface nearest to the destination.

An ACL takes effect only once the filter is applied to an interface. Syntax:
Router(config-if)#ip access-group ‘access list no:’ ‘in or out’

Page 5: CCNA ppt Day 7

Verifying ACL’s

Router#show access-list

To remove:
Router(config)#no access-list ‘no:’
Router(config-if)#no ip access-group ‘access list no:’ ‘in or out’

Page 6: CCNA ppt Day 7

Extended ACL

Range: 100-199
An extended ACL is configured on the source router.
Both the source IP and the destination IP are given in an extended ACL.
Each protocol, or any one of them, can be blocked when a Deny condition is applied.

Page 7: CCNA ppt Day 7

Configuring Extended ACL

Router(config)#access-list ‘no:’ deny ‘protocol’ host ‘address’ host ‘address’
Router(config)#access-list ‘no:’ permit ‘protocol’ host ‘address’ ‘network address’ ‘wildcard mask’
(‘protocol’ is ip, tcp, udp or icmp; the network is written as its address followed by a wildcard mask.)
For blocking a network:
Router(config)#access-list ‘no:’ deny ‘protocol’ host ‘address’ ‘network address’ ‘wildcard mask’
For blocking TCP:
Router(config)#access-list ‘no:’ deny tcp host ‘address’ ‘network address’ ‘wildcard mask’ eq ‘port no:’

Page 8: CCNA ppt Day 7

Named ACL

ACLs with a name are called Named ACLs. Syntax:
For Standard:
Router(config)#ip access-list standard ‘access list name’
Router(config-std-nacl)#deny host ‘address’
Router(config-std-nacl)#permit any
For Extended:
Router(config)#ip access-list extended ‘access list name’
Router(config-ext-nacl)#deny ‘protocol’ host ‘address’ host ‘address’
Router(config-ext-nacl)#permit ip any any

Page 9: CCNA ppt Day 7

Filter Design

Router(config-if)#ip access-group ‘access list name’ ‘in or out’

To verify:
Router#show ip access-list
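As an added illustration that is not part of the slides, the following Python model shows how a router works through the lists configured above: IOS wildcard-mask matching, top-down first-match order, and the implicit deny that ends every ACL. The ACL numbers, addresses and port are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword "any": every bit is a don't-care

def host(addr: str) -> tuple:
    return (addr, "0.0.0.0")             # IOS keyword "host": all 32 bits must match

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored,
    so 10.0.0.0 0.255.255.255 covers every 10.x.x.x address."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: tuple                       # (network, wildcard) of the source address
    proto: str = "ip"                # extended ACLs only; "ip" matches every protocol
    dst: tuple = ANY                 # standard ACLs never look at the destination
    dst_port: Optional[int] = None   # "eq <port>" on extended tcp/udp entries

def evaluate(acl: list, pkt: dict) -> str:
    """Entries are tested in order and the first match decides; a packet
    matching no entry hits the implicit 'deny any' at the end of every ACL."""
    for e in acl:
        if not wildcard_match(pkt["src"], *e.src):
            continue
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["dst"], *e.dst):
            continue
        if e.dst_port is not None and e.dst_port != pkt.get("dport"):
            continue
        return e.action
    return "deny"

# Constructed samples. Standard ACL 10: deny host 10.0.0.5, permit any
STANDARD_10 = [Entry("deny", host("10.0.0.5")), Entry("permit", ANY)]
# Extended ACL 101: deny tcp host 10.0.0.1 192.168.1.0 0.0.0.255 eq 23, permit ip any any
EXTENDED_101 = [
    Entry("deny", host("10.0.0.1"), "tcp", ("192.168.1.0", "0.0.0.255"), 23),
    Entry("permit", ANY, "ip", ANY),
]
```

Swapping the two entries of STANDARD_10 makes the deny unreachable, which is why the order of entries matters when building a list.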

Page 10: CCNA ppt Day 7

NAT (Network Address Translation)

This service converts private IP addresses to public IP addresses. It is used to avoid IP address wastage and as a network security measure.
Types of NAT:
1. Static
2. Dynamic
3. NAT Overloading or PAT (Port Address Translation)

Page 11: CCNA ppt Day 7

Static NAT

One-to-one mapping: each private IP address is mapped to its own public IP address.

Page 12: CCNA ppt Day 7

Dynamic NAT

One-to-many mapping. A pool is created inside the NAT service; it holds the public IP addresses and their corresponding private IP addresses. With the help of the router, each private IP is assigned its own public IP from the pool for communication.

Page 13: CCNA ppt Day 7

NAT overloading or PAT (Port Address Translation)

Every private IP is translated to one single public IP. Each translation is given its own port number in order to avoid conflicts.

Page 14: CCNA ppt Day 7

Static NAT Configuration

Router(config)#interface fastEthernet 0/0
Router(config-if)#ip nat inside
Router(config-if)#interface serial 1/0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip nat inside source static 10.0.0.1 200.0.0.1

To see the table (privileged exec mode):
Router#show ip nat translations
Router#show ip nat statistics

Page 15: CCNA ppt Day 7

Dynamic NAT Configuration

Three steps:
1. Access list creation: groups the private IPs in our network.
2. Pool creation: creates the pool of public addresses from which the translations are taken.
3. NAT activation.

Create an access list:
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255

Configure the dynamic NAT pool:
Router(config)#ip nat pool pool1 200.0.0.1 200.0.0.254 netmask 255.255.255.0

Link the access list to the pool:
Router(config)#ip nat inside source list 1 pool pool1
(The inside and outside interfaces are marked with ip nat inside and ip nat outside, as in the static NAT configuration.)

Page 16: CCNA ppt Day 7

PAT Configuration

Router#config t
Router(config)#interface ethernet 0
Router(config-if)#ip nat inside
Router(config-if)#interface serial 0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
Router(config)#ip nat inside source list 1 interface serial 0 overload

For host-to-host ping to work, configure static or dynamic routing.

To check the translations:
Router#show ip nat translations