Extended ACLs Configuration Example.
The practical steps for configuring extended ACLs are the same as for Standard ACLs, you first create the extended ACL and then activate it on an interface.
The figure below shows an example of how you might create an extended ACL specific to your network needs.
In this example, the network administrator needs to restrict Internet access to allow only website browsing. ACL 101 applies to traffic leaving the 192.168.2.0 network, and ACL 102 to traffic coming into the network.
Extended ACLs Configuration example;
R1(config)#access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 80
R1(config)#access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 443
R1(config)#access-list 102 permit tcp 192.168.2.0 0.0.0.255 any eq established
The above configuration on Router1 shows:
· ACL 101 allows requests to ports 80 and 443
· ACL 102 allows established HTTP and HTTPS replies.
ACL 101 accomplishes the first part of the requirement. It allows traffic coming from any address on the 192.168.2.0 network to go to any destination, subject to the limitation that traffic goes to ports 80 (HTTP) and 443 (HTTPS) only.
The nature of HTTP requires that traffic flow back into the network, in this case the network administrator wants to restrict that traffic to HTTP exchanges from requested websites. The security solution must deny any other traffic coming into the network. ACL 102 does that by blocking all incoming traffic, except for the established connections.
Notice that the example uses the established parameter. This parameter allows responses to traffic that originates from the 192.168.2.0 /24 network to return inbound on the s0/0/0. With the established parameter, the router will allow only the established traffic to come back in and block all other traffic.