IPv4 ACL Challenge

Lab 2: Extended ACL      |      ACL Summary


In this lab you will configure different types of Access Control Lists (ACLs) on a router. The goal is to meet specific communication requirements using both standard and extended ACLs. You will also configure ACLs to control access to the terminal lines of network devices, and place ACLs in the correct direction on the router's interfaces. Finally, you will verify that the configured ACLs work as intended.

Addressing Table

Device                  Interface  IP Address
HQ                      G0/0/0     192.168.1.1/26
                        G0/0/1     192.168.1.65/29
                        S0/1/0     192.0.2.1/30
                        S0/1/1     192.168.3.1/30
Branch                  G0/0/0     192.168.2.1/27
                        G0/0/1     192.168.2.33/28
                        S0/1/1     192.168.3.2/30
PC-1                    NIC        192.168.1.10/26
PC-2                    NIC        192.168.1.20/26
PC-3                    NIC        192.168.1.30/26
Admin                   NIC        192.168.1.67/29
Enterprise Web Server   NIC        192.168.1.70/29
Branch PC               NIC        192.168.2.17/27
Branch Server           NIC        192.168.2.45/28
Internet User           NIC        198.51.100.218/24
External Web Server     NIC        203.0.113.73/24

Note: This lab is kept in English to match Cisco's official terminology, commands and documentation.


Objectives

  • Configure a router with standard named ACLs.
  • Configure a router with extended named ACLs.
  • Configure a router with extended ACLs to meet specific communication requirements.
  • Configure an ACL to control access to network device terminal lines.
  • Configure the appropriate router interfaces with ACLs in the appropriate direction.
  • Verify the operation of the configured ACLs.

Background / Scenario

In this activity you will configure extended, standard named, and extended named ACLs to meet specified communication requirements.

Topology

Instructions

Step 1: Verify Connectivity in the New Company Network

Step 2: Configure Standard and Extended ACLs per Requirements

  • ACL 1 Requirements
    • Create ACL 101.
    • Explicitly block FTP access to the Enterprise Web Server from the internet.
    • No ICMP traffic from the internet should be allowed to any hosts on HQ LAN 1
    • Allow all other traffic.
  • ACL 2 Requirements
    • Use ACL number 111
    • No hosts on HQ LAN 1 should be able to access the Branch Server.
    • All other traffic should be permitted.
  • ACL 3: Requirements
    • Create a named standard ACL. Use the name vty_block. The name of your ACL must match this name exactly.
    • Only addresses from the HQ LAN 2 network should be able to access the VTY lines of the HQ router.
  • ACL 4: Requirements
    • Create a named extended ACL called branch_to_hq. The name of your ACL must match this name exactly.
    • No hosts on either of the Branch LANs should be allowed to access HQ LAN 1. Use one access list statement for each of the Branch LANs.
    • All other traffic should be allowed.

Step 3: Verify ACL Operation

HQ Router Configuration

  • HQ(config)# no ip domain-lookup
  • HQ(config)# ip domain-name diginto.se
  • HQ(config)# line vty 0 4
  • HQ(config-line)# login local
  • HQ(config-line)# transport input all
  • HQ(config-line)# exit
  • HQ(config)# crypto key generate rsa general-keys modulus 1024
  • HQ(config)# ip ssh version 2
  • !
  • HQ(config)# interface GigabitEthernet0/0/0
  • HQ(config-if)# description Connected to HQ LAN 1
  • HQ(config-if)# ip address 192.168.1.1 255.255.255.192
  • HQ(config-if)# duplex auto
  • HQ(config-if)# speed auto
  • HQ(config-if)# no shutdown
  • HQ(config)# interface GigabitEthernet0/0/1
  • HQ(config-if)# description Connected to HQ LAN 2
  • HQ(config-if)# ip address 192.168.1.65 255.255.255.248
  • HQ(config-if)# duplex auto
  • HQ(config-if)# speed auto
  • HQ(config-if)# no shutdown
  • HQ(config-if)# interface Serial0/1/0
  • HQ(config-if)# description Connected to internet
  • HQ(config-if)# ip address 192.0.2.1 255.255.255.252
  • HQ(config-if)# no shutdown
  • HQ(config)# interface Serial0/1/1
  • HQ(config-if)# description DCE Connected to Link Branch
  • HQ(config-if)# clock rate 2000000
  • HQ(config-if)# ip address 192.168.3.1 255.255.255.252
  • HQ(config-if)# no shutdown
  • HQ(config-if)# exit
  • HQ(config)# ip route 0.0.0.0 0.0.0.0 Serial0/1/0
  • HQ(config)# router ospf 10
  • HQ(config-router)# log-adjacency-changes
  • HQ(config-router)# passive-interface GigabitEthernet0/0/0
  • HQ(config-router)# passive-interface GigabitEthernet0/0/1
  • HQ(config-router)# network 192.168.1.0 0.0.0.63 area 0
  • HQ(config-router)# network 192.168.1.64 0.0.0.7 area 0
  • HQ(config-router)# network 192.168.3.0 0.0.0.3 area 0
  • HQ(config-router)# default-information originate
  • HQ(config-router)# end
  • HQ#

Branch Router Configurations

  • Branch(config)# no ip domain-lookup
  • Branch(config)# interface GigabitEthernet0/0/0
  • Branch(config-if)# description Connected to Branch LAN 1
  • Branch(config-if)# ip address 192.168.2.1 255.255.255.224
  • Branch(config-if)# duplex auto
  • Branch(config-if)# speed auto
  • Branch(config-if)# no shutdown
  • Branch(config-if)# interface GigabitEthernet0/0/1
  • Branch(config-if)# description Connected to Branch LAN 2
  • Branch(config-if)# ip address 192.168.2.33 255.255.255.240
  • Branch(config-if)# duplex auto
  • Branch(config-if)# speed auto
  • Branch(config-if)# no shutdown
  • Branch(config-if)# interface Serial0/1/1
  • Branch(config-if)# description Connected to Link HQ
  • Branch(config-if)# ip address 192.168.3.2 255.255.255.252
  • Branch(config-if)# no shutdown
  • Branch(config-if)# exit
  • Branch(config)# router ospf 10
  • Branch(config-router)# log-adjacency-changes
  • Branch(config-router)# passive-interface GigabitEthernet0/0/0
  • Branch(config-router)# passive-interface GigabitEthernet0/0/1
  • Branch(config-router)# network 192.168.3.0 0.0.0.3 area 0
  • Branch(config-router)# network 192.168.2.0 0.0.0.31 area 0
  • Branch(config-router)# network 192.168.2.32 0.0.0.15 area 0
  • Branch(config-router)# end
  • Branch#

ISP Router Configurations

  • ISP(config)# no ip domain-lookup
  • ISP(config)# interface G0/0/0
  • ISP(config-if)# ip address 198.51.100.1 255.255.255.0
  • ISP(config-if)# no shutdown
  • ISP(config-if)# interface G0/0/1
  • ISP(config-if)# ip address 203.0.113.1 255.255.255.0
  • ISP(config-if)# no shutdown
  • ISP(config-if)# interface S0/1/0
  • ISP(config-if)# description DCE Connected to Link HQ
  • ISP(config-if)# clock rate 2000000
  • ISP(config-if)# ip address 192.0.2.2 255.255.255.252
  • ISP(config-if)# no shutdown
  • ISP(config-if)# exit
  • ISP(config)# ip route 0.0.0.0 0.0.0.0 s0/1/0
  • ISP(config)# end
  • ISP#

Step 1: Verify Connectivity in the New Company Network

First, test connectivity on the network as it is before configuring the ACLs. All hosts should be able to ping all other hosts.

Step 2: Configure Standard and Extended ACLs per Requirements

Configure ACLs to meet the following requirements:

Important guidelines:

  • Do not use explicit deny any statements at the end of your ACLs.
  • Use shorthand (host and any) whenever possible.
  • Write your ACL statements to address the requirements in the order that they are specified here.
  • Place your ACLs in the most efficient location and direction.

ACL 1 Requirements

  • Create ACL 101.
  • Explicitly block FTP access to the Enterprise Web Server from the internet.
  • No ICMP traffic from the internet should be allowed to any hosts on HQ LAN 1
  • Allow all other traffic.

Configurations:

  • HQ(config)# access-list 101 deny tcp any host 192.168.1.70 eq 21
  • HQ(config)# access-list 101 deny icmp any 192.168.1.0 0.0.0.63
  • HQ(config)# access-list 101 permit ip any any

Implementation:

  • HQ(config)# interface Serial0/1/0
  • HQ(config-if)# ip access-group 101 in

Why 0.0.0.63?

The wildcard mask is the bitwise inverse of the subnet mask of HQ LAN 1 (/26 = 255.255.255.192): a 0 bit in the wildcard must match exactly, a 1 bit is ignored.

255.255.255.255 - 255.255.255.192 = 0.0.0.(255 - 192) = 0.0.0.63
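The following Python script is an added example, not part of the lab material, showing the same derivation in general form: it turns the subnet masks from the addressing table into the network/wildcard pairs used in the lab's ACEs and OSPF network statements, and checks an address against such a pair the way an ACE does. The subnet list is copied from the addressing table; the function names are mine.

```python
"""Added example, not from the lab: deriving the wildcard masks the lab's ACEs
and OSPF network statements use from the subnet masks in the addressing table."""
import ipaddress
from typing import Dict, Tuple


def netmask_to_wildcard(netmask: str) -> str:
    """Wildcard = 255.255.255.255 minus the subnet mask, i.e. its bitwise inverse."""
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def cidr_to_ace_range(cidr: str) -> Tuple[str, str]:
    """'192.168.1.10/26' -> ('192.168.1.0', '0.0.0.63'): the network/wildcard pair
    an ACE or an OSPF network statement needs. Host bits in the input are cleared."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def matches(address: str, network: str, wildcard: str) -> bool:
    """Wildcard matching: 0 bits in the wildcard must be equal, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


# Subnets taken from the lab's addressing table (interface address + prefix length)
LAB_SUBNETS: Dict[str, str] = {
    "HQ LAN 1": "192.168.1.1/26",
    "HQ LAN 2": "192.168.1.65/29",
    "Branch LAN 1": "192.168.2.1/27",
    "Branch LAN 2": "192.168.2.33/28",
}


def lab_wildcards() -> Dict[str, Tuple[str, str]]:
    """Network/wildcard pair for every LAN in the lab."""
    return {name: cidr_to_ace_range(cidr) for name, cidr in LAB_SUBNETS.items()}


if __name__ == "__main__":
    for name, (network, wildcard) in lab_wildcards().items():
        print(f"{name}: {network} {wildcard}")
    # 192.168.1.67 (Admin, on HQ LAN 2) is outside the HQ LAN 1 range
    print(matches("192.168.1.10", "192.168.1.0", "0.0.0.63"),
          matches("192.168.1.67", "192.168.1.0", "0.0.0.63"))
```

Running it prints the four pairs that appear in the lab's ACL 101, 111 and branch_to_hq statements and in the OSPF network commands of both routers, which is a quick way to check a wildcard before typing it into an ACE.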


ACL 2 Requirements

  • Use ACL number 111
  • No hosts on HQ LAN 1 should be able to access the Branch Server.
  • All other traffic should be permitted.

Configurations:

  • HQ(config)# access-list 111 deny ip 192.168.1.0 0.0.0.63 host 192.168.2.45
  • HQ(config)# access-list 111 permit ip any any

Implementation:

  • HQ(config)# interface GigabitEthernet0/0/0
  • HQ(config-if)# ip access-group 111 in


ACL 3: Requirements

  • Create a named standard ACL. Use the name vty_block. The name of your ACL must match this name exactly.
  • Only addresses from the HQ LAN 2 network should be able to access the VTY lines of the HQ router.

Configurations:

  • HQ(config)# ip access-list standard vty_block
  • HQ(config-std-nacl)# permit 192.168.1.64 0.0.0.7
  • HQ(config-std-nacl)# deny any

Implementation:

  • HQ(config)# line vty 0 4
  • HQ(config-line)# access-class vty_block in


ACL 4: Requirements

  • Create a named extended ACL called branch_to_hq. The name of your ACL must match this name exactly.
  • No hosts on either of the Branch LANs should be allowed to access HQ LAN 1. Use one access list statement for each of the Branch LANs.
  • All other traffic should be allowed.

Configurations:

  • Branch(config)#ip access-list extended branch_to_hq
  • Branch(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.31 192.168.1.0 0.0.0.63
  • Branch(config-ext-nacl)#deny ip 192.168.2.32 0.0.0.15 192.168.1.0 0.0.0.63
  • Branch(config-ext-nacl)#permit ip any any
  • Branch(config-ext-nacl)#exit

Implementation:

  • Branch(config)#interface s0/1/1
  • Branch(config-if)#ip access-group branch_to_hq out
  • Branch(config-if)#end
  • Branch#

Step 3: Verify ACL Operation

a. Perform the following connectivity tests between devices in the topology.

Note whether or not they are successful.

Note: Use the show ip access-lists command to verify ACL operation. Use the clear access-list counters command to reset the match counters.

Questions:

  1. Send a ping request from Branch PC to the Enterprise Web Server. Was it successful? Explain.
    • No ACL rules are configured to block traffic from Branch PC to the Enterprise Web Server.
    • Only traffic from the internet to the Enterprise Server is restricted, not traffic from Branch.
    • The ping succeeds.
  2. Which ACL statement permitted or denied the ping between these two devices? List the access list name or number, the router on which it was applied, and the specific line that the traffic matched.
    • No ACL blocked this traffic.
    • No ACE applied.
  3. Attempt to ping from PC-1 on the HQ LAN 1 to the Branch Server. Was it successful? Explain.
    • The ping should fail.
    • ACL 111 is configured to block traffic from HQ LAN 1 (192.168.1.0/26) to the Branch Server (192.168.2.45).
  4. Which ACL statement permitted or denied the ping between these two devices?
    • ACL 111
    • HQ router
    • ACE: deny ip 192.168.1.0 0.0.0.63 host 192.168.2.45
  5. Open a web browser on the External Server and attempt to bring up a web page stored on the Enterprise Web Server. Is it successful? Explain.
    • The web page should open without problems.
    • ACL 101 only blocks FTP to the Enterprise Web Server and ICMP to HQ LAN 1 from the internet, not HTTP (web traffic).
  6. Which ACL statement permitted or denied the ping between these two devices?
    • ACL 101
    • HQ router
    • ACE: permit ip any any


b. Test connections to an internal server from the internet.

  1. From the command line on the Internet User PC, attempt to make an FTP connection to the Branch Server. Is the FTP connection successful?
    • Yes, the FTP connection most likely succeeds, because no ACL blocks internet users from connecting to the Branch Server.
    • We have only configured ACL 101 to:
      • Block FTP to the Enterprise Server.
      • Block ICMP to HQ LAN 1.
      • The Branch Server is not protected yet.
  2. Which access list should be modified to prevent users from the Internet to make FTP connections to the Branch Server?
    • ACL 101
    • ACL 101 is applied on the HQ router interface facing the internet (Serial0/1/0, inbound). It handles incoming traffic from the internet, so that is the ACL that should be updated.
  3. Which statement(s) should be added to the access list to deny this traffic?
    • We need to add a rule to ACL 101 that blocks FTP traffic to the Branch Server's IP address (192.168.2.45).
    • deny tcp any host 192.168.2.45 eq 21
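As an added example (not part of the lab or of Cisco's material), the Python script below models how IOS evaluates the four ACLs configured in Step 2 (first matching entry wins, implicit deny at the end, wildcard-mask matching) and replays the Step 3 tests against them. It assumes each packet is checked only against the ACL that sits on its path (it does not model routing or the interface and direction the ACL is bound to), and it uses the host addresses from the addressing table; the packet descriptions are constructed. The last function also shows the ordering caveat for the Step 3b fix: a deny typed as `access-list 101 deny ...` on a numbered ACL is appended after `permit ip any any` and never matches, so the entry has to be placed ahead of the permit (for example with a sequence number under `ip access-list extended 101`, or by rebuilding the list) and then confirmed with `show ip access-lists`.

```python
"""Added example, not from the lab: first-match evaluation of the lab's ACLs.
Host addresses come from the addressing table; the packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[int, int]         # (network, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]         # from "eq <port>", if present
    text: str                    # original statement, for reporting


def _addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_ace(line: str, standard: bool = False) -> Ace:
    """Parse one entry in the syntax the lab uses (no port ranges, no tcp flags)."""
    tokens = line.split()
    action = tokens.pop(0)
    if standard:                 # a standard ACL only inspects the source address
        return Ace(action, "ip", _addr(tokens), ANY, None, line)
    proto = tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport, line)


def _in(address: str, spec: Tuple[int, int]) -> bool:
    """Wildcard match: 1 bits in the wildcard are ignored, 0 bits must be equal."""
    net, wildcard = spec
    return (int(ipaddress.IPv4Address(address)) | wildcard) == (net | wildcard)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """IOS semantics: the first matching entry decides; no match is an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_in(pkt.src, ace.src) and _in(pkt.dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


# The ACLs exactly as configured in Step 2
ACL_101 = [parse_ace(s) for s in (
    "deny tcp any host 192.168.1.70 eq 21",
    "deny icmp any 192.168.1.0 0.0.0.63",
    "permit ip any any")]
ACL_111 = [parse_ace(s) for s in (
    "deny ip 192.168.1.0 0.0.0.63 host 192.168.2.45",
    "permit ip any any")]
VTY_BLOCK = [parse_ace(s, standard=True) for s in (
    "permit 192.168.1.64 0.0.0.7",
    "deny any")]
BRANCH_TO_HQ = [parse_ace(s) for s in (
    "deny ip 192.168.2.0 0.0.0.31 192.168.1.0 0.0.0.63",
    "deny ip 192.168.2.32 0.0.0.15 192.168.1.0 0.0.0.63",
    "permit ip any any")]


def acl_101_with_branch_ftp_deny(appended: bool) -> List[Ace]:
    """Step 3b fix. appended=True models typing 'access-list 101 deny ...' on the
    numbered ACL, which lands after 'permit ip any any'; appended=False models
    placing it ahead of the permit (sequence number or rebuilt list)."""
    fix = parse_ace("deny tcp any host 192.168.2.45 eq 21")
    return ACL_101 + [fix] if appended else ACL_101[:2] + [fix, ACL_101[2]]


if __name__ == "__main__":
    # Constructed replay of the Step 3 tests, each against the ACL on its path
    ftp_to_branch = Packet("198.51.100.218", "192.168.2.45", "tcp", 21)
    tests = [
        ("Internet User -> Enterprise Web Server FTP", ACL_101, Packet("198.51.100.218", "192.168.1.70", "tcp", 21)),
        ("External Web Server -> Enterprise Web Server HTTP", ACL_101, Packet("203.0.113.73", "192.168.1.70", "tcp", 80)),
        ("PC-1 -> Branch Server ping", ACL_111, Packet("192.168.1.10", "192.168.2.45", "icmp")),
        ("Branch PC -> Enterprise Web Server ping", BRANCH_TO_HQ, Packet("192.168.2.17", "192.168.1.70", "icmp")),
        ("Internet User -> Branch Server FTP, ACL 101 as is", ACL_101, ftp_to_branch),
        ("same, deny appended after the permit", acl_101_with_branch_ftp_deny(True), ftp_to_branch),
        ("same, deny placed before the permit", acl_101_with_branch_ftp_deny(False), ftp_to_branch),
    ]
    for name, acl, pkt in tests:
        action, matched = evaluate(acl, pkt)
        print(f"{name}: {action} ({matched})")
```

The replay reproduces the Step 3 answers: the Branch PC ping to the Enterprise Web Server falls through to `permit ip any any` in branch_to_hq because 192.168.1.70 is on HQ LAN 2, not HQ LAN 1, and the FTP test from the Internet User to the Branch Server is permitted by ACL 101 until the new deny is placed ahead of the final permit.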
