4.1.1.10 Packet Tracer – Configuring Extended ACLs Scenario 1 Answers PDF

Title 4.1.1.10 Packet Tracer – Configuring Extended ACLs Scenario 1 Answers
Author Amuel Wilson
Course Network security
Institution Algonquin College
Pages 6
File Size 213.4 KB
File Type PDF



Description

Packet Tracer – Configuring Extended ACLs – Scenario 1 Topology

Addressing Table

Objectives

Part 1: Configure, Apply and Verify an Extended Numbered ACL
Part 2: Configure, Apply and Verify an Extended Named ACL

Background / Scenario

Two employees need access to services provided by the server. PC1 needs only FTP access while PC2 needs only web access. Both computers are able to ping the server, but not each other.

Part 1: Configure, Apply and Verify an Extended Numbered ACL

Step 1: Configure an ACL to permit FTP and ICMP.

a. From global configuration mode on R1, enter the following command to determine the first valid number for an extended access list.

    R1(config)# access-list ?
      <1-99>     IP standard access list
      <100-199>  IP extended access list

b. Add 100 to the command, followed by a question mark.

    R1(config)# access-list 100 ?
      deny    Specify packets to reject
      permit  Specify packets to forward
      remark  Access list entry comment

c. To permit FTP traffic, enter permit, followed by a question mark.

    R1(config)# access-list 100 permit ?
      ahp    Authentication Header Protocol
      eigrp  Cisco's EIGRP routing protocol
      esp    Encapsulation Security Payload
      gre    Cisco's GRE tunneling
      icmp   Internet Control Message Protocol
      ip     Any Internet Protocol
      ospf   OSPF routing protocol
      tcp    Transmission Control Protocol
      udp    User Datagram Protocol

d. This ACL permits FTP and ICMP. ICMP is listed above, but FTP is not, because FTP uses TCP. Therefore, enter tcp to further refine the ACL help.

    R1(config)# access-list 100 permit tcp ?
      A.B.C.D  Source address
      any      Any source host
      host     A single source host

e. Notice that we could filter just for PC1 by using the host keyword, or we could allow any host. In this case, any device is allowed that has an address belonging to the 172.22.34.64/27 network. Enter the network address, followed by a question mark.

    R1(config)# access-list 100 permit tcp 172.22.34.64 ?
      A.B.C.D  Source wildcard bits

f. Calculate the wildcard mask by determining the binary opposite of the subnet mask.

    11111111.11111111.11111111.11100000 = 255.255.255.224
    00000000.00000000.00000000.00011111 = 0.0.0.31

g. Enter the wildcard mask, followed by a question mark.

    R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 ?
      A.B.C.D  Destination address
      any      Any destination host
      eq       Match only packets on a given port number
      gt       Match only packets with a greater port number
      host     A single destination host
      lt       Match only packets with a lower port number
      neq      Match only packets not on a given port number
      range    Match only packets in the range of port numbers

h. Configure the destination address. In this scenario, we are filtering traffic for a single destination, which is the server. Enter the host keyword followed by the server's IP address.

    R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 ?
      dscp         Match packets with given dscp value
      eq           Match only packets on a given port number
      established  established
      gt           Match only packets with a greater port number
      lt           Match only packets with a lower port number
      neq          Match only packets not on a given port number
      precedence   Match packets with given precedence value
      range        Match only packets in the range of port numbers
      <cr>

i. Notice that one of the options is <cr> (carriage return). In other words, you can press Enter and the statement would permit all TCP traffic. However, we are only permitting FTP traffic; therefore, enter the eq keyword, followed by a question mark to display the available options. Then, enter ftp and press Enter.

    R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ?
      <0-65535>  Port number
      ftp        File Transfer Protocol (21)
      pop3       Post Office Protocol v3 (110)
      smtp       Simple Mail Transport Protocol (25)
      telnet     Telnet (23)
      www        World Wide Web (HTTP, 80)
    R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp

j. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC1 to Server. Note that the access list number remains the same and no particular type of ICMP traffic needs to be specified.

    R1(config)# access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62

k. All other traffic is denied, by default.

Step 2: Apply the ACL on the correct interface to filter traffic.

From R1's perspective, the traffic that ACL 100 applies to is inbound from the network connected to the GigabitEthernet 0/0 interface. Enter interface configuration mode and apply the ACL.

    R1(config)# interface gigabitEthernet 0/0
    R1(config-if)# ip access-group 100 in

Step 3: Verify the ACL implementation.

a. Ping from PC1 to Server. If the pings are unsuccessful, verify the IP addresses before continuing.

b. FTP from PC1 to Server. The username and password are both cisco.

    PC> ftp 172.22.34.62

c. Exit the FTP service of the Server.

    ftp> quit

d. Ping from PC1 to PC2. The destination host should be unreachable, because the traffic was not explicitly permitted.

Part 2: Configure, Apply and Verify an Extended Named ACL

Step 1: Configure an ACL to permit HTTP access and ICMP.

a. Named ACLs start with the ip keyword. From global configuration mode of R1, enter the following command, followed by a question mark.

    R1(config)# ip access-list ?
      extended  Extended Access List
      standard  Standard Access List

b. You can configure named standard and extended ACLs. This access list filters both source and destination IP addresses; therefore, it must be extended. Enter HTTP_ONLY as the name. (For Packet Tracer scoring, the name is case sensitive.)

    R1(config)# ip access-list extended HTTP_ONLY

c. The prompt changes. You are now in extended named ACL configuration mode. All devices on the PC2 LAN need TCP access. Enter the network address, followed by a question mark.

    R1(config-ext-nacl)# permit tcp 172.22.34.96 ?
      A.B.C.D  Source wildcard bits

d. An alternative way to calculate a wildcard is to subtract the subnet mask from 255.255.255.255.

      255.255.255.255
    - 255.255.255.240
    -----------------
    =       0.0.0.15

    R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 ?

e. Finish the statement by specifying the server address as you did in Part 1 and filtering www traffic.

    R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www

f. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC2 to Server. Note: The prompt remains the same and a specific type of ICMP traffic does not need to be specified.

    R1(config-ext-nacl)# permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62

g. All other traffic is denied, by default. Exit out of extended named ACL configuration mode.

Step 2: Apply the ACL on the correct interface to filter traffic.

From R1's perspective, the traffic that access list HTTP_ONLY applies to is inbound from the network connected to the GigabitEthernet 0/1 interface. Enter interface configuration mode and apply the ACL.

    R1(config)# interface gigabitEthernet 0/1
    R1(config-if)# ip access-group HTTP_ONLY in

Step 3: Verify the ACL implementation.

a. Ping from PC2 to Server. The ping should be successful; if the ping is unsuccessful, verify the IP addresses before continuing.

b. FTP from PC2 to Server. The connection should fail.

c. Open the web browser on PC2 and enter the IP address of Server as the URL. The connection should be successful...
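As an added example (not part of the lab or of Cisco IOS), the Python below works through the wildcard-mask arithmetic from Part 1 step f and Part 2 step d, then models both ACLs' first-match-then-implicit-deny evaluation against the Step 3 verification traffic of each part. PC1 = 172.22.34.65 and PC2 = 172.22.34.97 are constructed host addresses inside the two LANs; the Server address 172.22.34.62 comes from the lab.

```python
"""Wildcard-mask arithmetic and a minimal extended-ACL evaluator for the two
ACLs built in this lab (ACL 100 inbound on G0/0, HTTP_ONLY inbound on G0/1).
Assumed/constructed: PC1 = 172.22.34.65 (in 172.22.34.64/27) and
PC2 = 172.22.34.97 (in 172.22.34.96/28). Only the fields the lab uses are modelled."""
import ipaddress

def wildcard_from_mask(mask: str) -> str:
    """Both lab methods agree: bitwise NOT of the mask == 255.255.255.255 - mask."""
    m = int(ipaddress.IPv4Address(mask))
    by_not, by_subtract = (~m) & 0xFFFFFFFF, 0xFFFFFFFF - m
    assert by_not == by_subtract
    return str(ipaddress.IPv4Address(by_subtract))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match the base address bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w  # the bits we compare are the inverse of the wildcard
    return (a & care) == (b & care)

# Each entry: (protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None)
ACL_100 = [  # "host 172.22.34.62" is shorthand for wildcard 0.0.0.0
    ("tcp", "172.22.34.64", "0.0.0.31", "172.22.34.62", "0.0.0.0", 21),   # eq ftp
    ("icmp", "172.22.34.64", "0.0.0.31", "172.22.34.62", "0.0.0.0", None),
]
HTTP_ONLY = [
    ("tcp", "172.22.34.96", "0.0.0.15", "172.22.34.62", "0.0.0.0", 80),   # eq www
    ("icmp", "172.22.34.96", "0.0.0.15", "172.22.34.62", "0.0.0.0", None),
]

def acl_permits(acl, proto, src, dst, dport=None) -> bool:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for p, s, sw, d, dw, port in acl:
        if p != proto:
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dport:
            continue
        return True  # every entry in these ACLs is a permit
    return False     # implicit "deny ip any any"

PC1, PC2, SERVER = "172.22.34.65", "172.22.34.97", "172.22.34.62"  # PCs constructed

def lab_verification() -> dict:
    """Reproduces the Step 3 checks of Part 1 (ACL 100) and Part 2 (HTTP_ONLY)."""
    return {
        "pc1_ping_server": acl_permits(ACL_100, "icmp", PC1, SERVER),
        "pc1_ftp_server":  acl_permits(ACL_100, "tcp", PC1, SERVER, 21),
        "pc1_ping_pc2":    acl_permits(ACL_100, "icmp", PC1, PC2),
        "pc2_ping_server": acl_permits(HTTP_ONLY, "icmp", PC2, SERVER),
        "pc2_ftp_server":  acl_permits(HTTP_ONLY, "tcp", PC2, SERVER, 21),
        "pc2_http_server": acl_permits(HTTP_ONLY, "tcp", PC2, SERVER, 80),
    }
```

Note that the model only evaluates the inbound direction the lab applies each ACL to; return traffic from Server to the PCs enters R1 on a different interface and is not filtered by either list.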

