4.1.2.5 Packet Tracer – Configure IP ACLs to Mitigate Attacks Answers PDF

Title 4.1.2.5 Packet Tracer – Configure IP ACLs to Mitigate Attacks Answers
Author Amuel Wilson
Course Network security
Institution Algonquin College
Pages 6

Description

Packet Tracer – Configure IP ACLs to Mitigate Attacks

Topology

Addressing Table

Objectives

• Verify connectivity among devices before firewall configuration.
• Use ACLs to ensure remote access to the routers is available only from management station PC-C.
• Configure ACLs on R1 and R3 to mitigate attacks.
• Verify ACL functionality.

Background/Scenario

Access to routers R1, R2, and R3 should only be permitted from PC-C, the management station. PC-C is also used for connectivity testing to PC-A, which is a server providing DNS, SMTP, FTP, and HTTPS services.

Standard operating procedure is to apply ACLs on edge routers to mitigate common threats based on source and destination IP address. In this activity, you will create ACLs on edge routers R1 and R3 to achieve this goal. You will then verify ACL functionality from internal and external hosts.

The routers have been preconfigured with the following:

• Enable password: ciscoenpa55
• Password for console: ciscoconpa55
• SSH logon username and password: SSHadmin / ciscosshpa55
• IP addressing
• Static routing

Part 1: Verify Basic Network Connectivity

Verify network connectivity prior to configuring the IP ACLs.

Step 1: From PC-A, verify connectivity to PC-C and R2.

a. From the command prompt, ping PC-C (192.168.3.3).
b. From the command prompt, establish an SSH session to the R2 Lo0 interface (192.168.2.1) using username SSHadmin and password ciscosshpa55. When finished, exit the SSH session.

SERVER> ssh -l SSHadmin 192.168.2.1

Step 2: From PC-C, verify connectivity to PC-A and R2.

a. From the command prompt, ping PC-A (192.168.1.3).
b. From the command prompt, establish an SSH session to the R2 Lo0 interface (192.168.2.1) using username SSHadmin and password ciscosshpa55. Close the SSH session when finished.

PC> ssh -l SSHadmin 192.168.2.1

c. Open a web browser to the PC-A server (192.168.1.3) to display the web page. Close the browser when done.

Part 2: Secure Access to Routers

Step 1: Configure ACL 10 to block all remote access to the routers except from PC-C.

Use the access-list command to create a numbered IP ACL on R1, R2, and R3. ACL 10 is a standard ACL, so it matches on source address only; the implicit deny at its end rejects every other source.

R1(config)# access-list 10 permit host 192.168.3.3
R2(config)# access-list 10 permit host 192.168.3.3
R3(config)# access-list 10 permit host 192.168.3.3

Step 2: Apply ACL 10 to ingress traffic on the VTY lines.

Use the access-class command to apply the access list to incoming traffic on the VTY lines. The command is entered in line configuration mode for the VTY lines (line vty 0 4, as in the R1 script at the end of this document). Applied this way, the ACL restricts only who may open a management session to the router; it does not filter transit traffic.

R1(config-line)# access-class 10 in
R2(config-line)# access-class 10 in
R3(config-line)# access-class 10 in

Step 3: Verify exclusive access from management station PC-C.

a. Establish an SSH session to 192.168.2.1 from PC-C (should be successful).

PC> ssh -l SSHadmin 192.168.2.1

b. Establish an SSH session to 192.168.2.1 from PC-A (should fail).

Part 3: Create a Numbered IP ACL 120 on R1

Create an IP ACL numbered 120 with the following rules:

• Permit any outside host to access DNS, SMTP, and FTP services on server PC-A.
• Deny any outside host access to HTTPS services on PC-A.
• Permit PC-C to access R1 via SSH.

Note: Check Results will not show a correct configuration for ACL 120 until you modify it in Part 4.

Step 1: Verify that PC-C can access PC-A via HTTPS using the web browser.

Be sure to disable HTTP and enable HTTPS on server PC-A.

Step 2: Configure ACL 120 to specifically permit and deny the specified traffic.

Use the access-list command to create a numbered IP ACL.

R1(config)# access-list 120 permit udp any host 192.168.1.3 eq domain
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq smtp

R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq ftp
R1(config)# access-list 120 deny tcp any host 192.168.1.3 eq 443
R1(config)# access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22

Step 3: Apply the ACL to interface S0/0/0.

Use the ip access-group command to apply the access list to incoming traffic on interface S0/0/0.

R1(config)# interface s0/0/0
R1(config-if)# ip access-group 120 in

Step 4: Verify that PC-C cannot access PC-A via HTTPS using the web browser.

Part 4: Modify an Existing ACL on R1

Permit ICMP echo replies and destination unreachable messages from the outside network (relative to R1). Deny all other incoming ICMP packets.

Step 1: Verify that PC-A cannot successfully ping the loopback interface on R2.

With ACL 120 as configured in Part 3, no entry matches ICMP, so the echo replies returning to PC-A are dropped by the implicit deny at the end of the list.

Step 2: Make any necessary changes to ACL 120 to permit and deny the specified traffic.

Use the access-list command to add entries to the ACL. New entries are appended to the end of a numbered ACL, so they are evaluated after the Part 3 entries. The order below matters: the first matching entry wins, so the deny for all remaining ICMP must come before the final permit ip any any, which in turn is required because everything not explicitly permitted would otherwise be dropped.

R1(config)# access-list 120 permit icmp any any echo-reply
R1(config)# access-list 120 permit icmp any any unreachable
R1(config)# access-list 120 deny icmp any any
R1(config)# access-list 120 permit ip any any

Step 3: Verify that PC-A can successfully ping the loopback interface on R2.

Part 5: Create a Numbered IP ACL 110 on R3

Deny all outbound packets with a source address outside the range of internal IP addresses on R3.

Step 1: Configure ACL 110 to permit only traffic from the inside network.

Use the access-list command to create a numbered IP ACL. A single permit for 192.168.3.0/24 is enough: the implicit deny drops anything with another source address, which stops inside hosts from sending spoofed packets toward the outside.

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 any

Step 2: Apply the ACL to interface G0/1.

Use the ip access-group command to apply the access list to incoming traffic on interface G0/1.

R3(config)# interface g0/1
R3(config-if)# ip access-group 110 in

Part 6: Create a Numbered IP ACL 100 on R3

On R3, block all packets containing a source IP address from the following pool of addresses: any RFC 1918 private address, 127.0.0.0/8, and any IP multicast address. Since PC-C is being used for remote administration, permit SSH traffic from the 10.0.0.0/8 network to return to the host PC-C.

Step 1: Configure ACL 100 to block all specified traffic from the outside network.

You should also block traffic sourced from your own internal address space if it is not an RFC 1918 address. In this activity, your internal address space is part of the private address space specified in RFC 1918.

Use the access-list command to create a numbered IP ACL. In the first entry, eq 22 follows the source address, so it matches the SSH server's source port on traffic returning to PC-C; it must precede the deny for 10.0.0.0/8 because the first matching entry wins. The wildcard masks 0.15.255.255 and 15.255.255.255 cover 172.16.0.0/12 and the multicast range 224.0.0.0/4 respectively.

R3(config)# access-list 100 permit tcp 10.0.0.0 0.255.255.255 eq 22 host 192.168.3.3
R3(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R3(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R3(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
R3(config)# access-list 100 permit ip any any

Step 2: Apply the ACL to interface Serial 0/0/1.

Use the ip access-group command to apply the access list to incoming traffic on interface Serial 0/0/1.

R3(config)# interface s0/0/1
R3(config-if)# ip access-group 100 in

Step 3: Confirm that the specified traffic entering interface Serial 0/0/1 is handled correctly.

a. From the PC-C command prompt, ping the PC-A server. The ICMP echo replies are blocked by the ACL since they are sourced from the 192.168.0.0/16 address space.
b. Establish an SSH session to 192.168.2.1 from PC-C (should be successful).

Step 4: Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.

Scripts for R1

access-list 10 permit host 192.168.3.3
line vty 0 4
access-class 10 in
access-list 120 permit udp any host 192.168.1.3 eq domain
access-list 120 permit tcp any host 192.168.1.3 eq smtp
access-list 120 permit tcp any host 192.168.1.3 eq ftp
access-list 120 deny tcp any host 192.168.1.3 eq 443
access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
interface s0/0/0
ip access-group 120 in
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 deny icmp any any
access-list 120 permit ip any any
...

Scripts for R2

Scripts for R3
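The ACLs in Parts 3, 4 and 6 are all evaluated the same way: IOS walks the numbered list top-down, the first matching entry decides, and a packet that matches nothing hits the implicit deny. The following Python script is an added example, not part of this activity or its scripts. It parses the lab's ACL 120 and ACL 100 exactly as written, matches constructed packets against them (IOS wildcard masks, port names, ICMP types) and reports which entry each packet hit. The Packet values, the PORT_NAMES table and the client port 50000 are assumptions made for the example, not anything from the lab.

```python
"""Simulate Cisco IOS numbered-ACL evaluation: top-down, first match wins, implicit deny.
Added example for this activity, not part of the Packet Tracer lab or its scripts. ACL_120 and
ACL_100 reproduce the lab's R1 (S0/0/0 in) and R3 (S0/0/1 in) entries; the Packets are
constructed test inputs, not captured traffic."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "smtp": 25, "ftp": 21, "www": 80}  # IOS port names used here (assumed subset)


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None      # TCP/UDP source port
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo", "echo-reply", "unreachable", ...


def _parse_addr(tok: List[str], i: int):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (spec, next token index)."""
    if tok[i] == "any":
        return ("any",), i + 1
    if tok[i] == "host":
        return ("host", tok[i + 1]), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _parse_port(tok: List[str], i: int):
    """Optional 'eq <name|number>' right after a source or destination address."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_rule(line: str) -> dict:
    """<permit|deny> <proto> <src> [eq <port>] <dst> [eq <port>] [<icmp-type>]"""
    tok = line.split()
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    icmp_type = tok[i] if tok[1] == "icmp" and i < len(tok) else None
    return {"action": tok[0], "proto": tok[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp_type": icmp_type}

def _addr_matches(spec, addr: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    if spec == ("any",):
        return True
    if spec[0] == "host":
        return a == int(ipaddress.IPv4Address(spec[1]))
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    # IOS wildcard: a 1 bit means "don't care", so compare only where the wildcard is 0.
    return ((a ^ base) & ~wild & 0xFFFFFFFF) == 0

def _rule_matches(r: dict, p: Packet) -> bool:
    return (r["proto"] in ("ip", p.proto)
            and _addr_matches(r["src"], p.src) and _addr_matches(r["dst"], p.dst)
            and r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport)
            and r["icmp_type"] in (None, p.icmp_type))

def evaluate(acl: List[str], p: Packet) -> Tuple[str, str]:
    """Return (action, matching entry); no match means the implicit deny at the end."""
    for line in acl:
        rule = parse_rule(line)
        if _rule_matches(rule, p):
            return rule["action"], line
    return "deny", "implicit deny"


# R1 ACL 120 after Part 4: Part 3's five entries, then the four appended in Part 4.
ACL_120 = [
    "permit udp any host 192.168.1.3 eq domain",
    "permit tcp any host 192.168.1.3 eq smtp",
    "permit tcp any host 192.168.1.3 eq ftp",
    "deny tcp any host 192.168.1.3 eq 443",
    "permit tcp host 192.168.3.3 host 10.1.1.1 eq 22",
    "permit icmp any any echo-reply",
    "permit icmp any any unreachable",
    "deny icmp any any",
    "permit ip any any",
]
ACL_120_PART3 = ACL_120[:5]  # as it stood before Part 4: no entry matches ICMP

# R3 ACL 100 (Part 6): anti-spoofing on the outside interface, one SSH-return exception.
ACL_100 = [
    "permit tcp 10.0.0.0 0.255.255.255 eq 22 host 192.168.3.3",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any",
    "deny ip 224.0.0.0 15.255.255.255 any",
    "permit ip any any",
]

if __name__ == "__main__":  # Part 6 Step 3a: PC-A's echo reply toward PC-C, seen inbound on R3 S0/0/1
    print(evaluate(ACL_100, Packet("icmp", "192.168.1.3", "192.168.3.3", icmp_type="echo-reply")))
```

Running evaluate against the constructed packets shows why PC-A cannot ping R2's loopback before Part 4 (the reply matches nothing and hits the implicit deny), why the same reply passes once the Part 4 entries are appended, and why PC-C's ping to PC-A fails in Part 6 Step 3a (the reply is sourced from 192.168.0.0/16 and the anti-spoofing deny precedes the final permit). Evaluating a TCP reply sourced from 192.168.2.1 with source port 22 hits that same 192.168.0.0/16 deny, because the SSH exception in ACL 100 covers only 10.0.0.0/8 sources; that is worth checking in the simulator before relying on Step 3b.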

