PT Activity 5.2.8: Configuring Standard ACLs
CCNA Exploration: Accessing the WAN, ACLs
All contents are Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Topology Diagram

Addressing Table

Device            Interface   IP Address        Subnet Mask
R1                S0/0/0      10.1.1.1          255.255.255.252
                  Fa0/0       192.168.10.1      255.255.255.0
                  Fa0/1       192.168.11.1      255.255.255.0
R2                S0/0/0      10.1.1.2          255.255.255.252
                  S0/0/1      10.2.2.1          255.255.255.252
                  S0/1/0      209.165.200.225   255.255.255.224
                  Fa0/0       192.168.20.1      255.255.255.0
R3                S0/0/1      10.2.2.2          255.255.255.252
                  Fa0/0       192.168.30.1      255.255.255.0
ISP               S0/0/1      209.165.200.226   255.255.255.224
                  Fa0/0       209.165.201.1     255.255.255.224
                  Fa0/1       209.165.202.129   255.255.255.224
PC1               NIC         192.168.10.10     255.255.255.0
PC2               NIC         192.168.11.10     255.255.255.0
PC3               NIC         192.168.30.10     255.255.255.0
PC4               NIC         192.168.30.128    255.255.255.0
Web/TFTP Server   NIC         192.168.20.254    255.255.255.0
Web Server        NIC         209.165.201.30    255.255.255.224
Outside Host      NIC         209.165.202.158   255.255.255.224

Learning Objectives
- Investigate the current network configuration.
- Evaluate a network policy and plan an ACL implementation.
- Configure numbered standard ACLs.
- Configure named standard ACLs.

Introduction
Standard ACLs are router configuration scripts that control whether a router permits or denies packets based on the source address. This activity focuses on defining filtering criteria, configuring standard ACLs, applying ACLs to router interfaces, and verifying and testing the ACL implementation. The routers are already configured, including IP addresses and EIGRP routing. The user EXEC password is cisco, and the privileged EXEC password is class.

Task 1: Investigate the Current Network Configuration

Step 1. View the running configuration on the routers.
View the running configurations on all three routers using the show running-config command while in privileged EXEC mode. Notice that the interfaces and routing are fully configured. Compare the IP address configurations to the Addressing Table above. There should not be any ACLs configured on the routers at this time. The ISP router does not require any configuration during this exercise. Assume that the ISP router is not under your administration and is configured and maintained by the ISP administrator.

Step 2. Confirm that all devices can access all other locations.
Before applying any ACLs to a network, it is important to confirm that you have full connectivity. Without testing connectivity in your network prior to applying an ACL, troubleshooting may be more difficult, because you cannot tell whether a failure is caused by the ACL or by a pre-existing routing problem.

One helpful step in testing connectivity is to view the routing tables on each device to ensure that each network is listed. On R1, R2, and R3, issue the show ip route command. You should see that each device has connected routes for attached networks, and dynamic routes to all other remote networks.

Although the routing table can be helpful in assessing the status of the network, you should still test connectivity using ping. Complete the following tests:
- From PC1, ping PC2.
- From PC2, ping Outside Host.
- From PC4, ping the Web/TFTP Server.
Each of these connectivity tests should be successful.

Task 2: Evaluate a Network Policy and Plan an ACL Implementation

Step 1. Evaluate the policy for the R1 LANs.
The 192.168.10.0/24 network is allowed access to all locations, except the 192.168.11.0/24 network. The 192.168.11.0/24 network is allowed access to all destinations, except to any networks connected to the ISP.

Step 2. Plan the ACL implementation for the R1 LANs.
Two ACLs fully implement the security policy for the R1 LANs. The first ACL on R1 denies traffic from the 192.168.10.0/24 network to the 192.168.11.0/24 network, but permits all other traffic.
This first ACL, applied outbound on the Fa0/1 interface, filters all traffic that R1 forwards into the 192.168.11.0 network. Because a standard ACL can only match the source address, it must be placed where the only traffic it sees is traffic headed for the destination being protected, which is why it goes on the interface closest to the 192.168.11.0/24 LAN rather than inbound on Fa0/0 (where it would also block PC1's traffic to every other destination). The second ACL on R2 denies the 192.168.11.0/24 network access to the ISP, but permits all other traffic. It controls outbound traffic on the S0/1/0 interface, the only link toward the ISP.

Place the ACL statements in the order of most specific to least specific. The router evaluates statements top-down and stops at the first match, so denying the network traffic from accessing another network comes before permitting all other traffic.

Step 3. Evaluate the policy for the R3 LAN.
The 192.168.30.0/24 network is allowed access to all destinations. Host 192.168.30.128 is not allowed access outside of the LAN.

Step 4. Plan the ACL implementation for the R3 LAN.
One ACL fully implements the security policy for the R3 LAN. The ACL is placed on R3 and denies the 192.168.30.128 host access outside of the LAN, but permits traffic from all other hosts on the LAN. Applied inbound on the Fa0/0 interface, this ACL checks all traffic attempting to leave the 192.168.30.0/24 network. Place the ACL statements in the order of most specific to least specific. Denying the 192.168.30.128 host access comes before permitting all other traffic.

Task 3: Configure Numbered Standard ACLs

Step 1. Determine the wildcard mask.
The wildcard mask in an ACL statement determines how much of an IP address to check. A 0 bit means the corresponding bit of the packet address must match the bit in the configured address, while a 1 bit means that bit is ignored. Remember that standard ACLs can only check source addresses. Since the ACL on R1 denies all traffic sourced from the 192.168.10.0/24 network (in the direction where it is applied, outbound on Fa0/1), any source IP that begins with 192.168.10 is denied. Since the last octet of the IP address can be ignored, the correct wildcard mask is 0.0.0.255. Each octet in this mask can be thought of as "check, check, check, ignore."
The ACL on R2 also denies traffic sourced from a /24 network, 192.168.11.0/24. The same wildcard mask applies, 0.0.0.255.

Step 2. Determine the statements.
ACLs are configured in global configuration mode. For standard ACLs, use a number between 1 and 99 (or between 1300 and 1999, the expanded range). The number 10 is used for this list on R1 to help remember that this ACL is monitoring the 192.168.10.0 network. On R2, access list 11 will deny traffic from the 192.168.11.0 network to any ISP networks, so the deny option is set with the network 192.168.11.0 and wildcard mask 0.0.0.255. All other traffic must be permitted explicitly with the permit option, because every ACL ends with an implicit "deny any"; a list containing only the deny statement would block all traffic on the interface. The any option specifies any source host.

Configure the following on R1:

R1(config)#access-list 10 deny 192.168.10.0 0.0.0.255
R1(config)#access-list 10 permit any

Note: Packet Tracer will not grade an ACL configuration until all statements are entered in the correct order.

Now create an ACL on R2 to deny the 192.168.11.0 network and permit all other networks. For this ACL, use the number 11. Configure the following on R2:

R2(config)#access-list 11 deny 192.168.11.0 0.0.0.255
R2(config)#access-list 11 permit any

Step 3. Apply the statements to the interfaces.
On R1, enter configuration mode for the Fa0/1 interface. Issue the ip access-group 10 out command to apply the standard ACL outbound on the interface.

R1(config)#interface fa0/1
R1(config-if)#ip access-group 10 out

On R2, enter configuration mode for the S0/1/0 interface. Issue the ip access-group 11 out command to apply the standard ACL outbound on the interface.

R2(config)#interface s0/1/0
R2(config-if)#ip access-group 11 out

Step 4. Verify and test ACLs.
With the ACLs configured and applied, PC1 (192.168.10.10) should not be able to ping PC2 (192.168.11.10), because ACL 10 is applied outbound on Fa0/1 on R1. PC2 (192.168.11.10) should not be able to ping Web Server (209.165.201.30) or Outside Host (209.165.202.158), but should be able to ping everywhere else, because ACL 11 is applied outbound on S0/1/0 on R2.

Note that PC2 also cannot ping PC1, even though no ACL filters traffic from 192.168.11.0/24 toward 192.168.10.0/24. The echo request from PC2 reaches PC1, but the echo reply has source 192.168.10.10 and leaves R1 through Fa0/1, where ACL 10 denies it. Standard ACLs are stateless and inspect each packet independently, so filtering one direction of a flow breaks the flow in both directions.

Step 5. Check results.
Your completion percentage should be 67%. If not, click Check Results to see which required components are not yet completed.

Task 4: Configure a Named Standard ACL

Step 1. Determine the wildcard mask.
The access policy for R3 states that the host at 192.168.30.128 should not be allowed any access outside the local LAN. All other hosts on the 192.168.30.0 network should be allowed access to all other locations. To check a single host, the entire IP address needs to be checked, which is accomplished using the host keyword (equivalent to a wildcard mask of 0.0.0.0). All packets that do not match the host statement are permitted.

Step 2. Determine the statements.
On R3, enter global configuration mode. Create a named ACL called NO_ACCESS by issuing the ip access-list standard NO_ACCESS command. You will enter ACL configuration mode. All permit and deny statements are configured from this configuration mode. Deny traffic from the 192.168.30.128 host with the host option. Permit all other traffic with permit any. Configure the following named ACL on R3:

R3(config)#ip access-list standard NO_ACCESS
R3(config-std-nacl)#deny host 192.168.30.128
R3(config-std-nacl)#permit any

Step 3. Apply the statements to the correct interface.
On R3, enter configuration mode for the Fa0/0 interface. Issue the ip access-group NO_ACCESS in command to apply the named ACL inbound on the interface. This command causes all traffic entering the Fa0/0 interface from the 192.168.30.0/24 LAN to be checked against the ACL, including packets addressed to R3 itself, so PC4 will also be unable to ping its default gateway at 192.168.30.1.

R3(config)#interface fa0/0
R3(config-if)#ip access-group NO_ACCESS in

Step 4. Verify and test ACLs.
Click Check Results, and then click Connectivity Tests. The following tests should fail:
- PC1 to PC2
- PC2 to Outside Host
- PC2 to Web Server
- All pings from/to PC4 except between PC3 and PC4

Step 5. Check results.
Your completion percentage should be 100%. If not, click Check Results to see which required components are not yet completed.
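The reasoning used throughout this activity (placing a source-only filter near the destination in Task 2, deriving the 0.0.0.255 wildcard in Task 3 Step 1, the numbered and named statements in Tasks 3 and 4, and the pass/fail results of the connectivity tests) can be checked offline with a small model of how IOS evaluates a standard ACL. The following is an added example, not part of the Packet Tracer activity or of Cisco IOS: it parses the ACL lines exactly as typed in the activity, applies first-match evaluation with the implicit deny, and filters the echo request and echo reply of each ping independently on the source address. The addresses and interface names come from the Addressing Table; which filter points a packet crosses is hand-coded from the topology (an assumption, not a routing table), and interfaces without an ACL are omitted because they forward everything.

```python
"""Offline model of Cisco IOS standard-ACL evaluation for this activity's topology.

Added example; not part of the Packet Tracer activity. A standard ACL is modelled
as what it is: first match on the SOURCE address, implicit 'deny any' at the end,
stateless per-packet filtering in one direction on one interface.
"""
import ipaddress

# Hosts and LAN interfaces from the Addressing Table.
HOSTS = {
    "PC1": "192.168.10.10", "PC2": "192.168.11.10",
    "PC3": "192.168.30.10", "PC4": "192.168.30.128",
    "Web/TFTP Server": "192.168.20.254",
    "Web Server": "209.165.201.30", "Outside Host": "209.165.202.158",
}
LANS = {
    "R1 Fa0/0": "192.168.10.0/24", "R1 Fa0/1": "192.168.11.0/24",
    "R2 Fa0/0": "192.168.20.0/24", "R3 Fa0/0": "192.168.30.0/24",
    "ISP Fa0/0": "209.165.201.0/27", "ISP Fa0/1": "209.165.202.128/27",
}

def wildcard_for_prefix(prefix_len):
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the subnet mask."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))

def wildcard_match(addr, network, wildcard):
    """IOS semantics: a 0 bit in the wildcard must match; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_standard_acl(lines):
    """Parse ACEs as typed in IOS, numbered ('access-list 10 deny ...') or named
    ('deny host ...'). Returns (action, network, wildcard) tuples in configured order."""
    aces = []
    for line in lines:
        tok = line.split()
        if tok[0] == "access-list":      # numbered form carries 'access-list <n>' in front
            tok = tok[2:]
        action, target = tok[0], tok[1]
        if target == "any":
            aces.append((action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":           # 'host X' is shorthand for 'X 0.0.0.0'
            aces.append((action, tok[2], "0.0.0.0"))
        elif len(tok) == 2:              # bare address, no wildcard: also a single host
            aces.append((action, target, "0.0.0.0"))
        else:
            aces.append((action, target, tok[2]))
    return aces

def evaluate(aces, src):
    """First matching ACE decides; an unmatched packet hits the implicit 'deny any'."""
    for action, network, wildcard in aces:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False

# The three ACLs from Tasks 3 and 4, keyed by the (interface, direction) they are applied to.
APPLIED = {
    ("R1 Fa0/1", "out"): parse_standard_acl(
        ["access-list 10 deny 192.168.10.0 0.0.0.255", "access-list 10 permit any"]),
    ("R2 S0/1/0", "out"): parse_standard_acl(
        ["access-list 11 deny 192.168.11.0 0.0.0.255", "access-list 11 permit any"]),
    ("R3 Fa0/0", "in"): parse_standard_acl(
        ["deny host 192.168.30.128", "permit any"]),
}

def lan_of(addr):
    ip = ipaddress.IPv4Address(addr)
    for iface, cidr in LANS.items():
        if ip in ipaddress.IPv4Network(cidr):
            return iface
    raise ValueError(f"{addr} is not on a known LAN")

def checkpoints(src, dst):
    """(interface, direction) pairs a packet src->dst crosses that may carry an ACL.
    Assumption from the topology: the serial links R1-R2 and R2-R3 carry no ACLs, so only
    the source LAN interface (in), R2 S0/1/0 (out, toward the ISP) and the destination LAN
    interface (out) matter. Same-LAN traffic never reaches a router."""
    s_lan, d_lan = lan_of(src), lan_of(dst)
    if s_lan == d_lan or (s_lan.startswith("ISP") and d_lan.startswith("ISP")):
        return []
    points = [(s_lan, "in")]
    points.append(("R2 S0/1/0", "out") if d_lan.startswith("ISP") else (d_lan, "out"))
    return points

def forwarded(src_name, dst_name):
    """True if one packet from src to dst passes every ACL on its way."""
    src, dst = HOSTS[src_name], HOSTS[dst_name]
    return all(evaluate(APPLIED[p], src) for p in checkpoints(src, dst) if p in APPLIED)

def ping(src_name, dst_name):
    """A ping needs the echo request AND the echo reply forwarded: ACLs are stateless,
    so the reply is judged on its own source address, on its own path."""
    return forwarded(src_name, dst_name) and forwarded(dst_name, src_name)

def failing_pings():
    """Every ordered (source, destination) pair whose ping fails under the three ACLs."""
    return sorted((a, b) for a in HOSTS for b in HOSTS if a != b and not ping(a, b))
```

Running `failing_pings()` reproduces the activity's list (PC1 to PC2, PC2 to the two ISP hosts, and PC4 to everything except PC3), and `forwarded("PC2", "PC1")` returning True while `ping("PC2", "PC1")` returns False is the echo-reply effect described in Task 3 Step 4. Moving the `("R1 Fa0/1", "out")` key to `("R1 Fa0/0", "in")` in `APPLIED` shows why placement matters for a source-only filter: PC1 then loses connectivity to every destination, not just to 192.168.11.0/24.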