
Lab 5.5.2: Access Control Lists Challenge


Topology Diagram

Addressing Table

Device  Interface  IP Address    Subnet Mask    Default Gateway
R1      S0/0/0     10.1.0.1      255.255.255.0  N/A
R1      Fa0/1      10.1.1.254    255.255.255.0  N/A
R2      S0/0/0     10.1.0.2      255.255.255.0  N/A
R2      S0/0/1     10.3.0.1      255.255.255.0  N/A
R2      Lo0        10.13.205.1   255.255.0.0    N/A
R3      S0/0/1     10.3.0.2      255.255.255.0  N/A
R3      Fa0/1      10.3.1.254    255.255.255.0  N/A
PC1     NIC        10.1.1.1      255.255.255.0  10.1.1.254
PC3     NIC        10.3.1.1      255.255.255.0  10.3.1.254
All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 9
CCNA Exploration
Accessing the WAN: ACLs Lab 5.5.2: Access Control Lists Challenge
Learning Objectives

To complete this lab:
Design named standard and named extended ACLs.
Apply named standard and named extended ACLs.
Test named standard and named extended ACLs.
Troubleshoot named standard and named extended ACLs.
Task 1: Prepare the Network

Step 1: Cable a network that is similar to the one in the Topology Diagram.
You can use any current router in your lab as long as it has the required interfaces shown in the topology diagram.
Note: If you use a 1700, 2500, or 2600 router, the router outputs and interface descriptions may appear different.

Step 2: Clear any existing configurations on the routers.

Task 2: Perform Basic Router Configurations

Configure the R1, R2, and R3 routers according to the following guidelines:
Configure the router hostname.
Disable DNS lookup.
Configure an EXEC mode password.
Configure a message-of-the-day banner.
Configure a password for console connections.
Configure a password for VTY connections.
Configure IP addresses on all devices.
Create a loopback interface on R2.
Enable OSPF area 0 on all routers for all networks.
Verify full IP connectivity using the ping command.
R1
hostname R1
no ip domain-lookup
enable secret class
!
interface FastEthernet0/1
ip address 10.1.1.254 255.255.255.0
no shutdown
!
interface serial 0/0/0
ip address 10.1.0.1 255.255.255.0
clock rate 125000
no shutdown
!
router ospf 1
network 10.1.0.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 0
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
logging synchronous
password cisco
login
!
line vty 0 4
password cisco
login
!
R2
hostname R2
enable secret class
no ip domain lookup
!
interface Loopback0
ip address 10.13.205.1 255.255.0.0
!
interface Serial0/0/0
ip address 10.1.0.2 255.255.255.0
no shutdown
!
interface Serial0/0/1
ip address 10.3.0.1 255.255.255.0
clock rate 125000
no shutdown
!
router ospf 1
network 10.1.0.0 0.0.0.255 area 0
network 10.3.0.0 0.0.0.255 area 0
network 10.13.0.0 0.0.255.255 area 0
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
password cisco
logging synchronous
login
!
line vty 0 4
password cisco
login
!
R3
hostname R3
!
enable secret class
no ip domain lookup
!
interface FastEthernet0/1
ip address 10.3.1.254 255.255.255.0
no shutdown
!
interface Serial0/0/1
ip address 10.3.0.2 255.255.255.0
no shutdown
!
router ospf 1
network 10.3.0.0 0.0.0.255 area 0
network 10.3.1.0 0.0.0.255 area 0
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
password cisco
logging synchronous
login
!
line vty 0 4
password cisco
login
!
Task 3: Configuring Standard ACLs

Configure standard named ACLs on the R1 and R3 VTY lines, permitting hosts connected directly to their FastEthernet subnets to gain Telnet access. Deny and log all other connection attempts. Document your testing procedures.
R1
ip access-list standard VTY-LOCAL
permit 10.1.1.0 0.0.0.255
deny any log
!
line vty 0 4
access-class VTY-LOCAL in
!
R3
ip access-list standard VTY-LOCAL
permit 10.3.1.0 0.0.0.255
deny any log
!
line vty 0 4
access-class VTY-LOCAL in

Attempt to telnet to R3 from PC1, R1, and R2. These tests should fail.
Attempt to telnet to R1 from PC3, R2, and R3. These tests should fail.
Attempt to telnet to R1 from PC1. This test should pass.
Attempt to telnet to R3 from PC3. This test should pass.
Task 4: Configuring Extended ACLs

Using extended ACLs on R2, complete the following requirements:
The LANs connected to R1 and R3 are used for student computer labs. The network administrator has noticed that students in these labs are playing games across the WAN with the remote students. Make sure that your ACL prevents the LAN attached to R1 from reaching the LAN at R3 and that the LAN on R3 cannot reach the LAN on R1. Be specific in your statements so that any new LANs added to either R1 or R3 are not affected.
Permit all OSPF traffic.
Permit ICMP traffic to the R2 local interfaces.
All network traffic destined to TCP port 80 should be allowed and logged. Any other traffic should be denied.
Any traffic not specified above should be denied.
Note: This may require multiple access lists. Verify your configuration and document your testing procedure.

Why is the order of access list statements so important?
Access lists are processed from the top down. If a packet matches a line, the action of that line is performed and the lines after it are not evaluated.
R2
ip access-list extended BLOCK-R1
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
permit ospf any any
permit icmp any host 10.1.0.2
permit icmp any host 10.3.0.2
permit icmp any host 10.13.205.1
permit tcp any any eq 80 log

ip access-list extended BLOCK-R3
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ospf any any
permit icmp any host 10.1.0.2
permit icmp any host 10.3.0.2
permit icmp any host 10.13.205.1
permit tcp any any eq 80 log
interface serial 0/0/0
ip access-group BLOCK-R1 in
!
interface serial 0/0/1
ip access-group BLOCK-R3 in
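The evaluator below is an added example, not part of the Cisco lab: it parses a copy of R2's BLOCK-R1 entries and applies the top-down, first-match rule with the implicit deny that IOS appends. It shows why the deny line must precede permit tcp any any eq 80 (moving it last lets PC1 reach PC3 on port 80), and, checked against the addressing table, that an echo from PC1 to R2's Serial0/0/1 address 10.3.0.1 falls through to the implicit deny as the list is written. The packet tuples used in the checks are constructed.

```python
import ipaddress

# Constructed copy of R2's BLOCK-R1 list from this lab (applied inbound on S0/0/0).
BLOCK_R1 = """deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
permit ospf any any
permit icmp any host 10.1.0.2
permit icmp any host 10.3.0.2
permit icmp any host 10.13.205.1
permit tcp any any eq 80 log"""

IMPLICIT_DENY = {"action": "deny", "proto": "ip", "src": (0, 0), "dst": (0, 0),
                 "dport": None, "log": False}

def _addr_spec(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard').
    Returns (base, care): 'care' has a 1 bit wherever the packet address must match."""
    kw = tokens.pop(0)
    if kw == "any":
        return 0, 0
    if kw == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(kw))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))  # wildcard 0 bits = must match
    return base, ~wildcard & 0xFFFFFFFF

def parse_acl(text):
    """Parse extended ACL entries in order; IOS's implicit 'deny ip any any' goes last."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        e = {"action": t.pop(0), "proto": t.pop(0), "dport": None, "log": False}
        e["src"], e["dst"] = _addr_spec(t), _addr_spec(t)
        while t:  # optional trailers: 'eq <port>' and 'log'
            k = t.pop(0)
            if k == "eq":
                e["dport"] = int(t.pop(0))
            elif k == "log":
                e["log"] = True
        entries.append(e)
    return entries + [IMPLICIT_DENY]

def evaluate(entries, proto, src, dst, dport=None):
    """IOS semantics: top-down, first match wins. Returns (action, line_no, logged)."""
    s, d = (int(ipaddress.IPv4Address(a)) for a in (src, dst))
    for n, e in enumerate(entries, 1):
        (sb, sc), (db, dc) = e["src"], e["dst"]
        if (e["proto"] in ("ip", proto) and (s & sc) == (sb & sc)
                and (d & dc) == (db & dc) and e["dport"] in (None, dport)):
            return e["action"], n, e["log"]
```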
Task 5: Verifying an ACL

Test each protocol that you are trying to block, and make sure that permitted traffic is allowed. This requires testing ping, HTTP, Telnet, and OSPF.

Step 1: Test R1 to R3 traffic and R3 to R1 traffic.
Ping from PC1 to PC3.
Ping from PC3 to PC1.
Both should fail.

Step 2: Test port 80 access.
To test port 80 functionality, enable the HTTP server on R2:
R2(config)#ip http server
From PC1, open a web browser to the R2 Serial 0/0/0 interface. This should be successful.

Step 3: Verify OSPF routes.
No routes should be lost. Confirm with show ip route.

Step 4: Test ping to R2.
Ping to R2 from R1 and PC1.
Ping to R2 from R3 and PC3.
Both should succeed.

Step 5: Perform other ping tests to confirm that all other traffic is denied.

Task 6: Document the Router Configurations

Configurations
R1
hostname R1
enable secret class
no ip domain lookup
!
interface FastEthernet0/1
ip address 10.1.1.254 255.255.255.0
no shutdown
!
interface Serial0/0/0
ip address 10.1.0.1 255.255.255.0
clock rate 125000
no shutdown
!
router ospf 1
no auto-cost
network 10.1.0.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 0
!
ip access-list standard VTY-LOCAL
permit 10.1.1.0 0.0.0.255
deny any log
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
password cisco
logging synchronous
login
!
line vty 0 4
access-class VTY-LOCAL in
password cisco
login
!
R2
hostname R2
enable secret class
no ip domain lookup
!
interface Loopback0
ip address 10.13.205.1 255.255.0.0
!
interface Serial0/0/0
ip address 10.1.0.2 255.255.255.0
ip access-group BLOCK-R1 in
no shutdown
!
interface Serial0/0/1
ip address 10.3.0.1 255.255.255.0
ip access-group BLOCK-R3 in
clock rate 125000
no shutdown
!
router ospf 1
no auto-cost
network 10.1.0.0 0.0.0.255 area 0
network 10.3.0.0 0.0.0.255 area 0
network 10.13.0.0 0.0.255.255 area 0
!
ip access-list extended BLOCK-R1
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
permit ospf any any
permit icmp any host 10.1.0.2
permit icmp any host 10.3.0.2
permit icmp any host 10.13.205.1
permit tcp any any eq 80 log

ip access-list extended BLOCK-R3
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ospf any any
permit icmp any host 10.1.0.2
permit icmp any host 10.3.0.2
permit icmp any host 10.13.205.1
permit tcp any any eq 80 log
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
password cisco
logging synchronous
login
!
line vty 0 4
password cisco
login
!
R3
hostname R3
!
enable secret class
no ip domain lookup
!
interface FastEthernet0/1
ip address 10.3.1.254 255.255.255.0
no shutdown
!
interface Serial0/0/1
ip address 10.3.0.2 255.255.255.0
no shutdown
!
router ospf 1
no auto-cost
network 10.3.0.0 0.0.0.255 area 0
network 10.3.1.0 0.0.0.255 area 0
!
ip access-list standard VTY-LOCAL
permit 10.3.1.0 0.0.0.255
deny any log
!
banner motd !Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.!
!
line con 0
password cisco
logging synchronous
login
!
line vty 0 4
access-class VTY-LOCAL in
password cisco
login
!
Task 7: Clean Up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks, such as the school LAN or the Internet, reconnect the appropriate cabling and restore the TCP/IP settings.
