PT Activity 5.3.

4: Configuring Extended ACLs

Topology Diagra

All contents are Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. This doc ment is Cisco ! "lic In#ormation.

!age $ o# 8

CC%A &'ploration Accessing the (A%) AC*s

!T Activity +.,.-) Con#ig ring &'tended AC*s

Addressing Ta!le
Device "nterface #()()( &' *a()( *a()' #()()( &+ #()()' #()')( *a()( &3 #()()' *a()( #()()' "#P PC' PC+ PC3 PC4 -E.)T*TP #erver -E. #erver /utside 0ost *a()( *a()' ,"C ,"C ,"C ,"C ,"C ,"C ,"C "P Address $0.$.$.$ $.2.$/8.$0.$ $.2.$/8.$$.$ $0.$.$.2 $0.2.2.2 20..$/+.200.22+ $.2.$/8.20.$ $0.2.2.$ $.2.$/8.,0.$ 20..$/+.200.22/ 20..$/+.20$.$ 20..$/+.202.$2. $.2.$/8.$0.$0 $.2.$/8.$$.$0 $.2.$/8.,0.$0 $.2.$/8.,0.$28 $.2.$/8.20.2+20..$/+.20$.,0 20..$/+.202.$+8 #u!net $as% 2++.2++.2++.2+2 2++.2++.2++.0 2++.2++.2++.0 2++.2++.2++.2+2 2++.2++.2++.2+2 2++.2++.2++.222++.2++.2++.0 2++.2++.2++.2+2 2++.2++.2++.0 2++.2++.2++.222++.2++.2++.222++.2++.2++.222++.2++.2++.0 2++.2++.2++.0 2++.2++.2++.0 2++.2++.2++.0 2++.2++.2++.0 2++.2++.2++.222++.2++.2++.22-

Learning /!1ectives
Investigate the c rrent net0or1 con#ig ration. &val ate a net0or1 policy and plan an AC* implementation. Con#ig re n m"ered e'tended AC*s. Con#ig re named e'tended AC*s.

"ntroduction
&'tended AC*s are ro ter con#ig ration scripts that control 0hether a ro ter permits or denies pac1ets "ased on their so rce or destination address as 0ell as protocols or ports. &'tended AC*s provide more #le'i"ility and gran larity than standard AC*s. This activity #oc ses on de#ining #iltering criteria, con#ig ring e'tended AC*s, applying AC*s to ro ter inter#aces, and veri#ying and testing the AC* implementation. The ro ters are already con#ig red, incl ding I! addresses and &I23! ro ting. The ser &4&C pass0ord is cisco2 and the privileged &4&C pass0ord is class.

All contents are Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. This doc ment is Cisco ! "lic In#ormation.

!age 2 o# 8

CC%A &'ploration Accessing the (A%) AC*s

!T Activity +.,.-) Con#ig ring &'tended AC*s

Tas% ': "nvestigate t3e Current ,et4or% Configuration

#tep '. 5ie4 t3e running configuration on t3e routers. 5ie0 the r nning con#ig rations on all three ro ters sing the s3o4 running6config command 0hile in privileged &4&C mode. %otice that the inter#aces and ro ting are # lly con#ig red. Compare the I! address con#ig rations to the Addressing Ta"le a"ove. There sho ld not "e any AC*s con#ig red on the ro ters at this time. The IS! ro ter does not re6 ire any con#ig ration d ring this e'ercise. It is ass med that the IS! ro ter is not nder yo r administration and is con#ig red and maintained "y the IS! administrator. #tep +. Confir t3at all devices can access all ot3er locations.

7e#ore applying any AC*s to a net0or1, it is important to con#irm that yo have # ll connectivity. (itho t testing connectivity in yo r net0or1 prior to applying an AC*, tro "leshooting 0ill "e very di##ic lt. To ens re net0or1-0ide connectivity, se the ping and tracert commands "et0een vario s net0or1 devices to veri#y connections.

Tas% +: Evaluate a ,et4or% Policy and Plan an ACL " ple entation
#tep '. Evaluate t3e policy for t3e &' LA,s. 8or the $.2.$/8.$0.092- net0or1, "loc1 Telnet access to all locations and T8T! access to the corporate (e"9T8T! server at $.2.$/8.20.2+-. All other access is allo0ed. 8or the$.2.$/8.$$.092- net0or1, allo0 T8T! access and 0e" access to the corporate (e"9T8T! server at $.2.$/8.20.2+-. 7loc1 all other tra##ic #rom the $.2.$/8.$$.092- net0or1 to the $.2.$/8.20.092- net0or1. All other access is allo0ed.

#tep +. Plan t3e ACL i ple entation for t3e &' LA,s. T0o AC*s # lly implement the sec rity policy #or the 3$ *A%s. The #irst AC* s pports the #irst part o# the policy and is con#ig red on 3$ and applied in"o nd to the 8ast &thernet 090 inter#ace. The second AC* s pports the second part o# the policy and is con#ig red on 3$ and applied in"o nd to the 8ast &thernet 09$ inter#ace.

#tep 3. Evaluate t3e policy for t3e &3 LA,. All I! addresses o# the $.2.$/8.,0.092- net0or1 are "loc1ed #rom accessing all I! addresses o# the $.2.$/8.20.092- net0or1. The #irst hal# o# $.2.$/8.,0.092- is allo0ed access to all other destinations. The second hal# o# $.2.$/8.,0.092- net0or1 is allo0ed access to the $.2.$/8.$0.092- and $.2.$/8.$$.092- net0or1s. The second hal# o# $.2.$/8.,0.092- is allo0ed 0e" and IC:! access to all remaining destinations. All other access is e'plicitly denied.

#tep 4. Plan t3e ACL i ple entation for t3e &3 LA,. This step re6 ires one AC* con#ig red on 3, and applied in"o nd to the 8ast &thernet 090 inter#ace. #tep 5. Evaluate t3e policy for traffic co ing fro t3e "nternet via t3e "#P.

; tside hosts are allo0ed to esta"lish a 0e" session 0ith the internal 0e" server on port 80 only.
!age , o# 8

All contents are Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. This doc ment is Cisco ! "lic In#ormation.

CC%A &'ploration Accessing the (A%) AC*s

!T Activity +.,.-) Con#ig ring &'tended AC*s

;nly esta"lished TC! sessions are allo0ed in. ;nly ping replies are allo0ed thro gh 32. t3e "nternet via t3e "#P.

#tep 7. Plan t3e ACL i ple entations for traffic co ing fro

This step re6 ires one AC* con#ig red on 32 and applied in"o nd to the Serial 09$90 inter#ace.

Tas% 3: Configure ,u !ered Extended ACLs

#tep '. Deter ine t3e 4ildcard as%s.

T0o AC*s are needed to en#orce the access control policy on 3$. 7oth AC*s 0ill "e designed to deny an entire Class C net0or1. <o 0ill con#ig re a 0ildcard mas1 that matches all hosts on each o# these Class C net0or1s. 8or e'ample, #or the entire s "net o# $.2.$/8.$0.092- to "e matched, the 0ildcard mas1 is 0.0.0.2++. This can "e tho ght o# as =chec1, chec1, chec1, ignore> and, in essence, matches the entire $.2.$/8.$0.092net0or1. #tep +. Configure t3e first extended ACL for &'. 8rom glo"al con#ig ration mode, con#ig re the #irst AC* 0ith n m"er $$0. 8irst, yo 0ant to "loc1 Telnet to any location #or all I! addresses on the $.2.$/8.$0.092- net0or1. (hen 0riting the statement, ma1e s re that yo are c rrently in glo"al con#ig ration mode. R1(config)#access-list 110 deny tcp 192.168.10.0 0.0.0.255 any eq telnet %e't, "loc1 all I! addresses on the $.2.$/8.$0.092- net0or1 #rom T8T! access to the host at $.2.$/8.20.2+-. R1(config)#access-list 110 deny udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp 8inally, permit all other tra##ic. R1(config)#access-list 110 permit ip any any #tep 3. Configure t3e second extended ACL for &'. Con#ig re the second AC* 0ith n m"er $$$. !ermit ((( to the host at $.2.$/8.20.2+- #or any I! addresses on the $.2.$/8.$$.092- net0or1. R1(config)#access-list 111 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www %e't, permit T8T! to the host at $.2.$/8.20.2+- #or any I! addresses on the $.2.$/8.$$.092- net0or1. R1(config)#access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp 7loc1 all other tra##ic #rom $.2.$/8.$$.092- net0or1 to the $.2.$/8.20.092- net0or1. R1(config)#access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255 8inally, permit any other tra##ic. This statement ens res that tra##ic to other net0or1s is not "loc1ed. R1(config)#access-list 111 permit ip any any

All contents are Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. This doc ment is Cisco ! "lic In#ormation.

!age - o# 8

CC%A &'ploration Accessing the (A%) AC*s

!T Activity +.,.-) Con#ig ring &'tended AC*s

#tep 4. 5erify t3e ACL configurations. Con#irm yo r con#ig rations on 3$ "y iss ing the s3o4 access6lists command. <o r o tp t sho ld loo1 li1e this) R1#show access-lists Extended IP access list 110 deny tcp 192.168.10.0 0.0.0.255 any e telnet deny !dp 192.168.10.0 0.0.0.255 "ost 192.168.20.25# e tftp pe$%it ip any any Extended IP access list 111 pe$%it tcp 192.168.11.0 0.0.0.255 "ost 192.168.20.25# e &&& pe$%it !dp 192.168.11.0 0.0.0.255 "ost 192.168.20.25# e tftp deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255 pe$%it ip any any #tep 5. Apply t3e state ents to t3e interfaces. To apply an AC* to an inter#ace, enter inter#ace con#ig ration mode #or that inter#ace. Con#ig re the command ip access6group access-list-number ?in @ outA to apply the AC* to the inter#ace. &ach AC* #ilters in"o nd tra##ic. Apply AC* $$0 to 8ast &thernet 090 and AC* $$$ to 8ast &thernet 09$. R1(config)#interface fa0/0 R1(config'if)#ip access- roup 110 in R1(config'if)#interface fa0/1 R1(config'if)#ip access- roup 111 in Con#irm that the AC*s appear in the r nning con#ig ration o# 3$ and that they have "een applied to the correct inter#aces. #tep 7. Test t3e ACLs configured on &'. %o0 that AC*s have "een con#ig red and applied, it is very important to test that tra##ic is "loc1ed or permitted as e'pected. 8rom !C$, attempt to gain Telnet access to any device. This sho ld "e "loc1ed. 8rom !C$, attempt to access the corporate (e"9T8T! server via BTT!. This sho ld "e allo0ed. 8rom !C2, attempt to access the (e"9T8T! server via BTT!. This sho ld "e allo0ed. 8rom !C2, attempt to access the e'ternal (e" server via BTT!. This sho ld "e allo0ed.

7ased on yo r nderstanding o# AC*s, try some other connectivity tests #rom !C$ and !C2. #tep 8. C3ec% results. !ac1et Tracer does not s pport testing T8T! access, so yo 0ill not "e a"le to veri#y that policy. Bo0ever, yo r completion percentage sho ld "e +0C. I# not, clic1 C3ec% &esults to see 0hich re6 ired components are not yet completed.

Tas% 4: Configure a ,u !ered Extended ACL for &3

#tep '. Deter ine t3e 4ildcard as%.

The access policy #or the lo0er hal# o# the I! addresses on the $.2.$/8.,0.092- net0or1 re6 ires) Deny access to the $.2.$/8.20.092- net0or1 Allo0 access to all other destinations Allo0 access to $.2.$/8.$0.0 and $.2.$/8.$$.0
!age + o# 8

The top hal# o# the I! addresses in the $.2.$/8.,0.092- net0or1 has the #ollo0ing restrictions)
All contents are Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. This doc ment is Cisco ! "lic In#ormation.

CC%A &'ploration Accessing the (A%) AC*s

!T Activity +.,.-) Con#ig ring &'tended AC*s

Deny access to $.2.$/8.20.0 Allo0 0e" and IC:! to all other locations

To determine the 0ildcard mas1, consider 0hich "its need to "e chec1ed #or the AC* to match I! addresses 0E$27 Flo0er hal#G or $28E2++ F pper hal#G. 3ecall that one 0ay to determine the 0ildcard mas1 is to s "tract the normal net0or1 mas1 #rom 2++.2++.2++.2++. The normal mas1 #or I! addresses 0E$27 and $28E2++ #or a Class C address is 2++.2++.2++.$28. Hsing the s "traction method, here is the correct 0ildcard mas1) 255.255.255.255 ( 255.255.255.128 '''''''''''''''''' 0. 0. 0.12) #tep +. Configure t3e extended ACL on &3. ;n 3,, enter glo"al con#ig ration mode and con#ig re the AC* sing $,0 as the access list n m"er. The #irst statement "loc1s the $.2.$/8.,0.092- #rom accessing all addresses in the $.2.$/8.20.092net0or1. R*(config)#access-list 1!0 deny ip 192.168.!0.0 0.0.0.255 192.168.20.0 0.0.0.255 The second statement allo0s the lo0er hal# o# the $.2.$/8.,0.092- net0or1 access to any other destinations. R*(config)#access-list 1!0 permit ip 192.168.!0.0 0.0.0.12" any The remaining statements e'plicitly permit the pper hal# o# the $.2.$/8.,0.092- net0or1 access to those net0or1s and services that the net0or1 policy allo0s. R*(config)#access-list 1!0 permit ip 192.168.!0.128 0.0.0.12" 192.168.10.0 0.0.0.255 R*(config)# access-list 1!0 permit ip 192.168.!0.128 0.0.0.12" 192.168.11.0 0.0.0.255 R*(config)# access-list 1!0 permit tcp 192.168.!0.128 0.0.0.12" any eq www R*(config)# access-list 1!0 permit icmp 192.168.!0.128 0.0.0.12" any R*(config)# access-list 1!0 deny ip any any #tep 3. Apply t3e state ent to t3e interface. To apply an AC* to an inter#ace, enter inter#ace con#ig ration mode #or that inter#ace. Con#ig re the command ip access6group access-list-number ?in @ outA to apply the AC* to the inter#ace. R*(config)#interface fa0/0 R*(config'if)#ip access- roup 1!0 in #tep 4. 5erify and test ACLs. %o0 that the AC* has "een con#ig red and applied, it is very important to test that tra##ic is "loc1ed or permitted as e'pected. 8rom !C,, ping the (e"9T8T! server. This sho ld "e "loc1ed. 8rom !C,, ping any other device. This sho ld "e allo0ed. 8rom !C-, ping the (e"9T8T! server. This sho ld "e "loc1ed. 8rom !C-, telnet to 3$ at $.2.$/8.$0.$ or $.2.$/8.$$.$. This sho ld "e allo0ed. 8rom !C-, ping !C$ and !C2. This sho ld "e allo0ed. 8rom !C-, telnet to 32 at $0.2.2.2. This sho ld "e "loc1ed.
!age / o# 8

All contents are Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. This doc ment is Cisco ! "lic In#ormation.

CC%A &'ploration Accessing the (A%) AC*s

!T Activity +.,.-) Con#ig ring &'tended AC*s

A#ter yo r tests have "een cond cted and yield the correct res lts, se the s3o4 access6lists privileged &4&C command on 3, to veri#y that the AC* statements have matches. 7ased on yo r nderstanding o# AC*s, cond ct other tests to veri#y that each statement is matching the correct tra##ic. #tep 5. C3ec% results. <o r completion percentage sho ld "e 7+C. I# not, clic1 C3ec% &esults to see 0hich re6 ired components are not yet completed.

Tas% 5: Configure a ,a ed Extended ACL

#tep '. Configure a na ed extended ACL on &+. 3ecall that the policy on 32 0ill "e designed to #ilter Internet tra##ic. Since 32 has the connection to the IS!, this is the "est placement #or the AC*. Con#ig re a named AC* called 8I3&(A** on 32 sing the ip access6list extended name command. This command p ts the ro ter into e'tended named AC* con#ig ration mode. %ote the changed ro ter prompt. R2(config)#ip access-list e#tended $%&'()** R2(config'ext'nacl)# In AC* con#ig ration mode, add the statements to #ilter tra##ic as o tlined in the policy) ; tside hosts are allo0ed to esta"lish a 0e" session 0ith the internal 0e" server on port 80 only. ;nly esta"lished TC! sessions are allo0ed in. !ing replies are allo0ed thro gh 32.

R2(config'ext'nacl)#permit tcp any host 192.168.20.254 eq www R2(config'ext'nacl)#permit tcp any any esta+lished R2(config'ext'nacl)#permit icmp any any echo-reply R2(config'ext'nacl)#deny ip any any A#ter con#ig ring the AC* on 32, se the s3o4 access6lists command to con#irm that the AC* has the correct statements. #tep +. Apply t3e state ent to t3e interface. Hse the ip access6group name ?in @ outA command to apply the AC* in"o nd on the IS! #acing inter#ace o# 32. R2(config)#interface s0/1/0 R2(config'if)#ip access- roup $%&'()** in #tep 3. 5erify and test ACLs. Cond ct the #ollo0ing tests to ens re that the AC* is # nctioning as e'pected) 8rom ; tside Bost, open a 0e" page on the internal (e"9T8T! server. This sho ld "e allo0ed. 8rom ; tside Bost, ping the internal (e"9T8T! server. This sho ld "e "loc1ed. 8rom ; tside Bost, ping !C$. This sho ld "e "loc1ed. 8rom !C$, ping the e'ternal (e" Server at 20..$/+.20$.,0. This sho ld "e allo0ed. 8rom !C$, open a 0e" page on the e'ternal (e" Server. This sho ld "e allo0ed.

A#ter yo r tests have "een cond cted and yield the correct res lts, se the s3o4 access6lists privileged &4&C command on 32 to veri#y that the AC* statements have matches.
All contents are Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. This doc ment is Cisco ! "lic In#ormation. !age 7 o# 8

CC%A &'ploration Accessing the (A%) AC*s

!T Activity +.,.-) Con#ig ring &'tended AC*s

7ased on yo r nderstanding o# AC*s, cond ct other tests to veri#y that each statement is matching the correct tra##ic. #tep 4. C3ec% results. <o r completion percentage sho ld "e $00C. I# not, clic1 C3ec% &esults to see 0hich re6 ired components are not yet completed.

All contents are Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. This doc ment is Cisco ! "lic In#ormation.

!age 8 o# 8