Professional Documents
Culture Documents
CCENT Lab 3 3 Traffic Filtering With ACLs v1.0.1
CCENT Lab 3 3 Traffic Filtering With ACLs v1.0.1
DAVID
DAVID
BOMBAL
BOMBAL
David Bombal CCNA Labs Lab 3.3
om
l.c
ba
om
db
vi
da
om
ISP DNS Server 209.165.202.30
www.cisco.com 23.43.20.35 HTTP, HTTPS, FTP
l.c
www.facebook.com 31.13.65.38 HTTP, HTTPS
www.twitter.com 104.244.42.65 HTTP, HTTPS
ba
www.google.com 216.58.206.132 HTTP, HTTPS, FTP
om
ACL Overview
db
om
Order of statements in ACL is important - put more specific statements at the
beginning
Last statement in an ACL is an implicit deny any
l.c
An ACL needs at least one permit entry (there are exceptions as always)
Create ACL in global configuration and then apply on an interface - inbound
or outbound
ba
Place extended ACLs as close to the source as possible
Place standard ACLs as close to the destination as possible
om
NOTE: The following table of commands is reference only. Do not try to type
them all in your lab now. Follow the steps after the table.
om
(config-ext- Specifies the ACL conditions
nacl)#{permit |
deny]
‘condition’
l.c
(config- (config-if)#int enables interface mode
if)#interface
‘interface’
ba
(config-if)#ip Attaches the ACL to an interface In or Out
access-group
om
‘ACL-
name’[in|out]
‘interface’
list ‘ACL-name’
Configure an ACL
1. Deny Telnet and SSH access from PC2 to the Branch Router. Violations should
be logged.
2. Permit SSH only from PC1 to the Branch Router
3. Permit ALL users’ access to ONLY your ISP DNS server. Other public DNS
servers should be denied.
om
4. Permit PC1 (network admin user) to access Cisco, Twitter and Google secure
Website’s ONLY. Facebook access is NOT allowed
5. Permit PC2 (standard user) to access Cisco and Google Web and Secure
Websites ONLY. Facebook and Twitter access is not permitted.
l.c
6. Permit PC1 to Ping and Trace to any devices for connectivity testing purposes.
7. Deny PC2 Ping and Trace tools access to external resources.
ba
8. Permit ALL users on the internal network to access the Gmail server for their
business mail accounts.
9. Permit ALL users on the internal network to access to the HQ Server network
om
Web Servers.
10. All other traffic should be denied and logged to adhere to the company
acceptable use policy.
db
vi
da
********************Warning********************************
Access to this device is restricted to Authorized personnel only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************************
Username: ccna
Password: cisco
Branch>en
om
Password: secret123
Branch#
l.c
ba
Step 2: Configure an access-list to permit Telnet only from PC1 to the Branch Router
while denying PC2 any remote access to the device.
For this task, you will use a named standard access-list to identify PC1 as interesting
om
traffic. With regard to PC2 and any other users, you can take advantage of the
explicit deny all within the ACL to prevent PC2 gaining access.
db
Branch# conf t
Branch(config)# ip access-list standard Remote_Access
vi
Note:
Packet Tracer does not support the use of the log keyword. The criteria
in the ACL tasks outlined said that all violations should be logged.
When an ACL is created, the ‘deny any’ statement is a hidden rule at
the bottom of the access-list. In order to log any violation of this policy,
network engineers will actually create the deny any statement and add
on the ‘log’ keyword at the end of the line so that it will appear in the
ACL entries and can be logged against. Without the log keyword
violations are not logged and you will be unaware of any attempts.
The last entry in this ACL in the real world would look like this:
om
Branch(config-std-nacl)# deny any log
Note:
l.c
ba
When any violations match against the entry, the device would send a
logging message on the console or other session with the following
output:
om
Step 3: Verify the access-list is configured correctly. The standard ACL number 1
vi
Branch(config-std-nacl)# do sh ip access-list
--omitted--
Standard IP access list Remote_Access
10 permit host 10.1.1.100
20 deny any
Step 4: Now, attach the access-list to the vty lines with the access-class command
and save your configuration.
Building configuration...
[OK]
om
Step 5: Access PC1. Click on the Desktop tab and launch a Command Prompt to
test the ACL. Observe that both Telnet and SSH protocol access works.
l.c
ba
om
db
vi
da
Step 6: Return to the Branch Router console session. Recall the statistics for the
access-list and observe the changes from Step 3.
Branch# sh access-list
Standard IP access list Remote_Access
10 permit host 10.1.1.100 (4 match(es))
20 deny any
Note:
without the deny statement actually being configured in the ACL there
would be no sequence no.20.
om
Observe that there are now 4 matches against the permit sequence of the ACL from
PC1’s telnet and ssh successful connections.
l.c
Step 7: Access PC2. Click on the Desktop tab and launch a Command Prompt to
ba
test the ACL. Observe the result of the attempted connections.
om
db
vi
da
Step 8: Return to the Branch Router console session. Recall the statistics for the
access-list and observe the results once more.
Branch# sh access-list
Standard IP access list Remote_Access
10 permit host 10.1.1.100 (4 match(es))
20 deny any (10 match(es))
Observe that there are now matches against the deny statement in the ACL. Packet
Tracer displays more ‘hits’ against the ACL than a real device would. A real scenario
would list 1 deny for each attempt.
om
Step 9: In this next step, you will configure another ACL as a packet filter to prevent
access to all servers and services as per the ACL outline criteria.
l.c
criteria outlined above. This ACL has to be an extended ACL as you are concerned
about source, destination, ports and protocols. Standard ACLs are only interested in
the source of a packet.
ba
Permit ONLY DNS requests via the ISP Server.
om
Branch# conf t
Branch(config)# ip access-list extended Outbound_Access
Branch(config-ext-nacl)# permit udp 10.1.1.0 0.0.0.255 host
db
209.165.202.30 eq 53
vi
In this access control list entry (ACE), UDP is the transport protocol, the network
da
10.1.1.0 /24 is the source, the ISP DNS server is the destination and DNS is
identified as the destination port.
Step 10: During each access list entry, verify the access-list is being created
correctly.
Notice that the router has changed the port number of 53 to the word ‘domain’. You
can actually write the word or the port number for many of the ‘well-known’ service
ports. Both are supported.
Step 11: In order to know how to create the access-list entries in this case you will
om
need to discover what the server application addresses are on the Internet. In order
to do this connect to PC1 and open a Command Prompt.
Using the appropriate command, confirm the ISP server is your DNS server. Once
l.c
confirmed, use the nslookup utility to discover the server addresses involved in the
lab.
ba
om
db
vi
da
Using the nslookup utility on PC1, verify the IP addresses of the cisco.com,
facebook.com, twitter.com and google.com servers ready to create the ACL entries.
Note:
nslookup or name server lookup is an operating system command
line tool for querying the Domain Name System (DNS) to obtain the
domain name IP address mapping. Other tools are DIG and Hosts in
om
the Unix/Linux arena.
l.c
ba
om
db
vi
da
We can now confirm that DNS resolves the Servers to the following IP Addresses
Cisco.com: 23.43.20.35
Facebook.com: 31.13.65.38
Twitter.com: 104.244.42.65
Google.com: 216.58.206.132
Step 12: Using the nslookup information, we can now create the ACL entries.
Permit PC1 (network admin user) to access Cisco, Twitter and Google secure
Website’s ONLY. Facebook access is NOT allowed
Permit PC2 (standard user) to access Cisco and Google Web and Secure
om
Websites ONLY. Facebook and Twitter access is not permitted
l.c
Return to the Branch Router to create the permit conditions for PC1 and PC2
Website access. We will also add in a ‘remark’ to comment on the detail of the ACL
entries so you and other engineers who view the ACL will follow the statements
ba
easier.
216.58.206.132 eq 443
Branch(config-ext-nacl)# remark google.com IP:216.58.206.132
Note:
Port 443 referenced in the ACL entries is the Secure Web Server port.
Any traffic sent and received over these connections is encrypted by
SSL/TLS (Secure Sockets Layer/Transport Layer Security)
Note:
You do not need to make explicit DENY statements to prevent
Facebook.com or other http sites as the implicit deny at the end of the
ACL will take care of this for us.
om
Permit PC1 to Ping and Trace to any devices for connectivity testing
purposes.
Deny ALL other users Ping and Trace tool access to external resources.
l.c
Branch(config-ext-nacl)# permit icmp host 10.1.1.100 any echo
ba
Branch(config-ext-nacl)# permit icmp host 10.1.1.100 any echo-reply
Branch(config-ext-nacl)# permit udp host 10.1.1.100 any gt 33434
om
Note:
Remember, although the criteria talks about all other users being
vi
Permit ALL users on the internal network to access the Gmail server for their
business mail accounts.
Permit ALL users on the internal network to access to the HQ Server network
Web Servers.
All other traffic should be denied and logged to adhere to the company
acceptable use policy.
Recall that nslookup provided you with the IP Address of the Google.com server.
Create the ACL entry to permit ALL users access to their Gmail accounts.
om
Branch(config-ext-nacl)#
Branch(config-ext-nacl) #permit tcp 10.1.1.0 0.0.0.255 172.16.0.0
0.0.255.255 eq 80
Branch(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 172.16.0.0
l.c
0.0.255.255 eq 443
Branch(config-ext-nacl)#
Branch(config-ext-nacl)# deny ip any any
ba
om
Note:
Remember, Packet Tracer does not allow logging, but will show the
deny statement written at the end of the ACL if it is typed in.
db
vi
da
Step 15: Review the complete ACL. (Packet Tracer does not add in sequence
numbering to the ACL entries if you use the specific show ip access-list
Outbound_Access’ – try this for yourself!) ACL entries are sequenced in increments
of 10 from the first entry in order to indicate the order of processing and the ability to
EDIT or remove individual statements. This is ONLY the case in NAMED ACLs,
hence why named ACLs are the recommended method for packet filtering on
interfaces. Packet Tracer will however, show the sequencing in the ACL if you omit
the nameof the ACL on the verification step as shown below.
Branch(config-ext-nacl)# do sh ip access-list
Extended IP access list Outbound_Access
10 permit udp 10.1.1.0 0.0.0.255 host 209.165.202.30 eq domain
20 permit tcp host 10.1.1.100 host 23.43.20.35 eq 443
30 permit tcp host 10.1.1.100 host 104.244.42.65 eq 443
40 permit tcp host 10.1.1.100 host 216.58.206.132 eq 443
50 permit tcp host 10.1.1.101 host 23.43.20.35 eq 443
om
60 permit tcp host 10.1.1.101 host 216.58.206.132 eq 443
70 permit icmp host 10.1.1.100 any echo
80 permit icmp host 10.1.1.100 any echo-reply
90 Permit udp host 10.1.1.100 any gt 33434
l.c
100 permit tcp any host 216.58.206.132 eqsmtp
110 permit tcp any host 216.58.206.132 eq pop3
120 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www
ba
130 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443
140 deny ip any any
om
Also, observe that there are no remarks in the above output. The ‘comments’ are
visible when a ‘show run’ command is executed.
db
om
Step 1: Access PC1 Desktop tab. Open the Web Browser and test connections to
the Web Servers on the Internet
l.c
PC1 Cisco.com http and https access
ba
om
db
vi
da
om
l.c
ba
Result: The Facebook.com login page opens successfully.
om
om
l.c
ba
Result: The google.com search engine opens successfully.
om
db
vi
da
Branch# conf t
Branch(config)# int g0/1
Branch(config-if)# ip access-group Outbound_Access in
Branch(config-if)# end
Branch#
om
[OK]
l.c
Note:
ACLs are applied using the ip access-group [name|number] [in|out]
ba
command
Step 2: Using the appropriate command verify the ACL is attached to the G0/1
om
interface
db
The ACL is correctly applied and packet filtering can now be tested.
Step 3: Return to PC1. Test secure http access to cisco.com, twitter.com and
google.com
om
l.c
Result: Success on https access. ba
om
db
om
l.c
ba
Result: Success on https access
om
db
om
l.c
Result: Success on https access.
ba
om
db
vi
om
l.c
Result: Failure on https access.
ba
The access list is working as expected so far. You may need to view the access-list
counters to confirm that the pages are trying to connect and refresh to verify the
om
ACL. To do this return to the Branch router and recall the appropriate command to
view the ACL counters
db
vi
da
Branch# sh ip access-list
Standard IP access list 1
10 permit 10.1.0.0 0.0.255.255 (108 match(es))
om
google.com is working
50 permit tcp host 10.1.1.101 host 23.43.20.35 eq 443
60 permit tcp host 10.1.1.101 host 216.58.206.132 eq 443
70 permit icmp host 10.1.1.100 any echo
l.c
80 permit icmp host 10.1.1.100 any echo-reply
90 permit udp host 10.1.1.100 any gt 33434
100 permit tcp any host 216.58.206.132 eqsmtp
ba
110 permit tcp any host 216.58.206.132 eq pop3
120 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www
130 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443
140 deny ip any any (139 match(es))
om
Step 5: From PC2, Test access to permitted cisco.com and google.com Secure Web
Sites.
om
l.c
ba
om
db
om
l.c
ba
om
db
Note:
da
Step 6: From PC1, open a command prompt from the desktop tab to verify the Ping
and Trace utilities work.
om
C:\> ping twitter.com
l.c
Reply from 104.244.42.65: bytes=32 time=1ms TTL=126
Reply from 104.244.42.65: bytes=32 time=1ms TTL=126
Reply from 104.244.42.65: bytes=32 time<1ms TTL=126
ba
Ping statistics for 104.244.42.65:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
om
Verify the counters by repeating the access-list verification counters on the Branch
Router.
Branch# sh ip access-list
Extended IP access list Outbound_Access
10 permit udp 10.1.1.0 0.0.0.255 host 209.165.202.30 eq domain (40
match(es))
20 permit tcp host 10.1.1.100 host 23.43.20.35 eq 443 (130
match(es))
30 permit tcp host 10.1.1.100 host 104.244.42.65 eq 443 (48
match(es))
40 permit tcp host 10.1.1.100 host 216.58.206.132 eq 443 (66
match(es))
50 permit tcp host 10.1.1.101 host 23.43.20.35 eq 443 (65
match(es))
60 permit tcp host 10.1.1.101 host 216.58.206.132 eq 443 (66
om
match(es))
70 permit icmp host 10.1.1.100 any echo (16 match(es))
80 permit icmp host 10.1.1.100 any echo-reply
90 permit udp host 10.1.1.100 any gt 33434
l.c
100 permit tcp any host 216.58.206.132 eqsmtp
110 permit tcp any host 216.58.206.132 eq pop3
120 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www
ba
130 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443
140 deny ip any any (247 match(es))
om
db
vi
da
Trace complete.
om
1 0 ms 0 ms 0 ms 10.1.1.1
2 0 ms 0 ms 0 ms 209.165.201.2
3 12 ms 13 ms 3 ms 104.244.42.65
Trace complete.
l.c
ba
C:\> tracert facebook.com
Tracing route to 31.13.65.38 over a maximum of 30 hops:
om
1 0 ms 0 ms 0 ms 10.1.1.1
2 0 ms 1 ms 12 ms 209.165.201.2
3 1 ms 1 ms 3 ms 31.13.65.38
db
Trace complete.
vi
C:\>tracert google.com
da
1 0 ms 0 ms 0 ms 10.1.1.1
2 0 ms 0 ms 15 ms 209.165.201.2
3 0 ms 1 ms 0 ms 216.58.206.132
Trace complete.
Step 9: Verify the counters by repeating the access-list verification counters on the
Branch Router to confirm that Tracert is allowed and the counters are incrementing.
Branch# sh ip access-list
Extended IP access list Outbound_Access
10 permit udp 10.1.1.0 0.0.0.255 host 209.165.202.30 eq domain
(46 match(es))
20 permit tcp host 10.1.1.100 host 23.43.20.35 eq 443 (130
match(es))
30 permit tcp host 10.1.1.100 host 104.244.42.65 eq 443 (48
match(es))
40 permit tcp host 10.1.1.100 host 216.58.206.132 eq 443 (66
match(es))
50 permit tcp host 10.1.1.101 host 23.43.20.35 eq 443 (65
match(es))
60 permit tcp host 10.1.1.101 host 216.58.206.132 eq 443 (66
match(es))
om
70 permit icmp host 10.1.1.100 any echo (70 match(es))
80 permit icmp host 10.1.1.100 any echo-reply
90 permit udp host 10.1.1.100 any gt 33434
100 permit tcp any host 216.58.206.132 eqsmtp
l.c
110 permit tcp any host 216.58.206.132 eq pop3
120 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www
130 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443
ba
140 deny ip any any (247 match(es))
Matches on the icmp permit are allowing the PC tracert utility to complete
om
successfully.
db
Step 10: From PC2, open a command prompt from the desktop tab to verify the Ping
and Trace utilities are denied through the Branch router.
vi
da
om
C:\> ping google.com
l.c
Reply from 10.1.1.1: Destination host unreachable.
3 0 ms 0 ms 0 ms 10.1.1.1
Control-C
Trace complete.
vi
da
1 0 ms 0 ms 0 ms 10.1.1.1
2 0 ms 0 ms 0 ms 10.1.1.1
3 1 ms 0 ms 0 ms 10.1.1.1
Control-C
1 0 ms 0 ms 0 ms 10.1.1.1
2 0 ms 0 ms 0 ms 10.1.1.1
3 1 ms 0 ms 0 ms 10.1.1.1
Control-C
om
Note:
All Pings and Tracert tools are denied. The Branch router returning
unreachable or ONLY its gateway address on a trace respectively. No
l.c
packets for these utilities are allowed through the router from PC2
ba
The Lab is complete.
om
db
vi
da
Tyrell Corporation have just called to say that some of their users are now accessing
web pages that should be blocked. They are quite anxious to have this resolved as
soon as possible as it is effecting genuine users accessing external business sites
essential for the business.
Also, one of the first line support team at Tyrell have also noticed that they can use
telnet to access the Branch router. They have also noticed that when they login to
PC2, it is also possible to connect to the Branch router. They have escalated this to
you to check and resolve.
om
You have been asked to resolve this a soon as possible and report back to Tyrell
when it is resolved.
Access Credentials:
l.c
Username: ccna
Password: cisco
ba
Enable Password: secret123
om
1. PC1 can access the Branch Router securely only. PC2 should have no
db
access and any attempts should be logged. Currently PC1 and PC2 can
access the Branch router by telnet
vi
3. PC2 should only be able to access google.com and cisco.com via https. PC2
should have no access to any insecure sites. Facebook and twitter should be
block for PC2. Currently PC1 and PC2 can access all sites including
gambling and other sites.
4. Only PC1 should be able to use command line troubleshooting tools of ping
and trace to discover any initial problems and then escalate them for fixes.
Currently, PC2 has this ability
5. PC1 should be able to continue to access the Branch router securely after the
access-list troubleshooting is complete.
6. All users are complaining that they cannot access their cloud googlemail
accounts. No mail has been received this morning.