CCENT Lab 3 3 Traffic Filtering With ACLs v1.0.1

CCENT L A B GUIDE 3 -3
Interconnecting Cisco Network Devices

version 3.0
DAVID
DAVID
BOMBAL
BOMBAL
David Bombal CCNA Labs Lab 3.3
Lab 3-3: Traffic Filtering with Access Control

Lists (ACL’s)
Task 1: Initial Lab Setup & Configure an ACL
Task 2: Verify Connectivity
Task 3: Apply the ACL and Verify Counter
Task 4: Can you complete the Lab – Troubleshooting IP Access-lists
Visual Objective Lab 3-3: Traffic Filtering with ACL's
om
l.c
ba
om
db
vi
da
Rev 1.0.1 L3.3-1

Lab 3-3: Topology and IP Addressing Job Aid
Device Interface IP Addressing Services

PC1 10.1.1.100
PC2 10.1.1.101
Branch Router G0/0 209.165.201.1

G0/1 10.1.1.1
ISP Router G0/0 209.165.201.2 Telnet, SSH
G0/1 209.165.200.2
G0/2 209.165.202.1
om
ISP DNS Server 209.165.202.30
www.cisco.com 23.43.20.35 HTTP, HTTPS, FTP
l.c
www.facebook.com 31.13.65.38 HTTP, HTTPS
www.twitter.com 104.244.42.65 HTTP, HTTPS
ba
www.google.com 216.58.206.132 HTTP, HTTPS, FTP
om
ACL Overview
db
Access list numbers:

vi
 1-99 Standard IP ACL

da
 100-199 Extented IP ACL

 1300-1999 Expanded Standard IP ACL
 2000-2699 Expanded Extended IP ACL
Rev 1.0.1 L3.3-2

Access list filtering options:
 Standard - Source address

 Extended - Protocol, source & destination addresses, source & destination
port numbers, types, eq, neq, range and more
Other things to remember:
 Named ACLs can be either standard or extended.

 One ACL per interface, per direction, per protocol.

om
Order of statements in ACL is important - put more specific statements at the
beginning
 Last statement in an ACL is an implicit deny any

l.c
An ACL needs at least one permit entry (there are exceptions as always)
 Create ACL in global configuration and then apply on an interface - inbound
or outbound
ba
 Place extended ACLs as close to the source as possible
 Place standard ACLs as close to the destination as possible
om
 Always create the ACL before binding it to an interface.

db
vi
da
Rev 1.0.1 L3.3-3

NOTE: The following table of commands is reference only. Do not try to type
them all in your lab now. Follow the steps after the table.
Command List Useful Shortcut Description

Command
>enable >en Activates privilege exec mode
#configure #conf t Activates configuration Mode from the

terminal terminal
(config)#ip Configures an extended IP ACL

access-list
extended‘ACL-
name’
om
(config-ext- Specifies the ACL conditions
nacl)#{permit |
deny]
‘condition’
l.c
(config- (config-if)#int enables interface mode
if)#interface
‘interface’
ba
(config-if)#ip Attaches the ACL to an interface In or Out
access-group
om
‘ACL-
name’[in|out]
#show ip #sh ip int ‘in Displays IP statistics for an interface

interface
db
‘interface’
#show access- Displays ACL statistics information

vi
list ‘ACL-name’
#copy run start

da
Saves the running configuration to NVRAM
Rev 1.0.1 L3.3-4

Task 1: Initial Lab setup

Open the Packet Tracer file ‘CCENT Lab 3-3 Traffic Filtering with ACL's.pkt’
Configure an ACL
ACL’s enable administrators to control access to network resources based on packet

header information. You will configure appropriate ACLs to complete the following:
1. Deny Telnet and SSH access from PC2 to the Branch Router. Violations should
be logged.
2. Permit SSH only from PC1 to the Branch Router
3. Permit ALL users’ access to ONLY your ISP DNS server. Other public DNS
servers should be denied.
om
4. Permit PC1 (network admin user) to access Cisco, Twitter and Google secure
Website’s ONLY. Facebook access is NOT allowed
5. Permit PC2 (standard user) to access Cisco and Google Web and Secure
Websites ONLY. Facebook and Twitter access is not permitted.
l.c
6. Permit PC1 to Ping and Trace to any devices for connectivity testing purposes.
7. Deny PC2 Ping and Trace tools access to external resources.
ba
8. Permit ALL users on the internal network to access the Gmail server for their
business mail accounts.
9. Permit ALL users on the internal network to access to the HQ Server network
om
Web Servers.
10. All other traffic should be denied and logged to adhere to the company
acceptable use policy.
db
vi
da
Rev 1.0.1 L3.3-5

Step 1: Access the Branch router
Press RETURN to get started!
********************Warning********************************
Access to this device is restricted to Authorized personnel only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************************
User Access Verification
Username: ccna
Password: cisco
Branch>en
om
Password: secret123
Branch#
l.c
ba
Step 2: Configure an access-list to permit Telnet only from PC1 to the Branch Router
while denying PC2 any remote access to the device.
For this task, you will use a named standard access-list to identify PC1 as interesting
om
traffic. With regard to PC2 and any other users, you can take advantage of the
explicit deny all within the ACL to prevent PC2 gaining access.
db
Branch# conf t
Branch(config)# ip access-list standard Remote_Access
vi
Branch(config-std-nacl)# permit host 10.1.1.100

da
Branch(config-std-nacl)# deny any
Rev 1.0.1 L3.3-6

Note:
Packet Tracer does not support the use of the log keyword. The criteria
in the ACL tasks outlined said that all violations should be logged.
When an ACL is created, the ‘deny any’ statement is a hidden rule at
the bottom of the access-list. In order to log any violation of this policy,
network engineers will actually create the deny any statement and add
on the ‘log’ keyword at the end of the line so that it will appear in the
ACL entries and can be logged against. Without the log keyword
violations are not logged and you will be unaware of any attempts.
The last entry in this ACL in the real world would look like this:
Branch(config)# ip access-list standard Remote_Access

Branch(config-std-nacl)# permit host 10.1.1.100
om
Branch(config-std-nacl)# deny any log
Note:
l.c
ba
When any violations match against the entry, the device would send a
logging message on the console or other session with the following
output:
om
%SEC-6-IPACCESSLOGNP: list 1 Remote_Access denied 0

10.1.1.101 -> 0.0.0.0,
db
Step 3: Verify the access-list is configured correctly. The standard ACL number 1
vi
was the ACL used for NAT traffic in earlier labs.

da
Branch(config-std-nacl)# do sh ip access-list
--omitted--
Standard IP access list Remote_Access
10 permit host 10.1.1.100
20 deny any
Rev 1.0.1 L3.3-7

Step 4: Now, attach the access-list to the vty lines with the access-class command
and save your configuration.
Branch(config-std-nacl)# line vty 0 4

Branch(config-line)# access-class Remote_Access in
Branch(config-line)# end
Branch# copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
om
Step 5: Access PC1. Click on the Desktop tab and launch a Command Prompt to
test the ACL. Observe that both Telnet and SSH protocol access works.
l.c
ba
om
db
vi
da
Rev 1.0.1 L3.3-8

Step 6: Return to the Branch Router console session. Recall the statistics for the
access-list and observe the changes from Step 3.
Branch# sh access-list
10 permit host 10.1.1.100 (4 match(es))
20 deny any
Note:
without the deny statement actually being configured in the ACL there
would be no sequence no.20.
om
Observe that there are now 4 matches against the permit sequence of the ACL from
PC1’s telnet and ssh successful connections.
l.c
Step 7: Access PC2. Click on the Desktop tab and launch a Command Prompt to
ba
test the ACL. Observe the result of the attempted connections.
om
db
vi
da
Neither of the attempts were successful from PC2.
Rev 1.0.1 L3.3-9

Step 8: Return to the Branch Router console session. Recall the statistics for the
access-list and observe the results once more.
Branch# sh access-list
10 permit host 10.1.1.100 (4 match(es))
20 deny any (10 match(es))
Observe that there are now matches against the deny statement in the ACL. Packet
Tracer displays more ‘hits’ against the ACL than a real device would. A real scenario
would list 1 deny for each attempt.
om
Step 9: In this next step, you will configure another ACL as a packet filter to prevent
access to all servers and services as per the ACL outline criteria.
Configure an extended IP access-list named ‘Outbound_Access’ that will meet the
l.c
criteria outlined above. This ACL has to be an extended ACL as you are concerned
about source, destination, ports and protocols. Standard ACLs are only interested in
the source of a packet.
ba
Permit ONLY DNS requests via the ISP Server.
om
Branch# conf t
Branch(config)# ip access-list extended Outbound_Access
Branch(config-ext-nacl)# permit udp 10.1.1.0 0.0.0.255 host
db
209.165.202.30 eq 53
vi
In this access control list entry (ACE), UDP is the transport protocol, the network
da
10.1.1.0 /24 is the source, the ISP DNS server is the destination and DNS is
identified as the destination port.
Rev 1.0.1 L3.3-10

Step 10: During each access list entry, verify the access-list is being created
correctly.
Branch(config-ext-nacl)# do sh ip access-list Outbound_Access

Extended IP access list Outbound_Access
permit udp 10.1.1.0 0.0.0.255 host 209.165.202.30 eqdomain
Notice that the router has changed the port number of 53 to the word ‘domain’. You
can actually write the word or the port number for many of the ‘well-known’ service
ports. Both are supported.
Step 11: In order to know how to create the access-list entries in this case you will
om
need to discover what the server application addresses are on the Internet. In order
to do this connect to PC1 and open a Command Prompt.
Using the appropriate command, confirm the ISP server is your DNS server. Once
l.c
confirmed, use the nslookup utility to discover the server addresses involved in the
lab.
ba
om
db
vi
da
The ipconfig /all displays the DNS server at 209.165.202.30
Using the nslookup utility on PC1, verify the IP addresses of the cisco.com,
facebook.com, twitter.com and google.com servers ready to create the ACL entries.
Rev 1.0.1 L3.3-11

Note:
nslookup or name server lookup is an operating system command
line tool for querying the Domain Name System (DNS) to obtain the
domain name IP address mapping. Other tools are DIG and Hosts in
om
the Unix/Linux arena.
l.c
ba
om
db
vi
da
Rev 1.0.1 L3.3-12

We can now confirm that DNS resolves the Servers to the following IP Addresses
Cisco.com: 23.43.20.35
Facebook.com: 31.13.65.38
Twitter.com: 104.244.42.65
Google.com: 216.58.206.132
Step 12: Using the nslookup information, we can now create the ACL entries.
 Permit PC1 (network admin user) to access Cisco, Twitter and Google secure
Website’s ONLY. Facebook access is NOT allowed
 Permit PC2 (standard user) to access Cisco and Google Web and Secure
om
Websites ONLY. Facebook and Twitter access is not permitted
l.c
Return to the Branch Router to create the permit conditions for PC1 and PC2
Website access. We will also add in a ‘remark’ to comment on the detail of the ACL
entries so you and other engineers who view the ACL will follow the statements
ba
easier.
PC1 entries are:

om
Branch(config-ext-nacl)# permit tcp host 10.1.1.100 host 23.43.20.35

eq 443
Branch(config-ext-nacl)# remark cisco.com IP:23.43.20.35
db
Branch(config-ext-nacl)# permit tcp host 10.1.1.100 host

104.244.42.65 eq 443
vi
Branch(config-ext-nacl)# remark twitter.com IP:104.244.42.65

da
216.58.206.132 eq 443
Branch(config-ext-nacl)# remark google.com IP:216.58.206.132
Note:
Port 443 referenced in the ACL entries is the Secure Web Server port.
Any traffic sent and received over these connections is encrypted by
SSL/TLS (Secure Sockets Layer/Transport Layer Security)
Rev 1.0.1 L3.3-13

PC2 entries are:

Branch(config-ext-nacl)# permit tcp host 10.1.1.101 host 23.43.20.35
eq 443
216.58.206.132 eq 443
Note:
You do not need to make explicit DENY statements to prevent
Facebook.com or other http sites as the implicit deny at the end of the
ACL will take care of this for us.
Step 13: Next are the following entries:
om
 Permit PC1 to Ping and Trace to any devices for connectivity testing
purposes.
 Deny ALL other users Ping and Trace tool access to external resources.
l.c
Branch(config-ext-nacl)# permit icmp host 10.1.1.100 any echo
ba
Branch(config-ext-nacl)# permit icmp host 10.1.1.100 any echo-reply
Branch(config-ext-nacl)# permit udp host 10.1.1.100 any gt 33434
om
Branch(config-ext-nacl)# remark trace uses udp ports 33434 and

above
db
Note:
Remember, although the criteria talks about all other users being
vi
denied, you do not need to make explicit DENY statements to prevent

ping and trace as the implicit deny at the end of the ACL will take care
da
of this for us. Another ‘remark’ is entered to explain the complexities of

trace in Cisco IOS. In practice, many companies will prevent ping and
trace functions, although this will hamper troubleshooting efforts.
Rev 1.0.1 L3.3-14

Step 14: Next are the final conditions of the ACL.
 Permit ALL users on the internal network to access the Gmail server for their
business mail accounts.
 Permit ALL users on the internal network to access to the HQ Server network
Web Servers.
 All other traffic should be denied and logged to adhere to the company
acceptable use policy.
Recall that nslookup provided you with the IP Address of the Google.com server.
Create the ACL entry to permit ALL users access to their Gmail accounts.
Branch(config-ext-nacl)# permit tcp any host 216.58.206.132 eq 25

Branch(config-ext-nacl)# permit tcp any host 216.58.206.132 eq 110
Branch(config-ext-nacl)# remark Googlemail uses SMTP and POP3 ports
in Packet Tracer.
om
Branch(config-ext-nacl)#
Branch(config-ext-nacl) #permit tcp 10.1.1.0 0.0.0.255 172.16.0.0
0.0.255.255 eq 80
Branch(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 172.16.0.0
l.c
0.0.255.255 eq 443
Branch(config-ext-nacl)#
Branch(config-ext-nacl)# deny ip any any
ba
om
Note:
Remember, Packet Tracer does not allow logging, but will show the
deny statement written at the end of the ACL if it is typed in.
db
vi
da
Rev 1.0.1 L3.3-15

Step 15: Review the complete ACL. (Packet Tracer does not add in sequence
numbering to the ACL entries if you use the specific show ip access-list
Outbound_Access’ – try this for yourself!) ACL entries are sequenced in increments
of 10 from the first entry in order to indicate the order of processing and the ability to
EDIT or remove individual statements. This is ONLY the case in NAMED ACLs,
hence why named ACLs are the recommended method for packet filtering on
interfaces. Packet Tracer will however, show the sequencing in the ACL if you omit
the nameof the ACL on the verification step as shown below.
Branch(config-ext-nacl)# do sh ip access-list
10 permit udp 10.1.1.0 0.0.0.255 host 209.165.202.30 eq domain
20 permit tcp host 10.1.1.100 host 23.43.20.35 eq 443
om
70 permit icmp host 10.1.1.100 any echo
80 permit icmp host 10.1.1.100 any echo-reply
90 Permit udp host 10.1.1.100 any gt 33434
l.c
100 permit tcp any host 216.58.206.132 eqsmtp
110 permit tcp any host 216.58.206.132 eq pop3
120 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www
ba
130 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443
140 deny ip any any
om
Also, observe that there are no remarks in the above output. The ‘comments’ are
visible when a ‘show run’ command is executed.
db
Branch# sh run | begin access-list extended

vi
ip access-list extended Outbound_Access

permit udp 10.1.1.0 0.0.0.255 host 209.165.202.30 eq domain
! permit tcp host 10.1.1.100 host 23.43.20.35 eq 443
da
remark cisco.com IP:23.43.20.35

permit tcp host 10.1.1.100 host 104.244.42.65 eq 443
remark facebook.com IP:104.244.42.65
remark google.com IP:216.58.206.132
permit icmp host 10.1.1.100 any echo
permit icmp host 10.1.1.100 any echo-reply
permit udp host 10.1.1.100 any gt 33434
remark trace uses udp ports 33434 and above
permit tcp any host 216.58.206.132 eqsmtp
permit tcp any host 216.58.206.132 eq pop3
remark Googlemail uses SMTP and POP3 ports in Packet Tracer.
permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www
permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443
deny ip any any
Rev 1.0.1 L3.3-16

Step 16: Save your running configuration

[OK]
Task 2. Verify Connectivity.

Prior to attaching the ACL to an interface to filter the packets, take a moment to
verify that connections and services are available. Once you have verified working
connections, the ACL will then be attached to and further verification steps will
confirm the successful workings of the ACL.
om
Step 1: Access PC1 Desktop tab. Open the Web Browser and test connections to
the Web Servers on the Internet
l.c
PC1 Cisco.com http and https access
ba
om
db
vi
da
Result: The Cisco.com Training and Certifications page opens successfully.
Rev 1.0.1 L3.3-17

PC1 Facebook.com access:
om
l.c
ba
Result: The Facebook.com login page opens successfully.
om
PC1 Twitter.com access:

db
vi
da
Result: The twitter.com login page opens successfully.
Rev 1.0.1 L3.3-18

PC1 Google.com access:
om
l.c
ba
Result: The google.com search engine opens successfully.
om
db
vi
da
Rev 1.0.1 L3.3-19

Task 3: Apply the ACL and Verify Counters

Step 1: Return to the Branch router and apply the ACL in the inbound direction on
the G0/1 (LAN) interface. The directionality is very important and the way to
understand this is from the Router viewpoint. In this case, the ACL is viewed from the
routers perspective as the traffic come inbound on the LAN interface G0/1.
Save your configuration.
Branch# conf t
Branch(config)# int g0/1
Branch(config-if)# ip access-group Outbound_Access in
Branch(config-if)# end
Branch#

om
[OK]
l.c
Note:
ACLs are applied using the ip access-group [name|number] [in|out]
ba
command
Step 2: Using the appropriate command verify the ACL is attached to the G0/1
om
interface
db
Branch# sh ip interface g0/1

GigabitEthernet0/1 is up, line protocol is up (connected)
Internet address is 10.1.1.1/24
vi
Broadcast address is 255.255.255.255

Address determined by setup command
da
MTU is 1500 bytes

Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is Outbound_Access
Proxy ARP is enabled
Security level is default
Split horizon is enabled
The ACL is correctly applied and packet filtering can now be tested.
Rev 1.0.1 L3.3-20

Step 3: Return to PC1. Test secure http access to cisco.com, twitter.com and
google.com
om
l.c
Result: Success on https access. ba
om
db
Result: Failure on http access

vi
da
Rev 1.0.1 L3.3-21

om
l.c
ba
Result: Success on https access
om
db
Result: Failure on http access

vi
da
Rev 1.0.1 L3.3-22

om
l.c
Result: Success on https access.
ba
om
db
vi
Result: Failure on http access.

da
Rev 1.0.1 L3.3-23

Step 4: From PC1, Test access to facebook.com
Result: Failure on https access.
om
l.c
Result: Failure on https access.
ba
The access list is working as expected so far. You may need to view the access-list
counters to confirm that the pages are trying to connect and refresh to verify the
om
ACL. To do this return to the Branch router and recall the appropriate command to
view the ACL counters
db
vi
da
Rev 1.0.1 L3.3-24

Branch# sh ip access-list
Standard IP access list 1
10 permit 10.1.0.0 0.0.255.255 (108 match(es))
These are the NAT matches

(22 match(es))
DNS is working
20 permit tcp host 10.1.1.100 host 23.43.20.35 eq 443 (130

match(es))
cisco.com is working
match(es))
twitter.com is working
match(es))
om
google.com is working
70 permit icmp host 10.1.1.100 any echo
l.c
90 permit udp host 10.1.1.100 any gt 33434
ba
120 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www
130 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443
140 deny ip any any (139 match(es))
om
facebook.com is being denied!

refreshing the page will see the counters increment
db
vi
da
Rev 1.0.1 L3.3-25

Step 5: From PC2, Test access to permitted cisco.com and google.com Secure Web
Sites.
om
l.c
ba
om
db
Result: https connections are successful, http fails.

vi
da
Rev 1.0.1 L3.3-26

om
l.c
ba
om
db
Result: https connections are successful, http fails.

vi
Note:
da
Connections attempted to either plain http or secure-http sessions with

twitter.com and facebook.com are denied for PC2. If you verify this, the
‘deny ip any any’ line will increment by 12 packets matched each
time a connection is attempted with the denied services until the
connection receives a ‘timeout request’.
This way, you can be sure that it is a denial from the ACL and not a
routing issue.
Rev 1.0.1 L3.3-27

Step 6: From PC1, open a command prompt from the desktop tab to verify the Ping
and Trace utilities work.
C:\> ping cisco.com
Pinging 23.43.20.35 with 32 bytes of data:

Reply from 23.43.20.35: bytes=32 time=1ms TTL=126
Reply from 23.43.20.35: bytes=32 time<1ms TTL=126
Ping statistics for 23.43.20.35:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 13ms, Average = 3ms
om
C:\> ping twitter.com

l.c
ba
om
C:\> ping facebook.com

db

vi

da

C:\> ping google.com



Rev 1.0.1 L3.3-28

Step 7: Sixteen successful round trip pings are completed.
Verify the counters by repeating the access-list verification counters on the Branch
Router.
10 permit udp 10.1.1.0 0.0.0.255 host 209.165.202.30 eq domain (40
match(es))
match(es))
match(es))
match(es))
match(es))
om
match(es))
70 permit icmp host 10.1.1.100 any echo (16 match(es))
l.c
120 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www
ba
130 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443
om
db
vi
da
Rev 1.0.1 L3.3-29

Step 8: From PC1, verify that Trace also works as a tool.
C:\> tracert cisco.com
Tracing route to 23.43.20.35 over a maximum of 30 hops:

1 0 ms 0 ms 1 ms 10.1.1.1
2 0 ms 13 ms 0 ms 209.165.201.2
3 0 ms 0 ms 11 ms 23.43.20.35
Trace complete.
C:\> tracert twitter.com
om
1 0 ms 0 ms 0 ms 10.1.1.1
2 0 ms 0 ms 0 ms 209.165.201.2
3 12 ms 13 ms 3 ms 104.244.42.65
Trace complete.
l.c
ba
C:\> tracert facebook.com
om
1 0 ms 0 ms 0 ms 10.1.1.1
2 0 ms 1 ms 12 ms 209.165.201.2
3 1 ms 1 ms 3 ms 31.13.65.38
db
Trace complete.
vi
C:\>tracert google.com
da
1 0 ms 0 ms 0 ms 10.1.1.1
2 0 ms 0 ms 15 ms 209.165.201.2
3 0 ms 1 ms 0 ms 216.58.206.132
Trace complete.
Result: All tracert lookups complete successfully.
Rev 1.0.1 L3.3-30

Step 9: Verify the counters by repeating the access-list verification counters on the
Branch Router to confirm that Tracert is allowed and the counters are incrementing.
(46 match(es))
match(es))
match(es))
match(es))
match(es))
match(es))
om
70 permit icmp host 10.1.1.100 any echo (70 match(es))
l.c
120 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www
130 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443
ba
Matches on the icmp permit are allowing the PC tracert utility to complete
om
successfully.
db
Step 10: From PC2, open a command prompt from the desktop tab to verify the Ping
and Trace utilities are denied through the Branch router.
vi
da
C:\> ping cisco.com

Reply from 10.1.1.1: Destination host unreachable.

C:\> ping facebook.com


Rev 1.0.1 L3.3-31

C:\> ping twitter.com




om

l.c

ba
C:\> tracert cisco.com
om

1 0 ms 0 ms 1 ms 10.1.1.1
2 0 ms 0 ms 0 ms 10.1.1.1
db
3 0 ms 0 ms 0 ms 10.1.1.1
Control-C
Trace complete.
vi
da

1 0 ms 0 ms 0 ms 10.1.1.1
2 0 ms 0 ms 0 ms 10.1.1.1
3 1 ms 0 ms 0 ms 10.1.1.1
Control-C

1 0 ms 0 ms 0 ms 10.1.1.1
2 0 ms 0 ms 0 ms 10.1.1.1
3 1 ms 0 ms 0 ms 10.1.1.1
Control-C
Rev 1.0.1 L3.3-32

C:\> tracert facebook.com

1 0 ms 10 ms 0 ms 10.1.1.1
2 0 ms 1 ms 6 ms 10.1.1.1
3 0 ms 0 ms 0 ms 10.1.1.1
Control-C
C:\> tracert google.com

1 0 ms 0 ms 1 ms 10.1.1.1
2 0 ms 9 ms 0 ms 10.1.1.1
3 4 ms 0 ms 0 ms 10.1.1.1
Control-C
^C
om
Note:
All Pings and Tracert tools are denied. The Branch router returning
unreachable or ONLY its gateway address on a trace respectively. No
l.c
packets for these utilities are allowed through the router from PC2
ba
The Lab is complete.
om
db
vi
da
Rev 1.0.1 L3.3-33

Task 4: Can you complete the Lab – Troubleshooting IP Access-

lists
Assessment File: CCENT Lab 3-3: Troubleshooting access-lists
Tyrell Corporation have just called to say that some of their users are now accessing
web pages that should be blocked. They are quite anxious to have this resolved as
soon as possible as it is effecting genuine users accessing external business sites
essential for the business.
Also, one of the first line support team at Tyrell have also noticed that they can use
telnet to access the Branch router. They have also noticed that when they login to
PC2, it is also possible to connect to the Branch router. They have escalated this to
you to check and resolve.
om
You have been asked to resolve this a soon as possible and report back to Tyrell
when it is resolved.
Access Credentials:
l.c
Username: ccna
Password: cisco
ba
Enable Password: secret123
om
Your task is to ensure the following Policy is set:
1. PC1 can access the Branch Router securely only. PC2 should have no
db
access and any attempts should be logged. Currently PC1 and PC2 can
access the Branch router by telnet
vi
2. PC1 must be able to access cisco.com, twitter.com and google.com websites

via https only.
da
3. PC2 should only be able to access google.com and cisco.com via https. PC2
should have no access to any insecure sites. Facebook and twitter should be
block for PC2. Currently PC1 and PC2 can access all sites including
gambling and other sites.
4. Only PC1 should be able to use command line troubleshooting tools of ping
and trace to discover any initial problems and then escalate them for fixes.
Currently, PC2 has this ability
5. PC1 should be able to continue to access the Branch router securely after the
access-list troubleshooting is complete.
6. All users are complaining that they cannot access their cloud googlemail
accounts. No mail has been received this morning.
Rev 1.0.1 L3.3-34

CCENT Lab 3 3 Traffic Filtering With ACLs v1.0.1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCENT Lab 3 3 Traffic Filtering With ACLs v1.0.1

Uploaded by

Copyright:

Available Formats

CCENT L A B GUIDE 3 -3

Interconnecting Cisco Network Devices

Lab 3-3: Traffic Filtering with Access Control

Task 2: Verify Connectivity

Task 3: Apply the ACL and Verify Counter

Task 4: Can you complete the Lab – Troubleshooting IP Access-lists

Visual Objective Lab 3-3: Traffic Filtering with ACL's

Rev 1.0.1 L3.3-1

Lab 3-3: Topology and IP Addressing Job Aid

Device Interface IP Addressing Services

Branch Router G0/0 209.165.201.1

Access list numbers:

 1-99 Standard IP ACL

 100-199 Extented IP ACL

Rev 1.0.1 L3.3-2

Access list filtering options:

 Standard - Source address

Other things to remember:

 Named ACLs can be either standard or extended.

 Always create the ACL before binding it to an interface.

Rev 1.0.1 L3.3-3

Command List Useful Shortcut Description

#configure #conf t Activates configuration Mode from the

(config)#ip Configures an extended IP ACL

#show ip #sh ip int ‘in Displays IP statistics for an interface

#show access- Displays ACL statistics information

#copy run start

Saves the running configuration to NVRAM

Rev 1.0.1 L3.3-4

Task 1: Initial Lab setup

ACL’s enable administrators to control access to network resources based on packet

Rev 1.0.1 L3.3-5

Step 1: Access the Branch router

Press RETURN to get started!

User Access Verification

Branch(config-std-nacl)# permit host 10.1.1.100

Branch(config-std-nacl)# deny any

Rev 1.0.1 L3.3-6

Branch(config)# ip access-list standard Remote_Access

%SEC-6-IPACCESSLOGNP: list 1 Remote_Access denied 0

was the ACL used for NAT traffic in earlier labs.

Rev 1.0.1 L3.3-7

Branch(config-std-nacl)# line vty 0 4

Rev 1.0.1 L3.3-8

Neither of the attempts were successful from PC2.

Rev 1.0.1 L3.3-9

Configure an extended IP access-list named ‘Outbound_Access’ that will meet the

Rev 1.0.1 L3.3-10

Branch(config-ext-nacl)# do sh ip access-list Outbound_Access

The ipconfig /all displays the DNS server at 209.165.202.30

Rev 1.0.1 L3.3-11

Rev 1.0.1 L3.3-12

PC1 entries are:

Branch(config-ext-nacl)# permit tcp host 10.1.1.100 host 23.43.20.35

Branch(config-ext-nacl)# permit tcp host 10.1.1.100 host

Branch(config-ext-nacl)# remark twitter.com IP:104.244.42.65

Rev 1.0.1 L3.3-13

PC2 entries are:

Step 13: Next are the following entries:

Branch(config-ext-nacl)# remark trace uses udp ports 33434 and

denied, you do not need to make explicit DENY statements to prevent

of this for us. Another ‘remark’ is entered to explain the complexities of

Rev 1.0.1 L3.3-14