Topology
Addressing Table

Device | Interface    | IP Address   | Subnet Mask     | Default Gateway
HQ     | G0/1         | 192.168.1.1  | 255.255.255.0   | N/A
       | S0/0/1       | 10.1.1.2     | 255.255.255.252 | N/A
       | Lo0          | 192.168.4.1  | 255.255.255.0   | N/A
ISP    | G0/1         | 192.168.3.1  | 255.255.255.0   | N/A
       | S0/0/0 (DCE) | 10.1.1.1     | 255.255.255.252 | N/A
S1     | VLAN 1       | 192.168.1.11 | 255.255.255.0   | 192.168.1.1
S3     | VLAN 1       | 192.168.3.11 | 255.255.255.0   | 192.168.3.1
PC-A   | NIC          | 192.168.1.3  | 255.255.255.0   | 192.168.1.1
PC-C   | NIC          | 192.168.3.3  | 255.255.255.0   | 192.168.3.1
Objectives
Part 1: Build the Network and Configure Basic Device Settings
Part 2: Troubleshoot Internal Access
Part 3: Troubleshoot Remote Access
Background / Scenario
An access control list (ACL) is a series of IOS commands that provide basic traffic filtering on a Cisco router. ACLs are used to select the types of traffic to be processed. A single ACL statement is called an access control entry (ACE). The ACEs in an ACL are evaluated from top to bottom, the first ACE that matches a packet decides its fate, and an implicit deny-all ACE sits at the end of every list. ACLs can also control the types of traffic into or out of a network by the source and destination hosts or networks. To process the desired traffic correctly, the placement of the ACLs (which interface, and which direction relative to the router) is critical.
In this lab, a small company has just
added a web server to the network to allow customers to access confidential
information. The company network is divided into two zones: Corporate network
zone and Demilitarized Zone (DMZ). The corporate network zone houses private
servers and internal clients. The DMZ houses the externally accessible web
server (simulated by Lo0 on HQ). Because the company can only administer its
own HQ router, all ACLs must be applied to the HQ router.
· ACL 101 is implemented to limit the traffic out of the corporate network zone. This zone houses the private servers and internal clients (192.168.1.0/24); only packets sourced from that network may leave it, so nothing with any other (possibly spoofed) source address gets out.
· ACL 102 is used to limit the traffic into the corporate network. Only responses to requests that originated from within the corporate network are allowed back in. This includes the return traffic of TCP-based requests from internal hosts, such as Web and FTP. ICMP is allowed into the network for troubleshooting purposes, so that ICMP messages generated in response to pings from internal hosts (echo replies and unreachables) can be received by those hosts.
· ACL 121 controls outside traffic to the DMZ and the corporate network. Only HTTP traffic is allowed to the DMZ web server (simulated by Lo0 on HQ). Other network-related traffic, such as EIGRP, is allowed from outside networks. Furthermore, packets arriving from outside with source addresses that should never appear there, namely the internal private range 192.168.1.0/24, the loopback range 127.0.0.0/8 and multicast addresses (224.0.0.0/4), are denied entry to prevent spoofing attacks from outside users.
Note: The routers used with CCNA hands-on labs
are Cisco 1941 Integrated Services Routers (ISRs) with Cisco IOS Release 15.2(4)M3
(universalk9 image). The switches used are Cisco Catalyst 2960s with Cisco IOS Release
15.0(2) (lanbasek9 image). Other routers, switches and Cisco IOS versions can
be used. Depending on the model and Cisco IOS version, the commands available
and output produced might vary from what is shown in the labs. Refer to the
Router Interface Summary Table at the end of the lab for the correct interface
identifiers.
Note: Make sure that the routers and switches have been erased and have
no startup configurations. If you are unsure, contact your instructor.
Required Resources
· 2 Routers (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
· 2 Switches (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
· 2 PCs (Windows 7, Vista, or XP with terminal emulation program, such as Tera Term)
· Console cables to configure the Cisco IOS devices via the console ports
· Ethernet and serial cables as shown in the topology
Part 1: Build the Network and Configure Basic Device Settings
In Part 1, you set up the network
topology and configure the routers and switches with some basic settings, such
as passwords and IP addresses. Preset configurations are also provided for you
for the initial router configurations. You will also configure the IP settings
for the PCs in the topology.
Step 1: Cable the network as shown in the topology.
Step 2: Configure PC hosts.
Step 3: Initialize and reload the routers and switches as necessary.
Step 4: (Optional) Configure basic settings for each switch.
a. Disable DNS lookup.
b. Configure host names as shown in the Topology.
c. Configure the IP address and default gateway from the Addressing Table.
d. Assign cisco as the console and vty passwords.
e. Assign class as the privileged EXEC password.
f. Configure logging synchronous to prevent console messages from interrupting command entry.
Step 5: Configure basic settings for each router.
a. Disable DNS lookup.
b. Configure host names as shown in the topology.
c. Assign cisco as the console and vty passwords.
d. Assign class as the privileged EXEC password.
e. Configure logging synchronous to prevent console messages from interrupting command entry.
Step 6: Configure HTTP access and user credentials on HQ router.
Local user credentials are configured to access the simulated web server (192.168.4.1).
HQ(config)# ip http server
HQ(config)# username admin privilege 15 secret adminpass
HQ(config)# ip http authentication local
Note: ip http server enables plain HTTP, so the admin credentials cross the serial link unencrypted. That is acceptable for this lab; outside a lab, enable ip http secure-server (HTTPS) instead and do not reuse a privilege 15 account for a web login.
Step 7:
Load router configurations.
The configurations for the routers ISP
and HQ are provided for you. There are errors within these configurations, and
it is your job to determine the incorrect configurations and correct them.
Router ISP
hostname ISP
interface GigabitEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 no shutdown
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 128000
 no shutdown
router eigrp 1
 network 10.1.1.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
end
Router HQ
hostname HQ
interface Loopback0
 ip address 192.168.4.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 out
 ip access-group 102 in
 no shutdown
interface Serial0/0/1
 ip address 10.1.1.2 255.255.255.252
 ip access-group 121 in
 no shutdown
router eigrp 1
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 network 192.168.4.0
 no auto-summary
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 102 permit tcp any any established
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any
access-list 121 permit tcp any host 192.168.4.1 eq 89
access-list 121 deny icmp any host 192.168.4.11
access-list 121 deny ip 192.168.1.0 0.0.0.255 any
access-list 121 deny ip 127.0.0.0 0.255.255.255 any
access-list 121 deny ip 224.0.0.0 31.255.255.255 any
access-list 121 permit ip any any
access-list 121 deny ip any any
end
Part 2: Troubleshoot Internal Access
In Part 2, the ACLs on router HQ are
examined to determine if they are configured correctly.
Step 1: Troubleshoot ACL 101
ACL 101 is implemented to limit the traffic out of the corporate network zone. This zone houses only internal clients and private servers. Only traffic sourced from the 192.168.1.0/24 network may exit the corporate network zone.
a. Can PC-A ping its default gateway? ______________
b. After verifying that PC-A was configured correctly, examine the HQ router to find possible configuration errors by viewing the summary of ACL 101. Enter the show access-lists 101 command.
HQ# show access-lists 101
Extended IP access list 101
    10 permit ip 192.168.11.0 0.0.0.255 any
    20 deny ip any any
c. Are there any problems with ACL 101?
____________________________________________________________________________________
d. Examine the default gateway interface for the 192.168.1.0/24 network. Verify that ACL 101 is applied in the correct direction on the G0/1 interface. Enter the show ip interface g0/1 command.
HQ# show ip interface g0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 192.168.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is 101
  Inbound access list is 102
Is the direction for interface G0/1 configured correctly for ACL 101?
____________________________________________________________________________________
e. Correct the errors found regarding ACL 101 and verify that traffic from network 192.168.1.0/24 can exit the corporate network. Record the commands used to correct the errors.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
f. Verify that PC-A can ping its default gateway interface.
Step 2: Troubleshoot ACL 102
ACL 102 is implemented to limit traffic into the corporate network. Traffic that originates from the outside network is not allowed onto the corporate network. Remote traffic is allowed into the corporate network only when it belongs to a connection that was established from the internal network. ICMP reply messages are allowed for troubleshooting purposes.
a. Can PC-A ping PC-C? ____________
b. Examine the HQ router to find possible configuration errors by viewing the summary of ACL 102. Enter the show access-lists 102 command.
HQ# show access-lists 102
Extended IP access list 102
    10 permit tcp any any established
    20 permit icmp any any echo-reply
    30 permit icmp any any unreachable
    40 deny ip any any (57 matches)
c. Are there any problems with ACL 102?
____________________________________________________________________________________
d. Verify that ACL 102 is applied in the correct direction on the G0/1 interface. Enter the show ip interface g0/1 command.
HQ# show ip interface g0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 192.168.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is 101
  Inbound access list is 101
e. Are there any problems with the application of ACL 102 to interface G0/1?
____________________________________________________________________________________
f. Correct any errors found regarding ACL 102. Record the commands used to correct the errors.
g. Can PC-A ping PC-C now? __________
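The placement checks in Part 2 (and the one in Part 3) all come down to reading the two "access list is" lines of show ip interface and comparing them with where each ACL should sit. The following script is an added example, not part of the Cisco lab: it parses that output and reports discrepancies. The G0/1 output embedded in it is the text shown in Step 2 d above; the EXPECTED mapping is derived here from the Background's description of each ACL (direction is relative to the router interface, not to the zone) and is not copied from the lab.

```python
"""Added example, not part of the Cisco lab: check the ACL placement that
'show ip interface' reports against the intended policy. The G0/1 output below
is the text shown in Part 2 Step 2 d; the EXPECTED mapping is derived here from
the Background's description of each ACL, it is not copied from the lab."""
import re

# Direction is relative to the router, not to the zone: traffic leaving the
# corporate LAN *enters* HQ on G0/1, so ACL 101 (limits what leaves the zone)
# belongs inbound there, and ACL 102 (limits what enters the zone) outbound.
# ACL 121 screens what arrives from the ISP, so it is inbound on S0/0/1.
EXPECTED = {
    "GigabitEthernet0/1": {"in": "101", "out": "102"},
    "Serial0/0/1": {"in": "121", "out": None},
}

SHOW_IP_INTERFACE_G01 = """\
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 192.168.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is 101
  Inbound access list is 101
"""

_IFACE = re.compile(r"^(\S+) is .*line protocol is")
_ACL = re.compile(r"^\s*(Outgoing|Inbound) access list is (.+?)\s*$")


def parse_show_ip_interface(text):
    """Return {interface: {"in": acl or None, "out": acl or None}} from one or
    more concatenated 'show ip interface' blocks."""
    result, current = {}, None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"in": None, "out": None}
            continue
        m = _ACL.match(line)
        if m and current:
            key = "out" if m.group(1) == "Outgoing" else "in"
            result[current][key] = None if m.group(2) == "not set" else m.group(2)
    return result


def placement_findings(observed, expected=EXPECTED):
    """Human-readable discrepancies between observed and expected placement;
    an empty list means every interface carries the intended ACLs."""
    findings = []
    for iface, want in expected.items():
        got = observed.get(iface)
        if got is None:
            findings.append(f"{iface}: no 'show ip interface' output")
            continue
        for direction in ("in", "out"):
            if got[direction] != want[direction]:
                findings.append(f"{iface} {direction}: expected "
                                f"{want[direction] or 'none'}, found {got[direction] or 'none'}")
    return findings


if __name__ == "__main__":
    for finding in placement_findings(parse_show_ip_interface(SHOW_IP_INTERFACE_G01)):
        print(finding)
```

Run against the Step 2 d output it reports that G0/1 carries 101 outbound where 102 should be (the symptom of re-applying 101 inbound without restoring 102), and that no Serial0/0/1 block was supplied; paste the whole show ip interface output from HQ to check every interface at once. Remember that an interface holds one ACL per direction, so applying a new ip access-group in silently replaces the previous one.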
Part 3: Troubleshoot Remote Access
In Part 3, ACL 121 is configured to prevent spoofing attacks from the outside networks and to allow only remote HTTP access to the web server (192.168.4.1) in the DMZ.
a. Verify that ACL 121 has been configured correctly. Enter the show ip access-lists 121 command.
HQ# show ip access-lists 121
Extended IP access list 121
    10 permit tcp any host 192.168.4.1 eq 89
    20 deny icmp any host 192.168.4.11
    30 deny ip 192.168.1.0 0.0.0.255 any
    40 deny ip 127.0.0.0 0.255.255.255 any
    50 deny ip 224.0.0.0 31.255.255.255 any
    60 permit ip any any (354 matches)
    70 deny ip any any
Are there any problems with this ACL?
____________________________________________________________________________________
____________________________________________________________________________________
b. Verify that ACL 121 is applied in the correct direction on the HQ S0/0/1 interface. Enter the show ip interface s0/0/1 command.
HQ# show ip interface s0/0/1
Serial0/0/1 is up, line protocol is up
  Internet address is 10.1.1.2/30
  Broadcast address is 255.255.255.255
  <output omitted>
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound access list is 121
Are there any problems with the application of this ACL?
____________________________________________________________________________________
____________________________________________________________________________________
c. If any errors were found, make and record the necessary configuration changes to ACL 121.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
d. Verify that PC-C can only access the simulated web server on HQ by using the web browser. Provide the username admin and password adminpass to access the web server (192.168.4.1).
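Reasoning about ACL 101, 102 and 121 by hand (top-down, first match wins, implicit deny at the end, wildcard masks, the established keyword) is exactly what Parts 2 and 3 ask for. The evaluator below is an added example, not part of the Cisco lab: it implements those IOS matching rules for the ACE syntax used on HQ and runs the loaded ACLs against constructed packets. The *_LOADED lists are copied from the Part 1 configuration; ACL_121_FIXED, the packets and the permit-all behaviour for an empty list (what IOS does when an access-group references an ACL that has been deleted, the situation in Reflection question 2) are this example's own constructions, and the "fixed" ordering is one that satisfies the policy stated in the Background, not the lab's answer key.

```python
"""Added example, not part of the Cisco lab: an evaluator for the subset of IOS
extended-ACL syntax used on HQ, so the ACLs can be checked against constructed
packets. The *_LOADED lists are copied from Part 1; everything else is mine."""
from collections import namedtuple
import ipaddress

ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3}
# flags: TCP flags as strings ("syn", "ack", "rst"); icmp_type: ICMP type number.
Packet = namedtuple("Packet", "proto src dst sport dport flags icmp_type",
                    defaults=(0, 0, frozenset(), None))

def parse_ace(ace):
    """(action, protocol, remaining tokens); accepts 'access-list N ...' or a bare ACE."""
    tokens = ace.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def _match_addr(tokens, addr):
    """Consume 'any' | 'host A' | 'A WILDCARD' and test addr against it."""
    a = int(ipaddress.ip_address(addr))
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return a == int(ipaddress.ip_address(tokens[1])), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    care = ~wildcard & 0xFFFFFFFF          # a set wildcard bit means "don't care"
    return (a & care) == (int(ipaddress.ip_address(tokens[0])) & care), tokens[2:]

def _match_port(tokens, port):
    """Consume an optional 'eq PORT' qualifier (numeric ports only)."""
    if tokens and tokens[0] == "eq":
        return port == int(tokens[1]), tokens[2:]
    return True, tokens

def ace_matches(ace, pkt):
    """True when the packet matches every field and qualifier of the ACE."""
    _, proto, rest = parse_ace(ace)
    if proto != "ip" and proto != pkt.proto:
        return False
    for fn, value in [(_match_addr, pkt.src), (_match_port, pkt.sport),
                      (_match_addr, pkt.dst), (_match_port, pkt.dport)]:
        if fn is _match_port and proto not in ("tcp", "udp"):
            continue                        # ports exist only for tcp/udp ACEs
        ok, rest = fn(rest, value)
        if not ok:
            return False
    for qual in rest:                       # trailing qualifiers
        if qual == "established":           # only segments with ACK or RST set
            ok = bool(pkt.flags & {"ack", "rst"})
        elif proto == "icmp" and qual in ICMP_TYPES:
            ok = pkt.icmp_type == ICMP_TYPES[qual]
        else:
            raise ValueError(f"unsupported qualifier {qual!r} in {ace!r}")
        if not ok:
            return False
    return True

def evaluate(acl, pkt):
    """IOS semantics: top down, first match wins, implicit 'deny ip any any'.
    Reflection 2 caveat: an access-group naming an ACL with no entries (e.g. right
    after 'no access-list 101') filters nothing, so an empty list permits all."""
    if not acl:
        return "permit", "no ACEs: interface passes all traffic"
    for ace in acl:
        if ace_matches(ace, pkt):
            return parse_ace(ace)[0], ace
    return "deny", "implicit deny ip any any"

ACL_101_LOADED = ["permit ip 192.168.11.0 0.0.0.255 any", "deny ip any any"]
ACL_101_FIXED = ["permit ip 192.168.1.0 0.0.0.255 any", "deny ip any any"]  # network from the lab text
ACL_102 = ["permit tcp any any established", "permit icmp any any echo-reply",
           "permit icmp any any unreachable", "deny ip any any"]
ACL_121_LOADED = ["permit tcp any host 192.168.4.1 eq 89", "deny icmp any host 192.168.4.11",
                  "deny ip 192.168.1.0 0.0.0.255 any", "deny ip 127.0.0.0 0.255.255.255 any",
                  "deny ip 224.0.0.0 31.255.255.255 any", "permit ip any any", "deny ip any any"]
# One ordering that meets the Background's stated policy (my construction, not the
# lab answer key): anti-spoofing denies first, then only HTTP to the DMZ server,
# EIGRP, and the ICMP replies the Part 2 ping tests rely on.
ACL_121_FIXED = ["deny ip 192.168.1.0 0.0.0.255 any", "deny ip 127.0.0.0 0.255.255.255 any",
                 "deny ip 224.0.0.0 31.255.255.255 any", "permit tcp any host 192.168.4.1 eq 80",
                 "permit eigrp any any", "permit icmp any any echo-reply",
                 "permit icmp any any unreachable", "deny ip any any"]

# Constructed sample packets (not from the lab).
PING_GW = Packet("icmp", "192.168.1.3", "192.168.1.1", icmp_type=8)                 # PC-A pings its gateway
SYN_IN = Packet("tcp", "192.168.3.3", "192.168.1.3", 40000, 23, {"syn"})            # outside opens telnet to PC-A
SYNACK_IN = Packet("tcp", "192.168.3.3", "192.168.1.3", 80, 40000, {"syn", "ack"})  # reply to PC-A's HTTP request
HTTP_DMZ = Packet("tcp", "192.168.3.3", "192.168.4.1", 40001, 80, {"syn"})          # PC-C to the DMZ web server
SPOOFED = Packet("tcp", "192.168.1.5", "192.168.4.1", 40002, 80, {"syn"})           # corporate source arriving from ISP
EIGRP_HELLO = Packet("eigrp", "10.1.1.1", "224.0.0.10")

if __name__ == "__main__":
    for label, acl, pkt in [("101 loaded", ACL_101_LOADED, PING_GW), ("101 fixed", ACL_101_FIXED, PING_GW),
                            ("121 loaded", ACL_121_LOADED, SYN_IN), ("121 fixed", ACL_121_FIXED, SYN_IN)]:
        print(label, pkt.proto, pkt.src, "->", pkt.dst, evaluate(acl, pkt))
```

Two results are worth noting. Against the loaded ACL 121, the HTTP request to 192.168.4.1 is permitted, but by "permit ip any any" rather than the HTTP line (the eq 89 typo never matches), and a telnet SYN to PC-A is permitted by the same line, so the policy "only HTTP to the DMZ" is not enforced even though the web page loads. In the reordered list the anti-spoofing denies sit above the permits, so a packet with a 192.168.1.x source arriving from the ISP is dropped before the HTTP permit can match it; that is the answer to Reflection question 1 in practice: specific entries before general ones.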
Reflection
1. How should the ACL statements be ordered? From general to specific or vice versa?
_______________________________________________________________________________________
2. If you delete an ACL by using the no access-list command and the ACL is still applied to the interface, what happens?
_______________________________________________________________________________________
Router Interface Summary Table

Router Model | Ethernet Interface #1       | Ethernet Interface #2       | Serial Interface #1   | Serial Interface #2
1800         | Fast Ethernet 0/0 (F0/0)    | Fast Ethernet 0/1 (F0/1)    | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
1900         | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
2801         | Fast Ethernet 0/0 (F0/0)    | Fast Ethernet 0/1 (F0/1)    | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1)
2811         | Fast Ethernet 0/0 (F0/0)    | Fast Ethernet 0/1 (F0/1)    | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
2900         | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.