Addressing Table

Objectives

Part 1: Configure a Named Extended ACL

Part 2: Apply and Verify the Extended ACL

Background / Scenario

In this scenario, specific devices on the LAN are allowed access to various services on servers located on the Internet, while the named ACL configured below blocks a few specific device-to-service combinations.

Part 1: Configure a Named Extended ACL
Use one named ACL to implement the following policy:

· Block HTTP and HTTPS access from PC1 to Server1 and Server2. The servers are inside the cloud and you only know their IP addresses.

· Block FTP access from PC2 to Server1 and Server2.

· Block ICMP access from PC3 to Server1 and Server2.

Note: For scoring purposes, you must configure the statements in the order specified in the following steps.

Step 1: Deny PC1 to access HTTP and HTTPS services on Server1 and Server2.

a. Create an extended IP access list named ACL which will deny PC1 access to the HTTP and HTTPS services of Server1 and Server2. Because it is impossible to directly observe the subnet of servers on the Internet, four rules are required. What is the command to begin the named ACL?

RT1>en
RT1#config t
Enter configuration commands, one per line. End with CNTL/Z.
RT1(config)#
RT1(config)#ip access-list extended ACL


b. Record the statement that denies access from PC1 to Server1, only for HTTP (port 80).

RT1(config-ext-nacl)#deny tcp host 172.31.1.101 host 64.101.255.254 eq 80

c. Record the statement that denies access from PC1 to Server1, only for HTTPS (port 443).

RT1(config-ext-nacl)#deny tcp host 172.31.1.101 host 64.101.255.254 eq 443

d. Record the statement that denies access from PC1 to Server2, only for HTTP.

RT1(config-ext-nacl)#deny tcp host 172.31.1.101 host 64.103.255.254 eq 80

e. Record the statement that denies access from PC1 to Server2, only for HTTPS.

RT1(config-ext-nacl)#deny tcp host 172.31.1.101 host 64.103.255.254 eq 443

Step 2: Deny PC2 to access FTP services on Server1 and Server2.

a. Record the statement that denies access from PC2 to Server1, only for FTP (port 21 only).

RT1(config-ext-nacl)#deny tcp host 172.31.1.102 host 64.101.255.254 eq 21

b. Record the statement that denies access from PC2 to Server2, only for FTP (port 21 only).

RT1(config-ext-nacl)#deny tcp host 172.31.1.102 host 64.103.255.254 eq 21

Step 3: Deny PC3 to ping Server1 and Server2.

a. Record the statement that denies ICMP access from PC3 to Server1.

RT1(config-ext-nacl)#deny icmp host 172.31.1.103 host 64.101.255.254

b. Record the statement that denies ICMP access from PC3 to Server2.

RT1(config-ext-nacl)#deny icmp host 172.31.1.103 host 64.103.255.254

Step 4: Permit all other IP traffic.

By default, an access list ends with an implicit deny: any traffic that does not match a rule in the list is dropped. Because only the listed deny statements are intended, an explicit permit is needed as the last entry. What command permits all other traffic?

RT1(config-ext-nacl)#permit ip any any

Part 2: Apply and Verify the Extended ACL
The traffic to be filtered is coming from the 172.31.1.96/27 network and is destined for remote networks. Appropriate ACL placement also depends on the direction of that traffic with respect to RT1: it enters RT1 on the LAN-facing interface, so the ACL is applied inbound there.

Step 1: Apply the ACL to the correct interface and in the correct direction.

a. What are the commands you need to apply the ACL to the correct interface and in the correct direction?

RT1(config-ext-nacl)#interface gi0/0
RT1(config-if)#ip access-group ACL ?
  in   inbound packets
  out  outbound packets
RT1(config-if)#ip access-group ACL in

Step 2: Test access for each PC.

a. Access the websites of Server1 and Server2 using the Web Browser of PC1 and using both HTTP and HTTPS protocols.

HTTP access from PC1 to Server1 and Server2 is not reachable (blocked by the ACL).
HTTPS access from PC1 to Server1 and Server2 is not reachable (blocked by the ACL).

b. Access FTP on Server1 and Server2 using PC1. The username and password are both “cisco”.

FTP access from PC1 to Server1 and Server2 is reachable (permitted by the ACL).

c. Ping Server1 and Server2 from PC1.

Ping Server1 and Server2 from PC1

d. Repeat Step 2a to Step 2c with PC2 and PC3 to verify proper access list operation.

Packet Tracer – Configuring Extended ACLs – Scenario 3

By Admin

7 thoughts on “Configuring Extended ACLs – Scenario 3”
  1. Hi there, I discovered your site by way of Google even as looking for a related matter, your web site got here
    up, it appears good. I have bookmarked it in my google bookmarks.

    Hello there, just became aware of your blog through Google, and
    located that it’s truly informative. I’m gonna be careful for brussels.
    I will appreciate for those who proceed this in future.
    Numerous folks will probably be benefited out of your writing.

    Cheers!

  2. I’m really inspired with your writing talents and also with the layout to your weblog.
    Is that this a paid subject matter or did you customize it yourself?
    Either way stay up the nice quality writing, it’s uncommon to look a
    nice blog like this one today.

  3. I do not know whether it’s just me or if everybody else encountering
    issues with your blog. It appears as if some of the written text within your content are running
    off the screen. Can somebody else please comment and let me
    know if this is happening to them as well? This may be an issue with my internet
    browser because I’ve had this happen previously. Appreciate it

  4. Definitely believe that that you stated. Your favorite justification seemed
    to be at the internet the simplest factor to take into account of.
    I say to you, I certainly get irked whilst folks consider concerns that they just
    do not realize about. You controlled to hit the nail upon the top as
    well as outlined out the whole thing without having side-effects , other folks
    could take a signal. Will likely be again to get more. Thanks

  5. Great items from you, man. I have taken into account your
    stuff previous to and you are just too excellent. I really like what you have received here,
    really like what you are saying and the best way by
    which you are saying it. You’re making it entertaining and you still take
    care of to stay it wise. I cant wait to learn much more from you.

    This is actually a wonderful website.
