Router Extended Access Control List
1. Router HQ
====================ROUTER HQ:
hostname ROUTER-HQ
interface fa0/0
ip address 10.0.1.1 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.9 255.255.255.248
no shutdown
interface serial0/1/0
ip address 192.168.1.1 255.255.255.252
clock rate 2000000
no shutdown
--------Static Route:
ip route 10.1.1.0 255.255.255.0 192.168.1.2 : option 1
ip route 10.1.1.0 255.255.255.0 se0/1/0 : option 2
ip route 10.2.1.0 255.255.255.0 192.168.1.10
ip route 10.3.1.0 255.255.255.0 192.168.1.11
show ip route : check routing table on this router
2. Router KCM
====================ROUTER KCM:
hostname ROUTER-KCM
interface fa0/0
ip address 10.1.1.1 255.255.255.0
no shutdown
exit
interface se0/0
ip address 192.168.1.2 255.255.255.252
no shutdown
--------Default Route:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
--------Static Route:
ip route 10.0.1.0 255.255.255.0 192.168.1.1
ip route 10.2.1.0 255.255.255.0 192.168.1.1
ip route 10.3.1.0 255.255.255.0 192.168.1.1
3. Router BTB
====================ROUTER BTB:
hostname ROUTER-BTB
interface fa0/0
ip address 192.168.1.10 255.255.255.248
no shutdown
exit
interface fa0/1
ip address 10.2.1.1 255.255.255.0
no shutdown
--------Static & Default Route:
ip route 10.3.1.0 255.255.255.0 192.168.1.11
ip route 0.0.0.0 0.0.0.0 192.168.1.9
4. Router SRP
====================ROUTER SRP:
hostname ROUTER-SRP
interface fa0/0
ip address 192.168.1.11 255.255.255.248
no shutdown
exit
interface fa0/1
ip address 10.3.1.1 255.255.255.0
no shutdown
--------Static & Default Route:
ip route 10.2.1.0 255.255.255.0 192.168.1.10
option a:
ip route 0.0.0.0 0.0.0.0 192.168.1.9
option b:
ip route 10.0.1.0 255.255.255.0 192.168.1.9
ip route 10.1.1.0 255.255.255.0 192.168.1.9
5. Extended Access Control List Configuration
Requirement 1:
Block laptop 1 (10.0.1.2) in LAN HQ from accessing all laptops
in LAN SRP (10.3.1.0/24), but allow the other laptops in LAN HQ.
( this can also be done with a standard access-list applied on ROUTER SRP:
ans: access-list 10 deny host 10.0.1.2
access-list 10 permit any
int f0/1
ip access-group 10 out
)
Extended Access-List
ROUTER HQ:
(formula: access-list acl-id permit/deny protocol1 src-ip dst-ip)
access-list 100 deny ip host 10.0.1.2 10.3.1.0 0.0.0.255
access-list 100 permit ip any any
======= filter inbound (apply)
interface fa0/0
ip access-group 100 in
======= filter inbound (remove)
no access-list 100
interface fa0/0
no ip access-group 100 in
------------------------------
======= filter outbound (apply)
access-list 100 deny ip host 10.0.1.2 10.3.1.0 0.0.0.255
access-list 100 permit ip any any
interface fa0/1
ip access-group 100 out
==============================================================================
+( Add one more statement to acl-id 100: block web server 10.0.1.3 from accessing LAN SRP (10.3.1.0/24) )
-->
RouterHQ(config)# do show access-list : check the existing statements and their sequence numbers (10, 20)
RouterHQ(config)#ip access-list extended 100
RouterHQ(config-ext-nacl)#15 deny ip host 10.0.1.3 10.3.1.0 0.0.0.255
(sequence 15 is placed between 10 and 20, so the new deny is evaluated before permit ip any any)
==============================================================================
****Remove sequence number 15 from acl-id 100 *********************
--> RouterHQ(config)# do show access-list
RouterHQ(config)#ip access-list extended 100
RouterHQ(config-ext-nacl)#no 15
==============================================================================
+( Remove acl-id 100 entirely )
--> RouterHQ(config)#no ip access-list extended 100
######################################################
Requirement 2:
Block laptop 2 (10.1.1.2) in LAN KCM from pinging the web server (10.0.1.3),
but allow it to use a web browser to reach the web server
and to ping laptop 6 (10.3.1.2).
All other traffic from laptop 2 is denied.
The ACL must be applied on ROUTER KCM.
protocol1 can be: ip, icmp, rip, ospf, eigrp, tcp, udp
ROUTER KCM:
access-list 110 deny icmp host 10.1.1.2 host 10.0.1.3
access-list 110 permit tcp host 10.1.1.2 host 10.0.1.3 eq 80
access-list 110 permit tcp host 10.1.1.2 host 10.0.1.3 eq 443
access-list 110 permit icmp host 10.1.1.2 host 10.3.1.2
access-list 110 deny ip host 10.1.1.2 any
access-list 110 permit ip any any
======= filter outbound (apply)
interface se0/0
ip access-group 110 out
---------INSERT NEW ACL STATEMENTS INTO THE EXISTING ACL ID 110 BY SEQUENCE NUMBER
Allow laptop 2 (10.1.1.2) in LAN KCM to use a web browser and ping to reach
the web server (10.3.1.3) in LAN SRP,
and remove its ping access to laptop 6 (10.3.1.2) (statement 40 above).
ip access-list extended 110
41 permit icmp host 10.1.1.2 host 10.3.1.3
42 permit tcp host 10.1.1.2 host 10.3.1.3 eq 80
no 40
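To check the top-down, first-match behaviour of ACL 110 above (before and after the sequence-number edit) and of the Requirement 1 ACL 100 with its 0.0.0.255 wildcard, here is an added Python model of extended-ACL evaluation; it is example code written for this page, not part of the handout or of Cisco IOS, and it assumes IOS default sequence numbers (10, 20, 30 ...) and only the statement syntax used on this page.

```python
import ipaddress
# Added example (not from the handout): model of Cisco extended-ACL evaluation: checked top-down, first match wins, implicit deny at the end; IOS default sequence numbers 10, 20, 30 ...

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "do not care"; 0.0.0.0 is an exact host match
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_entry(seq, text):
    # Parses "<permit|deny> <proto> <src> <dst> [eq <port>]", the syntax used on this page
    tok = text.split()
    action, proto, i, addrs = tok[0], tok[1], 2, []
    for _ in range(2):                     # source first, then destination
        if tok[i] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif tok[i] == "host":
            addrs.append((tok[i + 1], "0.0.0.0")); i += 2
        else:                              # "<network> <wildcard>"
            addrs.append((tok[i], tok[i + 1])); i += 2
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"seq": seq, "action": action, "proto": proto, "src": addrs[0], "dst": addrs[1], "port": port}

class ExtendedAcl:
    def __init__(self, statements):
        self.entries = [parse_entry(10 * (n + 1), s) for n, s in enumerate(statements)]
    def insert(self, seq, text):           # "ip access-list extended 110" then "41 permit ..."
        self.entries = sorted(self.entries + [parse_entry(seq, text)], key=lambda e: e["seq"])
    def remove(self, seq):                 # "no 40"
        self.entries = [e for e in self.entries if e["seq"] != seq]
    def evaluate(self, proto, src, dst, dport=None):
        for e in self.entries:
            if (e["proto"] in ("ip", proto) and wildcard_match(src, *e["src"])
                    and wildcard_match(dst, *e["dst"]) and e["port"] in (None, dport)):
                return e["action"]         # first match wins
        return "deny"                      # implicit deny at the end of every ACL

def build_acl_110():
    # ACL 110 exactly as written for ROUTER KCM above (applied outbound on se0/0)
    return ExtendedAcl([
        "deny icmp host 10.1.1.2 host 10.0.1.3", "permit tcp host 10.1.1.2 host 10.0.1.3 eq 80",
        "permit tcp host 10.1.1.2 host 10.0.1.3 eq 443", "permit icmp host 10.1.1.2 host 10.3.1.2",
        "deny ip host 10.1.1.2 any", "permit ip any any",
    ])

def split_acl_110(acl):
    # The sequence-number edit shown above: add 41 and 42 (before 50), then "no 40"
    acl.insert(41, "permit icmp host 10.1.1.2 host 10.3.1.3")
    acl.insert(42, "permit tcp host 10.1.1.2 host 10.3.1.3 eq 80")
    acl.remove(40)
```

Note that after the edit HTTPS (443) to 10.3.1.3 still falls through to statement 50 and is denied, because only port 80 was added.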
######################################################
Requirement 2:
Block laptop 2 (10.1.1.2) in LAN KCM from pinging the web server (10.0.1.3),
but allow it to use a web browser to reach the web server and to ping laptop 6 (10.3.1.2).
All other traffic from laptop 2 is denied.
Named ACL for Requirement 2:
(checklaptop2 is the acl-name; it takes the place of the acl-id)
(config#) ip access-list extended checklaptop2
deny icmp host 10.1.1.2 host 10.0.1.3
permit tcp host 10.1.1.2 host 10.0.1.3 eq 80
permit tcp host 10.1.1.2 host 10.0.1.3 eq 443
permit icmp host 10.1.1.2 host 10.3.1.2
deny ip host 10.1.1.2 any
permit ip any any : as in ACL 110; without it the implicit deny blocks every other LAN KCM host
======= filter outbound (apply)
interface se0/0
ip access-group checklaptop2 out
---------INSERT NEW ACL STATEMENTS INTO THE EXISTING NAMED ACL BY SEQUENCE NUMBER:
Allow laptop 2 (10.1.1.2) in LAN KCM to use a web browser and ping to reach
the web server (10.3.1.3) in LAN SRP,
and remove its ping access to laptop 6 (10.3.1.2) (statement 40 above).
(config#) ip access-list extended checklaptop2
41 permit icmp host 10.1.1.2 host 10.3.1.3
42 permit tcp host 10.1.1.2 host 10.3.1.3 eq 80
no 40
*************** Lesson ********************
Apply Extended Access Control List (ACL):
- Permit or deny traffic of a data flow
- Check Source, Destination, and Protocol (and port, for tcp/udp)
- acl-id = 100 ---> 199 or 2000 ---> 2699
- apply it on the router nearest to the source
Sample config:
Step 1A: create Extended acl statements:
(config)# access-list acl-id permit/deny protocol1 src-ip dst-ip
where protocol1 is one of: ip, icmp, rip, ospf, eigrp, tcp, udp
-icmp: used by the ping command (ex: ping 1.1.1.1 )
-rip : used by the routing protocol
==========
Step 1B: create Extended acl statements with a port number:
(config)# access-list acl-id permit/deny protocol2 src-ip dst-ip eq port-number
where protocol2 is one of: tcp, udp
(tcp: application protocols such as ftp, ssh, telnet, smtp, imap4, pop3, http, https ....)
(udp: server protocols such as DNS, SNMP, TFTP, DHCP)
port-number:
3 types of Port Number:
1) Well-known Port: 1 ---> 1023 : used by servers (ex: 80: web server)
2) Registered Port: 1024 ---> 49151
3) Dynamic Port: 49152 ---> 65535 : used by clients
Application Protocol: TCP : Transmission Control Protocol
- FTP (File Transfer Protocol) : 20/tcp (for download/upload file) & 21/tcp (for establishing the connection)
- SSH (Secure SHell Protocol) OR SFTP (Secure File Transfer Protocol) : 22/tcp
- Telnet (Telnet Protocol) : 23/tcp
- SMTP (Simple Mail Transfer Protocol) : 25/tcp (used for sending email)
- IMAP4 (Internet Message Access Protocol) : 143/tcp (used for receiving email)
- POP3 (Post Office Protocol) : 110/tcp (used for receiving email)
- HTTP (Hyper Text Transfer Protocol) : 80/tcp
- HTTPS (Hyper Text Transfer Protocol Secure) : 443/tcp
Application Protocol: UDP : User Datagram Protocol
- DNS (Domain Name System) : 53/udp
- SNMP (Simple Network Management Protocol) : 161/udp
- TFTP (Trivial File Transfer Protocol) : 69/udp
- DHCP (Dynamic Host Configuration Protocol) : 67/udp & 68/udp
Registered-Port and Dynamic-Port
- RDP (Remote Desktop Protocol) : 3389/tcp
- Lotus Notes email : 1352/tcp
- TightVNC : 5900/tcp
Step 2: apply the extended acl to an interface
(config)# interface name
(config-if)# ip access-group acl-id in/out
******************* Exercise *********************
Requirement 1:
Block laptop X (10.0.1.150) in LAN HQ from accessing all laptops
in LAN BTB (10.2.1.0/24), but allow the other laptops in LAN HQ.
ROUTER HQ:
????
access-list 100 deny ip host 10.0.1.150 10.2.1.0 0.0.0.255
access-list 100 permit ip any any
======= filter inbound (apply)
???
int f0/0
ip access-group 100 in
======= filter inbound (remove)
???
no access-list 100
int f0/0
no ip access-group 100 in
------------------------------
======= filter outbound (apply)
????
int f0/1
ip access-group 100 out
exit
######################################################
Requirement 2:
Block laptop 5 (10.2.1.3) in LAN BTB from pinging the web server (10.0.1.3) in LAN HQ,
but allow it to use a web browser to reach the web server and to ping laptop 6 (10.3.1.2).
All other traffic from laptop 5 is denied.
The ACL must be applied on ROUTER BTB.
ROUTER BTB:
???
access-list 199 deny icmp host 10.2.1.3 host 10.0.1.3
access-list 199 permit tcp host 10.2.1.3 host 10.0.1.3 eq 80
access-list 199 permit tcp host 10.2.1.3 host 10.0.1.3 eq 443
access-list 199 permit icmp host 10.2.1.3 host 10.3.1.2
access-list 199 deny ip host 10.2.1.3 any
access-list 199 permit ip any any
======= filter inbound (apply)
???
int f0/1
ip access-group 199 in
---------INSERT NEW ACL STATEMENTS INTO THE EXISTING ACL ID 199 BY SEQUENCE NUMBER
Allow laptop 5 (10.2.1.3) in LAN BTB to use a web browser to reach
the web server (10.3.1.3) in LAN SRP,
and remove its ping access to laptop 6 (10.3.1.2) (statement 40 above).
???
RouterBTB(config)#ip access-list extended 199
45 permit tcp host 10.2.1.3 host 10.3.1.3 eq 80
46 permit tcp host 10.2.1.3 host 10.3.1.3 eq 443
no 40
######################################################
Requirement 2:
Block laptop 5 (10.2.1.3) in LAN BTB from pinging the web server (10.0.1.3),
but allow it to use a web browser to reach the web server and to ping laptop 6 (10.3.1.2).
All other traffic from laptop 5 is denied.
Named ACL for Requirement 2: remove the numbered ACL 199 above first.
???
======= filter outbound (apply)
???
---------INSERT NEW ACL STATEMENTS INTO THE EXISTING NAMED ACL BY SEQUENCE NUMBER:
Allow laptop 5 (10.2.1.3) in LAN BTB to use a web browser to reach
the web server (10.3.1.3) in LAN SRP,
and remove its ping access to laptop 6 (10.3.1.2).
???