Cisco Discovery 3 Module 8 Course Curriculum Picture Descriptions

8.0.0 - Chapter Introduction

8.0.1 - Introduction

The diagram depicts a woman sitting in front of her computer at the authentication screen of a Windows OS. The comment in the background reads, "Enterprise networks need security to ensure that only authorized users access the network."

The next image in the slideshow depicts a man working in front of his computer and the comment, "Traffic filtering tools like Access Control Lists are an important component of enterprise network security."

The next image in the slideshow depicts a laptop computer with a stream of information (binary 0s and 1s) flowing out of the laptop. The comment reads, "ACLs permit and deny specific types of inbound and outbound traffic."

The next slide in the slideshow depicts a man sitting in front of a wiring closet with his laptop connected to the console port for administration duties. The comment reads, "Network engineers and technicians plan, configure and verify ACLs on routers and other networking devices."

After completing this module, you should be able to:
- Describe traffic filtering
- Explain how Access Control Lists (ACLs) can filter traffic at router interfaces
- Analyze the use of wildcard masks
- Configure and implement ACLs
- Create and apply ACLs to control specific types of traffic
- Log ACL activity and apply ACL best practices

Module 8.1 - Using Access Control Lists

8.1.1 - Traffic Filtering

Two Diagrams

Diagram 1, Image

Traffic Filtering
The picture depicts the use of traffic filtering. There is a circle with an internal network inside; the internal network contains four hosts connected to a switch, and a router connects the internal network to the outside world. The router has several different external packets coming in, labeled HTTP, Network 172.16.0.0 and IP Address 192.168.1.5, which have all been allowed into the network, and a packet labeled Telnet, which has been blocked from entering the network.
The internal network uses MAC address filtering, and one host is shown blocked from using the network.

Diagram 2, Image

Traffic Filtering
The picture depicts several devices that can perform traffic filtering:
- Cisco Security Appliances
- Server-based firewall
- Linksys wireless router with integrated firewall
- Cisco router with IOS Firewall

8.1.2 - Access Control Lists

One Diagram

Diagram 1, Image

Access Control Lists
The picture depicts the placement of Access Control Lists. Two ACLs have been placed strategically in the network, and each blocks particular traffic from reaching certain parts of the network.

8.1.3 - Types and Usage of ACLs

Two Diagrams

Diagram 1, Tabular

Types of IOS Access Lists

Type of ACL: Standard
Sample ACL: access-list 1 permit host 172.16.2.88
Purpose of statement: Permits a specific IP address

Type of ACL: Extended
Sample ACL: access-list 100 deny tcp 172.16.2.0 0.0.0.255 any eq telnet
Purpose of statement: Denies access from the 172.16.2.0/24 subnet to any other host if they are attempting to use Telnet

Type of ACL: Named
Sample ACL:
Router(config)# ip access-list standard permit-ip
Router(config-std-nacl)# permit host 192.168.5.47
Purpose of statement: Creates a standard access list named permit-ip and allows access from IP address 192.168.5.47. The first command puts the router into NACL subcommand mode.

Diagram 2, Activity

Types and Usage of ACLs
Determine whether each of the following describes a Standard, Extended or Named ACL:
1. Simplest type of ACL
2. Uses a special sub-configuration mode
3. Uses a numeric identifier and can filter on protocol and port numbers
4. Can create both standard and extended access lists
5. Identified by a number in the range 100-199
6. Can only filter on source IP address or range
7. Uses a numeric identifier and can filter on source or destination IP address
8. Identified by a number in the range 1-99
9. Can be assigned a meaningful descriptive identifier

8.1.4 - ACL Processing

Three Diagrams

Diagram 1, Animation

ACL Processing
The animation depicts the use of ACLs to limit traffic on a network.

Network:
There is a cloud with two hosts (H1 IP: 192.168.1.1, H2 IP: 192.168.1.5), one router (R1) and one switch (S1). R1 is connected to the cloud via S0/0/0 and to S1 via S0/0/1. S1 has two hosts (H1, H2).

A packet is sent from H1 in the cloud to R1. R1 has the following ACL:
Access-list 1 permit host 192.168.1.1
Access-list 1 deny any (implied)
The packet matches a statement, so it is forwarded.
A packet is sent from H2 in the cloud to R1. R1 does not forward the packet, because it does not match any statement and so falls through to the implied deny.

Diagram 2, Animation

ACL Processing
The animation depicts inbound and outbound ACLs.

Network:
There is a cloud with one host (H1 IP: 192.168.1.1), one router (R1) and one switch (S1). R1 is connected to the cloud via S0/0/0 and to S1 via Fa0/0. S1 has two hosts (H2 IP: 172.22.4.1, H3 IP: 172.22.4.2).

Inbound:
A packet is sent from H1 to R1. R1 has a caption that says "I have an ACL associated with the S0/0/0 interface." The packet reaches R1 and the ACL is applied to interface S0/0/0 inbound. R1 has a caption that says "I have to filter traffic inbound," followed by "You match the permit statement of the ACL, therefore move ahead." The packet is forwarded to its destination.

Outbound:
A packet is sent from H1 to R1. R1 has a caption that says "I will switch you to the Fa0/0 interface to reach your destination." The packet reaches R1, and R1 has a caption that says "I have an ACL associated with the Fa0/0 interface." The ACL is applied to interface Fa0/0 outbound. R1 has a caption that says "I have to filter traffic outbound," followed by "You match the permit statement of the ACL, therefore move ahead." The packet is forwarded to its destination.
R1 ACL:
Access-list 1 permit host 192.168.1.1
Access-list 1 deny any (implied)

Diagram 3, Activity

ACL Processing
Determine whether the packet will be permitted or denied for each given source IP address.

Source IP Address: 192.168.1.133
ACL Statements:
Access-list 1 permit host 192.168.1.33
Access-list 1 permit host 192.168.1.233

Source IP Address: 192.168.1.228
ACL Statements:
Access-list 2 permit host 192.168.1.215

Source IP Address: 10.10.10.5
ACL Statements:
Access-list 3 permit host 10.10.10.5
Access-list 3 deny host 172.22.4.1

Source IP Address: 172.22.4.1
ACL Statements:
Access-list 4 deny host 172.22.4.1
Access-list 4 permit host 172.22.5.2

Source IP Address: 172.22.4.1
ACL Statements:
Access-list 5 permit host 10.10.10.5
Access-list 5 permit host 172.22.4.1

Source IP Address: 172.22.4.3
ACL Statements:
Access-list 6 deny host 172.22.4.3

8.2 - Using a Wildcard Mask

8.2.1 - ACL Wildcard Mask Purpose and Structure

Three Diagrams

Diagram 1, Image

A user sitting at a workstation has the following information displayed on her screen:
Wildcard masks that permit a single host: 172.16.22.87 0.0.0.0 or host 172.22.8.17
Wildcard mask that permits a range of hosts for a /24 network: 172.16.22.0 0.0.0.255
Wildcard mask that permits an entire /16 network: 172.16.0.0 0.0.255.255
Wildcard mask that permits an entire /8 network: 10.0.0.0 0.255.255.255

Diagram 2, Image

R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Step 1 - Comparison Address
Decimal equivalent: 192.168.1.0
Binary equivalent: 11000000.10101000.00000001.00000000
Convert the decimal comparison address to binary.

Step 2 - Wildcard Mask
Decimal equivalent: 0.0.0.255
Binary equivalent: 00000000.00000000.00000000.11111111
Convert the decimal wildcard mask to binary.

Step 3 - Comparison Address bits to match
Decimal equivalent: 192.168.1.X
Binary equivalent: 11000000.10101000.00000001.XXXXXXXX
Compare the wildcard mask match bits (24 zeros) with the comparison address bits.
Step 4 - Incoming Packet Address
Decimal equivalent: 192.168.1.27
Binary equivalent: 11000000.10101000.00000001.00011011
Compare the first 24 bits of the incoming packet IP address to the first 24 bits of the comparison address.

Step 5
If the bits match, the packet is permitted by the ACL. The incoming packet IP address matches the comparison address and wildcard mask.

Diagram 3, Activity

Determine the wildcard mask based on the ACL statement objective.
ACL Statement Objectives:
- Deny all hosts from the 192.168.55.0/24 network
- Permit all hosts from the 172.20.4.0/24 subnet
- Permit only host 10.10.10.1
- Deny only host 192.168.93.240
- Deny all hosts from the 172.30.0.0/16 network
- Deny all hosts from the 172.25.0.0/16 network
- Permit all hosts from the 10.0.0.0/8 network
- Deny all hosts from the 10.0.0.0/16 network

8.2.2 - Analyzing the Effects of the Wildcard Mask

Four Diagrams

Diagram 1, Image

A router is connected to a switch with the following ACL inbound on Fa0/0:
access-list 9 deny host 192.168.15.99
access-list 9 permit any
Four hosts are connected to the switch:
- The host with IP address 192.168.15.77 can transmit.
- The host with IP address 192.168.15.99 cannot transmit.
- The host with IP address 192.168.15.22 can transmit.
- The host with IP address 192.168.15.33 can transmit.

Diagram 2, Tabular

Subnet address: 192.168.77.32 255.255.255.224
Comparison/Base Address: 192.168.77.32 0.0.0.31
Bit value (for one octet): 128, 64, 32, 16, 8, 4, 2 and 1
All 1s (for a binary octet): 1, 1, 1, 1, 1, 1, 1 and 1 gives a decimal value of 255
Subnet Mask: 1, 1, 1, 0, 0, 0, 0 and 0 gives a decimal value of 224
Wildcard Mask: 0, 0, 0, 1, 1, 1, 1 and 1 gives a decimal value of 31
Match Bits: the first three bits of the above octet.
Non-Match Bits: the last five bits of the above octet.

More Information
A network that is a full Class A, B or C has a subnet mask and a wildcard mask that divide evenly at an octet boundary.
Subnets that do not break on an octet boundary produce a different wildcard mask value. An octet boundary is the place between the first and second or the second and third octet. Example: a default Class A subnet mask falls between bit positions 8 and 9. This breaks at the end of one octet and the beginning of the next, and is said to be at the boundary of the next octet.

Diagram 3, Image

A router has an ACL outbound on S0/0/0. This router is also connected to four networks on Fast Ethernet ports:
- Network 192.168.77.192/26 is blocked.
- Network 192.168.77.128/26 is blocked.
- Network 192.168.77.64/26 is OK.
- Network 192.168.77.0/26 is OK.

OPTION A:
access-list 55 permit 192.168.77.0 0.0.0.63
access-list 55 permit 192.168.77.64 0.0.0.63
(implied deny any)

OPTION B:
access-list 55 permit 192.168.77.0 0.0.0.127
(implied deny any)

Diagram 4, Activity

Determine whether the IP packet is permitted or denied by analyzing the comparison address and wildcard mask. Check Permit or Deny after comparing the IP address with the ACL statement.

ACL Statement: access-list 66 permit 192.168.122.128 0.0.0.63
IP Packet Address: 192.168.122.195

ACL Statement: access-list 66 permit 192.168.223.64 0.0.0.31
IP Packet Address: 192.168.223.27

ACL Statement: access-list 66 permit 192.168.223.32 0.0.0.31
IP Packet Address: 192.168.223.60

ACL Statement: access-list 66 permit 192.168.155.0 0.0.0.255
IP Packet Address: 192.168.155.245

ACL Statement: access-list 66 permit 10.93.76.8 0.0.0.3
IP Packet Address: 10.93.76.10

ACL Statement: access-list 66 permit 192.168.155.0 0.0.0.255
IP Packet Address: 192.168.156.245

ACL Statement: access-list 66 permit 172.16.0.0 0.0.255.255
IP Packet Address: 172.17.0.5

8.3 - Configuring Access Control Lists

8.3.1 - Placing Standard and Extended ACLs

4 Diagrams

Diagram 1, Image

The diagram depicts a boardroom-type environment with several people sitting at the boardroom table. The people are viewing a graphic on the overhead projector.
Diagram 2, Image

The diagram depicts four routers directly connected to each other by serial link. Each router has its Fast Ethernet port in use, and the network addresses of the connected networks are as follows:
Router 1: 192.168.1.0/24
Router 2: 192.168.2.0/24
Router 3: 192.168.3.0/24
Router 4: 192.168.4.0/24
There are two blocks, at router 1 and at router 4, between the router and its Fast Ethernet port. These blocks indicate where an ACL may be placed.

Standard ACL Placement
Requirement: Prevent traffic from the 192.168.1.0 network from entering the 192.168.4.0 network. Allow 192.168.1.0 to reach other networks.
Bad Location: Meets some of the requirements. Prevents traffic from the 192.168.1.0 network from reaching networks 192.168.2.0 and 192.168.3.0.
Good Location: Meets all requirements.

Extended ACL Placement
Requirement: Use an extended ACL to prevent traffic from the 192.168.1.0 network from entering the 192.168.4.0 network but allow it to reach other networks.
Good Location: The extended ACL is placed closest to the source, which prevents traffic from the 192.168.1.0 network from reaching 192.168.4.0 but also allows it to reach other networks.

Diagram 3, Animation

The diagram depicts three routers directly connected to each other by serial link. The routers are named R1, R2 and R3, and the network address assignments are listed below:
R1: Fa0/0: 192.168.4.0/24, Fa0/1: 192.168.1.0/24
R2: Fa0/0: 192.168.2.0/24
R3: Fa0/0: 192.168.3.0/24
The requirement is to prevent traffic from the 192.168.1.0 network from entering the 192.168.2.0 network but allow it to reach other networks. The standard ACL and extended ACL commands are listed below:

Standard ACL
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit any

Extended ACL
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any

The extended ACL is placed on interface Fa0/0 of router R1 to control access to the 192.168.1.0 network.
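The wildcard-mask comparison of 8.2.1 and the top-to-bottom, first-match processing with implied deny of 8.1.4 and 8.2.2, worked as an added Python example (this is not code from the Cisco curriculum). It evaluates the page's ACL 55 (Option A) and the 8.2.2 Diagram 4 activity statements, and assumes the statements are written exactly in the syntax the page shows.

```python
import ipaddress
from typing import Dict, List, Tuple


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_bits(dotted: str) -> str:
    """Dotted-binary form, as in the curriculum's step-by-step comparison."""
    n = to_int(dotted)
    return ".".join(format((n >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def wildcard_match(packet_ip: str, base: str, wildcard: str) -> bool:
    """Steps 3-5: a wildcard bit of 0 means 'must match', 1 means 'ignore'.
    Only the positions where the wildcard is 0 are compared."""
    care = ~to_int(wildcard) & 0xFFFFFFFF      # 1 where the bit must match
    return (to_int(packet_ip) & care) == (to_int(base) & care)


def parse_standard_entry(line: str) -> Tuple[str, str, str]:
    """'access-list N permit|deny <host A | A W | A | any>' -> (action, base, wildcard).
    'host A' and a bare address both mean 'A 0.0.0.0'; 'any' is '0.0.0.0 255.255.255.255'."""
    tokens = line.lower().split()
    action, rest = tokens[2], tokens[3:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    return action, rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")


def evaluate_standard_acl(acl: List[str], src_ip: str) -> Tuple[str, str]:
    """8.1.4 processing: statements are tested top to bottom, the first match
    decides, and a packet that matches nothing hits the implied deny at the end."""
    for line in acl:
        action, base, wildcard = parse_standard_entry(line)
        if wildcard_match(src_ip, base, wildcard):
            return action, line
    return "deny", "(implied deny any)"


# Option A from 8.2.2 Diagram 3: permit 192.168.77.0/26 and .64/26, block the rest.
ACL_55_OPTION_A = [
    "access-list 55 permit 192.168.77.0 0.0.0.63",
    "access-list 55 permit 192.168.77.64 0.0.0.63",
]

# (statement, packet source) pairs from the 8.2.2 Diagram 4 activity.
ACTIVITY_66 = [
    ("access-list 66 permit 192.168.122.128 0.0.0.63", "192.168.122.195"),
    ("access-list 66 permit 192.168.223.64 0.0.0.31", "192.168.223.27"),
    ("access-list 66 permit 192.168.223.32 0.0.0.31", "192.168.223.60"),
    ("access-list 66 permit 192.168.155.0 0.0.0.255", "192.168.155.245"),
    ("access-list 66 permit 10.93.76.8 0.0.0.3", "10.93.76.10"),
    ("access-list 66 permit 192.168.155.0 0.0.0.255", "192.168.156.245"),
    ("access-list 66 permit 172.16.0.0 0.0.255.255", "172.17.0.5"),
]


def activity_results() -> Dict[str, str]:
    """Each activity statement is a one-line ACL; no match means the implied deny."""
    return {pkt: evaluate_standard_acl([stmt], pkt)[0] for stmt, pkt in ACTIVITY_66}


def explain(packet_ip: str, base: str, wildcard: str) -> List[str]:
    """The five steps of 8.2.1 Diagram 2, rendered as text lines."""
    mask_bits = to_bits(wildcard)
    # Step 3: replace every bit the wildcard ignores with X.
    masked = "".join("X" if w == "1" else b for b, w in zip(to_bits(base), mask_bits))
    verdict = "match, permitted" if wildcard_match(packet_ip, base, wildcard) else "no match"
    return [
        f"Step 1 comparison address {base:<16} {to_bits(base)}",
        f"Step 2 wildcard mask       {wildcard:<16} {mask_bits}",
        f"Step 3 bits to match                        {masked}",
        f"Step 4 incoming packet     {packet_ip:<16} {to_bits(packet_ip)}",
        f"Step 5 result: {verdict}",
    ]


if __name__ == "__main__":
    print("\n".join(explain("192.168.1.27", "192.168.1.0", "0.0.0.255")))
    for pkt, verdict in activity_results().items():
        print(f"{pkt:<16} -> {verdict}")
```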
Diagram 4, Activity

Determine the correct router, interface and direction for placement of the ACL from the list below. Read the requirements and ACLs, then choose from the selection.

Requirement 1. You have an extended ACL that prevents traffic from the 172.16.1.0 network from reaching the 172.16.3.0 network but allows it to reach the 172.16.2.0 network and the ISP. You need to minimize traffic on the WAN links and can only place the ACL on one interface.
ACL:
Access-list 101 deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
Access-list 101 permit ip any any

Requirement 2. You have a standard ACL that permits all traffic from any 172.16.0.0 network to reach the ISP network but blocks all other traffic.
ACL:
Access-list permit 172.16.0.0 0.0.255.255

The diagram depicts three routers named R1, R2 and R3 directly connected by serial link to each other. The networks connected to each router's Fast Ethernet port are listed below:
R1 Fa0/0: 172.16.1.0/24
R2 S0/1/0: 172.16.2.0/24
R3 Fa0/0: 172.16.3.0/24
Options List (Router, Interface and Direction): S0/0/1, R3, S0/0/0, R2, S0/1/0, OUT, IN, R1, Fa0/0

8.3.2 - Basic ACL Configuration Process

2 Diagrams

Diagram 1, Image

The diagram depicts a woman with a clipboard outlining the points below.
ACL Processing and Creation Guidelines
* Configure only one access list per protocol per direction
* Apply standard access lists closest to the destination
* Apply extended access lists closest to the source
* Use the correct number range for the type of list
* Determine the inbound or outbound direction by looking at the port from inside the router
* Process statements sequentially from the top of the list to the bottom
* Deny the packet if no match is found
* Enter the access list statements in order from specific to general
* Configure an ACL with at least one permit statement, or all traffic will be denied

Diagram 2, Image

The diagram depicts two routers directly connected to each other by serial link.
Router R1 has its two Ethernet ports in use, and the network addresses assigned to these networks are 192.168.1.0/24 and 192.168.2.0/24. Router R2 has its two Fast Ethernet ports in use, and the network addresses assigned to these networks are 192.168.3.0/24 and 192.168.4.0/24. A server is connected at address 192.168.3.200 and a client computer at address 192.168.4.12. The ACL commands listed below are for placement on R2, Fast Ethernet Fa0/0:
R2(config)# access-list 3 remark to departmental server
R2(config)# access-list 3 deny host 192.168.4.12
R2(config)# access-list 3 permit 192.168.4.0 0.0.0.255
R2(config)# access-list 3 permit 192.168.1.66

8.3.3 - Configuring Numbered Standard ACLs

4 Diagrams

Diagram 1, Animation

The diagram depicts two routers connected by serial link. A server and a computer are connected to each of R2's Fast Ethernet ports, and one computer is connected to R1's Fast Ethernet port. The commands for implementing the ACL are listed below:
R2(config)# access-list 3 remark to departmental server
R2(config)# access-list 3 deny host 192.168.4.12
R2(config)# access-list 3 permit 192.168.4.0 0.0.0.255
R2(config)# access-list 3 permit 192.168.1.66
R2(config)# interface fa0/0
R2(config-if)# ip access-group 3 out

Diagram 2, Image

The diagram depicts two routers connected by serial link. A server and a computer are connected to each of R2's Fast Ethernet ports, and one computer is connected to R1's Fast Ethernet port. The commands show ip interface, show access-lists and show running-config show the additions of the ACL to the configuration. Applying ACLs is covered in the labs, and the output of these commands is available once the ACL has been placed.

Diagram 3, Activity

Determine the proper sequence of commands to configure and apply a standard ACL that will control entry into the 192.168.1.0 LAN.
The 192.168.3.77 host should not be able to access this LAN, but all other hosts on the 192.168.3.0 and 192.168.4.0 networks should be permitted access. The commands listed below are not in the correct order:
1. access-list 44 deny any
2. ip access-group 44 out
3. access-list 44 permit 192.168.4.0 0.0.0.255
4. interface fa0/0
5. access-list 44 deny 192.168.3.77 0.0.0.0
6. access-list 44 permit 192.168.3.0 0.0.0.255

Diagram 4, Hands-on Lab

8.3.4 - Configuring Numbered ACLs

Diagram 1, Image

The diagram depicts the fields of an extended ACL statement and a brief description of what they contain. The fields are listed below in the order they appear in the statement:

ACL Number
Identifies an ACL with a unique number. A standard ACL uses numbers in the ranges 1-99 and 1300-1999. Extended ACLs use numbers in the ranges 100-199 and 2000-2699.

Condition
Identifies whether a packet is to be permitted or denied.

Protocol
Identifies Layer 3 / 4 protocols. Common options include:
EIGRP - Cisco's EIGRP routing protocol
ESP - Encapsulation Security Payload
GRE - Cisco's GRE tunneling
ICMP - Internet Control Message Protocol
IGMP - Internet Gateway Message Protocol
IP - Any Internet protocol
TCP - Transmission Control Protocol

Source IP address
Identifies the IP address of the source of the packet. This value can be:
* An individual host address
* A range of host addresses
* The host parameter
* The any parameter

Destination IP address
Identifies the IP address of the destination of the packet. This value can be:
* An individual host address
* A range of host addresses
* The host parameter
* The any parameter

Matching Condition
Determines whether certain fields must match the application exactly (eq), be greater than (gt), less than (lt), and so on.

Application
Identifies the application either by port number or by acronym.

Diagram 2, Image

The diagram depicts two routers directly connected by serial link. A server and a computer are directly connected to each of R2's Fast Ethernet ports, and one computer is directly connected to R1's Fast Ethernet port.
The commands show ip interface, show access-lists and show running-config show the additions of the ACL to the configuration.

Option A
R2(config)# access-list 103 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.75
R2(config)# access-list 103 permit ip host 192.168.1.66 host 192.168.3.75
R2(config)# access-list 103 deny ip 192.168.4.0 0.0.0.255 host 192.168.3.75
R2(config)# access-list 103 permit ip any any
R2(config)# interface Fa0/0
R2(config-if)# ip access-group 103 out

Option B
R2(config)# access-list 103 deny ip 192.168.4.0 0.0.0.255 host 192.168.3.75
R2(config)# access-list 103 permit ip any any
R2(config)# interface fa0/0
R2(config-if)# ip access-group 103 out

Diagram 3, Activity

Based on the ACL listed below, determine whether each packet will be permitted or denied. The topology is as follows:
- Host 192.168.1.66 connects to router R1, Fa0/0
- Network 192.168.2.0/24 connects to R1, Fa0/1
- R1 S0/0/0, 172.16.1.0/30, connects to R2
- R2 connects to LAN 192.168.4.0/24 on Fa0/1, where host 192.169.4.12 (sic) is connected
- R2 Fa0/0 connects to server 192.168.3.200/24

ACL 103, applied to R1 interface Fa0/0, inbound:
Access-list 103 permit ip host 192.168.1.66 host 192.168.3.75
Access-list 103 permit ip host 192.168.1.77 host 192.168.3.75
Access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75
Access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
Access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Access-list 103 deny ip any any (implied)

Packets:
Source IP: 192.168.1.66, Destination IP: 192.168.3.51
Source IP: 192.168.1.66, Destination IP: 192.168.3.75
Source IP: 192.168.1.88, Destination IP: 192.168.2.51
Source IP: 192.168.1.88, Destination IP: 192.168.3.75
Source IP: 192.168.1.77, Destination IP: 192.168.3.75
Source IP: 192.168.1.33, Destination IP: 192.168.2.34

Diagram 4, Hands-on Lab

8.3.5 - Configuring Named ACLs

4 Diagrams

Diagram 1, Image

The diagram depicts a woman sitting in front of a desktop computer while configuring a router. The commands used to configure the router are listed below:
R1(config)# ip access-list extended SALES-ONLY
R1(config-ext-nacl)# permit ip 192.168.1.66 0.0.0.0 any
R1(config-ext-nacl)# permit ip 192.168.1.77 0.0.0.0 any
R1(config)# interface fa0/0
R1(config-if)# ip access-group SALES-ONLY in

Diagram 2, Image

The diagram depicts the Delete/Change and Insert editing techniques for named ACLs. The commands used for each are listed below:

Delete/Change
R1(config)# ip access-list extended SERVER-ACCESS
R1(config-ext-nacl)# no 20
R1(config-ext-nacl)# 20 permit ip host 192.168.1.77 any
R1(config-ext-nacl)# end
R1# show access-lists
Extended IP access list SERVER-ACCESS
10 permit ip host 192.168.1.66 host 192.168.3.75
20 permit ip host 192.168.1.77 any
30 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75

Insert
R1(config)# ip access-list extended SERVER-ACCESS
R1(config-ext-nacl)# 25 deny ip host 192.168.1.88 any
R1(config-ext-nacl)# end
R1# show access-lists
Extended IP access list SERVER-ACCESS
10 permit ip host 192.168.1.66 host 192.168.3.75
20 permit ip host 192.168.1.77 any
25 deny ip host 192.168.1.88 any
30 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75

Diagram 3, Packet Tracer Exploration Lab

Diagram 4, Hands-on Lab

8.3.6 - Configure Router VTY Access

4 Diagrams

Diagram 1, Image

The diagram depicts an Internet cloud with a router (labeled 0,1,2,3,4 in the image) directly connected to it by serial link. Also connected to the Internet cloud is the network administrator, who telnets in from his local machine with IP address 209.165.202.130 to the router's Telnet address 209.165.200.225. The last connection is from a hacker located outside the Internet cloud, connected by serial link; his IP address is 209.165.201.5 and he uses the Telnet address 209.165.202.130 for the router.
The router has the following commands entered in the console session:
R1(config)# access-list 3 permit host 209.165.202.130
R1(config)# line vty 0 4
R1(config-line)# access-class 3 in

Diagram 2, Image

The diagram depicts two routers, R1 and R2, directly connected to each other by serial link. The network address of this link is 192.168.2.0. Connected to R2's Fast Ethernet Fa0/0 is network 192.168.3.0, and the network connected to R1's Fast Ethernet port is 192.168.1.0. Within the network connected to R1 is the client 192.168.1.23. The client announces, "I need to configure a standard numbered ACL so that only I can configure the router remotely." The command listed below is used to configure access to router R1:
R1(config)# access-list 2 permit host 192.168.1.23
The client then announces, "I need to configure the VTY lines and apply the ACL," and enters the commands listed below:
R1(config)# line vty 0 4
R1(config-line)# login
R1(config-line)# password itsasecret
R1(config-line)# access-class 2 in

Diagram 3, Hands-on Lab

Diagram 4, Packet Tracer Exploration

Module 8.4 - Permitting and Denying Specific Types of Traffic

8.4.1 - Configuring ACLs for Application and Port Filtering

Three Diagrams

Diagram 1, Image

Configuring ACLs for Application and Port Filtering
The picture depicts a frame header with the source and destination IP addresses and the destination port number highlighted, which match the following ACL:
access-list 101 permit tcp host 192.168.1.5 host 192.168.3.7 eq 80

Diagram 2, Image

Configuring ACLs for Application and Port Filtering
The picture depicts the list of TCP protocols and port numbers displayed after entering the command access-list 101 permit tcp host 192.168.1.1 host 192.168.2.89 eq ?. There is a caption: "I need to filter email traffic. What port numbers should I filter?" The pop3 (Post Office Protocol v3, port 110) and smtp (Simple Mail Transport Protocol, port 25) entries have been highlighted.
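An evaluator for the extended ACL fields listed in 8.3.4 and the port filtering of 8.4.1, as an added Python example (not code from the curriculum). It parses the statement syntax the page shows, models only the eq matching condition, and also handles the established keyword, which goes beyond the statements in these two sections; the Packet and Entry types are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts in place of a number (the two the page highlights included).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST bit set: what 'established' tests


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[str, str]       # (base address, wildcard mask)
    sport: Optional[int]
    dst: Tuple[str, str]
    dport: Optional[int]
    established: bool
    text: str


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Compare only the bit positions where the wildcard mask has a 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_address(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' | 'host A' | 'A W' at t[i]; return (base, wildcard) and next index."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _take_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <number|name>' (the only matching condition modelled)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_extended(line: str) -> Entry:
    """'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    t = line.lower().split()
    action, proto = t[2], t[3]
    src, i = _take_address(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_address(t, i)
    dport, i = _take_port(t, i)
    return Entry(action, proto, src, sport, dst, dport, "established" in t[i:], line)


def entry_matches(e: Entry, p: Packet) -> bool:
    """Every field of the statement must match; protocol 'ip' matches any protocol."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.established and not (p.proto == "tcp" and p.ack_or_rst):
        return False                       # a new connection (SYN only) is not 'established'
    return True


def evaluate(acl: List[str], p: Packet) -> Tuple[str, str]:
    """Top to bottom, first match wins; nothing matched means the implied deny."""
    for line in acl:
        e = parse_extended(line)
        if entry_matches(e, p):
            return e.action, e.text
    return "deny", "(implied deny ip any any)"


# ACL 103 from the 8.3.4 Diagram 3 activity (applied inbound on R1 Fa0/0).
ACL_103 = [
    "access-list 103 permit ip host 192.168.1.66 host 192.168.3.75",
    "access-list 103 permit ip host 192.168.1.77 host 192.168.3.75",
    "access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75",
    "access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255",
    "access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
]

# The port-filtering statement from 8.4.1 Diagram 1.
WEB_ONLY = ["access-list 101 permit tcp host 192.168.1.5 host 192.168.3.7 eq 80"]

if __name__ == "__main__":
    print(evaluate(ACL_103, Packet("tcp", "192.168.1.88", "192.168.3.75")))
    print(evaluate(WEB_ONLY, Packet("tcp", "192.168.1.5", "192.168.3.7", 1025, 23)))
```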
Diagram 3, Packet Tracer Lab

8.4.2 - Configuring ACLs to Support Established Traffic

Two Diagrams

Diagram 1, Animation

Configuring ACLs to Support Established Traffic
The animation shows the use of an ACL that stops specific traffic from entering an internal network but allows the same traffic when it originates from the internal network. There is a screen capture of a router's command prompt, as follows:
R1(config)#access-list 101 permit tcp any any established
R1(config)#access-list 101 permit icmp any any
R1(config)#access-list 101 permit icmp any any unreachable
R1(config)#access-list 101 deny ip any any
R1(config)# interface fa0/0
R1(config-if)# ip access-group 101 out

Diagram 2, Activity

Configuring ACLs to Support Established Traffic
Determine whether each packet will be allowed or blocked given the following ACL statements (based on source and destination address and packet type).

ACL Statements:
R1(config)#access-list 101 permit tcp any any established
R1(config)#access-list 101 permit icmp any 192.168.3.0 0.0.0.255 echo-reply
R1(config)# interface S0/0/0
R1(config-if)#ip access-group 101 in

Network:
Two routers (R1, R2). R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0). R1 has networks 192.168.2.0 and 192.168.3.0 attached. R2 has network 192.168.1.0 attached to interface Fa0/0.

Packets:
Source IP 192.168.1.77, Destination IP 192.168.3.75, Packet type: echo-reply
Source IP 192.168.1.77, Destination IP 192.168.2.75, Packet type: echo-request
Source IP 192.168.1.15, Destination IP 192.168.2.44, Packet type: FTP response
Source IP 192.168.1.25, Destination IP 192.168.3.44, Packet type: Web response
Source IP 192.168.1.66, Destination IP 192.168.3.12, Packet type: Web request
Source IP 192.168.1.66, Destination IP 192.168.2.12, Packet type: echo-reply

8.4.3 - Effects of NAT and PAT on ACL Placement

Diagram 1, Image

Effects of NAT and PAT on ACL Placement
The picture depicts a conflict between NAT and an ACL statement that has been implemented.
Users from outside the 10.1.0.0/16 network have been given access to a server in an ACL statement; however, NAT has blocked the traffic from entering the network.
ACL Statement:
R1(config)#access-list 101 permit ip 10.1.0.0 0.0.255.255 any
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 101 out

Network:
Two routers (R1, R2). R1 is connected to R2 via serial link (R1: S0/0/0). R1 has network 10.1.0.0/16 attached on the Fa0/0 interface. R2 is connected to a cloud (ISP) with a web server in it.

Diagram 2, Hands-on Lab

Effects of NAT and PAT on ACL Placement

8.4.4 - Analyzing Network ACLs and Placement

Diagram 1, Image

Analyzing Network ACLs and Placement
The picture depicts the placement and use of ACLs to filter traffic to and from specific parts of a network.

Network:
Four routers (Main, Sales, HQ, R1). HQ is attached to Main via serial link, to Sales via serial link, and to R1 via serial link (HQ: S0/0/0). Main is attached to Sales via serial link.
Main has network 192.168.5.0/24 attached on interface Fa0/0; this network has a Payroll server attached (server IP: 192.168.5.57).
HQ has network 192.168.1.0/24 attached to interface Fa0/0; this network has a server farm with three servers and two hosts (Net Admin, H1) (server farm IPs: 192.168.1.3 - .15, Net Admin: 192.168.1.2, H1: 192.168.1.30).
Sales has network 192.168.3.0/24 attached on interface Fa0/0; this network has a file server attached (server IP: 192.168.3.39).
There are ACLs on the Fa0/0 interfaces of the HQ, Main and Sales routers, and an ACL on the S0/0/0 interface of HQ.

HQ S0/0/0 ACL
HQ - Extended ACL 105 - Interface S0/0/0 IN
Access-list 105 permit icmp any any echo-reply - Allow pings from inside to return from the Internet
Access-list 105 permit icmp any any unreachable - Allow error messages to return from the Internet
Access-list 105 permit tcp any any established - Allow established TCP sessions from the Internet

HQ Fa0/0 ACL
HQ - Extended ACL 100 - Interface Fa0/0 IN
Access-list 100 permit ip 192.168.1.0 0.0.0.15 any - Allow Net Admin and the server farm full access
Access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23 - Deny user PCs Telnet access
Access-list 100 permit ip any any - Allow all other traffic

Sales Fa0/0 ACL
Sales - Extended ACL 122 - Interface Fa0/0 IN
Access-list 122 deny ip 192.168.3.0 0.0.0.255 host 192.168.5.57 - Deny access from this net to the Payroll server
Access-list 122 permit tcp 192.168.3.0 0.0.0.255 any range 20 21 - Allow all users on this net access to FTP data and FTP session control
Access-list 122 permit udp 192.168.3.0 0.0.0.255 any eq 53 - Allow all users on this net access to remote DNS
Access-list 122 permit tcp 192.168.3.0 0.0.0.255 any eq 80 - Allow all users on this net access to web services

Main Fa0/0 ACL
Main - Extended ACL 111 - Interface Fa0/0 IN
Access-list 111 permit ip host 192.168.5.57 any - Allow the Payroll server access to anywhere
Access-list 111 permit udp 192.168.5.0 0.0.0.255 any eq 53 - Allow all users on this net access to remote DNS
Access-list 111 permit tcp 192.168.5.0 0.0.0.255 any eq 80 - Allow all users on this net access to web services

Diagram 2, Activity

Analyzing Network ACLs and Placement
Create an extended ACL given the following requirements and network topology (some components will not be used).

Network:
Two routers (R1, R2). R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0). R2 has network 10.1.1.0/24 attached to interface Fa0/0 and network 10.1.2.0/24 attached to interface Fa0/1. R1 has network 192.168.1.0/25 attached to interface Fa0/0, with a web server attached (web server IP: 192.168.1.84).

Create the numbered extended ACL statement. The ACL will only allow users on network 10.1.1.0/24 HTTP access to the web server on network 192.168.1.0.
The ACL will be applied to R2's S0/0/0 interface outbound.
Components: 99, ip, 192.168.1.0, deny, 0.0.255.255, access-list, 10.1.2.0, 192.168.1.84, permit, 10.1.1.0, udp, eq 80, 0.0.0.255, 101, eq 21, host, any, tcp

8.4.5 - Configuring ACLs with Inter-VLAN Routing

Three Diagrams

Diagram 1, Image

Configuring ACLs with Inter-VLAN Routing
The picture depicts the use of VLANs to separate network devices. There are two VLANs: VLAN1 contains three servers and VLAN2 contains three hosts. Both VLANs run through a switch (S1), which is connected to a router (R1).

Diagram 2, Hands-on Lab

Diagram 3, Packet Tracer Lab

8.5 - Filtering Traffic Using Access Control Lists

8.5.1 - Using Logging to Verify ACL Functionality

Three Diagrams

Diagram 1, Animation

Default
Host H1 has IP address 192.168.1.2 and host H2 has IP address 192.168.1.3. Both hosts connect to the Fa0/0 port of router R1, and the access list has been placed on this port. R1 connects via S0/0/0 to the S0/0/0 port of router R2; the link between these two routers is on network 192.168.2.0. R2 is connected via Fa0/0 to host H3, which has address 192.168.3.11. When the animation is played, hosts H1 and H2 both send packets onto the network. The text taken from the end of the following router configuration and the subsequent show access-list command shows what happened to those packets.
R1(config)#access-list 123 deny tcp host 192.168.1.2 host 192.168.3.11 eq 23
R1(config)#access-list 123 permit ip 192.168.1.0 0.0.0.255 any
R1(config)#
R1(config)#int fa0/0
R1(config-if)#ip access-group 123 in
R1(config-if)#end
R1#show access-list 123
Extended IP access list 123
10 deny tcp host 192.168.1.2 host 192.168.3.11 eq telnet (1 matches)
20 permit ip 192.168.1.0 0.0.0.255 any (1 matches)

Logging
Host H1 has IP address 192.168.1.2. This host connects to the Fa0/0 port of router R1. R1 connects via S0/0/0 to the S0/0/0 port of router R2; the link between these two routers is on network 192.168.2.0.
R2 is connected via Fa0/0 to host H2, which has the address 192.168.3.11. The animation shows H1 sending three packets onto the network. You can see what happened to these packets by reading the logged entries in the following excerpt from the router console. Note that the Telnet attempt from H1 to H2 matches the first statement and is therefore logged as denied, while the UDP and ICMP packets match the second statement and are logged as permitted.
R1(config)#no access-list 123
R1(config)#access-list 123 deny tcp host 192.168.1.2 host 192.168.3.11 eq 23 log
R1(config)#access-list 123 permit ip 192.168.1.0 0.0.0.255 any log
R1(config)#access-list 123 deny ip any any log
R1(config)#end
R1#
*Sep  9 20:02:11.979: %SEC-6-IPACCESSLOGP: list 123 permitted udp 192.168.1.2(2138) 192.168.3.11(30), 1 packet
R1#
*Sep  9 20:02:53.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) 192.168.3.11(23), 1 packet
R1#
*Sep  9 20:03:48.279: %SEC-6-IPACCESSLOGP: list 123 permitted icmp 192.168.1.2 192.168.3.20(8/0), 1 packet
Diagram 2, Image
A desktop PC with a large red alert sign displayed on the screen. A "more info" text box lists the logging levels, by severity:
Severity 0 - emergencies - System is unusable
Severity 1 - alerts - Immediate action needed
Severity 2 - critical - Critical conditions
Severity 3 - errors - Error conditions
Severity 4 - warnings - Warning conditions
Severity 5 - notifications - Normal but significant conditions
Severity 6 - informational - Informational messages
Severity 7 - debugging - Debugging messages
Other logging keywords without a severity level: filtered - enable filtered logging; guaranteed - guarantee console messages; xml - enable logging in XML.
(The ACL messages above carry severity 6, informational, as the %SEC-6 prefix shows; a logging destination configured for a lower level will not receive them.)
Diagram 3, Hands-on Lab
8.5.2 - Analyzing Router Logs
Three Diagrams
Diagram 1, Image
A man on his cellular phone is thinking "The router is alerting me to an emergency on the network."
On the other side of the image a router is sending out an emergency message to the man.
Diagram 2, Image
Map of the world with a vertical line going through Greenwich, England, indicating Greenwich Mean Time (GMT).
Diagram 3, Hands-on Lab
8.5.3 - ACL Best Practices
Single Diagram
Diagram 1, Image
An image of a note with the following message on it:
Best Practices:
- Create and edit ACLs in a text editor, such as Notepad; do not edit a live ACL.
- Always test basic connectivity before applying ACLs.
- When logging, add the deny ip any any log statement to the end of the ACL.
- Use the reload in 30 command when working with remote routers and testing ACL functionality (and cancel the pending reload with reload cancel once the new ACL is confirmed working).
8.6 - Chapter Summary
8.6.1 - Summary
5 Slide Positions
Slide 1, Image
The diagram depicts a router directly connected to a switch, and connected to the switch are four computers. The switch and the four computers make up the internal network; one of the computers has its MAC address displayed as xx:xx:xx:xx:xx:xx. Incoming messages to the router are handled as follows: message 1 - IP address 192.168.1.5 - access denied; message 2 - HTTP protocol - message accepted; message 3 - IP address 172.16.0.0 - message accepted; message 4 - Telnet access - message denied. The following points are mentioned:
* Traffic filtering is the process of analyzing the contents of a packet to determine whether the packet should be allowed or blocked.
* ACLs enable management of traffic and security access to and from a network and its resources.
* There are three types of ACLs: standard, extended and named.
* ACLs filter traffic based on source and destination IP address, application and protocol.
* Apply an ACL to a router interface to examine packets that are inbound or outbound.
Slide Position 2, Image
The diagram depicts four lines of information as listed below.
Wildcard mask that permits a single host: 172.16.22.87 0.0.0.0, or with the host keyword, host 172.22.8.17
Wildcard mask that permits the range of hosts in a /24 network: 172.16.22.0 0.0.0.255
Wildcard mask that permits an entire /16 network: 172.16.0.0 0.0.255.255
Wildcard mask that permits an entire /8 network: 10.0.0.0 0.255.255.255
* Using a wildcard mask provides flexibility: one statement can block a range of addresses or whole networks.
* The wildcard mask is applied to the incoming address and to the comparison address to determine which bits must match: a 0 bit in the mask must match, a 1 bit is ignored.
* To determine the wildcard mask, subtract the decimal subnet mask of the address or range from the all-255s mask (255.255.255.255).
* The keyword any refers to all hosts and the keyword host refers to an individual IP address.
Slide Marker 3, Image
ACL Processing and Creation Guidelines
* Configure only one access list per protocol per direction.
* Apply standard access lists closest to the destination.
* Apply extended access lists closest to the source.
* Use the correct number range for the type of list.
* Determine the inbound or outbound direction by looking at the port from inside the router.
* Statements are processed sequentially from the top of the list to the bottom.
* A packet is denied if no match is found.
* Enter the access list statements in order from specific to general.
* Include at least one permit statement in an ACL, or all traffic will be denied.
Information also available on this page includes:
- Standard ACLs filter on source IP address and are placed as close to the destination as possible.
- Extended ACLs can filter on source and destination addresses, as well as on protocol and port number, and should be placed as close to the source as possible.
- Decide placement of ACLs based on the type of ACL and the requirements.
- Each interface supports one ACL per direction per protocol.
- Create an ACL using a unique identifier and apply it either inbound or outbound on an interface using the ip access-group command.
- The show ip interface, show access-list and show running-config commands allow a network administrator to view all ACLs that have been configured on a router.
- Named ACLs offer all the functionality and advantages of standard and extended ACLs.
- ACLs restrict VTY access to increase network security. The access-class command is used to apply a VTY ACL.
Slide Position 4, Image
The diagram depicts an Ethernet frame. The frame is as follows: MAC address header | IP header (addresses) | TCP header (ports) | Data | FCS
- Extended ACLs filter on source and destination IP addresses, protocol and the destination application port number in a frame.
- ACLs filter a range of ports using the gt, lt or range operators.
- Use the established parameter to filter TCP traffic that is a response to a request (segments with the ACK or RST bit set).
- The order in which the statements are written has an impact on how the router performs.
- There are different ways to approach writing ACLs: permit specific traffic first and then deny general traffic, or deny specific traffic first and then permit general traffic.
- Network administrators account for NAT when creating and applying ACLs.
- Apply ACLs to VLAN interfaces just as with physical interfaces.
Slide Position 5, Image
The image depicts a map of the world with Greenwich Mean Time (GMT) shown. The relevant information is shown in a summary:
- An ACL statement counts the number of matches and displays the count at the end of each matched statement.
- Logging gives additional details on packets permitted or denied. To activate logging, add the log option to the end of each ACL statement.
- Add deny ip any any log to monitor the number of packets that are not matched by previous ACL statements.
- The process of logging events places an additional load on the router.
- The log contents can be sent to an external syslog server.
- Always set the service timestamps for logging and be sure the router date and time are set correctly so that log files display the proper time stamp.
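Worked example, added for this edition and not Cisco code or part of the module: a small Python model of the evaluation rules summarised above (wildcard-mask matching, top-down first match, implicit deny, per-statement match counters). It runs the 8.5.1 animation's ACL 123, the same two statements in reversed order, and a statement for the 8.4.4 placement activity (access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.84 eq 80, an assumed answer built from the activity's components) against constructed packets. Only the eq port operator is modelled; the Ace, Acl and Packet names and the sample packets are the example's own.

```python
"""Added example (not Cisco code, not from the module): a minimal model of how
IOS evaluates an extended IP ACL: wildcard-mask matching, top-down first match,
implicit deny and per-statement match counters. Names and packets are the
example's own; only the 'eq <port>' operator is modelled."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "ftp-data": 20, "domain": 53}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match the base address, bit 1 = don't care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF & ~w
    return (a & care) == (b & care)


def subnet_to_wildcard(mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask (the module's rule)."""
    return str(IPv4Address(0xFFFFFFFF - int(IPv4Address(mask))))


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None
    log: bool = False
    matches: int = 0  # what 'show access-list' reports as (n matches)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _address(toks: List[str], pos: int):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (addr, wc, next pos)."""
    if toks[pos] == "any":
        return "0.0.0.0", "255.255.255.255", pos + 1
    if toks[pos] == "host":
        return toks[pos + 1], "0.0.0.0", pos + 2
    return toks[pos], toks[pos + 1], pos + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny proto src dst [eq port] [log]'."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(line)
    src, src_wc, pos = _address(toks, 4)
    dst, dst_wc, pos = _address(toks, pos)
    dport = None
    if pos < len(toks) and toks[pos] == "eq":
        dport = PORT_NAMES.get(toks[pos + 1]) or int(toks[pos + 1])
    return Ace(toks[2], toks[3], src, src_wc, dst, dst_wc, dport, toks[-1] == "log")


class Acl:
    def __init__(self, *lines: str):
        self.aces = [parse_ace(l) for l in lines]

    def evaluate(self, pkt: Packet) -> str:
        """Top-down, first match wins. No match falls to the implicit deny, which is
        neither counted nor logged; hence the explicit 'deny ip any any log'."""
        for ace in self.aces:
            if ace.proto not in ("ip", pkt.proto):
                continue
            if not (wildcard_match(pkt.src, ace.src, ace.src_wc)
                    and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)):
                continue
            if ace.dport is not None and ace.dport != pkt.dport:
                continue
            ace.matches += 1
            return ace.action
        return "deny"


ACL123_LINES = (  # the 8.5.1 animation's list
    "access-list 123 deny tcp host 192.168.1.2 host 192.168.3.11 eq 23",
    "access-list 123 permit ip 192.168.1.0 0.0.0.255 any",
)
ACL123 = Acl(*ACL123_LINES)
ACL123_REVERSED = Acl(*reversed(ACL123_LINES))  # same lines, wrong order
# Assumed answer to the 8.4.4 placement activity, built from its components;
# 10.1.2.0/24, FTP and everything else fall to the implicit deny.
ACL101 = Acl("access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.84 eq 80")


def demo() -> dict:
    """Constructed packets modelled on the animation and the activity."""
    telnet_h1_h3 = Packet("tcp", "192.168.1.2", "192.168.3.11", 23)
    return {
        "h1_telnet_h3": ACL123.evaluate(telnet_h1_h3),
        "h2_telnet_h3": ACL123.evaluate(Packet("tcp", "192.168.1.3", "192.168.3.11", 23)),
        "h1_ping_h3net": ACL123.evaluate(Packet("icmp", "192.168.1.2", "192.168.3.20")),
        "h1_telnet_reordered": ACL123_REVERSED.evaluate(telnet_h1_h3),
        "lan1_http_web": ACL101.evaluate(Packet("tcp", "10.1.1.7", "192.168.1.84", 80)),
        "lan1_ftp_web": ACL101.evaluate(Packet("tcp", "10.1.1.7", "192.168.1.84", 21)),
        "lan2_http_web": ACL101.evaluate(Packet("tcp", "10.1.2.7", "192.168.1.84", 80)),
    }
```

After demo() the counters on ACL123 read [1, 2], the same (1 match) / (1 match) picture the show access-list output gives once H1's Telnet and one permitted packet have passed, and the reversed list permits the Telnet that the original denies, which is the "specific before general" rule in action. Packets that reach the end of ACL101 return deny without incrementing any counter, which is exactly why the module recommends a closing deny ip any any log when you need to see what the implicit deny is dropping.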
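A second added example, again not from the module or from Cisco: a parser for the %SEC-6-IPACCESSLOGP messages shown in 8.5.1 that decodes the severity digit using the level table from that section (the ACL messages are severity 6, informational), totals packets per list, action, protocol and destination port, and counts entries that arrived without a timestamp, which is what the console shows when service timestamps is not configured. The sample lines are constructed after the animation's output; IOS normally prints a "->" between source and destination, and the pattern accepts both forms so that lines which lost the arrow in copying still parse. The parse_line and summarize names are the example's own.

```python
"""Added example (not Cisco code, not from the module): parse the
%SEC-6-IPACCESSLOGP messages that the 'log' keyword produces, decode the
severity digit with the module's logging-level table, total packets per
list/action/port and flag entries that carry no timestamp. Sample lines are
constructed after the 8.5.1 animation output."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# The timestamp is optional: it is only present when 'service timestamps log' is set.
# IOS prints '->' between source and destination; the pattern also accepts the
# form without it, as copied text sometimes loses the arrow.
LOG_RE = re.compile(
    r"^(?:\*?(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s+)?"
    r"%(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9]+):\s+"
    r"list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))?\s*(?:->)?\s*"
    r"(?P<dst>\d+(?:\.\d+){3})\s*(?:\((?P<dinfo>[\d/]+)\))?,\s+(?P<count>\d+)\s+packets?"
)

SAMPLE_LOG: List[str] = [  # constructed; modelled on the animation's console output
    "*Sep  9 20:02:11.979: %SEC-6-IPACCESSLOGP: list 123 permitted udp 192.168.1.2(2138) 192.168.3.11(30), 1 packet",
    "*Sep  9 20:02:53.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) -> 192.168.3.11(23), 1 packet",
    "*Sep  9 20:03:48.279: %SEC-6-IPACCESSLOGP: list 123 permitted icmp 192.168.1.2 192.168.3.20(8/0), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1142) -> 192.168.3.11(23), 4 packets",
    "%SYS-5-CONFIG_I: Configured from console by console",  # not an ACL message
]


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields of one ACL log message, or None for any other line."""
    m = LOG_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["level"] = SEVERITY[rec["sev"]]
    rec["count"] = int(rec["count"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    if rec["proto"] in ("tcp", "udp"):
        rec["dport"] = int(rec["dinfo"]) if rec["dinfo"] else None
    else:
        rec["dport"] = None  # for ICMP, dinfo holds 'type/code' instead of a port
    return rec


def summarize(lines: List[str]) -> Tuple[Counter, int]:
    """Packets per (list, action, protocol, dst port), plus the number of ACL
    messages logged without a timestamp (service timestamps not configured)."""
    totals: Counter = Counter()
    untimestamped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        totals[(rec["acl"], rec["action"], rec["proto"], rec["dport"])] += rec["count"]
        if rec["ts"] is None:
            untimestamped += 1
    return totals, untimestamped
```

Run over the sample, the denied Telnet attempts to 192.168.3.11 port 23 add up to five packets across two messages, and one message is flagged as untimestamped; on a real router that flag is the cue to configure service timestamps log datetime and set the clock before the log is worth correlating with anything else.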