Network ACL Configuration Guide

The document discusses configuring IP ACLs on routers to secure access and filter traffic. It describes creating standard and extended ACLs, applying them to router interfaces, and testing connectivity with pings. Specific ACLs are created to block remote router access except from an internal PC, and permit certain server services while denying HTTPS.


PRACTICAL NO 4: Configure IP ACLs to Mitigate Attacks.

Access Control Lists (ACLs)

Network administrators must figure out how to deny unwanted access to the network while allowing internal users appropriate access to necessary services. Although security tools such as passwords, callback equipment, and physical security devices are helpful, they often lack the flexibility of basic traffic filtering and the specific controls most administrators prefer.

For example, a network administrator may want to allow users access to the Internet, but not permit external users Telnet access into the LAN.

Routers provide basic traffic filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL.

Some ACL decision points are:
1) IP source address
2) IP destination address
3) UDP or TCP protocol
4) Upper-layer (TCP/UDP) port numbers

ACLs must be defined on a:
1) Per-protocol (IP, IPX, AppleTalk)
2) Per-direction (in or out)
3) Per-port (interface) basis.

ACLs control traffic in one direction at a time on an interface. A separate ACL would need to be created for each direction, one for inbound and one for outbound traffic. Finally, every interface can have multiple protocols and directions defined.

An ACL is a group of statements that define whether packets are accepted or rejected coming into an interface or leaving an interface.
1) ACL statements operate in sequential, logical order (top down).
2) If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
3) If none of the ACL statements match, an implicit "deny any" statement at the end of the list drops the packet by default. This statement is not visible in the configuration.
When first learning how to create ACLs, it is a good idea to add an explicit deny at the end of each ACL, so that the behaviour of the hidden implicit deny is visible in the configuration.

Standard IP ACLs can only filter on source IP addresses.

Extended IP ACLs can filter on:
1) Source IP address
2) Destination IP address
3) Protocol (TCP, UDP)
4) Port numbers (Telnet – 23, HTTP – 80, etc.) and other parameters

An access list is a sequential series of commands or filters. These lists tell the router which types of packets to accept or deny; acceptance and denial can be based on specified conditions. ACLs are applied on the router's interfaces.

We use the following topology to study the present case.

Configuring PC1

Configuring Server0

Configuring Router0

Configuring Router1

Configuring Router2

The serial interface on each router is added as follows

Set up RIP on each router

Part 1: Verify Basic Connectivity

We can now verify the connectivity by pinging Server from PC

We can now verify the connectivity by pinging PC from Server

9
Part 2: Secure Access to Routers
We configure ACL 10 to block all remote access to the routers and allow remote access only from PC. We type the following commands in all the routers (Router0, Router1, and Router2). This part is divided into two subparts.

Part a) Set up the SSH protocol

Enter the following commands in CLI mode of all Routers

Router>enable
Router#configure t
Router(config)#ip domain-name ismail.com
Router(config)#hostname R0
R0(config)#
R0(config)#crypto key generate rsa
R0(config)#line vty 0 4
R0(config-line)#transport input ssh
R0(config-line)#login local
R0(config-line)#exit
R0(config)#username SSHadmin privilege 15 password ismail
R0(config)#exit
R0#

Part b) Create an ACL 10 to permit remote access to PC only

Enter the following commands in CLI mode of all Routers

Router>enable
Router#configure terminal
Router(config)#access-list 10 permit host 192.168.4.2
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in

Now we verify the remote access from PC using the following and find it to be successful.

Now we verify the remote access from Server using the following and find that it fails.
Part 3: Create a Numbered IP ACL 120 on R1
We need to perform the following in this part:

1) Create an IP ACL numbered 120 on R1 using the following rules:
   a) Permit any outside host to access DNS, SMTP, and FTP services on Server
   b) Deny any outside host access to HTTPS services on Server
   c) Permit PC to access R1 via SSH (done in the previous part)

Enter the following commands in the CLI mode of Router1

R1>enable
R1#
R1#configure terminal
R1(config)#access-list 120 permit udp any host 192.168.1.2 eq domain
R1(config)#access-list 120 permit tcp any host 192.168.1.2 eq smtp
R1(config)#access-list 120 permit tcp any host 192.168.1.2 eq ftp
R1(config)#access-list 120 deny tcp any host 192.168.1.2 eq 443
R1(config)#exit
R1#
R1#configure terminal
R1(config)#interface Serial0/1/1
R1(config-if)#ip access-group 120 in
R1(config-if)#exit

Verify the above by entering the following commands in the PC.

Because ACL 120 ends with the implicit deny, any inbound traffic on Serial0/1/1 that does not match one of its four statements is dropped, not only the HTTPS connections covered by the explicit deny statement.

Hence we have applied and verified all the required ACLs.
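As an added example (not part of the lab handout), the following Python models the top-down, first-match evaluation with the implicit deny described earlier and runs the lab's ACL 10 and ACL 120 against constructed packets; the packet addresses and the well-known port table are assumptions of the example, and wildcard masks are supported even though the lab only uses host and any.

```python
# Added example, not from the lab handout: a minimal model of how a router walks a
# numbered IP ACL top-down, first match wins, with the implicit deny at the end.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport")  # proto: "tcp" | "udp" | "icmp"
WELL_KNOWN = {"domain": 53, "smtp": 25, "ftp": 21, "ssh": 22, "www": 80, "https": 443}

# ACL lines exactly as configured in Part 2 and Part 3 of the lab
ACL_10 = ["access-list 10 permit host 192.168.4.2"]
ACL_120 = [
    "access-list 120 permit udp any host 192.168.1.2 eq domain",
    "access-list 120 permit tcp any host 192.168.1.2 eq smtp",
    "access-list 120 permit tcp any host 192.168.1.2 eq ftp",
    "access-list 120 deny tcp any host 192.168.1.2 eq 443",
]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _match_addr(tokens, addr):
    """Consume one address spec (any | host A | A WILDCARD) from tokens and test addr."""
    kw = tokens.pop(0)
    if kw == "any":
        return True
    if kw == "host":
        return _ip(tokens.pop(0)) == _ip(addr)
    wild = _ip(tokens.pop(0))  # Cisco wildcard mask: 1 bits mean "don't care"
    return (_ip(addr) & ~wild) == (_ip(kw) & ~wild)

def _match_entry(entry, pkt):
    """True if one 'access-list N permit|deny ...' statement matches the packet."""
    tokens = entry.split()[3:]  # drop 'access-list', the list number and the action
    if tokens[0] not in ("ip", "tcp", "udp", "icmp"):
        return _match_addr(tokens, pkt.src)  # standard ACL: source address only
    proto = tokens.pop(0)
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (_match_addr(tokens, pkt.src) and _match_addr(tokens, pkt.dst)):
        return False
    if tokens[:1] != ["eq"]:
        return True  # no port qualifier, so any destination port matches
    port = tokens[1]
    return pkt.dport == (int(port) if port.isdigit() else WELL_KNOWN[port])

def evaluate(acl, pkt):
    """Walk the ACL top-down; the first matching statement decides the packet."""
    for entry in acl:
        if _match_entry(entry, pkt):
            return entry.split()[2]  # "permit" or "deny"
    return "deny"  # the implicit "deny any" that never appears in the configuration
```

An ICMP packet to 192.168.1.2 comes back as "deny" from ACL_120 even though no statement mentions ICMP: that is the implicit deny at work.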

