Monday, April 11, 2016

CCNAv2 Completed Packet Tracer 9.3.2.12

Greetings, and welcome to Seeseenayy.
Packet Tracer Details: This packet tracer tasks us with configuring a named extended ACL, which we then apply to an interface and verify. The packet tracer asks us to use a single named Access Control List / ACL to implement the following policy:
  a. Block HTTP/HTTPS access from PC1 to Server1 & Server2. The servers are inside the cloud and we are the only ones who know their addresses.
  b. Block FTP access from PC2 to Server1 and Server2.
  c. Block ICMP access from PC3 to Server1 and Server2.

The following description within the PT Side Window is more or less useless to us; it provides nothing other than the order of the statements (which is important, but we should know this already).
We would then need to verify its configuration, using certain show commands and testing access from the PCs to the servers or addresses we had blocked with our ACL.


Below you will find a download of the completed packet tracer file. It is recommended that you read the tutorial, it provides knowledge on the configuration of this ACL.


Download(s)

Alternatively, you may use the commands from the tutorial.

Tutorial / Walk-through 
Our scenario starts off with (most likely, I didn't check) full access to devices all across this LAN/Network. We need to stop and restrict some access from some networks. Specifically, the access of Server 1 & Server 2's FTP access from PC2, HTTP/HTTPS from PC1, and ICMP from PC3, in order, of course.

So, let's start off. Open Router 1. Basic intro.
RT1>en
RT1#conf t

Let's create a named extended Access Control List called ACL.
RT1(config)#ip access-list extended ACL

Using your Addressing Table from either the PDF or the Side Window from the PT, match the correct addresses that the PT wants to have the ACL block to the correct server and their respective features. 

Deny HTTP(80) and HTTPS(443) for the appropriate PC.
RT1(config-ext-nacl)#deny tcp host 172.31.1.101 host 64.101.255.254 eq 80
RT1(config-ext-nacl)#deny tcp host 172.31.1.101 host 64.101.255.254 eq 443

Deny HTTP(80) and HTTPS(443) from the same PC to the second server.
RT1(config-ext-nacl)#deny tcp host 172.31.1.101 host 64.103.255.254 eq 80
RT1(config-ext-nacl)#deny tcp host 172.31.1.101 host 64.103.255.254 eq 443

Deny FTP (21) for the appropriate devices.
RT1(config-ext-nacl)#deny tcp host 172.31.1.102 host 64.101.255.254 eq 21
RT1(config-ext-nacl)#deny tcp host 172.31.1.102 host 64.103.255.254 eq 21

Deny ICMP/PINGING from the appropriate devices.
RT1(config-ext-nacl)#deny icmp host 172.31.1.103 host 64.101.255.254
RT1(config-ext-nacl)#deny icmp host 172.31.1.103 host 64.103.255.254
RT1(config-ext-nacl)#permit ip any any

Apply this ACL to the interface, so that the blocks we configured take effect on traffic entering the router from the PCs' LAN.
RT1(config-ext-nacl)#ex
RT1(config)#int g0/0

I personally am confused why we would use 'in' for the ACL-- I understand that the inward traffic will be denied if it is categorized in our ACL, but it seems unnecessary, honestly, as if it was blocked outwards the servers wouldn't have to waste resources trying to respond to a host that won't respond. Rather, have the option to respond.

Either way, this will work, but it honestly should be the other way if possible. But this is just me, the command works so listen to that. 
RT1(config-if)#ip access-group ACL in

(END OF TUTORIAL, FOLLOWING IS A REMINDER)
Some of you might have watched a YouTube video on this, or other custom ACL videos for PTs like this. REMEMBER that "ACL" after 'access-group' is the name/ID of an ACL, so when you put this command all the way at the top:
RT1(config)#ip access-list extended ACL

You named your ACL just "ACL", so when you assign it somewhere make sure you're using the right name. 

PDF Answers / 9.3.2.12 Configuring Extended ACLs PDF/DOC Completed / Instructor / Instructions


The PDF provided with the packet tracer is essentially asking what commands we used for our ACL and how to apply it. 

Create an extended IP access list named ACL which will deny PC1 access to the HTTP and HTTPS services of Server1 and Server2. Because it is impossible to directly observe the subnet of servers on the Internet, four rules are required.

What is the command to begin the named ACL? 
It depends on what name you want to use, but in this Packet Tracer the command is "ip access-list extended ACL". If you choose a different name for the extended ACL, replace "ACL" with that name here and wherever you apply it.

Record the statement that denies access from PC1 to Server1, only for HTTP (port 80).
deny tcp host 172.31.1.101 host 64.101.255.254 eq 80

Record the statement that denies access from PC1 to Server1, only for HTTPS (port 443).
deny tcp host 172.31.1.101 host 64.101.255.254 eq 443

Record the statement that denies access from PC1 to Server2, only for HTTP.
deny tcp host 172.31.1.101 host 64.103.255.254 eq 80

Record the statement that denies access from PC1 to Server2, only for HTTPS.
deny tcp host 172.31.1.101 host 64.103.255.254 eq 443

Record the statement that denies access from PC2 to Server1, only for FTP (port 21 only).

deny tcp host 172.31.1.102 host 64.101.255.254 eq 21

Record the statement that denies access from PC2 to Server2, only for FTP (port 21 only).
deny tcp host 172.31.1.102 host 64.103.255.254 eq 21

Record the statement that denies ICMP access from PC3 to Server1. 
deny icmp host 172.31.1.103 host 64.101.255.254

Record the statement that denies ICMP access from PC3 to Server2. 
deny icmp host 172.31.1.103 host 64.103.255.254

By default, an access list denies all traffic that does not match any rule in the list. What command permits all other traffic? permit ip any any

What are the commands you need to apply the ACL to the correct interface and in the correct direction? You need to be in configuration mode for the interface you want to filter (in this case, g0/0) and use 'ip access-group ACL' followed by the direction (in/out); here we use in.
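To see how RT1 walks this ACL for the PDF answers above and for the statements entered in the tutorial, here is an added example (not from the lab, Cisco, or the original post) that simulates the matching rules of an IOS extended ACL: statements are checked top-down, the first match wins, and anything that matches nothing hits the implicit deny at the end. The packets are constructed from the lab's addressing.

```python
"""Simulate first-match evaluation of the named extended ACL from this lab.
Added example; constructed packets use the lab's PC and server addresses."""
from dataclasses import dataclass
from typing import Optional

# The ACL exactly as entered on RT1 in the tutorial (order matters).
ACL_LINES = [
    "deny tcp host 172.31.1.101 host 64.101.255.254 eq 80",
    "deny tcp host 172.31.1.101 host 64.101.255.254 eq 443",
    "deny tcp host 172.31.1.101 host 64.103.255.254 eq 80",
    "deny tcp host 172.31.1.101 host 64.103.255.254 eq 443",
    "deny tcp host 172.31.1.102 host 64.101.255.254 eq 21",
    "deny tcp host 172.31.1.102 host 64.103.255.254 eq 21",
    "deny icmp host 172.31.1.103 host 64.101.255.254",
    "deny icmp host 172.31.1.103 host 64.103.255.254",
    "permit ip any any",
]


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "icmp"
    src: str             # host address or "any"
    dst: str             # host address or "any"
    dport: Optional[int]  # destination port from "eq N", if present


def parse_ace(line: str) -> Ace:
    """Parse the IOS subset used in this lab: 'host X' or 'any', optional 'eq PORT'."""
    tok = line.split()
    i = 2  # tokens 0 and 1 are action and protocol

    def addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        i += 2  # skip the 'host' keyword and the address
        return tok[i - 1]

    src, dst = addr(), addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(tok[0], tok[1], src, dst, dport)


def evaluate(lines, proto, src, dst, dport=None) -> str:
    """Return 'permit' or 'deny' for one packet; unmatched packets are implicitly denied."""
    for ace in map(parse_ace, lines):
        if ace.proto not in ("ip", proto):
            continue
        if ace.src not in ("any", src) or ace.dst not in ("any", dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL
```

Dropping the final `permit ip any any` (`ACL_LINES[:-1]`) makes even PC1's SSH traffic to Server1 fall through to the implicit deny, which is why the lab's last statement is required.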





3 comments:

  1. From what I understand, The ACL should be put in the in position, so it will not waste resources by the router having to pass the packet to the outbound interface.

  2. Regarding the placement of the ACL, would it better to place it on the inbound interface (G0/0) or outbound interface (S0/0/0)?

    In this situation, I do feel like the inbound interface is the better option, since the packet doesn't have to be passed to the outgoing interface. The ACL filtering prevents packets from being moved to the outgoing interface unnecessarily.

    At the same time, there may be scenarios where it may be better to apply it on the S0/0/0 interface. For example, there are multiple networks and interfaces on RT1. It may be better to apply it on the outgoing interface as this may save the router from having to unnecessarily process the ACL statements unless it's required; local traffic will be routed across to the intended interface and only external traffic will be processed in this scenario.

    Is there a best practices guide on determining the most optimal placement?

  3. Hey thanks for sharing your labs. They've been a great help. I was doing the http strings wrong and this made them make sense.

    It looks like you doubled up on the FTP strings by copying them into the ICMP strings in your notes (in red). I was able to get icmp to work with:
    deny icmp host 172.31.1.103 host 64.101.255.254
    deny icmp host 172.31.1.103 host 64.103.255.254

    Thanks again!

