Tasks:
Configure ACLs as follows (hints below):
1) Restrict traffic internally as follows:
- Use access list number 100
- Inside PC 1 on subnet 10.1.2.0/24 can only access HTTP servers 1 and 2 on subnet 10.1.1.0/24 using HTTP and HTTPS (Use only two lines in your ACL to accomplish this).
- No other PCs or servers on subnet 10.1.2.0/24 can access subnet 10.1.1.0/24 (Add this line explicitly. In production the entry would carry the log keyword so that denied attempts are logged, but Packet Tracer does not support logging)
- Hosts on subnet 10.1.2.0/24 can access any other network
- Bind access list in the most efficient place on Router1
2) Restrict traffic externally as follows:
- Use access list number 101
- Any external device can access internal HTTP Servers using HTTP or HTTPS
- No external device can access the user subnet 10.1.2.0/24 (Add this line explicitly. In production the entry would carry the log keyword so that denied attempts are logged, but Packet Tracer does not support logging)
- Bind access list in the most efficient place on Router1
3) Verification:
- Verify that Inside PC1 can access the internal HTTP servers 1 and 2, but not other HTTP servers (server 3 and 4)
- Verify that Inside PC2 cannot access the internal HTTP servers
- Verify that both inside PC1 and PC2 can browse to cisco.com and facebook.com
- Verify that Outside PC1 can access both internal servers using HTTP (Server 1) and HTTPS (Server 2), but cannot ping the inside PCs
Hints:
1) Think about how binary works
2) Think about DNS traffic
3) Think about return traffic from the Internet servers
Solution:
Here is the basic format of an extended access list entry (numbers 100-199). Source and destination port information is optional and only applies to TCP and UDP; established only applies to TCP:
Router(config)# access-list NUMBER {permit | deny} PROTOCOL SOURCE SOURCE_WILDCARD [eq SOURCE_PORT] DESTINATION DESTINATION_WILDCARD [eq DESTINATION_PORT] [established]
PC1 is assigned IP address 10.1.2.101, Server 1 is assigned 10.1.1.100 and Server 2 is assigned 10.1.1.101. Access list 100 needs permit entries for HTTP and HTTPS from 10.1.2.101 to both servers, and the task allows only two lines. Hint 1 (binary) is the key: 100 is 01100100 and 101 is 01100101 in binary, so the two server addresses differ only in the last bit. In a wildcard mask a 0 bit must match and a 1 bit is "don't care", so 10.1.1.100 with wildcard 0.0.0.1 matches exactly 10.1.1.100 and 10.1.1.101 and no other host on the subnet. The source 10.1.2.101 0.0.0.0 is a single host (host 10.1.2.101 is the equivalent shorthand):
Router1(config)#access-list 100 permit tcp 10.1.2.101 0.0.0.0 10.1.1.100 0.0.0.1 eq 80
Router1(config)#access-list 100 permit tcp 10.1.2.101 0.0.0.0 10.1.1.100 0.0.0.1 eq 443
Next, add the explicit deny from 10.1.2.0/24 to 10.1.1.0/24. Order matters: an access list is evaluated top down and the first matching entry wins, so this deny must come after the two permits, otherwise PC1's web traffic would be dropped too.
Router1(config)#access-list 100 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Finally, permit hosts on 10.1.2.0/24 to reach any other network. Without this entry the implicit deny at the end of every access list would drop all remaining traffic from the subnet, including the DNS queries and the web requests to the Internet.
Router1(config)#access-list 100 permit ip 10.1.2.0 0.0.0.255 any
Access list 100 filters traffic sourced from 10.1.2.0/24, so the most efficient place to bind it is inbound on the Router1 interface that connects to that subnet, GigabitEthernet0/0/0 in this lab. Extended access lists are placed as close to the source as possible: unwanted packets are dropped as they enter the router, before a routing decision is made for them.
Router1(config)#interface GigabitEthernet0/0/0
Router1(config-if)#ip access-group 100 in
For access list 101, any external device (the outside network in this lab is 8.8.8.0/24) must be able to reach the internal HTTP servers on TCP 80 and 443. The keyword any is equivalent to 0.0.0.0 255.255.255.255, and the destination is the whole server subnet 10.1.1.0/24:
Router1(config)#access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 80
Router1(config)#access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 443
Hint 3 (return traffic): a final deny of everything to 10.1.2.0/24 would also drop the replies that Internet web servers send back to the inside PCs, so those replies need a permit before the deny. The established keyword matches TCP segments that have the ACK or RST bit set, i.e. segments that belong to a connection an inside host already initiated. A bare SYN from outside, which is how a new connection to an inside PC would start, does not match and falls through to the deny.
Router1(config)#access-list 101 permit tcp any 10.1.2.0 0.0.0.255 established
Caveat: established is not stateful inspection. It only looks at TCP flags, so any packet with ACK set, including an unsolicited ACK scan of the user subnet, passes this entry. Outside a lab, return traffic is handled with reflexive access lists or the zone-based firewall, which track real connection state.
Hint 2 (DNS): the inside PCs resolve cisco.com and facebook.com through the DNS server at 8.8.8.8, and DNS runs over UDP, for which there is no established keyword, so the replies must be permitted explicitly. A DNS reply is sent by the server from source port 53 (domain) to whatever ephemeral port the client used, so the entry fixes the source port at 53 and leaves the destination port unspecified:
Router1(config)#access-list 101 permit udp host 8.8.8.8 eq domain 10.1.2.0 0.0.0.255
Finally, the explicit deny for everything else destined to the user subnet. This is also what blocks ICMP, which is why Outside PC1 cannot ping the inside PCs. Traffic that matches no entry at all (for example, connections to 10.1.1.0/24 on ports other than 80 and 443) is dropped by the implicit deny at the end of the list.
Router1(config)#access-list 101 deny ip any 10.1.2.0 0.0.0.255
Access list 101 filters traffic arriving from the outside, so bind it inbound on the Router1 interface facing the external network, GigabitEthernet0/0/1:
Router1(config)#interface GigabitEthernet0/0/1
Router1(config-if)#ip access-group 101 in
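The following Python script is an added example, not part of the original lab and not Cisco code. It models the subset of IOS extended-ACL syntax used above (ip/tcp/udp, any, host, wildcard masks, eq PORT, established) with first-match-wins and implicit-deny semantics, then replays the verification steps against the two access lists exactly as entered on Router1. It shows why the wildcard 0.0.0.1 covers Server 1 and 2 but nothing else, why the established entry passes web replies but not a new SYN, why the DNS reply needs its own UDP entry, and the caveat that an unsolicited ACK-flagged segment also passes established. The ACL text is copied from the solution; the packet samples are constructed, and 10.1.1.102 is a hypothetical address for Server 3.

```python
"""Offline evaluator for the two extended ACLs in this lab (added example)."""
import ipaddress

# Constructed sample: the entries configured on Router1 above.
ACL_100 = """
access-list 100 permit tcp 10.1.2.101 0.0.0.0 10.1.1.100 0.0.0.1 eq 80
access-list 100 permit tcp 10.1.2.101 0.0.0.0 10.1.1.100 0.0.0.1 eq 443
access-list 100 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
"""
ACL_101 = """
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 80
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 443
access-list 101 permit tcp any 10.1.2.0 0.0.0.255 established
access-list 101 permit udp host 8.8.8.8 eq domain 10.1.2.0 0.0.0.255
access-list 101 deny ip any 10.1.2.0 0.0.0.255
"""
PORT_NAMES = {"domain": 53, "www": 80}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; return None when absent."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None


def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P] [established]'."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        rest = tok[4:]
        src = _parse_addr(rest)
        sport = _parse_port(rest)
        dst = _parse_addr(rest)
        dport = _parse_port(rest)
        entries.append(dict(action=tok[2], proto=tok[3], src=src, sport=sport,
                            dst=dst, dport=dport, established="established" in rest))
    return entries


def evaluate(acl, pkt):
    """Top-down, first match wins; returns (action, entry index). No match = implicit deny."""
    for i, e in enumerate(acl):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e["src"]) or not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["sport"] is not None and pkt.get("sport") != e["sport"]:
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        # 'established' is not stateful: it only checks for the ACK or RST flag.
        if e["established"] and not (pkt.get("ack") or pkt.get("rst")):
            continue
        return e["action"], i
    return "deny", None


def tcp(src, dst, dport, sport=49152, ack=False, rst=False):
    """Constructed TCP packet; ack=False models a fresh SYN, ack=True a reply or mid-stream segment."""
    return dict(proto="tcp", src=src, dst=dst, sport=sport, dport=dport, ack=ack, rst=rst)


def verify():
    """Replay the lab's verification steps; returns the action taken for each case."""
    a100, a101 = parse_acl(ACL_100), parse_acl(ACL_101)
    return {
        "pc1_to_srv1_http": evaluate(a100, tcp("10.1.2.101", "10.1.1.100", 80))[0],
        "pc1_to_srv2_https": evaluate(a100, tcp("10.1.2.101", "10.1.1.101", 443))[0],
        # 10.1.1.102 (hypothetical Server 3) differs from .100 in bit 1, not bit 0: not covered by 0.0.0.1
        "pc1_to_srv3_http": evaluate(a100, tcp("10.1.2.101", "10.1.1.102", 80))[0],
        "pc2_to_srv1_http": evaluate(a100, tcp("10.1.2.102", "10.1.1.100", 80))[0],
        "pc1_to_internet": evaluate(a100, tcp("10.1.2.101", "8.8.8.100", 80))[0],
        "outside_to_srv1_http": evaluate(a101, tcp("8.8.8.100", "10.1.1.100", 80))[0],
        "outside_syn_to_pc1": evaluate(a101, tcp("8.8.8.100", "10.1.2.101", 80))[0],
        "web_reply_to_pc1": evaluate(a101, tcp("8.8.8.100", "10.1.2.101", 49152, sport=80, ack=True))[0],
        "dns_reply_to_pc1": evaluate(a101, dict(proto="udp", src="8.8.8.8", dst="10.1.2.101",
                                                sport=53, dport=49152))[0],
        "outside_ping_pc1": evaluate(a101, dict(proto="icmp", src="8.8.8.100", dst="10.1.2.101"))[0],
        # Caveat: an unsolicited ACK-flagged segment (ACK scan) still passes 'established'.
        "ack_scan_to_pc1": evaluate(a101, tcp("8.8.8.100", "10.1.2.101", 22, ack=True))[0],
    }


if __name__ == "__main__":
    for case, action in verify().items():
        print(f"{case:22s} {action}")
```

Running the script prints permit for the PC1-to-Server 1/2, PC1-to-Internet, outside-to-server, web-reply and DNS-reply cases and deny for PC1-to-Server 3, PC2-to-servers, the outside SYN and the ping, matching section 3 of the task; the last case shows the established caveat, so treat that entry as a lab convenience rather than a firewall.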