
ACL help

barryn13087 Member Posts: 10
this is the issue:

There are several security concerns in the internetwork. Develop Access Control Lists (ACLs) to address the security issues. The following are the concerns:

1. The company has an intranet web server host that all systems can reach at ip address 172.16.0.1 with only http access. no other protocols will be permitted to this site.

2. The company also has a server pool in the 209.0.0.0/24 network. The server pool addresses are divided in half. The servers in the upper half of the address range are reachable only by the management host using all possible IP protocols. The servers in the upper half of the address range are not reachable by production hosts using all IP protocols. The servers should not be accessible by any other hosts.

3. The company has discovered an Internet Web server at 198.0.0.1 that is known to contain viruses. All hosts are to be banned from reaching this site.

4. The web browser on both hosts can bring up login of ip address 62.0.0.1

These security requirements should be accomplished with a single access list. Plan the access list required to accomplish these tasks, to which interface this will be applied, and the direction the list will be applied.

my info is:

Location: Boaz
version: 8
WAN IP: 192.168.108.0/24
subnet mask: 255.255.255.0
Local LAN ip address 200.100.57.0
Subnets required 10 host addresses
Use 3rd subnet for the LAN. do not use subnet zero as the first subnet
igrp number is: 8

what i have found and assigned are:

Interface Serial 0: ip address 192.168.108.2, subnet: 255.255.255.0
Interface Ethernet 0: ip address 200.100.57.62, subnet: 255.255.255.240
Production host: ip address 200.100.57.49, subnet: 255.255.255.240
Management host: ip address 200.100.57.54, subnet: 255.255.255.240


1.
access-list 101 permit tcp 200.100.57.0 0.0.0.255 host 172.16.0.1 eq 80
access-list 101 deny tcp 200.100.57.0 0.0.0.255 host 172.16.0.1 eq 23
access-list 101 icmp 200.100.57.0 0.0.0.255 host 172.16.0.1 echo

2.
access-list 101 deny tcp 200.100.57.48 0.0.0.7 209.0.0.128 0.0.0.127
access-list 101 permit tcp 200.100.57.54 0.0.0.7 209.0.0.0 0.0.0.127

3. access-list 101 deny tcp any host 198.0.0.1

4.
access-list 101 permit tcp 200.100.57.0 0.0.0.255 host 62.0.0.1
access-list 101 permit tcp any any

Comments

  • Drakonblayde Member Posts: 542
    I'm not going to answer the question directly, but I will point out a couple mistakes that will hopefully help you.

    1.
    access-list 101 permit tcp 200.100.57.0 0.0.0.255 host 172.16.0.1 eq 80
    access-list 101 deny tcp 200.100.57.0 0.0.0.255 host 172.16.0.1 eq 23
    access-list 101 icmp 200.100.57.0 0.0.0.255 host 172.16.0.1 echo


    Ok, the second line is unnecessary. You have an implicit deny all all at the end of the ACL, so you only need to define the traffic that is allowed. So the deny between the two permits is totally unnecessary. When this ACL is applied, only the traffic. This is, of course, if the third line is supposed to be a permit. But looking back at the original problem, it's probably supposed to be a deny. That means only the first line is necessary.
    2.
    access-list 101 deny tcp 200.100.57.48 0.0.0.7 209.0.0.128 0.0.0.127
    access-list 101 permit tcp 200.100.57.54 0.0.0.7 209.0.0.0 0.0.0.127

    Again, the end of *every* ACL contains an implicit deny any any, so the very first line is unnecessary. All you need to do is define what traffic is permitted, and everything else is denied by default.
    3. access-list 101 deny tcp any host 198.0.0.1


    Well, if you were to apply this statement to an interface all by its lonesome, you would deny all traffic because, once again, there is an implicit deny all at the end of the ACL (that is a very key thing to remember when dealing with ACLs). To make this work, you would need to add a permit ip any any. In that case, all traffic to the designated host would be denied, and the permit ip any any would let all other traffic pass through.
    4.
    access-list 101 permit tcp 200.100.57.0 0.0.0.255 host 62.0.0.1
    access-list 101 permit tcp any any

    OK, this statement makes the first line totally worthless. You're permitting all tcp traffic, which means that any host would be able to hit that IP.



    Basically the way it works with ACLs is you either define what you're going to allow, and then it'll automatically deny everything else, or you define what you're going to deny and then allow everything else. You usually don't mix permit and deny statements.

    Ok, I changed my mind, I'm going to show the answers as soon as I work it out, I'm intrigued by the requirements here, they make for some dicey stuff
    = Marcus Drakonblayde
    ================
    CCNP-O-Meter:
    =[0%]==[25%]==[50%]==[75%]==[100%]
    ==[X]===[X]====[ ]=====[ ]====[ ]==
    =CCNA==BSCI==BCMSN==BCRAN==CIT=
  • Drakonblayde Member Posts: 542
    Ok, there's two ways to do this.

    In the first instance, if the hosts are not supposed to have any internet access, this is the way I'd do it (since the problem specifies that it should be done with a single access list, that's what I'm going to show)

    ;permit only http traffic to the webserver
    access-list 101 permit tcp any host 172.16.0.1 eq 80
    ;permit management access to the upper end server farm
    access-list 101 permit tcp host 200.100.57.54 209.0.0.128 0.0.0.127
    ;permit all hosts on the subnet access to the lower end servers
    access-list 101 permit tcp 200.100.57.48 0.0.0.207 209.0.0.0 0.0.0.127
    ;permit all hosts on the subnet access to http on the specified host
    access-list 101 permit tcp 200.100.57.48 0.0.0.207 host 62.0.0.1 eq 80
    ;deny all other traffic (implicit, but shown for clarification)
    access-list 101 deny ip any any


    In this instance, you wouldn't need to specify anything at all to meet condition number 3, the only problem is that this will block all outgoing traffic. Basically, all that's shown is allowed, the router will drop everything else.


    ;permit all http traffic to the web server, deny everything else
    access-list 101 permit tcp any host 172.16.0.1 eq 80
    access-list 101 deny tcp any host 172.16.0.1
    ;permit management console to hit all servers
    access-list 101 permit ip host 200.100.57.54 209.0.0.0 0.0.0.255
    ;deny lower end hosts access to upperlevel servers
    access-list 101 deny ip 200.100.57.48 0.0.0.207 209.0.0.128 0.0.0.127
    ;deny virus infected web-host
    access-list 101 deny ip any host 198.0.0.1
    ;permit all other traffic
    access-list 101 permit ip any any


    This one isn't quite as restrictive. It's one of the few times you'd be likely to mix permit and deny statements. When doing so, it's important to make sure the permit statements are done first since ACLs are processed sequentially. The first line would allow http traffic to the web server, but the second line stops anything else going to that host cold. For the second condition, again it's a mixed permit and deny. First you permit the management host to hit the entire /24 subnet that those servers are on, then you deny the entire subnet to the upper end servers (again, since the ACL is processed sequentially, it's not a problem to deny the entire subnet... if the .54 host was trying to hit the upper end servers, it's explicitly allowed to do so, the ACL would process the packet from .54, see it meets the condition, and then stop processing the ACL. For any other host from that subnet, it would only qualify for the deny). The third condition is met by the deny statement to that specific IP, and the fourth condition is satisfied by the permit ip any any, as well as all other traffic (including internet traffic) allowed to make it out. The fact that the fourth condition mentions bringing up a login via the web browser means it needs at least http traffic. It's not saying to deny everything else, but you could do the same thing as you did in the first two lines and permit port 80 and then deny everything else.

    That's it in a nutshell. My syntax may be incorrect in some places, I'm bad about that, I usually need the routers online help to make sure I get it correct, but the concept remains the same. You have to permit and/or deny traffic in the proper order otherwise something is going to go wrong :)

    Oh, as for where this ACL should be applied... for minimal impact on the router, it should be applied to the LAN interface incoming.
  • tunerX Member Posts: 447
    access-list 101 permit tcp any host 172.16.0.1 eq www
    access-list 101 deny ip any host 172.16.0.1
    access-list 101 permit ip host 200.100.57.54 209.0.0.128 0.0.0.127
    access-list 101 deny ip any 209.0.0.128 0.0.0.127
    access-list 101 permit tcp host 200.100.57.54 host 62.0.0.1 eq 49
    access-list 101 permit tcp host 200.100.57.49 host 62.0.0.1 eq 49
    access-list 101 permit tcp any host 62.0.0.1 eq 80
    access-list 101 deny ip any host 62.0.0.1
    access-list 101 deny ip any host 198.0.0.1
    access-list 101 permit ip any any

    I would assign this access list inbound on the e0 interface. It wouldn't stop hosts on the s0 side from doing all of the stuff that we want to restrict, but you should actually create a different access list for serial 0. Are you missing any restrictions or any other information?
  • barryn13087 Member Posts: 10
    Basically the way it works with ACL's is you either define what you're going to allow, and then it'll automatically deny everything else, or you define what you're going to deny and then allow everything else. You usually don't mix permit and deny statements.

    thanks this cleared up a lot, my teacher just says, "make a acl list permit and denying blah blah blah... makes sure you have permit and deny statements in your acl statement" i think i understand it better now. thanks for clearing this up... but one question.

    my teacher said i should have a statement

    access-list 101 permit tcp 200.100.57.48 0.0.0.7 209.0.0.128 0.0.0.127, with the wildcard mask of 0.0.0.7. What's the difference between this one statement and the other two?
    access-list 101 permit tcp host 200.100.57.54 209.0.0.128 0.0.0.127
    access-list 101 permit tcp 200.100.57.48 0.0.0.207 209.0.0.0 0.0.0.127
  • tunerX Member Posts: 447
    access-list 101 permit tcp 200.100.57.48 0.0.0.7 209.0.0.128 0.0.0.127, the wild card mask of 0.0.0.7

    This will allow addresses 200.100.57.48 - 200.100.57.55 in the source address. The specifications for your question only mentioned allowing two hosts .49 and .54. Your instructor's statement will allow .49, .50, .51, .52, .53, .54, and .55 into the interface. To figure out the range of addresses that the wild card mask includes, you add it to the source address

    200.100.57.48
    + 0. 0. 0. 7
    200.100.57.55

    This gives you your range .48-59. You usually figure it out the other way (i.e.). I want to allow the network 192.168.1.0 255.255.255.252, which will be 4 addresses.

    255.255.255.255
    -255.255.255.252
    0.0.0.3

    The inverse mask will be 0.0.0.3.

    With the last requirement it mentioned web and login. The only well-known "login" protocol that I know about is TACACS. Was the actual requirement to allow the use of "login" via a web browser? That is why I included the web statement and the two "login" protocol 49 statements.
  • Drakonblayde Member Posts: 542
    Actually, I screwed up with the .207 wildcard mask. Got my binary a little confuzzled.

    access-list 101 permit tcp 200.100.57.48 0.0.0.15 209.0.0.0 0.0.0.127
    access-list 101 permit tcp host 200.100.57.54 209.0.0.128 0.0.0.127
    access-list 101 deny tcp 200.100.57.48 0.0.0.15 209.0.0.128 0.0.0.127

    Ok, the first statement allows the entire subnet your hosts are on to access the lower end of the server farm subnet. The second statement permits your management host access to the upper end of the server farm, and the third statement denies the entire host subnet access to the upper end of the server farm.
    That allows the entire subnet access to the lower end of the server farm.

    The problem I have with the statement

    access-list 101 permit tcp 200.100.57.48 0.0.0.7 209.0.0.128 0.0.0.127

    Is that it allows the first half of the subnet access to the upper end servers, and the second condition states that those addresses should only be reached by the management host. If it was

    access-list 101 permit tcp 200.100.57.48 0.0.0.7 209.0.0.0 0.0.0.127

    Then that would be correct, that would allow the lower end of the subnet access to the lower end of the server farm, and that would satisfy the conditions of the statement (personally I think that's a stupid way to do it, the only servers specifically mentioned as restricted are the upper half of the server farm, so I'd only restrict that and allow the entire host subnet to hit the lower end)
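As an added worked example (not code from the thread or from any poster), here is a small Python model of how IOS walks an extended ACL top to bottom with first match and an implicit deny, plus the wildcard arithmetic tunerX describes; it evaluates Drakonblayde's second list (using the 0.0.0.15 wildcard from his correction and an assumed `ip` keyword on the deny line) against constructed packets. It also shows that `deny tcp any host 172.16.0.1` leaves non-TCP traffic such as ICMP to fall through to `permit ip any any`, which is why a `deny ip` there (as in tunerX's list) is tighter.

```python
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_matches(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return _ip(addr) & care == _ip(base) & care


def wildcard_range(base, wildcard):
    """Lowest and highest address matched (meaningful for a contiguous wildcard like 0.0.0.7)."""
    b, w = _ip(base), _ip(wildcard)
    return str(ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF)), str(ipaddress.IPv4Address(b | w))


def inverse_mask(subnet_mask):
    """Subnet mask to wildcard mask: 255.255.255.255 minus the mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - _ip(subnet_mask)))


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' with host/any/base-wildcard forms."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4

    def take_addr(i):
        if tok[i] == "host":
            return (tok[i + 1], "0.0.0.0"), i + 2
        if tok[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        return (tok[i], tok[i + 1]), i + 2

    src, i = take_addr(i)
    dst, i = take_addr(i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None  # numeric ports only
    return action, proto, src, dst, port


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, p, (sb, sw), (db, dw), port = parse_ace(line)
        if p != "ip" and p != proto:
            continue
        if not (wildcard_matches(src, sb, sw) and wildcard_matches(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny any any at the end of every ACL


# Drakonblayde's second (less restrictive) list, with the 0.0.0.15 wildcard from his
# correction and an 'ip' protocol keyword on the deny line (assumption made here).
ACL_101 = [
    "access-list 101 permit tcp any host 172.16.0.1 eq 80",
    "access-list 101 deny tcp any host 172.16.0.1",
    "access-list 101 permit ip host 200.100.57.54 209.0.0.0 0.0.0.255",
    "access-list 101 deny ip 200.100.57.48 0.0.0.15 209.0.0.128 0.0.0.127",
    "access-list 101 deny ip any host 198.0.0.1",
    "access-list 101 permit ip any any",
]
```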
  • Fire Starter Member Posts: 14
    Hi Drakonblayde and others,

    If we change the scenario where we have:

    new info is:

    Location: Anniston
    version: 1st Subnet
    WAN IP: 192.168.1.0/24
    subnet mask: 255.255.255.0
    Local LAN ip address 195.30.30.0
    Subnets required 14 host addresses
    Use 1st subnet for the LAN. do not use subnet zero as the first subnet
    igrp number is: 1

    and the same scenario........

    There are several security concerns in the internetwork. Develop Access Control Lists (ACLs) to address the security issues. The following are the concerns:

    1. The company has an intranet web server host that all systems can reach at ip address 172.16.0.1 with only http access. no other protocols will be permitted to this site.

    2. The company also has a server pool in the 209.0.0.0/24 network. The server pool addresses are divided in half. The servers in the upper half of the address range are reachable only by the management host using all possible IP protocols. The servers in the upper half of the address range are not reachable by production hosts using all IP protocols. The servers should not be accessible by any other hosts.

    3. The company has discovered an Internet Web server at 198.0.0.1 that is known to contain viruses. All hosts are to be banned from reaching this site.

    4. The web browser on both hosts can bring up login of ip address 62.0.0.1

    These security requirements should be accomplished with a single access list. Plan the access list required to accomplish these tasks, to which interface this will be applied, and the direction the list will be applied.

    What would be the newer ACL plan ?
  • barryn13087 Member Posts: 10
    Location: Anniston
    version: 1st Subnet
    WAN IP: 192.168.1.0/24
    subnet mask: 255.255.255.0
    Local LAN ip address 195.30.30.0
    Subnets required 14 host addresses
    Use 1st subnet for the LAN. do not use subnet zero as the first subnet
    igrp number is: 1

    So, hmm, I'm done with my skills exam, I passed, woot...

    as for you hmm:

    Interface Serial 0: ip address 192.168.1.2, subnet: 255.255.255.0
    Interface Ethernet 0: ip address 195.30.30.30, subnet: 255.255.255.240
    Production host: ip address 195.30.30.16, subnet: 255.255.255.240
    Management host: ip address 195.30.30.24, subnet: 255.255.255.240
    Igrp: 1
    networks: 192.168.1.0, 195.30.30.0

    Starters: before going to ACLs, make sure you can ping GAD, which should be 192.168.1.1 (do the show cdp neighbors detail command to see if GAD is there and then ping the IP address it is).
    word of advice as well do show ip route after 90 seconds after you enable router igrp 1...

    !allows any host to access the 172.16.0.1 server pool www(http) wise
    access-list 101 permit tcp any host 172.16.0.1 eq 80

    !allows host 195.30.30.24 to access hosts in the 209.0.0.128 upper half
    access-list 101 permit tcp host 195.30.30.24 209.0.0.128 0.0.0.127

    !allows hosts in the 195.30.30.24 server pool to access the 209.0.0.128 lower half
    access-list 101 permit tcp 195.30.30.24 0.0.0.7 209.0.0.0 0.0.0.127

    !allows hosts in the 195.30.30.16 to access 62.0.0.1 server
    access-list 101 permit tcp 195.30.30.16 0.0.0.255 host 62.0.0.1

    Thanks, Drakonblayde, for showing me how to do this and for the template for these commands.