Lab 219 - Reflexive ACL
Posted by: Simple Learning
Category: Security
Prerequisites: CCNP level skills.
Topology
Pic 1. Topology Diagram.
Task 1
R3 is the edge router for the 172.16.x.0/24 and 10.0.x.0/24 subnets. Ensure that BB1 can reach all destinations behind R3. Use static routes on BB1 to accomplish the task.
Task 2
Configure R3 so that traffic sent from BB1 (any source address) to any subnet behind R3 is blocked, except for traceroute. Traffic originating from the 172.16.x.0/24 or 10.0.x.0/24 subnets towards BB1 (any destination address) must have its return traffic allowed back in. Use two ACLs to accomplish the task (one inbound and one outbound ACL).
Solution
Task 1
R3 is the edge router for the 172.16.x.0/24 and 10.0.x.0/24 subnets. Ensure that BB1 can reach all destinations behind R3. Use static routes on BB1 to accomplish the task.
BB1 Config:
!
ip route 10.0.0.0 255.255.0.0 203.0.113.3
ip route 172.16.0.0 255.255.0.0 203.0.113.3
!
! For testing purposes, enable the HTTP server on BB1 so that inside hosts have a TCP service to open a session to.
ip http server
!
R3 Config:
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
router eigrp 1
redistribute static
network 10.0.3.3 0.0.0.0
network 172.16.123.3 0.0.0.0
no auto-summary
!
interface FastEthernet0/0
ip address 203.0.113.3 255.255.255.0
ip access-group INBOUND in
ip access-group OUTBOUND out
speed 100
full-duplex
!
Note that INBOUND and OUTBOUND are applied to FastEthernet0/0 here, before they are defined in Task 2. IOS treats an access-group that references a named ACL which does not exist yet as permit any, so Task 1 connectivity is not affected until the lists are created; as soon as they exist, their implicit deny any takes effect on that interface. The static default route is redistributed into EIGRP 1 so that the inside routers learn a path to BB1 (static and connected routes need no explicit metric when redistributed into EIGRP).
Verification:
Pic. 2 - BB1 Connectivity towards 172.16.x.0/24 and 10.0.x.0/24.
Task 2
Configure R3 so that traffic sent from BB1 (any source address) to any subnet behind R3 is blocked, except for traceroute. Traffic originating from the 172.16.x.0/24 or 10.0.x.0/24 subnets towards BB1 (any destination address) must have its return traffic allowed back in. Use two ACLs to accomplish the task (one inbound and one outbound ACL).
R3 Config:
!
ip access-list extended OUTBOUND
permit ip 172.16.0.0 0.0.255.255 any reflect ALLOW_THIS_IN
permit ip 10.0.0.0 0.0.255.255 any reflect ALLOW_THIS_IN
!
ip access-list extended INBOUND
evaluate ALLOW_THIS_IN
permit udp any 172.16.0.0 0.0.255.255 gt 33433
permit udp any 10.0.0.0 0.0.255.255 gt 33433
!
The reflect keyword on the OUTBOUND entries creates a temporary, mirrored entry (source and destination addresses and ports swapped) in the nested list ALLOW_THIS_IN for every session an inside host opens towards BB1. The evaluate line at the top of INBOUND is the point where that nested list is checked, so return traffic is permitted before the explicit entries are consulted; any other packet arriving from BB1 falls through to the implicit deny any at the end of INBOUND. Two caveats: reflexive entries are removed after the global ip reflexive-list timeout (300 seconds by default) of inactivity, so a long-idle session will be cut off; and gt 33433 admits every UDP datagram to a port above 33433, not only traceroute probes. IOS traceroute uses destination ports 33434 through 33434 + 3 probes x 30 hops - 1 = 33523, so range 33434 33523 is the tighter match if the lab permits it.
Verification:
Pic. 3 - Traffic from the INSIDE towards BB1.
Pic. 4 - Stateful Entry Created on R3.
Pic. 5 - Traffic Originated from BB1 towards our INSIDE subnets.
NOTE: Traceroute in Cisco IOS sends UDP datagrams with the destination port starting at 33434 and incremented for each probe (three probes per hop), with a default maximum TTL of 30 hops. Each intermediate hop answers with an ICMP Time Exceeded message and the final destination with ICMP Port Unreachable. Replies from the inside routers are sourced from 172.16.x.0/24 or 10.0.x.0/24 and are therefore permitted by OUTBOUND, while replies generated by R3 itself are router-originated and are not subject to the outbound ACL at all, which is why the traceroute from BB1 completes even though everything else is blocked.
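To make the allow/deny decisions of the two ACLs above checkable offline, here is a small Python model of the reflect/evaluate mechanism and of the traceroute exception. This is an added example, not Cisco IOS code and not part of the original lab: it mirrors the OUTBOUND and INBOUND logic in plain Python, assumes BB1 uses 203.0.113.254 (the next hop of R3's default route) and the 300-second default reflexive timeout, and the packets it feeds through are constructed for the demonstration.

```python
"""Model of how R3's reflexive ACL pair evaluates traffic (added example, not IOS code).

Assumptions: BB1 is 203.0.113.254, inside hosts sit in 172.16.0.0/16 and
10.0.0.0/16, and the IOS default reflexive timeout of 300 s applies.
All packets below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = [ipaddress.ip_network("172.16.0.0/16"), ipaddress.ip_network("10.0.0.0/16")]
REFLEXIVE_TIMEOUT = 300  # seconds; IOS default for 'ip reflexive-list timeout'

# IOS traceroute: first probe to UDP 33434, one port per probe, 3 probes per
# hop, default max 30 hops -> 33434 .. 33434 + 3*30 - 1 = 33523 inclusive.
TRACEROUTE_PORTS = range(33434, 33434 + 3 * 30)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def is_inside(addr):
    """True if addr belongs to one of the subnets behind R3."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE)


class ReflexiveAcl:
    """Temporary mirrored entries created by 'reflect' and checked by 'evaluate'."""

    def __init__(self):
        self.entries = {}  # mirrored 5-tuple -> last-seen timestamp

    def reflect(self, pkt, now):
        # OUTBOUND: permit ip <inside> any reflect ALLOW_THIS_IN, else implicit deny.
        if not is_inside(pkt.src):
            return False
        # The entry is the packet with source and destination swapped.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now
        return True

    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        seen = self.entries.get(key)
        if seen is None:
            return False
        if now - seen > REFLEXIVE_TIMEOUT:   # idle entry has expired
            del self.entries[key]
            return False
        self.entries[key] = now              # matching traffic refreshes the entry
        return True


def inbound_permitted(acl, pkt, now, strict_traceroute=False):
    """INBOUND: evaluate ALLOW_THIS_IN, then the UDP traceroute entries, then implicit deny."""
    if acl.evaluate(pkt, now):
        return True
    if pkt.proto == "udp" and is_inside(pkt.dst):
        if strict_traceroute:
            return pkt.dport in TRACEROUTE_PORTS   # 'range 33434 33523'
        return pkt.dport > 33433                   # the lab's 'gt 33433'
    return False


def demo():
    acl = ReflexiveAcl()
    r = {}
    # 1. An inside host opens HTTP to BB1 (the 'ip http server' enabled for testing).
    out = Packet("tcp", "172.16.123.1", 40001, "203.0.113.254", 80)
    r["outbound_http"] = acl.reflect(out, now=0)
    # 2. BB1's reply matches the mirrored entry and is let back in.
    back = Packet("tcp", "203.0.113.254", 80, "172.16.123.1", 40001)
    r["return_http"] = inbound_permitted(acl, back, now=10)
    # 3. An unsolicited SYN from BB1 to an inside host: no entry, not traceroute.
    syn = Packet("tcp", "203.0.113.254", 50000, "10.0.3.3", 22)
    r["unsolicited_ssh"] = inbound_permitted(acl, syn, now=10)
    # 4. A traceroute probe from BB1 is permitted by the UDP exception.
    probe = Packet("udp", "203.0.113.254", 50000, "10.0.3.3", 33434)
    r["traceroute_probe"] = inbound_permitted(acl, probe, now=10)
    # 5. Arbitrary UDP to a high port: 'gt 33433' admits it, 'range' does not.
    high = Packet("udp", "203.0.113.254", 50000, "10.0.3.3", 40000)
    r["udp_40000_gt"] = inbound_permitted(acl, high, now=10)
    r["udp_40000_range"] = inbound_permitted(acl, high, now=10, strict_traceroute=True)
    # 6. After the reflexive timeout the HTTP entry is gone and the reply is dropped.
    r["return_http_after_timeout"] = inbound_permitted(acl, back, now=10 + REFLEXIVE_TIMEOUT + 1)
    return r


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:28s} {'permit' if permitted else 'deny'}")
```

The model deliberately keeps only the parts of the mechanism the lab exercises: the mirrored 5-tuple, the idle timeout, and the ordering of evaluate before the explicit permits. Real IOS additionally tears down a TCP reflexive entry early once it sees two FIN flags or an RST, and it does not apply the outbound ACL to packets R3 generates itself, so the Time Exceeded replies from R3 in Pic. 5 never pass through OUTBOUND at all.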