Lab 219 - Reflexive ACL

Lab 219 - Reflexive ACL
Di Posting Oleh : Simple Learning
Kategori : Security

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
R3 is the edge router for subnets 172.16.x.0/24 and 10.0.x.0/24. Ensure BB1 can reach all destination behind R3. Use static route on BB1 in order to accomplish the task.

Task 2
Configure R3 in such a way that traffic sent from BB1 (any source address) destined to any subnet behind R3 is being blocked except for traceroute. Traffic originated by 172.16.x.0/24 or 10.0.x.0/24 subnets towards BB1 (any destination address) should be allowed back in. Use two ACLs to accomplish the task (one inbound and one outbound ACL).

Solution

Task 1
R3 is the edge router for subnets 172.16.x.0/24 and 10.0.x.0/24. Ensure BB1 can reach all destination behind R3. Use static route on BB1 in order to accomplish the task.

BB1 Config:
!
ip route 10.0.0.0 255.255.0.0 203.0.113.3
ip route 172.16.0.0 255.255.0.0 203.0.113.3

!
! For testing purpose let's enable HTTP server on BB1.
ip http server
!

R3 Config:
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
router eigrp 1
 redistribute static
 network 10.0.3.3 0.0.0.0
 network 172.16.123.3 0.0.0.0
 no auto-summary
!

interface FastEthernet0/0
 ip address 203.0.113.3 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 speed 100
 full-duplex

!


Verification:

Pic. 2 - BB1 Connectivity towards 172.16.x.0/24 and 10.0.x.0/24.


Task 2
Configure R3 in such a way that traffic sent from BB1 (any source address) destined to any subnet behind R3 is being blocked except for traceroute. Traffic originated by 172.16.x.0/24 or 10.0.x.0/24 subnets towards BB1 (any destination address) should be allowed back in. Use two ACLs to accomplish the task (one inbound and one outbound ACL).

R1 Config:
!
ip access-list extended OUTBOUND
 permit ip 172.16.0.0 0.0.255.255 any reflect ALLOW_THIS_IN
 permit ip 10.0.0.0 0.0.255.255 any reflect ALLOW_THIS_IN

!
ip access-list extended INBOUND
 evaluate ALLOW_THIS_IN

 permit udp any 172.16.0.0 0.0.255.255 gt 33433
 permit udp any 10.0.0.0 0.0.255.255 gt 33433
!



Verification:

Pic. 3 - Traffic from the INSIDE towards BB1.
 
Pic. 4 - Stateful Entry Created on R3.

Pic. 5 - Traffic Originated from BB1 towards our INSIDE subnets.
NOTE!
Traceroute in Cisco IOS sends UDP datagrams starting at port 33434 with the ttl max 30 hops.

0 Response to "Lab 219 - Reflexive ACL"

Post a Comment