Lab 7
Using ACLs to secure access to Cisco routers
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to implement ACLs to secure access to Cisco IOS routers.
Lab Purpose:
ACLs can be used in a number of ways to prevent unauthorized hosts and subnets from gaining access to Cisco IOS routers.
Lab Difficulty:
This lab has a difficulty rating of 5/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
NOTE:
The purpose of this lab is to understand the configuration commands. You are not required to test the configuration, as the complexity of doing so is beyond the scope of the CCNA Security exam.
Lab 7 Configuration Tasks
Task 1:
Configure the hostnames and IP addresses on R1 and R2 as illustrated in the network diagram. Configure R2 to send R1 clocking information at a rate of 512Kbps. Ping between R1 and R2 to verify your configuration and ensure that the two routers have IP connectivity.
Task 2:
On R1, configure an ACL for the VTY lines that performs the following:
- Denies Telnet and SSH traffic from the RFC 1918 subnets to R1
- Denies Telnet and SSH traffic from the 127.0.0.0/8 subnet to R1
- Permits Telnet and SSH traffic from all other subnets. This permit must be logged in detail.
The VTY lines should be secured by the password cisco and provide Level 15 access by default.
Task 3:
Configure the following interfaces on R2:
Interface   | Address   | Mask
Loopback160 | 160.1.1.2 | /27
Loopback170 | 170.1.1.2 | /22
Loopback180 | 180.1.1.2 | /19
Task 4:
Configure anti-spoofing ACLs on R2 that perform the following:
Inbound
- Denies the 127.0.0.0/8 address space and provides detailed logging
- Denies the Loopback160, Loopback170 and Loopback180 address space without logging
- Permits all other IP traffic
Outbound
- Permits the Loopback160, Loopback170 and Loopback180 address space
- Denies the RFC 1918 address space and provides detailed logging
Task 5:
Configure an ACL on R1 to restrict HTTP and HTTPS access as follows:
- Allow HTTP from the 192.168.0.0/24 subnet
- Deny HTTP from the 192.168.1.0/24 subnet
- Deny HTTP from the 127.0.0.0/8 subnet
- Allow HTTP from all other subnets
Lab 7 Configuration and Verification
Task 1:
Router(config)#hostname R1
R1(config)#int s0/0
R1(config-if)#ip add 150.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#exit
R1#
Router(config)#hostname R2
R2(config)#int s0/0
R2(config-if)#clock rate 512000
R2(config-if)#ip address 150.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#exit
R2#
R2#ping 150.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Task 2:
R1(config)#ip access-list extended VTY-SECURITY
R1(config-ext-nacl)#deny tcp 10.0.0.0 0.255.255.255 any eq telnet
R1(config-ext-nacl)#deny tcp 10.0.0.0 0.255.255.255 any eq 22
R1(config-ext-nacl)#deny tcp 172.16.0.0 0.15.255.255 any eq telnet
R1(config-ext-nacl)#deny tcp 172.16.0.0 0.15.255.255 any eq 22
R1(config-ext-nacl)#deny tcp 192.168.0.0 0.0.255.255 any eq telnet
R1(config-ext-nacl)#deny tcp 192.168.0.0 0.0.255.255 any eq 22
R1(config-ext-nacl)#deny tcp 127.0.0.0 0.255.255.255 any eq telnet
R1(config-ext-nacl)#deny tcp 127.0.0.0 0.255.255.255 any eq 22
R1(config-ext-nacl)#permit tcp any any eq telnet log-input
R1(config-ext-nacl)#permit tcp any any eq 22 log-input
R1(config-ext-nacl)#exit
R1(config)#line vty 0 4
R1(config-line)#access-class VTY-SECURITY in
R1(config-line)#password cisco
R1(config-line)#privilege level 15
R1(config-line)#login
R1(config-line)#exit
R1(config)#exit
R1#
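The following is an added example, not part of the lab or of Cisco IOS: a small first-match evaluator, written in Python, for the VTY-SECURITY list above. It models the three IOS behaviours the Task 2 solution relies on: entries are tested top to bottom, the first match decides, and a connection that matches no entry hits the implicit deny at the end of every ACL. The ACL text is copied from the lab; the source addresses and ports it is run against are constructed, and the destination is assumed to be R1's serial address 150.1.1.1.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not part of the lab: a first-match evaluator for the extended
# ACL that Task 2 applies to R1's VTY lines with "access-class ... in".

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src_net: int           # source network as a 32-bit int
    src_wild: int          # source wildcard mask (1 bits = don't care)
    dst_net: int
    dst_wild: int
    dport: Optional[int]   # destination port from "eq", None = any port
    log: bool              # "log" or "log-input" keyword present


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return (net, wild, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one entry in the syntax the lab uses: action proto src dst [eq port] [log|log-input]."""
    t = line.split()
    src_net, src_wild, i = _parse_addr(t, 2)
    dst_net, dst_wild, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        i += 2
    log = any(k in ("log", "log-input") for k in t[i:])
    return Ace(t[0], t[1], src_net, src_wild, dst_net, dst_wild, dport, log)


def _wild_match(net: int, wild: int, addr: int) -> bool:
    # Only the bits where the wildcard mask is 0 are compared.
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care


def evaluate(acl: List[Ace], src: str, dst: str, proto: str, dport: int):
    """First matching entry wins: returns (action, logged, line_no); line_no None = implicit deny."""
    s, d = _addr(src), _addr(dst)
    for n, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", proto):
            continue
        if not (_wild_match(ace.src_net, ace.src_wild, s)
                and _wild_match(ace.dst_net, ace.dst_wild, d)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.log, n
    return "deny", False, None  # the implicit "deny any" at the end of every IOS ACL


# The lab's VTY-SECURITY entries, in the order they were entered.
VTY_SECURITY = [parse_ace(line) for line in """
deny tcp 10.0.0.0 0.255.255.255 any eq telnet
deny tcp 10.0.0.0 0.255.255.255 any eq 22
deny tcp 172.16.0.0 0.15.255.255 any eq telnet
deny tcp 172.16.0.0 0.15.255.255 any eq 22
deny tcp 192.168.0.0 0.0.255.255 any eq telnet
deny tcp 192.168.0.0 0.0.255.255 any eq 22
deny tcp 127.0.0.0 0.255.255.255 any eq telnet
deny tcp 127.0.0.0 0.255.255.255 any eq 22
permit tcp any any eq telnet log-input
permit tcp any any eq 22 log-input
""".strip().splitlines()]


def vty_decision(src: str, dport: int):
    """What the access-class does with a VTY connection from src to R1 (assumed 150.1.1.1)."""
    return evaluate(VTY_SECURITY, src, "150.1.1.1", "tcp", dport)


if __name__ == "__main__":
    # Constructed connection attempts; 203.0.113.0/24 is a documentation range.
    for src, port in [("10.1.2.3", 23), ("172.31.0.9", 22), ("192.168.50.1", 23),
                      ("127.0.0.1", 22), ("203.0.113.10", 22), ("203.0.113.10", 80)]:
        print(f"{src:>14}:{port:<3} -> {vty_decision(src, port)}")
```

Two things the output makes visible that the transcript alone does not: only the two permit entries carry log-input, so denied RFC 1918 and loopback attempts are dropped silently while every successful remote login is logged with the source MAC and interface; and a connection to any port other than 23 or 22 falls through to the implicit deny, which is what you want on an access-class.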
Task 3:
R2(config)#int loopback 160
R2(config-if)#ip address 160.1.1.2 255.255.255.224
R2(config-if)#exit
R2(config)#int loopback 170
R2(config-if)#ip address 170.1.1.2 255.255.252.0
R2(config-if)#exit
R2(config)#int loopback 180
R2(config-if)#ip address 180.1.1.2 255.255.224.0
R2(config-if)#exit
R2(config)#exit
R2#
Task 4:
R2(config)#ip access-list extended ANTI-SPOOF-IN
R2(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 any log-input
R2(config-ext-nacl)#deny ip 160.1.1.0 0.0.0.31 any
R2(config-ext-nacl)#deny ip 170.1.0.0 0.0.3.255 any
R2(config-ext-nacl)#deny ip 180.1.0.0 0.0.31.255 any
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exit
R2(config)#ip access-list extended ANTI-SPOOF-OUT
R2(config-ext-nacl)#permit ip 160.1.1.0 0.0.0.31 any
R2(config-ext-nacl)#permit ip 170.1.0.0 0.0.3.255 any
R2(config-ext-nacl)#permit ip 180.1.0.0 0.0.31.255 any
R2(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any log-input
R2(config-ext-nacl)#deny ip 172.16.0.0 0.0.15.255 any log-input
R2(config-ext-nacl)#no deny ip 172.16.0.0 0.0.15.255 any log-input
R2(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any log-input
R2(config-ext-nacl)#exit
R2(config)#int s0/0
R2(config-if)#ip access-group ANTI-SPOOF-IN in
R2(config-if)#ip access-group ANTI-SPOOF-OUT out
R2(config-if)#exit
R2(config)#exit
R2#
R2#show ip interface serial 0/0
Serial0/0 is up, line protocol is up
  Internet address is 150.1.1.2/30
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is ANTI-SPOOF-OUT
  Inbound access list is ANTI-SPOOF-IN
  Proxy ARP is enabled
--[Truncated Output]--
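The session above contains a slip worth dwelling on: the first 172.16.0.0 entry was typed with wildcard 0.0.15.255, which covers only 172.16.0.0/20, and had to be removed with "no" before the correct 0.15.255.255 entry was added. The following is an added example, not part of the lab or of Cisco IOS: Python helpers that derive the wildcard mask for a prefix, show the address range a network/wildcard pair actually covers, and audit a list of deny entries against the prefixes Task 4 requires. The entries and prefixes fed to it are constructed from the lab's own ANTI-SPOOF lists and from the three RFC 1918 blocks; the prefix lengths for the loopbacks are the ones in the Task 3 table.

```python
import ipaddress
from typing import List, Tuple

# Added example, not part of the lab: wildcard-mask arithmetic behind the
# anti-spoofing lists on R2, plus an audit of deny entries against the
# prefixes they are meant to cover.


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask (bitwise inverse of the subnet mask) for a /prefix_len block."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def covered_range(network: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address matched by 'network wildcard' (contiguous wildcard assumed)."""
    net = int(ipaddress.IPv4Address(network))
    wild = int(ipaddress.IPv4Address(wildcard))
    low = net & ~wild & 0xFFFFFFFF  # wildcard bit 1 = "don't care"
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wild))


def covers_exactly(network: str, wildcard: str, cidr: str) -> bool:
    """True when 'network wildcard' matches exactly the addresses of the CIDR block."""
    block = ipaddress.IPv4Network(cidr, strict=False)
    low, high = covered_range(network, wildcard)
    return (ipaddress.IPv4Address(low) == block.network_address
            and ipaddress.IPv4Address(high) == block.broadcast_address)


def audit_denies(deny_entries: List[Tuple[str, str]], required: List[str]) -> List[str]:
    """Return the required prefixes that no (network, wildcard) deny entry covers exactly."""
    return [cidr for cidr in required
            if not any(covers_exactly(net, wild, cidr) for net, wild in deny_entries)]


# Constructed from the lab: the deny entries ANTI-SPOOF-OUT ends up with after
# the correction, and the three RFC 1918 blocks Task 4 says it must deny.
ANTI_SPOOF_OUT_DENIES = [("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255")]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# The loopback blocks ANTI-SPOOF-IN denies, as (network, wildcard, interface address/prefix).
LOOPBACK_ENTRIES = [("160.1.1.0", "0.0.0.31", "160.1.1.2/27"),
                    ("170.1.0.0", "0.0.3.255", "170.1.1.2/22"),
                    ("180.1.0.0", "0.0.31.255", "180.1.1.2/19")]


def loopback_entries_ok() -> bool:
    """Every loopback deny entry covers exactly the subnet configured in Task 3."""
    return all(covers_exactly(n, w, c) for n, w, c in LOOPBACK_ENTRIES)


if __name__ == "__main__":
    for plen in (27, 22, 19, 12):
        print(f"/{plen} -> wildcard {wildcard_for_prefix(plen)}")
    print("mistyped entry covers:", covered_range("172.16.0.0", "0.0.15.255"))
    print("corrected entry covers:", covered_range("172.16.0.0", "0.15.255.255"))
    print("loopback entries correct:", loopback_entries_ok())
    print("RFC 1918 blocks not denied outbound:", audit_denies(ANTI_SPOOF_OUT_DENIES, RFC1918))
```

Run as is, the audit reports 192.168.0.0/16: Task 4 asks the outbound list to deny all of the RFC 1918 space, but the two deny entries in the session cover only 10.0.0.0/8 and 172.16.0.0/12, so packets sourced from 192.168.0.0/16 fall through to the implicit deny without the detailed logging the task calls for. Adding a deny entry for 192.168.0.0 0.0.255.255 with log-input, in the same form as the other two, clears the report.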
Task 5:
R1(config)#access-list 50 remark "This is my HTTP/HTTPS ACL"
R1(config)#access-list 50 permit 192.168.0.0 0.0.0.255
R1(config)#access-list 50 deny 192.168.1.0 0.0.0.255
R1(config)#access-list 50 deny 127.0.0.0 0.255.255.255
R1(config)#access-list 50 permit any
R1(config)#ip http server
R1(config)#ip http secure-server
R1(config)#ip http access-class 50
R1(config)#exit
R1#
Lab 7 Configurations
R1 Configuration
R1#show run
Building configuration...

Current configuration : 1494 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3473940174
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3473940174
 revocation-check none
 rsakeypair TP-self-signed-3473940174
!
crypto pki certificate chain TP-self-signed-3473940174
 certificate self-signed 01
  3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343733 39343031 3734301E 170D3032 30333031 30343433
  31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373339
  34303137 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C824 4F0BABB6 A557E3A3 3EE6D399 5A495CF6 8F7E131A 62670291 9710DF0F
  CB6918CB D3B817C8 51D4648C 79B882A8 637804CB 8984FB80 D9F1D86B E79C8292
  E1617724 252490F4 BE0322C0 5C984515 3E0A4550 75E9BCC7 7A19900C 0084F632
  19643491 5C0E821D 5442E1C8 FB4BE8A3 034E2954 01B4377C DC14AF72 0F4C92DC
  70A90203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
  551D1104 06300482 02523230 1F060355 1D230418 30168014 4020A082 2373EFEF
  CD379B8C 2A1A4D13 43842D59 301D0603 551D0E04 16041440 20A08223 73EFEFCD
  379B8C2A 1A4D1343 842D5930 0D06092A 864886F7 0D010104 05000381 81003F41
  884FE500 E8EBCBF8 9711C10F 6A1F4110 B850B68D A84DDFDD D14EC73A 06B47781
  3B4CAB5E 05FE96F9 AEEFD074 A49AD426 D830B3E4 468D5D98 1ADAC3C5 04958145
  E99C3B0C 218EFD94 6780FE45 5AA6E608 19E067B7 A582601C 280AE0A1 135ADF47
  35016D1C 6F6A7252 A054845B BF16FCA8 7873C9B3 62E09894 AC5C4375 FADB
  quit
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 150.1.1.1 255.255.255.252
!
ip forward-protocol nd
!
ip http server
ip http access-class 50
ip http secure-server
!
ip access-list extended VTY-SECURITY
 deny tcp 10.0.0.0 0.255.255.255 any eq telnet
 deny tcp 10.0.0.0 0.255.255.255 any eq 22
 deny tcp 172.16.0.0 0.15.255.255 any eq telnet
 deny tcp 172.16.0.0 0.15.255.255 any eq 22
 deny tcp 192.168.0.0 0.0.255.255 any eq telnet
 deny tcp 192.168.0.0 0.0.255.255 any eq 22
 deny tcp 127.0.0.0 0.255.255.255 any eq telnet
 deny tcp 127.0.0.0 0.255.255.255 any eq 22
 permit tcp any any eq telnet log-input
 permit tcp any any eq 22 log-input
!
access-list 50 remark "This is my HTTP/HTTPS ACL"
access-list 50 permit 192.168.0.0 0.0.0.255
access-list 50 deny 192.168.1.0 0.0.0.255
access-list 50 deny 127.0.0.0 0.255.255.255
access-list 50 permit any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class VTY-SECURITY in
 privilege level 15
 password cisco
 login
!
end
R2 Configuration
R2#sh run
Building configuration...

Current configuration : 1502 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback160
 ip address 160.1.1.2 255.255.255.224
!
interface Loopback170
 ip address 170.1.1.2 255.255.252.0
!
interface Loopback180
 ip address 180.1.1.2 255.255.224.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 150.1.1.2 255.255.255.252
 ip access-group ANTI-SPOOF-IN in
 ip access-group ANTI-SPOOF-OUT out
 clock rate 512000
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip access-list extended ANTI-SPOOF-IN
 deny ip 127.0.0.0 0.255.255.255 any log-input
 deny ip 160.1.1.0 0.0.0.31 any
 deny ip 170.1.0.0 0.0.3.255 any
 deny ip 180.1.0.0 0.0.31.255 any
 permit ip any any
ip access-list extended ANTI-SPOOF-OUT
 permit ip 160.1.1.0 0.0.0.31 any
 permit ip 170.1.0.0 0.0.3.255 any
 permit ip 180.1.0.0 0.0.31.255 any
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end