CISCO-ACL

Figure 1: Topology diagram (image not reproduced)

Question 1

Write a set of standard access list rules which will prevent PC3 from leaving the 192.168.1.0/26 network.

Then decide upon which router would you place this access control list.

Finally give the command to apply it to the correct interface?

Router(config)#ip access-list standard q1
Router(config-std-nacl)#deny 192.168.1.110 0.0.0.0
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit

Router(config)#inter fa 0/1
Router(config-if)#ip access-group q1 out

The permit any is required: every IOS ACL ends with an implicit deny any, so a list containing only the deny entry would block all traffic leaving fa 0/1, not just PC3's. Two caveats on the answer as posted: 192.168.1.110 is not inside 192.168.1.0/26 (that block spans 192.168.1.0-63), so the deny should carry PC3's address as shown in Figure 1; and because a standard ACL matches on source address only, applying it outbound on fa 0/1 stops PC3 only on that path. To stop PC3 leaving its segment by any path with a single list, apply it inbound on the router interface connected to 192.168.1.0/26 (ip access-group q1 in) instead.

Question 2

Write a set of standard access lists which will allow the Web Server to access the FTP server, but will not allow the Web Server to access the HR Department.

Then decide upon which router would you place this access control list.

Finally give the command to apply it to the correct interface?

Router(config)#ip access-list standard q2.allow
Router(config-std-nacl)#permit 192.168.3.2 0.0.0.0
Router(config-std-nacl)#exit

Router(config)#ip access-list standard q2.deny
Router(config-std-nacl)#deny 192.168.3.2 0.0.0.0
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit

Router(config)#inter fa 0/2
Router(config-if)#ip access-group q2.allow out

Router(config)#inter fa 0/0
Router(config-if)#ip access-group q2.deny out

As posted, q2.deny was a copy of q2.allow (permit 192.168.3.2 instead of deny), which would have let the Web Server into HR and, through the implicit deny, blocked every other source; the corrected list denies the Web Server (192.168.3.2) and permits everything else. q2.allow deliberately relies on the implicit deny, so only the Web Server can reach the segment behind fa 0/2; add permit any if other hosts must still reach the FTP server. Placement follows the standard-ACL rule of filtering close to the destination: fa 0/2 is taken to be the interface facing the FTP server and fa 0/0 the interface facing HR, as in the answer posted (Figure 1 is not reproduced here).

Question 3

Write a set of standard access control lists to prevent the Sales Department from accessing the IT Department, while still allowing the Sales Department to access the HR Department network.

Then decide upon which router would you place this access control list.

Finally give the command to apply it to the correct interface?

Questions on Extended Access Control Lists

Note: extended ACLs match on both the source and destination IP address and on the protocol and port/service involved.

Remember the syntax for an extended access control list is different
Named ACLs

 ip access-list {standard|extended} name
 Standard entry:
 {permit|deny} source-ip source-wildcard
 Extended entry:
 {permit|deny} protocol source-ip source-wildcard [operator port] destination-ip destination-wildcard [operator port] [established] [log]

The established keyword matches only TCP segments with the ACK or RST bit set, i.e. replies to connections opened from the other side.

Example:

ip access-list extended outbound                                   (defines a named ACL called outbound)
permit tcp 192.168.2.0 0.0.0.255 gt 1023 host 192.168.1.2 eq 80    (allows hosts on 192.168.2.0/24 to reach the web service on host 192.168.1.2)

Advantage: a single entry can be removed or replaced without deleting the whole ACL, for example:

ip access-list extended server-protect
no permit tcp 10.0.0.0 0.0.255.255 host 10.1.2.21 eq www
permit tcp 10.1.0.0 0.0.0.255 host 10.1.2.21 eq www
exit

Question 4

Write a set of extended access control lists which will allow HR and IT to access both HTTP and HTTPS on the Web Server, but will not allow the Sales department to access HTTP, while still allowing the Sales department to access HTTPS on the Web Server.

Then decide upon which router would you place this access control list.

Finally give the command to apply it to the correct interface?

Router(config)#ip access-list extended q4
Router(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.63 host 192.168.3.2 eq www
Router(config-ext-nacl)#permit tcp any host 192.168.3.2 eq 443
Router(config-ext-nacl)#permit tcp any host 192.168.3.2 eq www
Router(config-ext-nacl)#exit

Corrections to the answer as posted: the Sales wildcard was 0.0.63.255, which covers 192.168.0.0/18 rather than 192.168.1.0/26 (wildcard 0.0.0.63); "192.168.3.2 0.0.0.3" is not a single-host match (it covers 192.168.3.0-3), so the Web Server is written as host 192.168.3.2; and the list stopped after the deny, which with the implicit deny at the end of every ACL would have blocked Sales HTTPS and all HR and IT access as well. Order matters because the first matching entry wins: the Sales deny must come before the HTTP permit. The two permit entries use any because the HR and IT subnets are not given on this page; narrow them to those subnets from Figure 1. Apply the list outbound on the router interface that faces the Web Server (ip access-group q4 out), the interface closest to the destination; the page does not name that interface.

Question 5

Write an extended set of access control lists, which will allow the IT Department to SSH to all 3 Servers but will not allow the Sales or HR Departments to SSH to any of these servers.
This set of lists should also prevent DNS requests from being sent to any of these servers from any IP address.

Then decide upon which router would you place this access control list.

Finally give the command to apply it to the correct interface?


Question 6

Write an extended set of access control lists to allow the HR department to access the email server via SMTP (25) but to prevent the HR department from accessing the PC in the Sales department.

Then decide upon which router would you place this access control list.

Finally give the command to apply it to the correct interface?

Question 7

Write an extended set of access control lists which denies all devices access to the IT department network, but allows DNS and SMB (445) traffic into that network.

Then decide upon which router would you place this access control list.

Finally give the command to apply it to the correct interface?

Question 8

Create a question for the person sitting next to you: try to think of a rule which will enhance the rules that have already been implemented.

1. Standard ACLs (numbered)

Command: access-list {1-99} {permit|deny} source-ip source-wildcard [log]
Example: access-list 1 permit 192.168.2.0 0.0.0.255      (permit traffic sourced from 192.168.2.0/24)
         access-list 1 deny 192.168.1.0 0.0.0.255        (deny traffic sourced from 192.168.1.0/24)
Notes: the wildcard is an inverse mask (0 bits must match, 1 bits are ignored); "host 192.168.2.3" is shorthand for 192.168.2.3 0.0.0.0; "any" is shorthand for 0.0.0.0 255.255.255.255; "log" generates a log message on each match; because standard ACLs match on source address only, they are normally placed as close to the destination as possible. Every ACL ends with an implicit deny any, so a list containing only deny entries blocks all traffic on the interface it is applied to.

2. Extended ACLs (numbered)

access-list {100-199} {permit|deny} protocol source-ip source-wildcard [operator port] destination-ip destination-wildcard [operator port] [established] [log]
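The wildcard-mask semantics above, and the first-match and implicit-deny rules that decide what the Question 1 and Question 4 lists on this page actually do, can be checked offline with the following evaluator. It is an added example written for this edit, not code from the original post: the function names (parse_acl, evaluate, matches, wildcard_for_prefix) are choices made here, the sample ACLs reproduce the page's Question 1 and Question 4 entries alongside corrected versions, and the packet addresses fed to them are constructed test values.

```python
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# Added example, not from the original post: a minimal evaluator for the Cisco
# IOS named-ACL syntax used on this page. It models first-match evaluation and
# the implicit "deny any" that ends every IOS ACL, and parses only the subset
# used here: ip/tcp/udp, "any", "host A", "A WILDCARD" and "eq PORT".
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53}
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")
# One ACL entry; proto "ip" matches every protocol, a None port matches any port.
Entry = namedtuple("Entry", "action proto src src_wc src_port dst dst_wc dst_port")

def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard (inverse) mask for an IPv4 /prefix_len, e.g. 26 -> 0.0.0.63."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefix_len))

def matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: any | host A | A WILDCARD | A (host shorthand)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and _IPV4.match(tokens[0]):
        return t, tokens.pop(0)
    return t, "0.0.0.0"

def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' (the only port operator used on the page)."""
    if tokens[:1] != ["eq"]:
        return None
    tokens.pop(0)
    name = tokens.pop(0)
    return int(name) if name.isdigit() else PORT_NAMES[name]

def parse_acl(text: str) -> List[Entry]:
    """Parse named-ACL lines; the 'ip access-list' header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action = tokens.pop(0)
        if tokens[0] in ("ip", "tcp", "udp"):          # extended syntax
            proto = tokens.pop(0)
            src, src_wc = _take_addr(tokens)
            src_port = _take_port(tokens)
            dst, dst_wc = _take_addr(tokens)
            dst_port = _take_port(tokens)
        else:                                          # standard syntax: source only
            proto, src_port, dst_port = "ip", None, None
            src, src_wc = _take_addr(tokens)
            dst, dst_wc = "0.0.0.0", "255.255.255.255"
        entries.append(Entry(action, proto, src, src_wc, src_port, dst, dst_wc, dst_port))
    return entries

def evaluate(entries, src, dst, proto="ip", src_port=None, dst_port=None):
    """First matching entry wins. Returns (action, index of the entry);
    index None means nothing matched and the implicit 'deny any' applied."""
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (matches(src, e.src, e.src_wc) and matches(dst, e.dst, e.dst_wc)):
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, i
    return "deny", None

# Question 1 exactly as posted: a lone deny, so the implicit deny catches everyone.
Q1_AS_POSTED = """
ip access-list standard q1
 deny 192.168.1.110 0.0.0.0
"""
Q1_FIXED = Q1_AS_POSTED + " permit any\n"
# Question 4 as posted: 0.0.63.255 is a /18 wildcard, not /26, and
# "192.168.3.2 0.0.0.3" covers 192.168.3.0-3 rather than one host.
Q4_AS_POSTED = """
ip access-list extended q4
 deny tcp 192.168.1.0 0.0.63.255 192.168.3.2 0.0.0.3 eq www
"""
# Corrected: Sales (192.168.1.0/26) loses HTTP; the permits use "any" because
# the HR and IT subnets are not given on the page.
Q4_FIXED = """
ip access-list extended q4
 deny   tcp 192.168.1.0 0.0.0.63 host 192.168.3.2 eq www
 permit tcp any host 192.168.3.2 eq 443
 permit tcp any host 192.168.3.2 eq www
"""
```

Calling evaluate(parse_acl(Q1_AS_POSTED), "192.168.1.20", "10.0.0.1") returns ("deny", None): a host that is not PC3 is dropped by the implicit deny, which is why the Question 1 list needs a trailing permit any. With Q4_AS_POSTED, a Sales host (192.168.1.10) to port 443 also returns ("deny", None), and 192.168.40.7 to port 80 returns ("deny", 0) because the 0.0.63.255 wildcard matches it; with Q4_FIXED the same two packets return ("permit", 1) and ("permit", 2).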
Reposted from blog.csdn.net/DlMmU/article/details/104419351