This lab implements security policies in the network by using access lists (ACLs).
Please note that these solutions are not the only ones applicable: as often happens in computing and telecommunications, there may be several solutions to the same problem.
Using extended access lists
RTD(config)# access-list 100 permit tcp 192.25.0.0 0.0.0.127 192.168.1.1 0.0.0.0 eq telnet
RTD(config)# access-list 100 deny tcp 192.25.0.0 0.0.0.255 any eq telnet
RTD(config)# access-list 100 permit ip any any
RTD(config)# interface Ethernet0
RTD(config-if)# ip access-group 100 in
The Cisco convention is that an extended access list is applied as close as possible to the source of the traffic to be controlled.
In this case only the lower half of the 192.25.0.0/24 network is allowed to telnet, and only to RTC. That is why the access list is applied to the Ethernet 0 interface of RTD with the command ip access-group 100 in.
The first statement permits, inbound on the Ethernet 0 interface of the router, telnet traffic originating from the lower half of the network (192.25.0.1 to 192.25.0.127) and destined to RTC.
The second statement blocks the rest of the telnet traffic: that generated by the lower half of the network but addressed to destinations other than RTC, and that generated by the upper half of the network.
The third statement allows the remaining IP traffic.
At this point the telnet traffic has been filtered, but the system still has a security flaw: nothing prevents a host in the lower half of the 192.25.0.0 network from telnetting to RTC and, from that remote terminal, telnetting on to the other routers. A solution to this problem is proposed in the section on standard access lists.
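As an added illustration (not part of the lab), the following Python model evaluates packets against the three statements of access-list 100 in IOS order, first match wins with the implicit deny at the end, to show how the wildcard mask 0.0.0.127 selects the lower half of 192.25.0.0/24. It assumes 192.168.1.1 is the address of RTC, as in the ACL above; the packet values are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a Cisco extended ACL entry (not IOS code).
@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str               # "A.B.C.D W.X.Y.Z" wildcard pair, or "any"
    dst: str
    dport: Optional[int] = None   # None means any destination port

def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (b & ~w)

def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """Walk the ACL top-down; the first matching statement decides."""
    for r in acl:
        if r.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, r.src) or not wildcard_match(dst, r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"  # implicit "deny ip any any" at the end of every IOS ACL

# The three statements of access-list 100 applied inbound on RTD Ethernet 0;
# 192.168.1.1 (RTC) and 23 (telnet) are taken from the configuration above.
RTD_ACL_100 = [
    Rule("permit", "tcp", "192.25.0.0 0.0.0.127", "192.168.1.1 0.0.0.0", 23),
    Rule("deny",   "tcp", "192.25.0.0 0.0.0.255", "any", 23),
    Rule("permit", "ip",  "any", "any"),
]

if __name__ == "__main__":
    # lower half to RTC: permit; upper half to RTC: deny; lower half elsewhere: deny
    for src, dst, port in [("192.25.0.5", "192.168.1.1", 23),
                           ("192.25.0.200", "192.168.1.1", 23),
                           ("192.25.0.5", "192.168.0.31", 23),
                           ("192.25.0.5", "192.168.0.31", 80)]:
        print(src, "->", dst, port, evaluate(RTD_ACL_100, "tcp", src, dst, port))
```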
To allow only RTC to access the TFTP server 192.168.0.31 it is necessary, in this case, to contravene the Cisco convention referred to above: if, as the convention requires, the access list were applied outbound on the serial interface of RTC towards RTB, then RTA or RTB could still access the TFTP server.
So in this case an extended access list (which can check the protocol and the destination) must be applied to the Ethernet 0 interface of RTA, allowing TFTP traffic only with source IP address 15.0.0.2 (the serial of RTC) and destination IP address 192.168.0.31 (the TFTP server):
RTA(config)# access-list 100 permit udp host 15.0.0.2 host 192.168.0.31 eq tftp
RTA(config)# access-list 100 deny udp any any eq tftp
RTA(config)# access-list 100 permit ip any any
RTA(config)# interface Ethernet0
RTA(config-if)# ip access-group 100 out
Using standard access lists
Through the access-class command an access list is applied not to an interface but to the virtual terminal lines (vty) of the router:
RTA(config)# access-list 1 deny any
RTA(config)# line vty 0 4
RTA(config-line)# access-class 1 in
Applying this access list on RTA, RTB and RTD solves the security problem discussed above.