Cisco IOS Technologies

ACL Cisco Exam Lab 2017

Network Configuration

A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.

The task is to create and apply an access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.

All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254.
o host A 192.168.33.1
o host B 192.168.33.2
o host C 192.168.33.3
o host D 192.168.33.4

The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.

 

Answer

  1. Select the console on Corp1 router:
  2. Configuring ACL on Corp1 router:

Password: cisco

Corp1>enable

Password: cisco

Corp1#configure terminal

Comment: To permit only Host C (192.168.33.3) {source address} to access finance server address (172.22.242.23) {destination address} on port number 80 (web):

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Comment: To deny any source to access finance server address (172.22.242.23) {destination address} on port number 80 (web):

Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

Comment: To permit IP traffic from any source to any destination, which is needed because of the implicit deny any any statement at the end of the ACL:

Corp1(config)#access-list 100 permit ip any any

  3. Applying the ACL on the Interface:

Comment: Place the ACL to check packets leaving the interface towards the Finance Web Server:

Corp1(config)#interface fastethernet 0/1

Corp1(config-if)#ip access-group 100 out

Corp1(config-if)#end

  4. Important: save your running config to startup config before exit.

Corp1#copy running-config startup-config

  5. Verifying the Configuration:

Step 1: The show ip interface brief command identifies the interface on which to apply the access list.

Step 2: Click on each host (A, B, C and D). Each host opens a web browser page.

    • Click on host C and open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct then you can access it.
    • Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from these hosts.

Step 3: Only Host C (192.168.33.3) has access to the server. If any other host can also access it, then something probably went wrong in your configuration. Check that you entered the statements correctly and in the right order.