
Extended Access-List

Written by Rene Molenaar. Posted in Security

Scenario:

This morning you woke up in a cell feeling dizzy and nauseous; it appears you were kidnapped by a mixture of agents from federal agencies. Your task is to finish this security test; if you pass, you might end up becoming their next security agent... With blurry eyes you start your task!

Goal:

  • All IP addresses have been configured for you; look at the topology picture for the IP addresses.
  • OSPF has been configured for full connectivity.
  • All routers are running services such as HTTP, HTTPS, Telnet and SSH.
  • Make sure you use the most specific wildcard for all your access-lists.
  • You are only allowed to use extended access-lists.
  • Configure the network so traffic from router CIA's L0 interface towards the HTTP server on 3.3.3.3 is not permitted.
  • Configure the network so traffic from router FBI's L1 interface is only allowed to reach the HTTPS server on IP address 33.33.33.33.
  • Configure the network so only users from router NSA's L1 interface are allowed to telnet into router CIA.
  • Configure the network so users from router FBI's L2 interface are not allowed to ping router NSA's L1 interface.

Topology:

(Topology picture: Extended Access-List)

Video Solution:

(Embedded YouTube video)



Comments (5)

  • wbl

    I think you reversed the names on the labs.
    The "named" lab seems to require extended acl commands
    and vice versa

    -wbl

  • ReneMolenaar

    Hi wbl,

    It's OK. The only difference with the named access-list is how to configure it, you still need to choose a standard or extended access-list.

    The named access-list lab is similar to this one with different tasks.

    Rene

  • bluecavalry

    Hi Rene,
    At first, I read this task incorrectly:
    ....FBI's L1 interface is only allowed (HTTPS)

    After watching your video, I understand what was actually needed.
    But now, I am wondering how would I block all traffic (besides 443) from loopback-1 (if that was the task)? Is it possible on the same router?

    I basically created the same extended-access-list, and applied it to all of the interfaces of FBI -- but nothing will block traffic from loopback-1.

    Here is the access-list from the running-config:
    access-list 120 permit tcp 22.22.22.20 0.0.0.3 33.33.33.0 0.0.0.255 eq 443 log
    access-list 120 deny ip 22.22.22.20 0.0.0.3 any log
    access-list 120 permit ip any any
    Thanks Rene. Love your website. Makes real practice fun and easy.
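To make the behaviour of an extended access-list concrete, here is a small evaluator, added as an example and not part of Rene's lab or the GNS3 file: it parses numbered extended ACL lines the way IOS reads them (wildcard bits are "don't care", the first matching entry decides, and an implicit deny ends every list), computes the "most specific wildcard" the lab goals ask for, and runs transit packets through the access-list 120 posted in the comment above and through a constructed list for the first lab goal. CIA's Loopback0 address is only given in the topology picture, so 192.0.2.1 stands in as a labelled placeholder; the `Ace` class, the function names and the small port-keyword table are my own.

```python
"""Extended access-list evaluator: a constructed teaching example, not Rene's lab code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords accepted after "eq" (the lab tasks involve HTTP, HTTPS and telnet)
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}


def wildcard_for_prefix(prefix_len: int) -> str:
    """Most specific wildcard for a /prefix_len block: /30 -> 0.0.0.3, /32 -> 0.0.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    """One access control entry (my own class name, not an IOS term)."""
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int]   # destination port from "eq <port>", None if absent
    log: bool


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny proto src [wc] dst [wc] [eq port] [log]'.
    Only the destination-port form of 'eq' is handled; source ports are not."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a numbered extended ACL line: {line!r}")
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    port, log = None, False
    while i < len(t):
        if t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        elif t[i] == "log":
            log, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return Ace(t[2], t[3], src, src_wc, dst, dst_wc, port, log)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# access-list 120 exactly as posted in the comment above (FBI's Loopback1 sits in 22.22.22.20/30 there)
ACL_120 = [parse_ace(l) for l in [
    "access-list 120 permit tcp 22.22.22.20 0.0.0.3 33.33.33.0 0.0.0.255 eq 443 log",
    "access-list 120 deny ip 22.22.22.20 0.0.0.3 any log",
    "access-list 120 permit ip any any",
]]

# Constructed list for the first lab goal. 192.0.2.1 is a PLACEHOLDER for CIA's Loopback0
# address (only given in the topology picture); 3.3.3.3 is the HTTP server from the goals.
CIA_L0_PLACEHOLDER = "192.0.2.1"
ACL_101 = [parse_ace(l) for l in [
    f"access-list 101 deny tcp host {CIA_L0_PLACEHOLDER} host 3.3.3.3 eq www",
    "access-list 101 permit ip any any",
]]

if __name__ == "__main__":
    print(wildcard_for_prefix(30))                                      # 0.0.0.3
    print(evaluate(ACL_120, "tcp", "22.22.22.21", "33.33.33.33", 443))  # permit
    print(evaluate(ACL_120, "tcp", "22.22.22.21", "3.3.3.3", 80))       # deny
    print(evaluate(ACL_101, "tcp", CIA_L0_PLACEHOLDER, "3.3.3.3", 80))  # deny
```

The evaluator models transit traffic only, which is exactly the distinction the reply below draws: packets a router generates itself (a ping sourced from its own loopback, say) never pass through an interface ACL on that router, so the list above only shows its effect once the 22.22.22.20/30 source sits behind another router. Note also that under the lab's "most specific wildcard" rule the HTTPS destination would be written `host 33.33.33.33` (wildcard 0.0.0.0) rather than `33.33.33.0 0.0.0.255`, which is what `wildcard_for_prefix(32)` returns.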

  • ReneMolenaar

    Hello Mark,

    If I get your question right, you are trying to block traffic from Loopback1 on router FBI right?

    Your access-list looks fine but you need to keep in mind that there's a big difference between traffic "created by your router" (locally originated) vs. traffic that is flowing through your router.

    Traffic that is locally originated by your router will NOT hit the access-list, only traffic that is flowing THROUGH the router.

    If you want to test this access-list, you should replace the loopback interface for another router, you'll see that you will get another result :)

    Was this helpful?

    Rene

  • bluecavalry

    Rene,
    Thank you for clarifying that for me.