
PT Activity: Configure IP ACLs to Mitigate Attacks

Instructor Version

Topology Diagram

Addressing Table

Device  Interface       IP Address    Subnet Mask      Default Gateway
R1      Fa0/1           192.168.1.1   255.255.255.0    N/A
        S0/0/0 (DCE)    10.1.1.1      255.255.255.252  N/A
R2      S0/0/0          10.1.1.2      255.255.255.252  N/A
        S0/0/1 (DCE)    10.2.2.2      255.255.255.252  N/A
        Lo0             192.168.2.1   255.255.255.0    N/A
R3      Fa0/1           192.168.3.1   255.255.255.0    N/A
        S0/0/1          10.2.2.1      255.255.255.252  N/A
PC-A    NIC             192.168.1.3   255.255.255.0    192.168.1.1
PC-C    NIC             192.168.3.3   255.255.255.0    192.168.3.1

Objectives

- Verify connectivity among devices before firewall configuration.
- Use ACLs to ensure remote access to the routers is available only from management station PC-C.
- Configure ACLs on R1 and R3 to mitigate attacks.
- Verify ACL functionality.

All contents are Copyright © 1992-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 1 of 4

CCNA Security

Introduction

Access to routers R1, R2, and R3 should only be permitted from PC-C, the management station. PC-C is also used for connectivity testing to PC-A, a server providing DNS, SMTP, FTP, and HTTPS services. Standard operating procedure is to apply ACLs on edge routers to mitigate common threats based on source and/or destination IP address. In this activity, you create ACLs on edge routers R1 and R3 to achieve this goal. You then verify ACL functionality from internal and external hosts.

The routers have been pre-configured with the following:

- Enable password: ciscoenpa55
- Password for console: ciscoconpa55
- Username for VTY lines: SSHadmin
- Password for VTY lines: ciscosshpa55
- IP addressing
- Static routing

Task 1: Verify Basic Network Connectivity

Verify network connectivity prior to configuring the IP ACLs.

Step 1. From the PC-C command prompt, ping the PC-A server.

Step 2. From the PC-C command prompt, SSH to the router R2 Lo0 interface. Exit the SSH session.

Step 3. From PC-C, open a web browser to the PC-A server to display the web page. Close the browser on PC-C.

Step 4. From the PC-A server command prompt, ping PC-C.

Task 2: Secure Access to Routers

Step 5. Configure ACL 10 to block all remote access to the routers except from PC-C.

Use the access-list command to create a numbered IP ACL on R1, R2, and R3. The wildcard 0.0.0.0 matches only the single management host 192.168.3.3; every other source falls to the implicit deny at the end of the list.

R1(config)# access-list 10 permit 192.168.3.3 0.0.0.0
R2(config)# access-list 10 permit 192.168.3.3 0.0.0.0
R3(config)# access-list 10 permit 192.168.3.3 0.0.0.0

Step 6. Apply ACL 10 to ingress traffic on the VTY lines.

Use the access-class command to apply the access list to incoming traffic on the VTY lines. Enter line configuration mode for the VTY lines first.

R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
R2(config)# line vty 0 4
R2(config-line)# access-class 10 in
R3(config)# line vty 0 4
R3(config-line)# access-class 10 in

Step 7. Verify exclusive access from management station PC-C.

SSH to 192.168.2.1 from PC-C (should be successful). SSH to 192.168.2.1 from PC-A (should fail).

PC> ssh -l SSHadmin 192.168.2.1


Task 3: Create a Numbered IP ACL 100

On R3, block all packets containing the source IP address from the following pool of addresses: 127.0.0.0/8, any RFC 1918 private addresses, and any IP multicast address.

Step 8. Configure ACL 100 to block all specified traffic from the outside network.

You should also block traffic sourced from your own internal address space if it is not an RFC 1918 address (in this activity, your internal address space is part of the private address space specified in RFC 1918).

Use the access-list command to create a numbered IP ACL.

R3(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R3(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R3(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
R3(config)# access-list 100 permit ip any any

Step 9. Apply the ACL to interface Serial 0/0/1.

Use the ip access-group command to apply the access list to incoming traffic on interface Serial 0/0/1.

R3(config)# interface s0/0/1
R3(config-if)# ip access-group 100 in

Step 10. Confirm that the specified traffic entering interface Serial 0/0/1 is dropped.

From the PC-C command prompt, ping the PC-A server. The ICMP echo replies are blocked by the ACL since they are sourced from the 192.168.0.0/16 address space.

Step 11. Remove the ACL from interface Serial 0/0/1.

Remove the ACL. Otherwise, all traffic from the outside network (being addressed with private source IP addresses) will be denied for the remainder of the activity. Use the no ip access-group command to remove the access list from interface Serial 0/0/1.

R3(config)# interface s0/0/1
R3(config-if)# no ip access-group 100 in

Task 4: Create a Numbered IP ACL 110

Deny all outbound packets with source address outside the range of internal IP addresses.

Step 12. Configure ACL 110 to permit only traffic from the inside network.

Use the access-list command to create a numbered IP ACL.

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 any

Step 13. Apply the ACL to interface F0/1.

Use the ip access-group command to apply the access list to incoming traffic on interface F0/1.

R3(config)# interface fa0/1
R3(config-if)# ip access-group 110 in


Task 5: Create a Numbered IP ACL 120

Permit any outside host to access DNS, SMTP, and FTP services on server PC-A, deny any outside host access to HTTPS services on PC-A, and permit PC-C to access R1 via SSH.

Step 14. Verify that PC-C can access PC-A via HTTPS using the web browser.

Be sure to disable HTTP and enable HTTPS on server PC-A.

Step 15. Configure ACL 120 to specifically permit and deny the specified traffic.

Use the access-list command to create a numbered IP ACL.

R1(config)# access-list 120 permit udp any host 192.168.1.3 eq domain
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq smtp
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq ftp
R1(config)# access-list 120 deny tcp any host 192.168.1.3 eq 443
R1(config)# access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22

Step 16. Apply the ACL to interface S0/0/0.

Use the ip access-group command to apply the access list to incoming traffic on interface S0/0/0.

R1(config)# interface s0/0/0
R1(config-if)# ip access-group 120 in

Step 17. Verify that PC-C cannot access PC-A via HTTP using the web browser.

Task 6: Modify an Existing ACL

Permit ICMP echo replies and destination unreachable messages from the outside network (relative to R1); deny all other incoming ICMP packets.

Step 18. Verify that PC-A cannot successfully ping the loopback interface on R2.

Step 19. Modify ACL 120 to permit and deny the specified traffic.

Use the access-list command to create a numbered IP ACL.

R1(config)# access-list 120 permit icmp any any echo-reply
R1(config)# access-list 120 permit icmp any any unreachable
R1(config)# access-list 120 deny icmp any any
R1(config)# access-list 120 permit ip any any

Step 20. Verify that PC-A can successfully ping the loopback interface on R2.

Step 21. Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
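The following Python model is an added example and is not part of the Cisco activity or of Cisco IOS. It replays ACL 100 from Task 3 and ACL 120 both as built in Task 5 and as modified in Task 6 against constructed packets, so that the outcomes of Steps 10, 17, 18 and 20 can be traced entry by entry. It implements the IOS evaluation rules these steps rely on: entries are checked top-down, the first match decides, and anything that matches no entry hits the implicit deny at the end of every list; a wildcard mask is the bitwise inverse of the subnet mask, and the port keywords domain, smtp and ftp stand for 53, 25 and 21. The host constants, the ICMP type numbers and the sample outside addresses (198.51.100.10, 203.0.113.5) are the example's own assumptions.

```python
"""Added example (not Cisco's code): a small model of how IOS evaluates a
numbered IP ACL, replayed against constructed packets that mirror the lab's
verification steps for ACL 100 (Task 3) and ACL 120 (Tasks 5 and 6)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")          # IOS keyword "any"
# Addresses from the lab's addressing table (assumed constant names).
PC_A, PC_C, R1_S0, R2_LO0 = "192.168.1.3", "192.168.3.3", "10.1.1.1", "192.168.2.1"
ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO = 0, 3, 8   # ICMP type numbers


def host(addr: str):
    """IOS keyword "host": wildcard 0.0.0.0, every bit of the address must match."""
    return (addr, "0.0.0.0")


def wildcard(prefix_len: int) -> str:
    """Wildcard mask for a prefix length: the bitwise inverse of the subnet mask
    (/8 -> 0.255.255.255, /12 -> 0.15.255.255, /4 -> 15.255.255.255)."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def in_range(addr: str, net_wc) -> bool:
    """A 1 bit in the wildcard means "don't care"; 0 bits must equal the network."""
    net, wc = net_wc
    w = int(IPv4Address(wc))
    return (int(IPv4Address(addr)) | w) == (int(IPv4Address(net)) | w)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access control entry, in the order of the IOS access-list command."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: tuple = ANY
    dst: tuple = ANY
    dport: Optional[int] = None      # "eq <port>" on the destination
    icmp_type: Optional[int] = None  # "echo-reply", "unreachable", ...

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (in_range(p.src, self.src) and in_range(p.dst, self.dst)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return self.icmp_type is None or p.icmp_type == self.icmp_type


def evaluate(acl, p: Packet) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Task 3: ACL 100, applied inbound on R3 S0/0/1.
ACL_100 = [
    Ace("deny", "ip", ("10.0.0.0", wildcard(8))),       # RFC 1918
    Ace("deny", "ip", ("172.16.0.0", wildcard(12))),    # RFC 1918
    Ace("deny", "ip", ("192.168.0.0", wildcard(16))),   # RFC 1918
    Ace("deny", "ip", ("127.0.0.0", wildcard(8))),      # loopback
    Ace("deny", "ip", ("224.0.0.0", wildcard(4))),      # multicast
    Ace("permit", "ip"),                                # permit ip any any
]

# Task 5: ACL 120, applied inbound on R1 S0/0/0 (domain/smtp/ftp = 53/25/21).
ACL_120 = [
    Ace("permit", "udp", ANY, host(PC_A), dport=53),
    Ace("permit", "tcp", ANY, host(PC_A), dport=25),
    Ace("permit", "tcp", ANY, host(PC_A), dport=21),
    Ace("deny", "tcp", ANY, host(PC_A), dport=443),
    Ace("permit", "tcp", host(PC_C), host(R1_S0), dport=22),
]

# Task 6: the four new entries are appended after the existing ones.
ACL_120_MODIFIED = ACL_120 + [
    Ace("permit", "icmp", icmp_type=ICMP_ECHO_REPLY),
    Ace("permit", "icmp", icmp_type=ICMP_UNREACHABLE),
    Ace("deny", "icmp"),
    Ace("permit", "ip"),
]

# Constructed packets mirroring the lab's verification steps.
REPLY_PCA_TO_PCC = Packet(PC_A, PC_C, "icmp", icmp_type=ICMP_ECHO_REPLY)    # Step 10
REPLY_LO0_TO_PCA = Packet(R2_LO0, PC_A, "icmp", icmp_type=ICMP_ECHO_REPLY)  # Steps 18, 20
HTTPS_PCC_TO_PCA = Packet(PC_C, PC_A, "tcp", dport=443)                     # Step 17
SSH_PCC_TO_R1 = Packet(PC_C, R1_S0, "tcp", dport=22)
HTTP_PCC_TO_PCA = Packet(PC_C, PC_A, "tcp", dport=80)

if __name__ == "__main__":
    print("ACL 100, echo reply PC-A -> PC-C:", evaluate(ACL_100, REPLY_PCA_TO_PCC))
    print("ACL 120, echo reply R2 Lo0 -> PC-A:", evaluate(ACL_120, REPLY_LO0_TO_PCA))
    print("ACL 120 modified, same reply:", evaluate(ACL_120_MODIFIED, REPLY_LO0_TO_PCA))
    print("ACL 120 modified, HTTPS to PC-A:", evaluate(ACL_120_MODIFIED, HTTPS_PCC_TO_PCA))
    print("ACL 120 modified, HTTP to PC-A:", evaluate(ACL_120_MODIFIED, HTTP_PCC_TO_PCA))
```

Running the model reproduces the lab's observations: the echo reply from PC-A is denied by ACL 100 because 192.168.1.3 falls inside 192.168.0.0/16 (Step 10), the echo reply from R2's loopback is denied by the original ACL 120 through the implicit deny (Step 18) and permitted once the Task 6 entries are added (Step 20), and the deny for TCP/443 keeps taking effect after Task 6 because it sits above the closing permit ip any any. The same closing entry also permits traffic the original ACL 120 left unmatched, such as TCP/80 to PC-A, which is why Step 14 has you disable HTTP on the server before relying on the ACL.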
