
Guia CCNA Security v2

@ NMT 2013
1
Established ACLs ........................ 2
Time-based ACLs ......................... 6
Dynamic ACLs ............................ 9
IP/ICMP ACLs ............................ 12
ACLs for OSPF and EIGRP ................. 18
IPv6 ACLs ............................... 22
Reflexive ACLs .......................... 29

Established ACLs


Configure the addressing shown.
Configure OSPF as shown in the figure, advertising the directly connected interfaces.
R3 is the ASBR for this scenario. According to company policy, only traffic initiated locally from routers R1 and R2 is to be permitted. Use ACL 103.
Enable telnet on all routers, using the password cisco. The telnet sessions must never be closed.
On R3, log messages must be sent to the console for both kinds of attempt (failed/successful).


R1
router ospf 1
router-id 1.1.1.1

interface range fastEthernet 0/0 - 1
ip ospf 1 area 0
ip ospf network point-to-point

interface Loopback0
ip ospf 1 area 0

line vty 0 4
exec-timeout 0 0
password cisco
login


R2
router ospf 1
router-id 2.2.2.2

interface range fastEthernet 0/0 - 1
ip ospf 1 area 0
ip ospf network point-to-point

interface Loopback0
ip ospf 1 area 0
line vty 0 4
exec-timeout 0 0
password cisco
login

R3
router ospf 1
router-id 3.3.3.3

interface range fastEthernet 0/0 - 1
ip ospf 1 area 0
ip ospf network point-to-point

interface Serial1/0
ip ospf 1 area 1

interface Loopback0
ip ospf 1 area 0

line vty 0 4
exec-timeout 0 0
password cisco
login

R4
router ospf 1
router-id 4.4.4.4

interface Serial1/0
ip ospf 1 area 1

interface Loopback0
ip ospf 1 area 1

line vty 0 4
exec-timeout 0 0
password cisco
login

R3#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 0 FULL/ - 00:00:37 10.1.13.1 FastEthernet0/0
2.2.2.2 0 FULL/ - 00:00:38 10.1.23.2 FastEthernet0/1
4.4.4.4 0 FULL/ - 00:00:33 10.1.34.4 Serial1/0

R1#sh ip route ospf
10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O 10.1.23.0/24 [110/2] via 10.1.13.3, 00:24:17, FastEthernet0/1
[110/2] via 10.1.12.2, 00:24:27, FastEthernet0/0
O IA 10.1.34.0/24 [110/65] via 10.1.13.3, 00:05:27, FastEthernet0/1
O 10.2.2.2/32 [110/2] via 10.1.12.2, 00:05:55, FastEthernet0/0
O 10.3.3.3/32 [110/2] via 10.1.13.3, 00:05:55, FastEthernet0/1
O IA 10.4.4.4/32 [110/66] via 10.1.13.3, 00:04:59, FastEthernet0/1


We check whether R4 can reach the routers inside area 0 using telnet.


R4#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
User Access Verification
Password:cisco
R2>

R4#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:cisco
R1>


We configure ACL 103 and apply it inbound on Serial1/0 of R3.


R3
access-list 103 permit ospf any any
access-list 103 permit tcp any any established log
access-list 103 deny ip any any log

interface Serial1/0
ip access-group 103 in

R4#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Destination unreachable; gateway or host down

R1#telnet 10.4.4.4
Trying 10.4.4.4 ... Open
User Access Verification
Password:cisco
R4>

R3#show access-lists 103
Extended IP access list 103
10 permit ospf any any (8 matches)
20 permit tcp any any established log (11 matches)


R4#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Destination unreachable; gateway or host down

R3#
*Aug 29 13:27:47.747: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.1.34.4(46374) -> 10.1.1.1(23), 1 packet

R1#telnet 10.4.4.4
Trying 10.4.4.4 ... Open
User Access Verification
Password:cisco
R4>

R3#
*Aug 29 13:28:37.151: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 10.4.4.4(23) -> 10.1.13.1(45476), 1 packet

Note: the major limitation of using an ACL with established is that it only applies to TCP (and the layers above it); it does not work for UDP or ICMP.


Time-based ACLs


Configure the addressing shown and enable EIGRP 1 so that the routers advertise all their directly connected interfaces.
Configure R3 so that users behind R4 can browse the Internet on weekdays only, and run ICMP connectivity tests on weekends.
We enable EIGRP


R1
router eigrp 1
network 10.0.0.0
no auto-summary

R2
router eigrp 1
network 10.0.0.0
no auto-summary

R3
router eigrp 1
network 10.0.0.0
no auto-summary

R4
router eigrp 1
network 10.0.0.0
no auto-summary

R4#sh ip route eigrp
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D 10.1.1.0/24 [90/161280] via 10.1.34.3, 00:01:07, FastEthernet0/0
D 10.1.12.0/24 [90/33280] via 10.1.34.3, 00:01:07, FastEthernet0/0
D 10.1.23.0/24 [90/30720] via 10.1.34.3, 00:01:07, FastEthernet0/0
D 10.2.2.0/24 [90/158720] via 10.1.34.3, 00:01:07, FastEthernet0/0
D 10.3.3.0/24 [90/156160] via 10.1.34.3, 00:01:07, FastEthernet0/0



- We define the permissions on R3 as stated at the start.


R3
time-range SEMANA
periodic weekdays 0:00 to 23:59

time-range FINDE
periodic weekend 0:00 to 23:59

access-list 100 permit tcp any any eq www time-range SEMANA
access-list 100 permit icmp any any time-range FINDE
access-list 100 permit eigrp any any
access-list 100 deny ip any any log

interface FastEthernet0/0
ip access-group 100 in

R3#clock set 10:00:00 20 sept 2011 //Tuesday

R4#ping 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

%SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.1.34.4 -> 10.3.3.3 (8/0), 1 packet

R3#show access-lists
Extended IP access list 100
10 permit icmp any any time-range FINDE (inactive) (5 matches)
20 permit tcp any any eq www time-range SEMANA (active)
30 permit eigrp any any (64 matches)
40 deny ip any any log (15 matches)

R4#telnet 10.2.2.2 80
Trying 10.2.2.2, 80 ...
% Connection refused by remote host

R3#show access-lists
Extended IP access list 100
10 permit icmp any any time-range FINDE (inactive) (5 matches)
20 permit tcp any any eq www time-range SEMANA (active) (1 match)
30 permit eigrp any any (70 matches)
40 deny ip any any log (15 matches)

R3#clock set 10:00:00 18 sept 2011 //weekend
R3#
%SYS-6-CLOCKUPDATE: System clock has been updated from 10:04:55 UTC Tue Sep 20 2011 to 10:00:00 UTC Sun Sep 18 2011, configured from console by console.
R3#clear access-list counters

R3#
%SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.1.34.4 -> 10.3.3.3 (8/0), 14 packets

R4#ping 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/76/116 ms

R3#show access-lists
Extended IP access list 100
10 permit icmp any any time-range FINDE (active) (5 matches)
20 permit tcp any any eq www time-range SEMANA (inactive)
30 permit eigrp any any (6 matches)
40 deny ip any any log
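To replay the clock test above offline, here is an added Python model (not the lab's own code) of the `periodic` time-range check and of first-match evaluation for ACL 100; the time-range definitions, the ACE order as shown by `show access-lists`, and the two clock values are the lab's.

```python
"""Model of the time-based ACL 100 on R3 (constructed example, not the lab's own code).

It reproduces how IOS decides whether a `time-range` is active for a given clock
value and how first-match evaluation skips ACEs whose time-range is inactive,
so the two clock values the lab sets can be replayed offline.
"""
from datetime import datetime, time

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
# Day keywords accepted by `periodic`, mapped to datetime.weekday() values (Monday == 0)
DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
            **{name: {i} for i, name in enumerate(DAY_NAMES)}}

# The two time-ranges exactly as defined in the lab
TIME_RANGES = {
    "SEMANA": "weekdays 0:00 to 23:59",
    "FINDE": "weekend 0:00 to 23:59",
}

# ACL 100 in the order `show access-lists` displays it:
# (sequence, action, protocol, destination port or None, time-range or None)
ACL_100 = [
    (10, "permit", "icmp", None, "FINDE"),
    (20, "permit", "tcp", 80, "SEMANA"),
    (30, "permit", "eigrp", None, None),
    (40, "deny", "ip", None, None),
]

# The clock values the lab sets on R3 (a Tuesday and a Sunday)
TUESDAY = datetime(2011, 9, 20, 10, 0)
SUNDAY = datetime(2011, 9, 18, 10, 0)


def time_range_active(periodic: str, now: datetime) -> bool:
    """`periodic <days> HH:MM to HH:MM`; compared on minutes, as the CLI shows them."""
    days, start, _to, end = periodic.split()
    start_t = time(*map(int, start.split(":")))
    end_t = time(*map(int, end.split(":")))
    if now.weekday() not in DAY_SETS[days]:
        return False
    return start_t <= now.time().replace(second=0, microsecond=0) <= end_t


def acl_states(acl, now: datetime) -> dict:
    """What `show access-lists` marks next to each ACE: active/inactive."""
    states = {}
    for seq, _action, _proto, _port, tr in acl:
        if tr is None:
            states[seq] = "always"
        else:
            states[seq] = "active" if time_range_active(TIME_RANGES[tr], now) else "inactive"
    return states


def evaluate(acl, proto: str, dst_port, now: datetime):
    """First match wins; an ACE with an inactive time-range is skipped entirely.
    Returns (sequence, action); (None, "deny") is the implicit deny at the end."""
    for seq, action, ace_proto, ace_port, tr in acl:
        if tr is not None and not time_range_active(TIME_RANGES[tr], now):
            continue
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        return seq, action
    return None, "deny"


if __name__ == "__main__":
    for label, clock in (("Tue Sep 20 2011", TUESDAY), ("Sun Sep 18 2011", SUNDAY)):
        print(label, acl_states(ACL_100, clock))
        print("  ping from R4 ->", evaluate(ACL_100, "icmp", None, clock))
        print("  http from R4 ->", evaluate(ACL_100, "tcp", 80, clock))
```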

Dynamic ACLs

Configure EIGRP 1 on all routers and advertise their directly connected interfaces. EIGRP must not lose adjacencies.
Enable Telnet on R1 and R2. To access R4 we must use the username admin4 with password cisco4.
R4 requires authentication to access the routers inside company A. Use telnet for the authentication.
The routers inside company A can access R4's services without authentication.
On R3 (the border router) create the user u4 with password cisco.


R1
router eigrp 1
network 10.0.0.0
no auto-summary

line vty 0 4
password cisco
login

R2
router eigrp 1
network 10.0.0.0
no auto-summary

line vty 0 4
password cisco
login

R3
router eigrp 1
network 10.0.0.0
no auto-summary

line vty 0 4
password cisco
login

R4
router eigrp 1
network 10.0.0.0
no auto-summary

line vty 0 4
password cisco
login


We access the routers using telnet before applying the configuration on R3.


R4#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
User Access Verification
Password:cisco
R2>

R1#telnet 10.4.4.4
Trying 10.4.4.4 ... Open
Autentificacion AAA
Usuario:admin4
Password:cisco4


We configure R3


R3
username u4 password cisco

access-list 100 permit tcp any host 10.1.34.3 eq telnet
access-list 100 permit eigrp any any
access-list 100 permit tcp any any established log
access-list 100 dynamic ACCESO permit ip any any

interface Serial1/0
ip access-group 100 in

line vty 0 4
autocommand access-enable host //hidden command
login local //Seems not to be needed if the server is down.

R4#telnet 10.1.34.3
Trying 10.1.34.3 ... Open


User Access Verification

Username: u4
Password:
[Connection to 10.1.34.3 closed by foreign host]

R4#telnet 10.2.2.2
Trying 10.2.2.2 ... Open


User Access Verification

Password:

R2>en
Password:
R2#

R4#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/82/132 ms

R3#show access-lists
Extended IP access list 100
10 permit tcp any host 10.1.34.3 eq telnet (132 matches)
20 permit eigrp any any (128 matches)
30 permit tcp any any established log (18 matches)
40 Dynamic ACCESO permit ip any any
permit ip host 10.1.34.4 any (1 match)




IP/ICMP ACLs


Configure RIPv2 so that there is full NLRI. Updates must be unicast (not multicast).
On R2 we must deny traffic between 10.1.1.1 and 10.4.4.4. All other traffic must be permitted.
When this rule is matched, we must see a console log message on R2.


R1
router rip
version 2
passive-interface FastEthernet0/0
network 10.0.0.0
neighbor 10.1.12.2
no auto-summary

R2
router rip
version 2
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1
network 10.0.0.0
neighbor 10.1.12.1
neighbor 10.1.23.3
no auto-summary

R3
router rip
version 2
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1
network 10.0.0.0
neighbor 10.1.34.4
neighbor 10.1.23.2
no auto-summary

R4
router rip
version 2
passive-interface FastEthernet0/0
network 10.0.0.0
neighbor 10.1.34.3
no auto-summary

R1#sh ip route rip
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
R 10.1.23.0/24 [120/1] via 10.1.12.2, 00:00:12, FastEthernet0/0
R 10.1.34.0/24 [120/2] via 10.1.12.2, 00:00:12, FastEthernet0/0
R 10.2.2.0/24 [120/1] via 10.1.12.2, 00:00:12, FastEthernet0/0
R 10.3.3.0/24 [120/2] via 10.1.12.2, 00:00:12, FastEthernet0/0
R 10.4.4.0/24 [120/3] via 10.1.12.2, 00:00:12, FastEthernet0/0

R1#ping 10.4.4.4 source 10.1.1.1 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 80/106/132 ms


On R2 we create the ACLs that will filter the traffic between 10.1.1.1 and 10.4.4.4. As good practice we first check whether any ACL was configured earlier with the command show access-lists. One ACL has R1 as source and R4 as destination; the other has R4 as source and R1 as destination. This means each ACL will be applied on a different interface.


R2#show access-lists
R2#

R2
access-list 102 deny ip host 10.4.4.4 host 10.1.1.1 log
access-list 102 permit ip any any

access-list 122 deny ip host 10.1.1.1 host 10.4.4.4 log
access-list 122 permit ip any any

interface FastEthernet0/0
ip access-group 122 in
interface FastEthernet0/1
ip access-group 102 in

R2#show access-lists
Extended IP access list 102
10 deny ip host 10.4.4.4 host 10.1.1.1 log
20 permit ip any any (3 matches)
Extended IP access list 122
10 deny ip host 10.1.1.1 host 10.4.4.4 log
20 permit ip any any (3 matches)


Connectivity test


R1#ping 10.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/56/88 ms

R1#ping 10.3.3.3 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/74/120 ms

R1#ping 10.4.4.4 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
U.U.U
Success rate is 0 percent (0/5)

R2#
*Sep 5 13:14:05.527: %SEC-6-IPACCESSLOGDP: list 122 denied icmp 10.1.1.1 -> 10.4.4.4 (0/0), 1 packet

R1#sh ip route rip
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
R 10.1.23.0/24 [120/1] via 10.1.12.2, 00:00:19, FastEthernet0/0
R 10.1.34.0/24 [120/2] via 10.1.12.2, 00:00:19, FastEthernet0/0
R 10.2.2.0/24 [120/1] via 10.1.12.2, 00:00:19, FastEthernet0/0
R 10.3.3.0/24 [120/2] via 10.1.12.2, 00:00:19, FastEthernet0/0
R 10.4.4.0/24 [120/3] via 10.1.12.2, 00:00:19, FastEthernet0/0


The following policies are required:
- R1 can ping R2 and receive the reply back.
- R2 cannot ping R1.

R1
access-list 101 deny icmp host 10.1.12.2 any echo
access-list 101 deny icmp host 10.2.2.2 any echo
access-list 101 deny icmp host 10.1.23.2 any echo
access-list 101 permit ip any any

interface FastEthernet0/0
ip access-group 101 in

R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/64/88 ms

R1#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/64/96 ms

R1#ping 10.1.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/74/92 ms

R2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R2#ping 10.1.1.1 source 10.1.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.23.2
U.U.U
Success rate is 0 percent (0/5)

R2#ping 10.1.1.1 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
U.U.U
Success rate is 0 percent (0/5)


In the following example we configure R2 so that, when it has no route to a network, it uses R3 as its default gateway. We create a default route and then test connectivity to a nonexistent IP (10.5.5.5).


R2
ip route 0.0.0.0 0.0.0.0 fastEthernet 0/1 10.1.23.3

R2#sh ip route static
Gateway of last resort is 10.1.23.3 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.1.23.3, FastEthernet0/1

R2#debug ip icmp
ICMP packet debugging is on

R2#ping 10.5.5.5 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
U
*Sep 5 13:35:50.603: ICMP: dst (10.1.23.2) host unreachable rcv from 10.1.23.3.
Success rate is 0 percent (0/2)


Configure R3 so that it does not send the message ICMP: dst (10.1.23.2) host unreachable.


R3
interface FastEthernet0/1
no ip unreachables

R2#ping 10.5.5.5 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)



ACLs for OSPF and EIGRP



Configure EIGRP 1 on all routers and advertise their directly connected interfaces. Disable automatic summarization.
Configure OSPF 1 area 0 on all routers and advertise their directly connected interfaces. DR/BDR election is not allowed. Advertise the loopbacks in OSPF with their correct masks.
Do not use the network command to advertise the interfaces. Remove RIPv2 from the previous configuration, including the ACLs.


Rx
no router rip

R1
router eigrp 1
network 10.0.0.0
no auto-summary

router ospf 1
router-id 1.1.1.1

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0

R2
router eigrp 1
network 10.0.0.0
no auto-summary

router ospf 1
router-id 2.2.2.2

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/1
ip ospf network point-to-point
ip ospf 1 area 0

R3
router eigrp 1
network 10.0.0.0
no auto-summary

router ospf 1
router-id 3.3.3.3

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/1
ip ospf network point-to-point
ip ospf 1 area 0

R4
router eigrp 1
network 10.0.0.0
no auto-summary

router ospf 1
router-id 4.4.4.4

interface Loopback0
ip ospf network point-to-point
ip ospf 1 area 0

interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0

R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/ - 00:00:34 10.1.23.3 FastEthernet0/1
1.1.1.1 0 FULL/ - 00:00:36 10.1.12.1 FastEthernet0/0

R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Fa0/1 13 00:04:21 110 660 0 6
0 10.1.12.1 Fa0/0 11 00:04:23 124 744 0 5


Configure an ACL on R1 that blocks EIGRP traffic and permits all other traffic. The result of this configuration is seen in R1's routing table: instead of networks learned through EIGRP (AD 90), the networks learned through OSPF (AD 110) are installed.

Note: first we check the RIB. After the configuration we will see that EIGRP loses its adjacency.

R1#sh ip route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Loopback0
L 10.1.1.1/32 is directly connected, Loopback0
C 10.1.12.0/24 is directly connected, FastEthernet0/0
L 10.1.12.1/32 is directly connected, FastEthernet0/0
D 10.1.23.0/24 [90/30720] via 10.1.12.2, 00:10:41, FastEthernet0/0
D 10.1.34.0/24 [90/33280] via 10.1.12.2, 00:10:39, FastEthernet0/0
D 10.2.2.0/24 [90/156160] via 10.1.12.2, 00:10:41, FastEthernet0/0
D 10.3.3.0/24 [90/158720] via 10.1.12.2, 00:10:39, FastEthernet0/0
D 10.4.4.0/24 [90/161280] via 10.1.12.2, 00:10:38, FastEthernet0/0

R1#show access-lists
Extended IP access list 101
10 deny icmp host 10.1.12.2 any echo (10 matches)
20 deny icmp host 10.2.2.2 any echo (5 matches)
30 deny icmp host 10.1.23.2 any echo (5 matches)
40 permit ip any any (242 matches)

R1#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)#no access-list 101

R1
access-list 100 deny eigrp any any
access-list 100 permit ip any any

interface FastEthernet0/0
ip access-group 100 in

R1#sh ip route | begin Gateway
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Loopback0
L 10.1.1.1/32 is directly connected, Loopback0
C 10.1.12.0/24 is directly connected, FastEthernet0/0
L 10.1.12.1/32 is directly connected, FastEthernet0/0
O 10.1.23.0/24 [110/2] via 10.1.12.2, 00:00:13, FastEthernet0/0
O 10.1.34.0/24 [110/3] via 10.1.12.2, 00:00:13, FastEthernet0/0
O 10.2.2.0/24 [110/2] via 10.1.12.2, 00:00:13, FastEthernet0/0
O 10.3.3.0/24 [110/3] via 10.1.12.2, 00:00:13, FastEthernet0/0
O 10.4.4.0/24 [110/4] via 10.1.12.2, 00:00:13, FastEthernet0/0



IPv6 ACLs


Configure the addressing shown in the figure. Assign the link-local address on all physical interfaces according to the following layout:
Router Link-local ID
R1 FE80::1 1.1.1.1
R2 FE80::2 2.2.2.2
R3 FE80::3 3.3.3.3
R4 FE80::4 4.4.4.4
Configure OSPFv3 as shown in the figure. R3's loopback0 must be advertised in the OSPF domain. Enable detailed OSPF logging and explain the OSPF states. There must be no DR/BDR election. Advertise the loopback0 interfaces with their correct masks.

R1
ipv6 router ospf 1
router-id 1.1.1.1
log-adjacency-changes detail

interface FastEthernet0/0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface FastEthernet0/1
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface Loopback0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

R2
ipv6 router ospf 1
router-id 2.2.2.2
log-adjacency-changes detail

interface FastEthernet0/0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface FastEthernet0/1
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface Loopback0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

R2#
*Sep 7 13:44:03.863: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from 2WAY to EXSTART, AdjOK?
*Sep 7 13:44:04.079: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from EXSTART to EXCHANGE, Negotiation Done
*Sep 7 13:44:04.235: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from EXCHANGE to LOADING, Exchange Done
*Sep 7 13:44:04.379: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done

R3
ipv6 router ospf 1
router-id 3.3.3.3
log-adjacency-changes detail

interface FastEthernet0/0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface FastEthernet0/1
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

interface Loopback0
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point


R1#show ipv6 ospf neighbor
OSPFv3 Router with ID (1.1.1.1) (Process ID 1)
Neighbor ID Pri State Dead Time Interface ID Interface
3.3.3.3 0 FULL/ - 00:00:30 2 FastEthernet0/1
2.2.2.2 0 FULL/ - 00:00:35 2 FastEthernet0/0

R2#show ipv6 ospf neighbor
OSPFv3 Router with ID (2.2.2.2) (Process ID 1)
Neighbor ID Pri State Dead Time Interface ID Interface
3.3.3.3 0 FULL/ - 00:00:32 3 FastEthernet0/1
1.1.1.1 0 FULL/ - 00:00:38 2 FastEthernet0/0

R1#show ipv6 route ospf
IPv6 Routing Table - default - 10 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
O 2001:1:1:23::/64 [110/2]
via FE80::2, FastEthernet0/0
via FE80::3, FastEthernet0/1
O 2001:2:2:2::/64 [110/2]
via FE80::2, FastEthernet0/0
O 2001:3:3:3::/64 [110/2]
via FE80::3, FastEthernet0/1

R1#ping ipv6 2001:3:3:3::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/45/72 ms


Configure RIPng on R3 and R4 using the process identifier R34. R4 must advertise its loopback0 interface.


R3
ipv6 router rip R34

interface Serial1/0
ipv6 rip R34 enable

R4
ipv6 router rip R34

interface Serial1/0
ipv6 rip R34 enable

interface Loopback0
ipv6 rip R34 enable

R3#show ipv6 route rip
IPv6 Routing Table - default - 13 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
R 2001:4:4:4::/64 [120/2]
via FE80::4, Serial1/0


Mutually redistribute OSPFv3 and RIPng


R3
ipv6 router ospf 1
redistribute rip R34 include-connected

ipv6 router rip R34
redistribute ospf 1 metric 2 include-connected

R1#show ipv6 route ospf
IPv6 Routing Table - default - 12 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
O 2001:1:1:23::/64 [110/2]
via FE80::2, FastEthernet0/0
via FE80::3, FastEthernet0/1
OE2 2001:1:1:34::/64 [110/20]
via FE80::3, FastEthernet0/1
O 2001:2:2:2::/64 [110/2]
via FE80::2, FastEthernet0/0
O 2001:3:3:3::/64 [110/2]
via FE80::3, FastEthernet0/1
OE2 2001:4:4:4::/64 [110/20]
via FE80::3, FastEthernet0/1

R1#ping 2001:4:4:4::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4:4:4::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/68/88 ms


Create and advertise loopback1 on R1 as shown in the figure.


R1
interface Loopback1
ipv6 address 2000:1:1::1/64
ipv6 address 2000:1:1:1::1/64
ipv6 address 2000:1:1:2::1/64
ipv6 address 2000:1:1:3::1/64
ipv6 address 2000:1:1:4::1/64
ipv6 address 2000:1:1:5::1/64
ipv6 address 2000:1:1:6::1/64
ipv6 address 2000:1:1:7::1/64
ipv6 ospf 1 area 0
ipv6 ospf network point-to-point

R4#show ipv6 route rip
IPv6 Routing Table - default - 19 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
R 2000:1:1::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:1::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:2::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:3::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:4::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:5::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:6::/64 [120/3]
via FE80::3, Serial1/0
R 2000:1:1:7::/64 [120/3]
via FE80::3, Serial1/0
R 2001:1:1:1::/64 [120/3]
via FE80::3, Serial1/0
R 2001:1:1:12::/64 [120/3]
via FE80::3, Serial1/0
R 2001:1:1:13::/64 [120/3]
via FE80::3, Serial1/0
R 2001:1:1:23::/64 [120/3]
via FE80::3, Serial1/0
R 2001:2:2:2::/64 [120/3]
via FE80::3, Serial1/0
R 2001:3:3:3::/64 [120/3]
via FE80::3, Serial1/0


Configure R3 so that R1 cannot test connectivity with the ping command. This includes the loopback interfaces and the interface that connects to R2.


R3
ipv6 access-list TEST
deny icmp 2001:1:1:13::/64 any
permit ipv6 any any

interface FastEthernet0/0
ipv6 traffic-filter TEST in

R1#debug ipv6 icmp
ICMP Packet debugging is on

R1#ping 2001:1:1:13::3 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:1:1:13::3, timeout is 2 seconds:

ICMPv6: Sent echo request, Src=2001:1:1:13::1, Dst=2001:1:1:13::3
ICMPv6: Received N-Solicit, Src=2001:1:1:13::3, Dst=FF02::1:FF00:1
ICMPv6: Sent N-Advert, Src=2001:1:1:13::1, Dst=2001:1:1:13::3.
Success rate is 0 percent (0/1)
R1#
ICMPv6: Received N-Solicit, Src=2001:1:1:13::3, Dst=FF02::1:FF00:1
ICMPv6: Sent N-Advert, Src=2001:1:1:13::1, Dst=2001:1:1:13::3

R1#ping 2001:3:3:3::3 repeat 1 source 2001:1:1:12::1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2001:1:1:12::1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

R1#ping 2001:3:3:3::3 repeat 1 source 2000:1:1:1::1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2000:1:1:1::1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 60/60/60 ms


The first version only covers the source IPv6 address 2001:1:1:13::1 and leaves out the other interfaces. We need a configuration that covers all the IPv6 addresses belonging to R1.


R3
ipv6 access-list TEST
deny icmp 2001:1:1:13::/64 any
deny icmp 2000:1:1:0::/61 any
deny icmp 2001:1:1:12::/64 any
permit ipv6 any any

interface FastEthernet0/0
ipv6 traffic-filter TEST in

R1#ping 2001:3:3:3::3 repeat 1 source 2000:1:1:1::1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2000:1:1:1::1
S
Success rate is 0 percent (0/1)
R1#ping 2001:3:3:3::3 repeat 1 source 2001:1:1:12::1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2001:1:1:12::1
S
Success rate is 0 percent (0/1)

R3#traceroute 2001:1:1:13::3
Type escape sequence to abort.
Tracing the route to 2001:1:1:13::3

1
*Sep 7 15:22:41.667: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
*Sep 7 15:22:44.671: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
*Sep 7 15:22:47.679: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
2
*Sep 7 15:22:50.683: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
*Sep 7 15:22:53.691: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
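The following added Python check (not part of the lab) evaluates both versions of TEST against every address R1 can source a ping from, and expands the /61 to show which /64s it summarises. R1's Loopback0 address 2001:1:1:1::1 is an assumption taken from the 2001:1:1:1::/64 route in the routing tables above; running the check shows the final ACL still permits ICMP sourced from that Loopback0.

```python
"""Coverage check for the IPv6 traffic-filter TEST on R3 (constructed example, not the lab's code).

The ACL is modelled as an ordered list of (action, protocol, source prefix)
entries and evaluated, first match wins, for every address R1 sources pings
from. R1's Loopback0 address 2001:1:1:1::1 is an assumption taken from the
2001:1:1:1::/64 route in the lab's routing tables; the rest are the lab's own.
"""
import ipaddress

# Addresses R1 can use as ping source (constructed from the lab's configs and routes)
R1_SOURCES = (
    ["2001:1:1:13::1",                         # Fa0/1 toward R3
     "2001:1:1:12::1",                         # Fa0/0 toward R2
     "2001:1:1:1::1"]                          # Loopback0 (assumed host part ::1)
    + [f"2000:1:1:{i}::1" for i in range(8)]   # the eight /64s on Loopback1
)

# First version of TEST (only the R1-R3 link denied)
TEST_V1 = [
    ("deny", "icmp", "2001:1:1:13::/64"),
    ("permit", "ipv6", "::/0"),
]
# Final version from the lab, with the /61 summarising Loopback1
TEST_V2 = [
    ("deny", "icmp", "2001:1:1:13::/64"),
    ("deny", "icmp", "2000:1:1:0::/61"),
    ("deny", "icmp", "2001:1:1:12::/64"),
    ("permit", "ipv6", "::/0"),
]


def first_match(acl, proto: str, src: str) -> str:
    """Return the action of the first ACE whose protocol and source match.
    Falls through to the implicit deny at the end of every IPv6 ACL."""
    addr = ipaddress.ip_address(src)
    for action, ace_proto, prefix in acl:
        if ace_proto != "ipv6" and ace_proto != proto:
            continue
        if addr in ipaddress.ip_network(prefix):
            return action
    return "deny"


def still_permitted(acl, proto: str, sources) -> list:
    """Sources that the ACL does not block for the given protocol."""
    return [s for s in sources if first_match(acl, proto, s) == "permit"]


def expand(prefix: str, new_prefix: int = 64) -> list:
    """List the /64s a summary such as 2000:1:1:0::/61 stands for."""
    return [str(n) for n in ipaddress.ip_network(prefix).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print("/61 covers:", expand("2000:1:1:0::/61"))
    print("v1 still lets icmp from:", still_permitted(TEST_V1, "icmp", R1_SOURCES))
    print("v2 still lets icmp from:", still_permitted(TEST_V2, "icmp", R1_SOURCES))
```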


Reflexive ACLs


Configure the addressing shown. The broadcast network and the R1-R3 link do not take part in this lab (the associated interfaces must be shut down).
Enable EIGRP 1 on all routers and advertise their directly connected interfaces.
Reflexive ACLs have two uses:
- Permit outbound traffic on an interface from the internal network, and filter inbound traffic based on a session established from inside the internal network.
- Permit all inbound traffic on an interface facing the internal network, and permit outbound traffic based on an existing session originated inside the internal network.


R1
router eigrp 1
network 1.0.0.0
network 10.0.0.0
no auto-summary

R2
router eigrp 1
network 2.0.0.0
network 10.0.0.0
no auto-summary

R3
router eigrp 1
network 3.0.0.0
network 10.0.0.0
no auto-summary

R4
router eigrp 1
network 4.0.0.0
network 10.0.0.0
no auto-summary

R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Se0/1 14 00:00:04 271 1626 0 16
0 10.1.12.1 Se0/0 10 00:05:56 40 240 0 14

R4#sh ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/3321856] via 10.1.34.3, 00:00:23, Serial0/0
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/2809856] via 10.1.34.3, 00:00:23, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/2297856] via 10.1.34.3, 00:05:22, Serial0/0
10.0.0.0/24 is subnetted, 3 subnets
D 10.1.12.0 [90/3193856] via 10.1.34.3, 00:00:23, Serial0/0
D 10.1.23.0 [90/2681856] via 10.1.34.3, 00:00:34, Serial0/0


R1 and R2 belong to company ALFA; R3 and R4 belong to company BETA. R2 is the border router
connecting both companies. R2 must be configured so that:
- Return traffic for HTTP, TFTP and Telnet sessions that originated internally is permitted.
- The EIGRP adjacency between R2 and R3 is not lost.

Step 1: Create an internal ACL that looks for new outbound sessions and creates a temporary access
control entry (reflexive ACE).

R2
ip access-list extended DE-SALIDA
permit tcp any any eq www reflect WEB
permit tcp any any eq telnet reflect TELNET
permit udp any any eq tftp reflect TFTP
permit eigrp any any

R2#show access-lists
Extended IP access list DE-SALIDA
10 permit tcp any any eq www reflect WEB
20 permit tcp any any eq telnet reflect TELNET
30 permit udp any any eq tftp reflect TFTP
40 permit eigrp any any
Reflexive IP access list TELNET
Reflexive IP access list TFTP
Reflexive IP access list WEB



Step 2: Create an external ACL that uses the reflexive ACL to inspect (evaluate) the return traffic.


R2
ip access-list extended DE-ENTRADA
permit eigrp any any
evaluate WEB
evaluate TELNET
evaluate TFTP

R2#show access-lists
Extended IP access list DE-ENTRADA
10 permit eigrp any any
20 evaluate WEB
30 evaluate TELNET
40 evaluate TFTP
Extended IP access list DE-SALIDA
10 permit tcp any any eq www reflect WEB
20 permit tcp any any eq telnet reflect TELNET
30 permit udp any any eq tftp reflect TFTP
40 permit eigrp any any
Reflexive IP access list TELNET
Reflexive IP access list TFTP
Reflexive IP access list WEB


Step 3: Apply both ACLs to the appropriate interface. In our case, R2's outside interface.


R2
interface Serial0/1
ip access-group DE-ENTRADA in
ip access-group DE-SALIDA out

R4#sh ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/3321856] via 10.1.34.3, 01:00:00, Serial0/0
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/2809856] via 10.1.34.3, 01:00:00, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/2297856] via 10.1.34.3, 01:04:59, Serial0/0
10.0.0.0/24 is subnetted, 3 subnets
D 10.1.12.0 [90/3193856] via 10.1.34.3, 01:00:00, Serial0/0
D 10.1.23.0 [90/2681856] via 10.1.34.3, 01:00:12, Serial0/0

R2#show ip eigrp neighbors serial 0/1
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Se0/1 14 01:00:27 271 1626 0 16

R4#debug ip icmp
ICMP packet debugging is on

R4#ping 1.1.1.1 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
U
Success rate is 0 percent (0/1)
R4#
ICMP: dst (10.1.34.4) administratively prohibited unreachable rcv from 10.1.23.2

R2
access-list 10 permit 10.1.34.4

R2#debug ip packet 10 detail
IP packet debugging is on (detailed) for access list 10
R2#
IP: s=10.1.34.4 (Serial0/1), d=1.1.1.1, len 100, access denied
ICMP type=8, code=0


As the output above shows, traffic originated outside company ALFA cannot enter.
Reflexive ACLs are not limited to TCP traffic only, as is the case with ACLs that use the
established keyword.


R4#telnet 1.1.1.1
Trying 1.1.1.1 ...
% Destination unreachable; gateway or host down

R2#
IP: s=10.1.34.4 (Serial0/1), d=1.1.1.1, len 44, access denied
TCP src=49732, dst=23, seq=2499314714, ack=0, win=4128 SYN

R4
line vty 0 4
password cisco
login

R2
access-list 11 permit 1.1.1.1

R2#debug ip packet 11 detail
IP packet debugging is on (detailed) for access list 11
R1#telnet 4.4.4.4 /source-interface loopback 0
Trying 4.4.4.4 ... Open
User Access Verification
Password:cisco
R4>

R2#
IP: tableid=0, s=1.1.1.1 (Serial0/0), d=4.4.4.4 (Serial0/1), routed via FIB
IP: s=1.1.1.1 (Serial0/0), d=4.4.4.4 (Serial0/1), g=10.1.23.3, len 44, forward
TCP src=12060, dst=23, seq=198473953, ack=0, win=4128 SYN

R2#show access-lists TELNET
Reflexive IP access list TELNET
permit tcp host 4.4.4.4 eq telnet host 1.1.1.1 eq 12060 (50 matches) (time left 230)


R2 has created a temporary ACL, as the show access-lists TELNET command shows. This ACL is created
dynamically using port 12060 as the source and 23 (telnet) as the destination. Traffic has been
created in both directions.

Explain why we cannot test ICMP connectivity from the protected zone towards the external
zone.

R1#ping 4.4.4.4 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)


If there is no activity for 30 seconds (telnet R1 to R4), R2 must close the temporary
ACL.


R2
ip access-list extended DE-SALIDA
permit tcp any any eq telnet reflect TELNET timeout 30

R1#telnet 4.4.4.4 /source-interface loopback 0
Trying 4.4.4.4 ... Open
User Access Verification
Password:
R4>

R2#show access-lists TELNET
Reflexive IP access list TELNET
permit tcp host 4.4.4.4 eq telnet host 1.1.1.1 eq 55727 (13 matches) (time left 29)
*
*
*
R2#show access-lists TELNET
Reflexive IP access list TELNET
permit tcp host 4.4.4.4 eq telnet host 1.1.1.1 eq 55727 (13 matches) (time left 2)

R2#show access-lists TELNET
Reflexive IP access list TELNET
permit tcp host 4.4.4.4 eq telnet host 1.1.1.1 eq 55727 (13 matches) (time left 1)

R2#show access-lists TELNET
Reflexive IP access list TELNET
permit tcp host 4.4.4.4 eq telnet host 1.1.1.1 eq 55727 (13 matches) (time left 0)

R2#show access-lists TELNET
Reflexive IP access list TELNET
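The three steps of this lab (reflect on the outbound ACL, evaluate on the inbound ACL, apply both to R2's outside interface), the failed ICMP test and the 30-second timeout can all be reproduced with a small model of how IOS builds and ages reflexive ACEs. The following Python is an added example, not the guide's configuration or any IOS code: the classes, the simplified 5-tuple packets and the clock value passed to each call are assumptions, while the addresses and ports are taken from the guide's own output. TFTP runs over UDP port 69, so the model reflects it as a UDP rule.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Toy model of IOS reflexive ACLs, constructed for this example. Port names cover only the lab's ports.
PORT_NAMES = {23: "telnet", 80: "www", 69: "tftp"}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp" or "eigrp"
    src: str
    dst: str
    sport: int = 0  # 0 where the protocol has no ports
    dport: int = 0

    def mirror(self) -> tuple:  # tuple the reply traffic will carry: src/dst and ports swapped
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveEntry:          # one temporary ACE with its idle timer and match counter
    t5: tuple
    timeout: float
    expires: float
    matches: int = 0

    def render(self, now: float) -> str:
        proto, src, sport, dst, dport = self.t5
        return (f"permit {proto} host {src} eq {PORT_NAMES.get(sport, sport)} host {dst} "
                f"eq {PORT_NAMES.get(dport, dport)} ({self.matches} matches) (time left {int(self.expires - now)})")


@dataclass
class Rule:                    # one permit line of an extended ACL
    proto: str = "ip"                # "ip" = any protocol
    dport: Optional[int] = None      # None = any destination port
    reflect: Optional[str] = None    # outbound ACL: create a mirrored ACE in this list
    evaluate: Optional[str] = None   # inbound ACL: consult this reflexive list
    timeout: float = 300.0           # IOS default reflexive idle timeout, in seconds

    def matches(self, p: Packet) -> bool:
        return self.proto in ("ip", p.proto) and self.dport in (None, p.dport)


class ReflexiveFirewall:
    """R2 in the lab: DE-SALIDA applied out and DE-ENTRADA applied in on Serial0/1."""
    def __init__(self, outbound: List[Rule], inbound: List[Rule]):
        self.outbound, self.inbound = outbound, inbound
        self.lists: Dict[str, Dict[tuple, ReflexiveEntry]] = {}

    def _purge(self, now: float) -> None:
        for entries in self.lists.values():
            for k in [k for k, e in entries.items() if e.expires <= now]:
                del entries[k]

    def send(self, p: Packet, now: float) -> bool:  # outbound: first matching permit wins
        self._purge(now)
        for r in self.outbound:
            if not r.evaluate and r.matches(p):
                if r.reflect:
                    entries = self.lists.setdefault(r.reflect, {})
                    e = entries.setdefault(p.mirror(), ReflexiveEntry(p.mirror(), r.timeout, 0))
                    e.expires = now + r.timeout   # matching traffic resets the idle timer
                return True
        return False                              # implicit deny

    def receive(self, p: Packet, now: float) -> bool:  # inbound: static permit or live ACE
        self._purge(now)
        for r in self.inbound:
            if r.evaluate:
                e = self.lists.get(r.evaluate, {}).get((p.proto, p.src, p.sport, p.dst, p.dport))
                if e is not None:
                    e.matches, e.expires = e.matches + 1, now + e.timeout
                    return True
            elif r.matches(p):
                return True
        return False                              # implicit deny

    def show(self, name: str, now: float) -> List[str]:  # like 'show access-lists NAME'
        self._purge(now)
        return [e.render(now) for e in self.lists.get(name, {}).values()]


def lab_scenario() -> dict:
    """Replays the guide's tests (addresses and ports taken from its output)."""
    r2 = ReflexiveFirewall(
        outbound=[Rule("tcp", 80, reflect="WEB"), Rule("tcp", 23, reflect="TELNET", timeout=30),
                  Rule("udp", 69, reflect="TFTP"), Rule("eigrp")],
        inbound=[Rule("eigrp"), Rule(evaluate="WEB"), Rule(evaluate="TELNET"), Rule(evaluate="TFTP")])
    out = {"eigrp_hello_in": r2.receive(Packet("eigrp", "10.1.23.3", "224.0.0.10"), 0)}
    # R1 lo0 telnets to R4 lo0 from source port 12060; the SYN-ACK comes back through evaluate.
    out["telnet_syn_out"] = r2.send(Packet("tcp", "1.1.1.1", "4.4.4.4", 12060, 23), 0)
    out["telnet_synack_in"] = r2.receive(Packet("tcp", "4.4.4.4", "1.1.1.1", 23, 12060), 0.1)
    # R4 tries to telnet to R1 (nothing reflected for it); R1 pings R4 (no ICMP line in DE-SALIDA).
    out["r4_telnet_in"] = r2.receive(Packet("tcp", "10.1.34.4", "1.1.1.1", 49732, 23), 1)
    out["r1_ping_out"] = r2.send(Packet("icmp", "1.1.1.1", "4.4.4.4"), 2)
    out["show_telnet"] = r2.show("TELNET", 2)
    # Idle past the 30 s timeout: the ACE expires and a late reply is dropped.
    out["telnet_in_after_idle"] = r2.receive(Packet("tcp", "4.4.4.4", "1.1.1.1", 23, 12060), 31)
    out["show_telnet_after_idle"] = r2.show("TELNET", 31)
    return out
```

Running lab_scenario() gives the same picture as the lab: the EIGRP hello is admitted by the static permit, the Telnet reply is admitted only because the outbound SYN created a mirrored ACE, R4's own Telnet attempt and the ICMP echo leaving R1 both fall through to the implicit deny (the echo never reaches the reflect logic, since DE-SALIDA has no line for ICMP), and once the idle timer runs out the ACE disappears from show and return traffic is dropped again.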