A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN or the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location, including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Corp1>enable
Password: cisco
We should create an access-list and apply it to the interface connected to the Server LAN, because there it can filter traffic coming from both the Sw-Hosts and Core networks. The Server LAN has been assigned addresses 172.22.242.17 – 172.22.242.30, so we can guess that the interface connected to it has the IP address 172.22.242.30 (.30 is the number shown in the figure). Use the “show ip interface brief” command to check which interface has the IP address 172.22.242.30.
Corp1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.33.254 YES manual up up
FastEthernet0/1 172.22.242.30 YES manual up up
Serial0/0 198.18.196.65 YES manual up up
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (TCP port 80):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny all other hosts web access to the Finance Web Server:
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted:
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to the Fa0/1 interface (outbound direction):
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that it can filter traffic coming from both the LAN and the Core networks. If we applied the access-list to the LAN-facing interface (Fa0/0) instead, we could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server or not. If your configuration is correct then you can access it.
Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from these hosts.
Finally, save the configuration:
Corp1(config-if)#end
Corp1#copy running-config startup-config
This configuration only prevents other hosts from accessing the Finance Web Server via web (TCP port 80). If this server supports other traffic – like FTP, SMTP… – then other hosts can still access it.
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Modification #1
A network associate is adding security to the configuration of the Corp router. The user on host B should be able to access the Finance Web Server. Host B should be denied access to the other servers on the S1-SRVS network. Since there are multiple resources for the corporation at this location, including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host B access to the Finance Web Server. Deny host B from accessing the other servers. All other traffic is permitted.
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
access-list 100 permit ip any any
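To see why the order of the three statements matters, why only web (TCP port 80) traffic is blocked in the main lab, and how the wildcard mask 0.0.0.15 in Modification #1 covers the whole 172.22.242.16 – 172.22.242.31 server range, here is a small first-match evaluator of the page's own access-list lines. It is an added example written in Python, not part of the original lab or Cisco IOS; the Core-side source address 10.0.0.5 is a constructed placeholder.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care" ("host X" is X 0.0.0.0, "any" is 0.0.0.0 255.255.255.255)
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

def parse_addr(tok, i):
    # Returns ((base, wildcard), next_index) for "any", "host X" or "X WILDCARD"
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    # e.g. "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80"
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3]}
    ace["src"], i = parse_addr(tok, 4)
    ace["dst"], i = parse_addr(tok, i)
    ace["port"] = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return ace

def evaluate(acl, proto, src, dst, dport=None):
    # First matching entry wins; a packet matching no entry hits the implicit deny at the end
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wc_match(src, *ace["src"]) and wc_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"

LAB_ACL = [  # the three statements applied outbound on Fa0/1 in the main lab
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]
MOD1_ACL = [  # Modification #1: host B may reach only the Finance server in 172.22.242.16/28
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
]
```

`evaluate(LAB_ACL, "tcp", "192.168.33.1", "172.22.242.23", 21)` returns "permit", which is exactly the FTP caveat the text points out: the deny only covers port 80.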
Modification #2
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to access the Finance Web Server. No other hosts from the LAN or the Core should be able to access this server. All other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C access to the Finance Web Server. No other hosts will have access to the Finance Web Server. All other traffic is permitted.
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Modification #3
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. Other access from host C to the Finance Web Server should be denied. No other hosts from the LAN or the Core should be able to access the Finance Web Server. All other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. Host C should also be denied access to any other services of the Finance Web Server. No other hosts will have access to the Finance Web Server. All other traffic is permitted.
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Modification #4
A network associate is adding security to the configuration of the Corp1 router. The user on host D should be able to use a web browser to access financial information from the Finance Web Server. Other access from host C to the Finance Web Server should be denied. No other hosts from the LAN or the Core should be able to access the Finance Web Server. All hosts from the LAN and the Core should be able to access the Public Web Server.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host D to use a web browser (HTTP) to access the Finance Web Server. Other types of access from host D to the Finance Web Server should be blocked. All access from hosts in the Core or local LAN to the Finance Web Server should be blocked. All hosts in the Core and local LAN should be able to access the Public Web Server.
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Download the LAB file (Packet Tracer is needed to open it):
https://app.box.com/s/yizuzzbkagp4v0j52a50