Scribd Logo
Upload

Welcome to Scribd!

  • Lab 94

    Uploaded by

    Os Mayutel
    12 views4 pages
    This document provides instructions for configuring secure access and access control lists on routers R1 and R3. It describes configuring login passwords, enabling passwords, and an extended ACL on R1 to permit or deny Telnet access and ping requests to specific subnets on R3 based on the source interface. The results are then verified through Telnet and ping tests.

    Original Description:

    lab 94

    Original Title

    lab 94

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides instructions for configuring secure access and access control lists on routers R1 and R3. It describes configuring login passwords, enabling passwords, and an extended ACL on R1 to permit or deny Telnet access and ping requests to specific subnets on R3 based on the source interface. The results are then verified through Telnet and ping tests.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    12 views4 pages

    Lab 94

    Uploaded by

    Os Mayutel
    This document provides instructions for configuring secure access and access control lists on routers R1 and R3. It describes configuring login passwords, enabling passwords, and an extended ACL on R1 to permit or deny Telnet access and ping requests to specific subnets on R3 based on the source interface. The results are then verified through Telnet and ping tests.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 4

    Lab 91.

    Configuration and
    Verification

    Task 1:
    For reference information on configuring hostnames, please refer to
    earlier labs.

    Task 2:
    For reference information on configuring clock rates and IP
    addresses, please refer to earlier labs.

    Task 3:
    For reference information on configuring static routes, please refer to
    earlier labs.

    Task 4:
    For reference information on pinging, please refer to earlier labs.

    Task 5:
    R1#conf t
    Enter configuration commands, one per line. End with CTRL/Z.
    R1(config)#enable secret CISCO
    R1(config)#line vty 0 4
    R1(config-line)#password CISCO
    R1(config-line)#login
    R1(config-line)#end
    R1#

    R3#conf t
    Enter configuration commands, one per line. End with CTRL/Z.
    R3(config)#enable secret CISCO
    R3(config)#line vty 0 4
    R3(config-line)#password CISCO
    R3(config-line)#login
    R3(config-line)#end
    R3#

    NOTE: GNS3 has more VTY lines so use the ? to establish how
    many you need to configure.

    R1(config)#line vty 0 ?
    <1-903> Last Line number
    <cr>

    Task 6:
    R1#conf t
    Enter configuration commands, one per line. End with CTRL/Z.
    R1(config)#access-list 150 remark “Allow Telnet For R3 Loopback10”
    R1(config)#access-list 150 permit tcp 10.10.10.0 0.0.0.127 any eq telnet
    R1(config)#access-list 150 remark “Deny Telnet For R3 Loopback20”
    R1(config)#access-list 150 deny tcp 10.20.20.0 0.0.0.15 any eq telnet
    R1(config)#access-list 150 remark “Allow Telnet For R3 Loopback30”
    R1(config)#access-list 150 permit tcp 10.30.30.0 0.0.0.7 any eq telnet
    R1(config)#access-list 150 remark “Allow PING For R3 Loopback20”
    R1(config)#access-list 150 permit icmp 10.20.20.0 0.0.0.15 any echo
    R1(config)#int s0/0
    R1(config-if)#ip access-group 150 in
    R1(config-if)#end
    R1#

    NOTE: Extended ACLs have the capability to match Layer 4 protocol


    information. This means that you must know your well-known TCP
    and UDP port numbers. Fortunately, instead of having TCP and UDP
    port numbers, Cisco IOS ACLs allow you to use keywords for
    common protocols. For example, you can use the keyword telnet
    instead of having to use port number 23 to configure an ACL to
    match Telnet traffic. However, if you do decide to use a port number,
    Cisco IOS automatically converts it to the common name as
    illustrated below:

    R1#conf t
    Enter configuration commands, one per line. End with CRTL/Z.
    R1(config)#access-list 100 permit tcp any any eq 23
    R1(config)#access-list 100 permit tcp any any eq 80
    R1(config)#access-list 100 permit tcp any any eq 179
    R1(config)#access-list 100 permit udp any any eq 520
    R1(config)#access-list 100 permit 88 any any
    R1(config)#access-list 100 permit 89 any any
    R1(config)#end
    R1#
    R1#show ip access-lists 100
    Extended IP access list 100
    10 permit tcp any any eq telnet
    20 permit tcp any any eq www
    30 permit tcp any any eq bgp
    40 permit udp any any eq rip
    50 permit eigrp any any
    60 permit ospf any any

    As can be seen, while we configured the ACL using port numbers,


    IOS converted it to common names.

    Now test the ACL from the lab. To quit your Telnet access, hit the
    Control-Shift-6 key at the same time and then let go and press the X
    key. Don’t hit the enter key right after or it will resume your Telnet
    session.

    R3#telnet 172.16.1.1 /source-interface loopback10


    Trying 172.16.1.1 ... Open
    User Access Verification

    Password:
    R1#

    R3#telnet 172.16.1.1 /source-interface loopback20


    Trying 172.16.1.1 ...
    % Destination unreachable; gateway or host down

    R3#telnet 172.16.1.1 /source-interface loopback30


    Trying 172.16.1.1 ... Open

    User Access Verification

    Password:
    R1#

    R3#ping 172.16.1.1 source loopback 20

    Type escape sequence to abort.


    Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
    Packet sent with a source address of 10.20.20.3
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

    NOTE: When you see the message % Destination unreachable; gateway or


    host down when trying to telnet to a host, it is typically because there
    is an ACL preventing Telnet to this device. Based on our
    configuration, everything works, and if we looked at the ACL
    configured on R1, we would see matches against it as follows:

    R1#show ip access-lists 150


    Extended IP access list 150
    10 permit tcp 10.10.10.0 0.0.0.127 any eq telnet (66 matches)
    20 deny tcp 10.20.20.0 0.0.0.15 any eq telnet (3 matches)
    30 permit tcp 10.30.30.0 0.0.0.7 any eq telnet (465 matches)
    40 permit icmp 10.20.20.0 0.0.0.15 any echo (15 matches

    You might also like