Computer Network Security – In Class Exercise Week2
Extended ACLs
January 20, 2009
ACLs
An organization has a simple network with one gateway router to the Internet. Gigabit0/0 on the router faces the Internet; Gigabit1/0 faces the internal network. Initially there are no other interfaces on this router. The internal network address is 129.161.24.0/255.255.255.224. The following ACLs and configuration exist on the router (it helps to draw a simple diagram):

interface gigabit0/0
 ip access-group 105 in
 ip access-group 106 out
interface gigabit1/0
 ip access-group 101 in

access-list 101 permit ip 129.161.24.0 0.0.0.15 any
access-list 105 deny ip 129.161.24.0 0.0.0.255 any
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.31.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit tcp any any established
access-list 106 deny ip 10.0.0.0 0.255.255.255 any
access-list 106 deny ip 172.16.0.0 0.31.255.255 any
access-list 106 deny ip 192.168.0.0 0.0.255.255 any
access-list 106 permit ip any any
1. 129.161.24.29 cannot ping any IP address off the network. What is the problem and how do you correct it?
2. All users on the internal network report they cannot do any web browsing off the network. What is the problem and how do you correct it?
3. Is access-list 106, applied outbound on gigabit0/0, relevant and needed? Why or why not?
4. How can you accomplish what access-list 101 intends to accomplish on gigabit1/0 without an ACL?
5. A DMZ is to be created using interface gigabit2/0, 129.161.24.32/255.255.255.240. What additions need to be made to access-list 105 to allow for a server on 129.161.24.35 running http, smtp, and ssh servers? Does anything else need to be added to allow clients on 129.161.24.0/255.255.255.224 to access these services on 129.161.24.35? If so, what?
6. You are tasked with limiting access from the DMZ to the internal network so that only clients on 129.161.24.0/255.255.255.224 can make outbound connections to 129.161.24.35 via ssh, smtp, and http. What is required to do this using extended ACLs applied on gigabit2/0?
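To check your reasoning about wildcard masks, top-down first-match order and the implicit deny, here is a small evaluator for the worksheet's access-lists 101 and 105. It is an added example, not part of the exercise or of any router software; it assumes a simplified syntax (only the "any", "host" and "base wildcard" address forms used above, with trailing keywords such as "established" and "echo-reply" modelled as flags on the packet, and no port matching).

```python
import ipaddress

# Constructed sample: the worksheet's access-lists 101 and 105 as they would be typed.
ACL_TEXT = """
access-list 101 permit ip 129.161.24.0 0.0.0.15 any
access-list 105 deny ip 129.161.24.0 0.0.0.255 any
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.31.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit tcp any any established
"""

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit is 'don't care', a 0 bit must equal the base."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Group 'access-list <n> <permit|deny> <proto> <src> <dst> [options]' lines by number."""
    acls = {}
    for line in text.strip().splitlines():
        _, num, action, proto, *rest = line.split()
        src, rest = take_addr(rest)
        dst, rest = take_addr(rest)
        acls.setdefault(int(num), []).append((action, proto, src, dst, frozenset(rest)))
    return acls

def evaluate(acls, num, proto, src, dst, flags=frozenset()):
    """Top-down, first match wins; reaching the end of the list is the implicit deny.
    'flags' holds packet properties that trailing keywords require, e.g. 'established'
    (TCP ACK or RST set) or 'echo-reply' (ICMP type 0)."""
    for action, p, (sb, sw), (db, dw), opts in acls.get(num, []):
        if p != "ip" and p != proto:            # 'ip' matches every protocol
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if not opts <= flags:                   # e.g. a bare SYN lacks 'established'
            continue
        return action
    return "deny"                               # implicit deny at the end of every ACL
ACLS = parse_acl(ACL_TEXT)
```

Try evaluate(ACLS, 101, "icmp", "<internal host>", "<outside host>") for hosts at both ends of 129.161.24.0/27, and evaluate(ACLS, 105, ...) for TCP with and without "established" and for UDP, to see which of the worksheet's symptoms the lists explain.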