
Student Name: David Fontanez    Date: 13 Jan 2015

SEC450 Security Demands iLab2


Objectives
In this lab, the students will examine the following objectives.

Create an ACL to meet the requirements of the security demands
Modify the existing ACL to meet additional security requirements

Scenario
A small company is using the topology shown below. Minimal security measures have been
implemented. Assume that the 200.100.0.0/16 network represents the Internet. The Dallas and
Chicago Hosts need to be protected from specific types of malicious traffic from the Internet.
Topology

The last page of the lab assignment document contains a full page topology. Remove this
page and use it for reference to the topology and the IP addresses.

Revision Date: Jan 14

Initial Configuration
The FastEthernet and Serial interfaces of the Dallas and Chicago routers used for the lab have been
correctly configured and enabled. Unused interfaces have been shut down. The RIP routing tables are
complete for all routers and hosts. No ACLs have been applied to any of the routers. Below is the
initial running-config file of the Chicago router.
version 12.3(4)T7
!
hostname Chicago
!
interface FastEthernet0/0
ip address 192.168.200.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
shutdown
!
interface Serial0/0
ip address 200.100.20.2 255.255.255.0
!
interface Serial0/1
ip address 192.168.30.2 255.255.255.0
shutdown
!
router rip
network 192.168.200.0
network 200.100.20.0
!
ip default-network 200.100.20.0
ip route 0.0.0.0 0.0.0.0 serial0/0
!
!
line con 0
line aux 0
line vty 0 4
password cisco
line vty 5 15
password cisco
!
end
Lab Data Collection and Submission
Enter your name and date at the top of the lab document. As you complete each task of the lab
assignment, answer the questions in this lab document. You will submit the completed
SEC450_W2_SecurityDemands_iLab.docx file to the week's eCollege iLab Dropbox.

Note: RED text indicates the required answering questions


Task 1: Apply the ACL to meet initial requirements


Your task as a network administrator is to configure an ACL on the Chicago router to meet the following
requirements.
1. Permit ftp and http traffic from the Chicago host to the Dallas Server.
2. Deny all other TCP traffic from the Chicago host to the Dallas Server.
3. Permit all other traffic.
#1. If you are applying an extended ACL to deny specific packets, where should you apply it?
Explain your answer.
When it comes to an extended ACL, you want to apply it as close to the source as possible. The
reason is that you specify a source and destination address.

#2. If you are writing an ACL with multiples access-list commands, what order do you follow
to write the commands?
You first specify the router on which you either want to allow or deny packets. Then you input the
commands to allow or deny with the IP address, subnet mask, and whether it's either inbound or outbound
on the router.
#3. What port numbers do FTP and HTTP servers use? Why does an FTP server use two port
numbers?
FTP uses ports 20 and 21. HTTP uses port 80. FTP is a TCP-based service exclusively. There is no
UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a
'command' port (also known as the control port). Traditionally these are port 21 for the command port
and port 20 for the data port.
#4. On which interface and in which direction would you apply the ACL on the Chicago router? Why?
I would input it inbound on port S0/0 (20.2) so packets can be denied or allowed before they can
reach the Chicago switch.


#5. What is the intrinsic access-list command that exists in every ACL?
Deny or permit
#6. Copy the Chicago router's running-config file from page 2 below, and add the commands
needed to create and apply the ACL on the router.
version 12.3(4)T7
!
hostname Chicago
!
interface FastEthernet0/0
ip address 192.168.200.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
shutdown
!
interface Serial0/0
ip address 200.100.20.2 255.255.255.0
!
interface Serial0/1
ip address 192.168.30.2 255.255.255.0
shutdown
!
router rip
network 192.168.200.0
network 200.100.20.0
!
ip default-network 200.100.20.0
ip route 0.0.0.0 0.0.0.0 serial0/0
!
!
line con 0
line aux 0
line vty 0 4
password cisco
line vty 5 15
password cisco
!
end
!
config t
!
hostname R1
!
interface ethernet0
ip access-group 1 in
!
access-list 1 deny host (ip address)
access-list 1 permit any


Task 2: Apply the ACL to meet later requirements


Two weeks later, you receive a request to modify the ACL created on the Chicago router to meet these
new requirements:
1. Permit ftp traffic from the Chicago host to the Dallas Server.
2. Permit http traffic from any host in Chicago LAN to the Dallas Server.
3. Deny all other TCP traffic from the Chicago host to the Dallas Server.
4. Permit all other traffic.

#7. Write below the commands needed to modify the ACL on the Chicago router.
Chicago(config)#access-list 100 permit tcp host 192.168.200.10 host 192.168.100.11 eq 80
Chicago(config)#access-list 100 permit tcp host 192.168.200.10 host 192.168.100.11 eq 21
Chicago(config)#access-list 100 deny tcp host 192.168.200.10 host 192.168.100.11
Chicago(config)#access-list 100 permit ip any any
Chicago(config)#int f0/0
Chicago(config-if)#ip access-group 100 in

P.S. Thanks Professor!!!
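The following is an added example, not part of the lab document or the student's submission: a small simulator of the top-down, first-match evaluation an IOS extended ACL performs, applied to the Task 1 and Task 2 requirements. It assumes the Chicago host and Dallas server addresses used in answer #7 (192.168.200.10 and 192.168.100.11) and the 192.168.200.0/24 Chicago LAN from the f0/0 configuration; the rendering into access-list syntax and the misordering check are my own additions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int = 0  # destination port, 0 when not applicable

@dataclass(frozen=True)
class Ace:
    """One extended access-list entry; src/dst are CIDR, 0.0.0.0/0 means any."""
    action: str     # "permit" or "deny"
    proto: str      # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str
    dst: str
    dport: int = 0  # 0 means no 'eq' clause, i.e. any destination port

    def matches(self, pkt: Packet) -> bool:
        in_src = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
        in_dst = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
        proto_ok = self.proto == "ip" or self.proto == pkt.proto
        return in_src and in_dst and proto_ok and self.dport in (0, pkt.dport)

def evaluate(acl, pkt):
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None  # the implicit 'deny ip any any' that ends every ACL

def _addr(cidr):
    # Render a prefix the way IOS writes it: host X, any, or network + wildcard.
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"

def render_ios(acl, number=100):
    return [f"access-list {number} {a.action} {a.proto} {_addr(a.src)} {_addr(a.dst)}"
            + (f" eq {a.dport}" if a.dport else "") for a in acl]

# Constructed lab addresses, taken from answer #7 and the f0/0 subnet above.
CHICAGO_HOST, CHICAGO_LAN = "192.168.200.10/32", "192.168.200.0/24"
DALLAS_SERVER, ANY = "192.168.100.11/32", "0.0.0.0/0"
TASK2_ACL = [
    Ace("permit", "tcp", CHICAGO_HOST, DALLAS_SERVER, 21),  # req 1: ftp control
    Ace("permit", "tcp", CHICAGO_HOST, DALLAS_SERVER, 20),  # req 1: ftp data (client side)
    Ace("permit", "tcp", CHICAGO_LAN, DALLAS_SERVER, 80),   # req 2: http from any LAN host
    Ace("deny", "tcp", CHICAGO_HOST, DALLAS_SERVER),        # req 3: other tcp from the host
    Ace("permit", "ip", ANY, ANY),                          # req 4: everything else
]
```

Moving the deny entry above the permits blocks the FTP traffic that requirement 1 allows, which is why the order of the access-list commands in question #2 matters.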


Save this document with all questions answered and upload it to the Week 2 iLab Dropbox.
