MIDDLESEX UNIVERSITY, School of Engineering and Information Sciences Laboratory 4: Named and Dynamic IP Access Control Lists - This

session aims at introducing the configuration of named and dynamic (lock-and-key) IP access control lists on Cisco routers. At the end of this session you will learn how to secure networks using named and dynamic ACLs. You are expected to work in groups.

Preliminary work: Study time-based and dynamic ACLs. What are the benefits of time-based, and dynamic ACLs?
Syntax: The syntax for standard/extended IP ACLs together with the expected prompts can be given as follows (commands between [ ] are optional): i) Standard named ACLs: Router(config)# ip access-list standard name Router(config-std-nacl)# deny| permit {source [source-wildcard] | any}[log] ii) Extended named ACLs: Router(config)# ip access-list extended name Router(config-ext-nacl)# deny | permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log] [time-range time-range-name] Activation for standard/extended ACLs: Router(config-if)# ip access-group access-list-name {in | out} iii) Time-based extended ACLs Syntax using either periodic or absolute: router(config)# time-range time-range-name router(config-time-range)# periodic days-of-the-week hh:mm to[days-of-theweek] hh:mm or router(config-time-range)# absolute [start time date] [end time date] The following arguments (i.e. days-of-the-week in the above syntax) can be used for the periodic command: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday; daily (Monday-Sunday), weekdays (Monday-Friday), and weekend (Saturday-Sunday). You can use time-based ACLs together with extended named ACLs. See the syntax given in (ii) above. Procedure: 1. 2. 3. 4. 5. Set-up and configure the network diagram previously given Figure 2.1. You need basic configuration to enable router communications. Test your system and confirm that routers can communicate. Attach two hosts on each ethernet network and configure the hosts appropriately. Test connectivity between all pairs of hosts using ping, traceroute, and telnet. Note your results. If any of these commands fail, check your configuration. Set a time-range (this should correspond to lab hours), configure Router1 so that Host1 cannot telnet networks other than EthernetLAN. Test your configuration. Can Host2 communicate with other networks? Change the time-range to out-of-lab-hours and test the ACL again.

Security Architecture and Engineering - CCM4350

Dynamic ACLs: Lock and Key Syntax:

Figure 4.1 Procedure: 6. 7. Configure and test the network given in Figure 4.1. The network behind RouterA is protected by a firewall (implemented on RouterA) that prevents access to EthernetLAN_A. Configure lock-and-key access to enable you and only you to access this network from any outside host. After configuring the firewall try to ping to Host_A from Host_B. This should fail because of the firewall. Telnet to RouterA from Host_B or RouterB. Log in. Try step 8 again. Notes your results.

8. 9.

10. Shorten timeouts so that you can test the system and confirm that connection does time out. Solution: You need telnet access to Router_A to authenticate, hence, first permit Telnet access from your remote network. Also, you must permit routing updates (why?). with Vista, so you must be sure to permit IGRP. Enter the following commands on (assuming that RIP is configured) Router_A(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet Router_A(config)# access-list 101 permit rip any any Router_A(config)# access-list 101 dynamic I_CAN_ENTER timeout 30 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 Router_A(config)# username myName password myPass Router_A(config)# interface serial 0/0 Router_A(config)# ip access-group 101 in Router_A(config-if)# line vty 0 4 Router_A(config-line)# login local Router_A(config-line)# autocommand access-enable host timeout 2 Activate the dynamic ACL on RouterAs s0/0 (see the syntax for activating named ACLs on an interface - given above). The option timeout 30, ensures an absolute limit on the amount of time that the temporary hole in the firewall can exist. After 30 minutes, you have to authenticate again, even if youve kept the connection busy with traffic. The timeout 2 option configures the idle timeout to 2 minutes.The autocommand configuration is used to automate the process of creating a temporary access list entry. The host keyword prevents this temporary entry from including other members of your subnet.