ACL Listas
Transcript of ACL Listas
7/30/2019 ACL Listas
ACL ASSIGNMENT SOLUTION
NOTE: I do not know whether the questions are mutually exclusive, but for the
purposes of the solution I have treated them as cumulative, from least to most. For A
I have taken only those considerations into account; for B, those plus the previous ones; and so
on.
QUESTION A (When the IOS Command Line Interface tab is copy-pasted
into Word, it comes out with all the errors one has made, so
I have chosen to copy only the show access-lists command; but since it does not
show the interface to which the ACL is applied, I have also copied
the output of the show ip interface command)
R1#show access-lists
Extended IP access list 110
permit tcp host 160.121.33.0 host 200.106.56.13 eq domain
permit tcp host 160.121.53.67 host 200.106.56.13 eq domain
R1#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 160.121.32.1/19
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 110
R4#show access-lists
Extended IP access list 111
permit tcp host 154.56.18.28 host 200.106.56.13 eq domain
permit tcp host 154.56.20.255 host 200.106.56.13 eq domain
R4#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 154.56.16.1/21
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 111
R3#show access-lists
Extended IP access list 113
deny tcp 160.121.32.0 0.0.31.255 host 200.106.56.13 eq domain
deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq domain
permit tcp any host 200.106.56.13
R3#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 200.106.56.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 113
Inbound access list is not set
QUESTION B
In addition to the previous configurations, these are added:
R1#show access-lists
Extended IP access list 110
permit tcp host 160.121.33.0 host 200.106.56.13 eq domain
permit tcp host 160.121.53.67 host 200.106.56.13 eq domain
Extended IP access list 120
permit tcp host 160.121.53.67 host 200.106.56.13 eq www
R1#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 160.121.32.1/19
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 120
NOTE: IT SHOWS ONLY THE LAST ONE (120); THE PREVIOUS ONE (110) NO LONGER APPEARS.
HOWEVER, IN SHOW ACCESS-LISTS BOTH DO APPEAR.
R4#show access-lists
Extended IP access list 111
permit tcp host 154.56.18.28 host 200.106.56.13 eq domain
permit tcp host 154.56.20.255 host 200.106.56.13 eq domain
Extended IP access list 121
permit tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq www
R4#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 154.56.16.1/21
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 121
NOTE: It seems to me that, since an ACL already exists on R3, it is no longer necessary to deny
traffic to the Web Server on this router, as the implicit deny will take care of denying everything
else.
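The following Python model is an added example and is not part of the assignment write-up above. It encodes the IOS behaviour that the observations in questions A and B rest on: wildcard masks (so the /19, /21 and /24 interface prefixes in the show ip interface output map to the 0.0.31.255, 0.0.7.255 and 0.0.0.255 wildcards used in the entries), first-match evaluation, the implicit "deny ip any any" at the end of every list, and the fact that ip access-group binds a single ACL per interface per direction, so applying 120 inbound on R1 Fa0/0 replaces 110 there even though show access-lists still prints both. The ACL texts are copied from the show access-lists output above; the sample packets, the Interface class and all function names are constructed for this example and are not Cisco APIs.

```python
"""Cisco IOS extended-ACL evaluation, modelled in Python.  Added example, not part
of the original write-up: wildcard masks, first-match order, the implicit deny at
the end of every list, and one ACL per interface per direction (applying a second
one replaces the first).  ACL texts come from the page; packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

PORT_NAMES = {"domain": 53, "www": 80, "ftp-data": 20, "ftp": 21}  # IOS keywords used here


def wildcard_for(prefix: str) -> str:
    """Interface address/len from 'show ip interface' -> wildcard for its ACL entries."""
    return str(IPv4Network(prefix, strict=False).hostmask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, bit 0 = must equal base (inverse of a netmask)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, transport protocols only


def parse_entry(line: str) -> dict:
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]', where an address is
    'host A.B.C.D', 'any' or 'A.B.C.D <wildcard>'.  Only the syntax used on this page."""
    tok = line.split()
    pos = 2

    def take_addr():
        nonlocal pos
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, dst = take_addr(), take_addr()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": dport}


def entry_matches(e: dict, pkt: Packet) -> bool:
    if e["proto"] not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, *e["src"]) and wildcard_match(pkt.dst, *e["dst"])):
        return False
    return e["dport"] is None or e["dport"] == pkt.dport  # no 'eq' means any port


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit
    'deny ip any any' that IOS appends to every access list."""
    for line in acl:
        e = parse_entry(line)
        if entry_matches(e, pkt):
            return e["action"]
    return "deny"


class Interface:
    """One ACL per direction, like 'ip access-group <acl> in|out' on IOS."""
    def __init__(self) -> None:
        self.acls = {"in": None, "out": None}

    def access_group(self, acl: List[str], direction: str) -> None:
        self.acls[direction] = acl  # silently replaces whatever was applied before


# ACL texts as printed by 'show access-lists' on R1 and R3 above.
ACL_110 = ["permit tcp host 160.121.33.0 host 200.106.56.13 eq domain",
           "permit tcp host 160.121.53.67 host 200.106.56.13 eq domain"]
ACL_120 = ["permit tcp host 160.121.53.67 host 200.106.56.13 eq www"]
ACL_113 = ["deny tcp 160.121.32.0 0.0.31.255 host 200.106.56.13 eq domain",
           "deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq domain",
           "permit tcp any host 200.106.56.13"]
# Constructed packets: DNS and WWW from the R1-side host to .13, FTP-data to .21.
DNS_PKT = Packet("tcp", "160.121.53.67", "200.106.56.13", 53)
WWW_PKT = Packet("tcp", "160.121.53.67", "200.106.56.13", 80)
FTP_PKT = Packet("tcp", "160.121.53.67", "200.106.56.21", 20)


def r1_fa0_0_inbound_after_b() -> str:
    """Apply 110 and then 120 inbound, as in question B, and return the verdict
    for the DNS flow that 110 alone permits."""
    fa0 = Interface()
    fa0.access_group(ACL_110, "in")
    fa0.access_group(ACL_120, "in")  # 120 now replaces 110 on Fa0/0 inbound
    return evaluate(fa0.acls["in"], DNS_PKT)


if __name__ == "__main__":
    print("R1 Fa0/0 in: DNS with 110 =", evaluate(ACL_110, DNS_PKT),
          "| after 120 =", r1_fa0_0_inbound_after_b())
    for name, pkt in (("DNS", DNS_PKT), ("WWW", WWW_PKT), ("FTP->.21", FTP_PKT)):
        print("R3 ACL 113:", name, "=", evaluate(ACL_113, pkt))
```

Running it prints the verdicts: the DNS flow from 160.121.53.67 that ACL 110 permits is dropped once 120 is the inbound list on Fa0/0, and on R3 ACL 113 only TCP traffic to 200.106.56.13 gets past the implicit deny, so anything to 200.106.56.21 is already blocked there without an explicit deny.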
QUESTION C
In addition to the previous configurations, these are added:
R4#show access-lists
Extended IP access list 111
permit tcp host 154.56.18.28 host 200.106.56.13 eq domain
permit tcp host 154.56.20.255 host 200.106.56.13 eq domain
Extended IP access list 121
permit tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq www
Extended IP access list 131
permit tcp host 154.56.18.28 host 200.106.56.21 eq 20
R4#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 154.56.16.1/21
NOTE: Here it seems to me that FTP traffic must be denied on R2 in order to force the use of the
FTP gateway, which is R3. Therefore:
R2#show access-lists
Extended IP access list F0-OUT
permit udp 160.121.32.0 0.0.31.255 host 200.106.56.13 eq domain
permit udp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq domain
Extended IP access list 132
deny tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.21 eq 20
R2#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 200.106.56.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 132
QUESTION D
In addition to the previous configurations, these are added:
R1#show access-lists
Extended IP access list 110
permit tcp host 160.121.33.0 host 200.106.56.13 eq domain
permit tcp host 160.121.53.67 host 200.106.56.13 eq domain
Extended IP access list 120
permit tcp host 160.121.53.67 host 200.106.56.13 eq www
Extended IP access list 130
permit tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
Extended IP access list 140
deny icmp 160.121.32.0 0.0.31.255 200.106.56.0 0.0.0.255
deny tcp 160.121.32.0 0.0.31.255 200.106.56.0 0.0.0.255 eq 7
NOTE: I have written it in two ways, since some references state that ICMP traffic is placed after
the permit or deny. Others say it is considered part of TCP on port 7.
R1#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 160.121.32.1/19
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 140
R4#show access-lists
Extended IP access list 121
permit tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq www
Extended IP access list 131
permit tcp host 154.56.18.28 host 200.106.56.21 eq 20
Extended IP access list 141
deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.0 eq 7
deny icmp 154.56.16.0 0.0.7.255 host 200.106.56.0
NOTE: In the same way I have written it in two ways, since some references state that ICMP traffic
is placed after the permit or deny. Others say it is considered part of TCP on port 7.
R4#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 154.56.16.1/21
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 141
R2#show access-lists
Extended IP access list F0-OUT
permit udp 160.121.32.0 0.0.31.255 host 200.106.56.13 eq domain
permit udp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq domain
Extended IP access list 132
deny tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.21 eq 20
Extended IP access list 150
permit tcp host 200.106.56.13 160.121.32.0 0.0.31.255 eq 7
permit tcp host 200.106.56.13 154.56.16.0 0.0.7.255 eq 7
R2#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 200.106.56.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 132
Inbound access list is 150
R3#show access-lists
Extended IP access list 113
permit tcp any host 200.106.56.13
Extended IP access list 151
permit tcp host 200.106.56.21 160.121.32.0 0.0.31.255 eq 7
permit tcp host 200.106.56.21 154.56.16.0 0.0.7.255 eq 7
R3#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 200.106.56.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 113
Inbound access list is 151
QUESTION E
In addition to the previous configurations, these are added:
I tried to execute the following command, but the system does not accept it:
R1(config)#access-list 160 permit tcp 160.121.33.0 0.0.0.0 any eq ssh
^
% Invalid input detected at '^' marker.
It does not accept the following command either:
R1(config)#access-list 160 permit tcp 160.121.33.0 0.0.0.0 any eq https
^
% Invalid input detected at '^' marker.
QUESTION F
In addition to the previous configurations, these are added:
R1#show access-lists
Extended IP access list 120
permit tcp host 160.121.53.67 host 200.106.56.13 eq www
Extended IP access list 130
permit tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
Extended IP access list 140
deny icmp 160.121.32.0 0.0.31.255 200.106.56.0 0.0.0.255
deny tcp 160.121.32.0 0.0.31.255 200.106.56.0 0.0.0.255 eq 7
Extended IP access list 170
permit udp 160.121.32.0 0.0.31.255 any eq 520
Extended IP access list 171
permit udp any 160.121.32.0 0.0.31.255 eq 520
R1#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 160.121.32.1/19
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 171
Inbound access list is 170
R4#show access-lists
Extended IP access list 121
permit tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq www
Extended IP access list 131
permit tcp host 154.56.18.28 host 200.106.56.21 eq 20
Extended IP access list 141
deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.0 eq 7
deny icmp 154.56.16.0 0.0.7.255 host 200.106.56.0
Extended IP access list 180
permit udp 154.56.16.0 0.0.7.255 any eq 520
Extended IP access list 181
permit udp any 154.56.16.0 0.0.7.255 eq 520
R4#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 154.56.16.1/21
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 181
Inbound access list is 180
R2#show access-lists
Extended IP access list F0-OUT
permit udp 160.121.32.0 0.0.31.255 host 200.106.56.13 eq domain
permit udp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq domain
Extended IP access list 132
deny tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.21 eq 20
Extended IP access list 150
permit tcp host 200.106.56.13 160.121.32.0 0.0.31.255 eq 7
permit tcp host 200.106.56.13 154.56.16.0 0.0.7.255 eq 7
Extended IP access list 190
permit udp 200.106.56.0 0.0.0.255 any eq 520 (3 match(es))
Extended IP access list 191
permit udp any 200.106.56.0 0.0.0.255 eq 520
R2#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 200.106.56.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 191
Inbound access list is 190
R3#show access-lists
Extended IP access list 113
permit tcp any host 200.106.56.13
Extended IP access list 151
permit tcp host 200.106.56.21 160.121.32.0 0.0.31.255 eq 7
permit tcp host 200.106.56.21 154.56.16.0 0.0.7.255 eq 7
Extended IP access list 195
permit udp 200.106.56.0 0.0.0.255 any eq 520 (3 match(es))
Extended IP access list 196
permit udp any 200.106.56.0 0.0.0.255 eq 520
R3#show ip interface
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 200.106.56.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 196
Inbound access list is 195