This post is the solution to the Packet Tracer activity for Chapter 4, Network Security. The Chapter 4 Packet Tracer activity is about ACLs; its full title is Configure IP ACLs to Mitigate Attacks. The activity uses only standard and extended ACLs and does not involve advanced ACL types such as reflexive, dynamic or time-based ACLs. Even so, you must be very precise with ACLs in Packet Tracer: the grader compares your entries against a fixed answer, so an IP address or ACL order that is functionally correct but differs from the expected one will not increase your mark. In this post I show the correct configuration and, step by step, how to get 100% for this activity.
Note that I skip every task that carries no mark. Most of those are verification tasks such as pinging. I go straight to the tasks that require configuration or changes.
Task 2: Secure Access to Routers
Configure ACL 10 to block all remote access to the routers except from PC-C.
R1(config)#access-list 10 permit 192.168.3.3
Apply ACL 10 to ingress traffic on the VTY lines.
R1(config)#line vty 0 4
R1(config-line)#access-class 10 in
Apply the same configuration on the other routers (R2 and R3). ACL 10 needs only this one permit entry: every ACL ends with an implicit deny, so with access-class applied on the VTY lines any source other than PC-C (192.168.3.3) is refused before it reaches the login prompt.
Task 3: Create a Numbered IP ACL 100
Configure ACL 100 to block all specified traffic from the outside network.
R3(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R3(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R3(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R3(config)#access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R3(config)#access-list 100 deny ip 224.0.0.0 15.255.255.255 any
R3(config)#access-list 100 permit ip any any
As the instructions say, you are required to block 127.0.0.0/8, all private address ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and the multicast range 224.0.0.0/4 as source addresses, then permit everything else. If you do not get the mark for this task, enter the entries in exactly the order shown above. Because the five deny ranges do not overlap, the ACL filters the same traffic in any order, but the grader only accepts this order and your mark will not be increased otherwise.
Apply the ACL inbound on interface Serial 0/0/1.
R3(config)#interface Serial 0/0/1
R3(config-if)#ip access-group 100 in
Take note that your mark will not be increased for this action.
Then remove the ACL from interface Serial 0/0/1 again.
R3(config-if)#no ip access-group 100 in
Task 4: Create a Numbered IP ACL 110
Configure ACL 110 to permit only traffic from the inside network.
R3(config)#access-list 110 permit ip 192.168.3.0 0.0.0.255 any
Apply the ACL inbound on interface F0/1, the LAN interface of R3.
R3(config)#interface FastEthernet 0/1
R3(config-if)#ip access-group 110 in
Because the ACL is applied inbound on the LAN side, any packet entering from the inside network whose source address is not in 192.168.3.0/24 falls through to the implicit deny. This is an anti-spoofing filter: inside hosts cannot send traffic pretending to come from somewhere else.
Task 5: Create a Numbered IP ACL 120
Verify that PC-C can access PC-A via HTTPS using the web browser.
To make this possible, click PC-A -> Config -> HTTP, then disable HTTP and enable HTTPS.
By default in this activity HTTP is enabled; disable it so that only HTTPS is offered.
Configure ACL 120 to specifically permit and deny the specified traffic.
R1(config)#access-list 120 permit udp any host 192.168.1.3 eq 53
R1(config)#access-list 120 permit tcp any host 192.168.1.3 eq 25
R1(config)#access-list 120 permit tcp any host 192.168.1.3 eq 21
R1(config)#access-list 120 deny tcp any host 192.168.1.3 eq 443
R1(config)#access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
As stated in the instructions, this ACL permits access to server PC-A for DNS, SMTP and FTP, denies access to the HTTPS service on PC-A, and permits PC-C to access Router 1 (R1) via SSH. Everything else entering S0/0/0, including ICMP replies, hits the implicit deny at this point; that is expected, and Task 6 appends the entries that open it up again.
Apply the ACL inbound on interface S0/0/0.
R1(config)#interface Serial 0/0/0
R1(config-if)#ip access-group 120 in
Task 6: Modify An Existing ACL
Make any necessary changes to ACL 120 to permit and deny the specified traffic.
R1(config)#access-list 120 permit icmp any any echo-reply
R1(config)#access-list 120 permit icmp any any unreachable
R1(config)#access-list 120 deny icmp any any
R1(config)#access-list 120 permit ip any any
Take note that using 'any' as both the source and the destination address is required to get the mark; it might not be increased if you use a network address as source or destination. The two permit entries let echo replies and unreachable messages in, the deny icmp any any then drops all other inbound ICMP (including echo requests from outside), and permit ip any any must be the last entry: ACLs are evaluated top down with the first match winning, so placing it earlier would silently override the HTTPS and ICMP denies above it.
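To see why the order of the entries matters for ACL 120 but not for ACL 100, here is an added example (my own Python, not part of the original post, the Packet Tracer activity or any Cisco tool) that walks an ACL the way IOS does: top to bottom, first match wins, implicit deny at the end, using Cisco wildcard masks. It covers ACL 10, ACL 100 (with the multicast entry 224.0.0.0 15.255.255.255) and ACL 120 as it stands after Task 5 and after Task 6. The outside host 203.0.113.5 is a constructed test address; all other addresses are the ones used in this activity. Only the ACE forms that appear on this page are parsed.

```python
"""Added example: a first-match evaluator for the numbered ACLs on this page.
Not part of the Packet Tracer activity; it only models how IOS evaluates an
ACL (top down, first match wins, implicit deny) and Cisco wildcard masks."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr_spec(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_ace(line):
    """Parse one 'access-list N ...' line (standard 1-99 or extended 100-199)."""
    tokens = line.split()
    number, action = int(tokens[1]), tokens[2]
    if number <= 99:  # standard ACL: source only; a bare address means one host
        rest = tokens[3:]
        if rest[0] in ("any", "host"):
            src = _addr_spec(rest)
        else:
            src = (rest[0], rest[1] if len(rest) > 1 else "0.0.0.0")
        return dict(action=action, proto="ip", src=src, dst=ANY, dport=None, icmp_type=None)
    proto, rest = tokens[3], tokens[4:]
    src = _addr_spec(rest)
    dst = _addr_spec(rest)
    dport = icmp_type = None
    if rest and rest[0] == "eq":          # 'eq PORT' for tcp/udp
        dport = int(rest[1])
    elif rest and proto == "icmp":        # e.g. 'echo-reply', 'unreachable'
        icmp_type = rest[0]
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport, icmp_type=icmp_type)


def ace_matches(ace, pkt):
    """True if this entry matches the packet; 'ip' matches every protocol."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    return True


def evaluate(acl, pkt):
    """Walk the ACL top down; return (action, matching line) or the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"


def pkt(src, dst, proto="ip", dport=None, icmp_type=None):
    """A constructed packet header holding only the fields an ACL inspects."""
    return dict(src=src, dst=dst, proto=proto, dport=dport, icmp_type=icmp_type)


# The ACLs exactly as configured on this page.
ACL_10 = ["access-list 10 permit 192.168.3.3"]
ACL_100 = [
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 224.0.0.0 15.255.255.255 any",
    "access-list 100 permit ip any any",
]
ACL_120_TASK5 = [
    "access-list 120 permit udp any host 192.168.1.3 eq 53",
    "access-list 120 permit tcp any host 192.168.1.3 eq 25",
    "access-list 120 permit tcp any host 192.168.1.3 eq 21",
    "access-list 120 deny tcp any host 192.168.1.3 eq 443",
    "access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22",
]
ACL_120_TASK6 = ACL_120_TASK5 + [
    "access-list 120 permit icmp any any echo-reply",
    "access-list 120 permit icmp any any unreachable",
    "access-list 120 deny icmp any any",
    "access-list 120 permit ip any any",
]

if __name__ == "__main__":
    outside = "203.0.113.5"  # constructed outside host, not in the activity topology
    print(evaluate(ACL_100, pkt("172.31.0.9", "192.168.3.3")))   # deny: inside 172.16.0.0/12
    print(evaluate(ACL_100, pkt("172.32.0.9", "192.168.3.3")))   # permit: just outside /12
    reply = pkt(outside, "192.168.1.3", "icmp", icmp_type="echo-reply")
    print(evaluate(ACL_120_TASK5, reply))  # ('deny', 'implicit deny') after Task 5
    print(evaluate(ACL_120_TASK6, reply))  # permit after Task 6
```

Running it shows that ACL 120 as left after Task 5 drops even ICMP echo replies coming back into S0/0/0, which is what the Task 6 entries fix, and that moving permit ip any any above the HTTPS deny silently reopens port 443. That is why the Task 6 entries must be appended after the Task 5 ones and not inserted earlier.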
If you want to try this packet tracer activity, download it here.
If you want the solution for this Chapter 4 Packet Tracer activity, download it here.
That's all. Just be careful with access list 100 and access list 120 and you should be fine. Thank you.