Network Security Chapter 4 Packet Tracer Activity A Answer

Network Security Packet Tracer Activity Chapter 4

This post is the solution (answer) for the Chapter 4 Packet Tracer Activity A of Network Security. The activity is about ACLs; to be specific, its title is Configure IP ACLs to Mitigate Attacks. It uses only standard and extended ACLs and does not involve advanced ACLs such as reflexive, dynamic or time-based ACLs. However, you must be very precise when dealing with ACLs in a Packet Tracer activity: a mistake in the IP address will not earn you the mark, even if the address you used is also applicable and correct for that purpose. In this post I will show the correct configuration, step by step, so you can get 100% for this Packet Tracer activity.

Take note that I will skip any task which does not give a mark. Most of them are verification tasks such as ping. I will go straight to the tasks that require configuration or changes.


Task 2: Secure Access to Routers

Configure ACL 10 to block all remote access to the routers except from PC-C.

R1(config)#access-list 10 permit 192.168.3.3


Apply ACL 10 to ingress traffic on the VTY lines.

R1(config)#line vty 0 4
R1(config-line)#access-class 10 in

Please apply the same configuration to the other routers (R2 and R3). Because every ACL ends with an implicit deny, the single permit entry means only PC-C (192.168.3.3) can reach the VTY lines; every other source is refused.


Task 3: Create a Numbered IP ACL 100

Configure ACL 100 to block all specified traffic from the outside network.

R3(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R3(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R3(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R3(config)#access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R3(config)#access-list 100 deny ip 224.0.0.0 15.255.255.255 any
R3(config)#access-list 100 permit ip any any

As in the instructions, you are required to block 127.0.0.0/8, all private IP addresses and multicast addresses. If you get a wrong answer for this task, try to follow the order of the ACL entries as stated above. Changing the order might result in your mark not being increased, even though you may find the ACL still works perfectly in the order you specified.


Apply the ACL to interface Serial 0/0/1.

R3(config)#int s0/0/1
R3(config-if)#ip access-group 100 in

Take note that your mark will not be increased for this action.


Remove the ACL from interface Serial 0/0/1.

R3(config-if)#no ip access-group 100 in


Task 4: Create a Numbered IP ACL 110

Configure ACL 110 to permit only traffic from the inside network.

R3(config)#access-list 110 permit ip 192.168.3.0 0.0.0.255 any


Apply the ACL to interface F0/1.

R3(config)#int f0/1
R3(config-if)#ip access-group 110 in


Task 5: Create a Numbered IP ACL 120

Verify that PC-C can access the PC-A via HTTPS using the web browser.

Click PC-A -> Config -> HTTP, then disable HTTP and enable HTTPS.

By default HTTP is enabled in this Packet Tracer activity, so you must disable it.


Configure ACL 120 to specifically permit and deny the specified traffic.

R1(config)#access-list 120 permit udp any host 192.168.1.3 eq 53
R1(config)#access-list 120 permit tcp any host 192.168.1.3 eq 25
R1(config)#access-list 120 permit tcp any host 192.168.1.3 eq 21
R1(config)#access-list 120 deny tcp any host 192.168.1.3 eq 443
R1(config)#access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22

As stated in the instructions, this ACL permits access to server PC-A for DNS, SMTP and FTP, denies access to the HTTPS service on server PC-A, and permits PC-C to access Router 1 (R1) via SSH. Any other packet arriving on the interface is dropped by the implicit deny at the end of the ACL.

Apply the ACL to interface S0/0/0.

R1(config)#int s0/0/0
R1(config-if)#ip access-group 120 in


Task 6: Modify An Existing ACL

Make any necessary changes to ACL 120 to permit and deny the specified traffic.

R1(config)#access-list 120 permit icmp any any echo-reply
R1(config)#access-list 120 permit icmp any any unreachable
R1(config)#access-list 120 deny icmp any any
R1(config)#access-list 120 permit ip any any

Take note that using 'any' as the source and destination address is required for you to get the mark. Your mark might not be increased if you use a network address as the source or destination.
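Why the entries above behave as they do, and why Task 6 is needed at all, is easiest to see by evaluating sample packets against the lists. The following Python script is an added example, not code from the original post or from Packet Tracer; it reproduces the Cisco matching rules that matter here (wildcard masks, top-down first match, and the implicit deny at the end of every ACL) for ACL 10, ACL 100 and ACL 120 exactly as entered on this page. The packets it evaluates are constructed samples, and its port-name table is limited to the services this activity uses.

```python
"""Simulate Cisco numbered ACL evaluation: top-down, first match wins, implicit deny.
Added example, not code from the original post or from Packet Tracer. It models only the
entry syntax used on this page (standard source-only entries; extended ip/tcp/udp/icmp
entries with any, host, wildcard masks, "eq <port>" and an ICMP type keyword)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "smtp": 25, "ftp": 21, "www": 80, "ssh": 22}
ANY = ("0.0.0.0", "255.255.255.255")  # an address spec is (base, wildcard)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # "echo", "echo-reply", "unreachable", ...

@dataclass
class ACE:
    action: str
    proto: str                       # "ip" matches every protocol
    src: Tuple[str, str]
    dst: Tuple[str, str]
    port: Optional[int] = None
    icmp_type: Optional[str] = None

def _take_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec starting at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():  # "A.B.C.D wildcard"
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1               # bare host in a standard ACL

def parse_ace(line: str) -> ACE:
    """Parse the text that follows 'access-list <number>'."""
    t = line.split()
    if t[1] in ("ip", "tcp", "udp", "icmp"):      # extended entry
        src, i = _take_addr(t, 2)
        dst, i = _take_addr(t, i)
        ace = ACE(t[0], t[1], src, dst)
    else:                                         # standard entry: source only
        src, i = _take_addr(t, 1)
        ace = ACE(t[0], "ip", src, ANY)
    if i < len(t) and t[i] == "eq":
        ace.port = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    elif i < len(t) and ace.proto == "icmp":
        ace.icmp_type = t[i]
    return ace

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
        return False
    if ace.port is not None and pkt.dport != ace.port:
        return False
    return ace.icmp_type is None or pkt.icmp_type == ace.icmp_type

def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """Walk the ACL top-down; the first matching entry decides, otherwise deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, line
    return "deny", "<implicit deny>"

# The ACLs exactly as entered on this page, without the 'access-list N' prefix.
ACL_10 = ["permit 192.168.3.3"]
ACL_100 = ["deny ip 10.0.0.0 0.255.255.255 any", "deny ip 172.16.0.0 0.15.255.255 any",
           "deny ip 192.168.0.0 0.0.255.255 any", "deny ip 127.0.0.0 0.255.255.255 any",
           "deny ip 224.0.0.0 15.255.255.255 any", "permit ip any any"]
ACL_120_TASK6 = ["permit udp any host 192.168.1.3 eq 53", "permit tcp any host 192.168.1.3 eq 25",
                 "permit tcp any host 192.168.1.3 eq 21", "deny tcp any host 192.168.1.3 eq 443",
                 "permit tcp host 192.168.3.3 host 10.1.1.1 eq 22",
                 "permit icmp any any echo-reply", "permit icmp any any unreachable",
                 "deny icmp any any", "permit ip any any"]
ACL_120_TASK5 = ACL_120_TASK6[:5]   # the ACL as it stands after Task 5, before Task 6

if __name__ == "__main__":
    # Constructed sample packets, seen inbound on the interface the ACL is applied to.
    reply = Packet("icmp", "192.168.3.3", "192.168.1.3", icmp_type="echo-reply")
    for name, acl, pkt in [("ACL 100", ACL_100, Packet("tcp", "172.31.9.9", "192.168.3.3", 80)),
                           ("ACL 100", ACL_100, Packet("tcp", "203.0.113.7", "192.168.3.3", 80)),
                           ("ACL 120 after Task 5", ACL_120_TASK5, reply),
                           ("ACL 120 after Task 6", ACL_120_TASK6, reply)]:
        action, hit = evaluate(acl, pkt)
        print(f"{name}: {pkt.proto} {pkt.src} -> {pkt.dst}: {action} ({hit})")
```

Running it shows that a source of 172.31.9.9 is dropped by the 172.16.0.0 0.15.255.255 entry (that wildcard covers 172.16.0.0 through 172.31.255.255), that a public source such as 203.0.113.7 falls through to the final permit, and that an ICMP echo-reply arriving on S0/0/0 hits the implicit deny after Task 5 but is permitted once the Task 6 entries are added. The same implicit deny is what makes ACL 10 admit only PC-C to the VTY lines.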


If you want to try this packet tracer activity, download it here.

If you want the solution or answer for this Chapter 4 Packet Tracer activity, download it here.


That’s all. Just be careful with Access List 100 and Access List 120. You should be fine. Thank You.


12 thoughts on “Network Security Chapter 4 Packet Tracer Activity A Answer”

  1. Hello, thanks for your effort. I am stuck at 86 and I have no idea how to do it. When I click on Check Results, here are the ones that are not marked with a tick.
    R1 (ACL) 120
    R3 (ACL) 10 – 100
    Please help me and thanks again.

  2. I created a script for this Packet Tracer Lab. It solves the issue yazeed had. Simply copy and paste into the proper router after entering the console and enable passwords into the router.

    Router 1
    !
    !!!CONSOLE PASSWORD IS: ciscoconpa55
    !!! ENABLE PASSWORD IS : ciscoenpa55
    !
    en
    !
    !!TASK 2: SECURE ACCESS TO ROUTERS!!
    config t
    !
    access-list 10 permit 192.168.3.3 0.0.0.0
    !
    line vty 0 4
    !
    access-class 10 in
    !
    end
    !
    !!TASK 5: CREATE A NUMBERED IP ACL 120!!
    !! YOU NEED TO DISABLE HTTP ON PC-A AND ENABLE HTTPS ON PC-A BY GOING TO THE CONFIG SCREEN AND CLICKING THE ENABLE/DISABLE BUTTONS!!!
    !
    config t
    !
    access-list 120 permit udp any host 192.168.1.3 eq domain
    !
    access-list 120 permit tcp any host 192.168.1.3 eq smtp
    !
    access-list 120 permit tcp any host 192.168.1.3 eq ftp
    !
    access-list 120 deny tcp any host 192.168.1.3 eq 443
    !
    access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
    !
    int s0/0/0
    !
    ip access-group 120 in
    !
    end
    !
    !!TASK 6: MODIFY AN EXISTING ACL !!
    !
    config t
    !
    access-list 120 permit icmp any any echo-reply
    !
    access-list 120 permit icmp any any unreachable
    !
    access-list 120 deny icmp any any
    !
    access-list 120 permit ip any any
    !
    end

    Router 2
    !
    !!!CONSOLE PASSWORD IS: ciscoconpa55
    !!! ENABLE PASSWORD IS : ciscoenpa55
    !
    en
    !
    !!TASK 2: SECURE ACCESS TO ROUTERS!!
    config t
    !
    access-list 10 permit 192.168.3.3 0.0.0.0
    !
    line vty 0 4
    !
    access-class 10 in
    !
    end

    Router 3
    !
    !!!CONSOLE PASSWORD IS: ciscoconpa55
    !!! ENABLE PASSWORD IS : ciscoenpa55
    en
    !
    !!TASK 2: SECURE ACCESS TO ROUTERS!!
    config t
    !
    access-list 10 permit 192.168.3.3 0.0.0.0
    !
    line vty 0 4
    !
    access-class 10 in
    !
    end
    !
    !!TASK 3: CREATE A NUMBERED IP ACL 100!!!
    config t
    !
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    !
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any
    !
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any
    !
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    !
    access-list 100 deny ip 224.0.0.0 15.255.255.255 any
    !
    access-list 100 permit ip any any
    !
    int s0/0/1
    !
    ip access-group 100 in
    !
    no ip access-group 100 in
    !
    end
    !
    !!TASK 4: CREATE A NUMBERED IP ACL 110!!
    !
    config t
    !
    access-list 110 permit ip 192.168.3.0 0.0.0.255 any
    !
    int fa0/1
    !
    ip access-group 110 in
    !
    end

  3. Kudos to you, dude! These PT activities suck; you end up wasting your time troubleshooting how the goddamn system wants to get configured first rather than actually learning the reasons behind it. Even if you read the instructions, it clearly states to configure first the 127/8 pool!!!! Dammit
