This post is the solution for the Packet Tracer Activity of Chapter 4, Network Security. The Chapter 4 Packet Tracer Activity A, Network Security, is about ACLs. To be specific, the title of the Packet Tracer activity is Configure IP ACLs to Mitigate Attacks. The ACLs in this Packet Tracer activity are standard and extended ACLs; it does not involve advanced ACLs such as reflexive, dynamic or time-based ACLs. However, you must be very precise when dealing with ACLs in a Packet Tracer activity. Using an IP address other than the expected one will not increase your mark, even if the address you used is also applicable and correct for that particular purpose. In this post, I will show the correct configuration, step by step, to get 100% for this Packet Tracer activity.
Take note that I will skip any task which does not give marks. Most of them are verification tasks such as ping. I will go straight to the tasks which require configuration or changes.
Task 2: Secure Access to Routers
Configure ACL 10 to block all remote access to the routers except from PC-C.
R1(config)#access-list 10 permit 192.168.3.3
Apply ACL 10 to ingress traffic on the VTY lines.
R1(config)#line vty 0 4
R1(config-line)#access-class 10 in
Please apply the same configuration to the other routers (R2 and R3).
Task 3: Create a Numbered IP ACL 100
Configure ACL 100 to block all specified traffic from the outside network.
R3(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R3(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R3(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R3(config)#access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R3(config)#access-list 100 deny ip 224.0.0.0 15.255.255.255 any
R3(config)#access-list 100 permit ip any any
As in the instructions, you are required to block 127.0.0.0/8, all private IP addresses and multicast addresses. If you got the wrong answer for this task, follow the order of the ACL as stated above. Changing the order of this ACL might result in your mark not being increased, although you may find the ACL still works perfectly in the order you specified.
Apply the ACL to interface Serial 0/0/1.
R3(config)#int s0/0/1
R3(config-if)#ip access-group 100 in
Take note that your mark will not be increased for this action.
Remove the ACL from interface Serial 0/0/1.
R3(config-if)#no ip access-group 100 in
Task 4: Create a Numbered IP ACL 110
Configure ACL 110 to permit only traffic from the inside network.
R3(config)#access-list 110 permit ip 192.168.3.0 0.0.0.255 any
Apply the ACL to interface F0/1.
R3(config)#int f0/1
R3(config-if)#ip access-group 110 in
Task 5: Create a Numbered IP ACL 120
Verify that PC-C can access the PC-A via HTTPS using the web browser.
Click PC-A -> Config -> HTTP. Disable HTTP and enable HTTPS.
By default in this Packet Tracer activity, HTTP is enabled; disable it.
Configure ACL 120 to specifically permit and deny the specified traffic.
R1(config)#access-list 120 permit udp any host 192.168.1.3 eq 53
R1(config)#access-list 120 permit tcp any host 192.168.1.3 eq 25
R1(config)#access-list 120 permit tcp any host 192.168.1.3 eq 21
R1(config)#access-list 120 deny tcp any host 192.168.1.3 eq 443
R1(config)#access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
As stated in the instructions, this ACL permits access to server PC-A for DNS, SMTP and FTP, denies access to the HTTPS service on server PC-A, and permits PC-C to access Router 1 (R1) via SSH.
Apply the ACL to interface S0/0/0.
R1(config)#int s0/0/0
R1(config-if)#ip access-group 120 in
Task 6: Modify An Existing ACL
Make any necessary changes to ACL 120 to permit and deny the specified traffic.
R1(config)#access-list 120 permit icmp any any echo-reply
R1(config)#access-list 120 permit icmp any any unreachable
R1(config)#access-list 120 deny icmp any any
R1(config)#access-list 120 permit ip any any
Take note that using 'any' as the source and destination address is required for your mark to increase. Your mark might not be increased if you use a network address as the source or destination address.
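As an added example that is not part of the original post: a small Python evaluator for the first-match semantics behind ACL 100 (Task 3) and ACL 120 (Tasks 5 and 6), loaded with the page's own entries. It shows the implicit deny that drops ICMP echo replies until Task 6 adds the echo-reply line, and that the trailing permit ip any any in Task 6 lets any host, not only PC-C, reach 10.1.1.1 on port 22. The wildcard-mask matching, the packet dictionaries and the numeric-port-only parser are my assumptions, not Packet Tracer's code.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match the base
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_ace(line):
    # 'access-list N permit|deny proto src dst [eq PORT | icmp-type]' (numeric ports only)
    t = line.split()
    action, proto, pos = t[2], t[3], 4
    def take():  # one address spec: any | host A | A WILDCARD
        nonlocal pos
        if t[pos] == "any":
            pos += 1; return ("0.0.0.0", "255.255.255.255")
        if t[pos] == "host":
            pos += 2; return (t[pos - 1], "0.0.0.0")
        pos += 2; return (t[pos - 2], t[pos - 1])
    src, dst = take(), take()
    tail = t[pos:]  # optional qualifier: "eq PORT" or an ICMP type such as echo-reply
    port = int(tail[1]) if tail[:1] == ["eq"] else None
    icmp = tail[0] if tail and proto == "icmp" else None
    return dict(action=action, proto=proto, src=src, dst=dst, port=port, icmp=icmp)

def evaluate(acl, pkt):
    # First matching entry wins; every IOS ACL ends in an implicit "deny ip any any".
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]: continue
        if not wildcard_match(pkt["src"], *ace["src"]): continue
        if not wildcard_match(pkt["dst"], *ace["dst"]): continue
        if ace["port"] is not None and pkt.get("dport") != ace["port"]: continue
        if ace["icmp"] is not None and pkt.get("icmp") != ace["icmp"]: continue
        return ace["action"]
    return "deny"

ACL_100 = [parse_ace(l) for l in """access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 permit ip any any""".splitlines()]
ACL_120_TASK5 = [parse_ace(l) for l in """access-list 120 permit udp any host 192.168.1.3 eq 53
access-list 120 permit tcp any host 192.168.1.3 eq 25
access-list 120 permit tcp any host 192.168.1.3 eq 21
access-list 120 deny tcp any host 192.168.1.3 eq 443
access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22""".splitlines()]
ACL_120_TASK6 = ACL_120_TASK5 + [parse_ace(l) for l in """access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 deny icmp any any
access-list 120 permit ip any any""".splitlines()]
```

Packets are plain dictionaries with proto, src, dst and, where relevant, dport or icmp, so you can feed the evaluator any traffic from the topology and see which entry decides it.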
If you want to try this Packet Tracer activity, download it here.
If you want the solution or answer for this Chapter 4 Packet Tracer activity, download it here.
That’s all. Just be careful with Access List 100 and Access List 120. You should be fine. Thank You.
Hey man, thanks a lot, your blog source is very reliable. Just one question, what version of Packet Tracer do you use?
packet tracer 5.3.3
Thanks man, last week I used the AAA activity, thanks…
Hello, thanks for your effort. I am stuck at 86 and I have no idea how to do it. When I click on Check Results, here are the ones that are not marked with a tick.
R1 (ACL) 120
R3 (ACL) 10 – 100
Please help me and thanks again.
I created a script for this Packet Tracer lab. It solves the issue yazeed had. Simply copy and paste it into the proper router after entering the console and enable passwords into the router.
Router 1
!
!!!CONSOLE PASSWORD IS: ciscoconpa55
!!! ENABLE PASSWORD IS: ciscoenpa55
!
en
!
!!TASK 2: SECURE ACCESS TO ROUTERS!!
config t
!
access-list 10 permit 192.168.3.3 0.0.0.0
!
line vty 0 4
!
access-class 10 in
!
end
!
!!TASK 5: CREATE A NUMBERED IP ACL 120!!
!! YOU NEED TO DISABLE HTTP ON PC-A AND ENABLE HTTPS ON PC-A BY GOING TO THE CONFIG SCREEN AND CLICKING THE ENABLE/DISABLE BUTTONS!!!
!
config t
!
access-list 120 permit udp any host 192.168.1.3 eq domain
!
access-list 120 permit tcp any host 192.168.1.3 eq smtp
!
access-list 120 permit tcp any host 192.168.1.3 eq ftp
!
access-list 120 deny tcp any host 192.168.1.3 eq 443
!
access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
!
int s0/0/0
!
ip access-group 120 in
!
end
!
!!TASK 6: MODIFY AN EXISTING ACL !!
!
config t
!
access-list 120 permit icmp any any echo-reply
!
access-list 120 permit icmp any any unreachable
!
access-list 120 deny icmp any any
!
access-list 120 permit ip any any
!
end
Router 2
!
!!!CONSOLE PASSWORD IS: ciscoconpa55
!!! ENABLE PASSWORD IS: ciscoenpa55
!
en
!
!!TASK 2: SECURE ACCESS TO ROUTERS!!
config t
!
access-list 10 permit 192.168.3.3 0.0.0.0
!
line vty 0 4
!
access-class 10 in
!
end
Router 3
!
!!!CONSOLE PASSWORD IS: ciscoconpa55
!!! ENABLE PASSWORD IS: ciscoenpa55
!
en
!
!!TASK 2: SECURE ACCESS TO ROUTERS!!
config t
!
access-list 10 permit 192.168.3.3 0.0.0.0
!
line vty 0 4
!
access-class 10 in
!
end
!
!!TASK 3: CREATE A NUMBERED IP ACL 100!!!
config t
!
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
!
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
!
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
!
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
!
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
!
access-list 100 permit ip any any
!
int s0/0/1
!
ip access-group 100 in
!
no ip access-group 100 in
!
end
!
!!TASK 4: CREATE A NUMBERED IP ACL 110!!
!
config t
!
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
!
int fa0/1
!
ip access-group 110 in
!
end
thank you
Thank you man, you just saved my ass.
You saved my ass too!
Thank you so much for your great work. I am a big fan.
cheers
Sam
Thanks a lot, I was stuck at 91 and now I've gotten the remaining answers. I'm so grateful! Well done!
Kudos to you dude! These PT activities suck; you end up wasting your time troubleshooting how the goddamn system wants to get configured first rather than actually learning the reasons behind it. Even if you read the instructions, it clearly states to configure first the 127/8 pool!!!! Dammit
I cannot download from the Packet Tracer activity download link.
(Livid is what the!)
How to download?
Excellent. Congratulations. You helped me very well to comprehend the different access-lists. Thanks