Lab 9.5.2 Troubleshooting ACL Configuration and Placement
Step 1: Connect the equipment
- Connect the Fa0/0 interface of Router 1 to the Fa0/1 interface of the switch using a straight-through cable.
- Connect each host to the Fa0/2 switch port of the switch using a straight-through cable.
- Connect serial cables from Router 1 to Router 2 according to the topology diagram.
- Connect both hosts on Router 2 to the Fa0/0 and Fa0/1 interfaces of Router 2 using crossover cables according to the above topology.
Step 2: Load the preconfiguration on ISP
- See your instructor for obtaining the preconfigurations for this lab.
- Connect Host 1 to the console port of Router 1 to load the preconfigurations using a terminal emulation program.
- Transfer the configuration from Host 1 to Router 1:
1) In the terminal emulation program on H1, choose Transfer > Send Text File.
2) Locate the preconfiguration file and choose Open to start the transfer of the preconfiguration to Router 1.
Step 3: Load the preconfiguration on HQ
Copy the preconfiguration on HQ using the process detailed in Step 2.
Step 4: Configure hosts H1 and H2
- Configure the Ethernet interfaces of H1 and H2 with the IP addresses and default gateways from the addressing table.
- Test the PC configuration by pinging the default gateway from each PC.
Step 5: Configure the web server host H3
- Load the Discovery LIVE CD on Host H3. The server’s Ethernet interface is preconfigured with the IP address and default gateway shown in the addressing table. If using another web server, configure the IP address and subnet mask to match that in the table.
- Test the PC configuration by pinging the default gateway from the PC.
Step 6: Troubleshoot the HQ router and access list 101
- Begin troubleshooting with the HQ router.
Access list 101 is implemented to protect the internal corporate network zone, which houses private servers and internal clients. No other network should be able to access it. Protecting the corporate network begins by specifying which traffic can exit out of the network.
- Examine the HQ router to find possible configuration errors. Begin by viewing the summary of access list 101. Enter the command show access-list 101.
- Verify reachability by pinging all systems and routers from
- If any errors were found, make the necessary configuration changes to HQ. Remember that access lists have to be deleted and re-entered if there is any discrepancy in the commands.
- Issue the command show ip interface fa0/0.
- Perform the pings from Step 6c again. If the pings are not successful, continue to troubleshoot other access lists.
Step 7: Troubleshoot the HQ router and access list 102
- Continue troubleshooting with the HQ router. Access list 102 is implemented to limit the traffic into the corporate network.
- Examine the HQ router to find possible configuration errors. Begin by viewing the summary of access list 102. Enter the command show access-list 102.
- Verify reachability by pinging all systems and routers from each system. If the access list is working correctly, H1 cannot ping H2, but all of the other pings should be successful.
Can H2 ping the web server? __________ no
Can H2 ping H1? __________ no
Can H1 ping the web server? __________ no
Can H1 ping H2? __________ no
- If any errors were found, make the necessary configuration changes to HQ. Remember to delete the entire access list before making the corrections. The commands must be in logical, sequential order.
- H2 should be able to ping H1. However, H1 should not be able to ping H2 at this point. Open a web browser, such as Windows Explorer, Netscape Navigator, or Firefox and enter the address of the web server in the address location. Verify that H2 has web access to the web server.
- Issue the command show ip interface fa0/0.
Is the access list applied in the correct direction on the interface? __________ yes
Step 8: Troubleshoot the HQ router and access list 111
- Continue troubleshooting with the HQ router. Access list 111 is implemented to protect the DMZ network.
- Examine the HQ router to find possible configuration errors. Begin by viewing the summary of access list 111. Enter the command show access-list 111.
- Verify reachability by pinging all systems and routers from each system. H1 should not be able to ping H2, but all other pings should be successful if the access list is correct.
Step 9: Troubleshoot the HQ router and access list 112
- Continue troubleshooting with the HQ router. Access list 112 is implemented to protect the DMZ network.
- Examine the HQ router to find possible configuration errors. Begin by viewing the summary of access list 112. Enter the command show access-list 112.
- Verify reachability by pinging all systems and routers from each system. Only H2 should be able to successfully ping all locations. If the access list is correct, H1 should not be able to ping the web server or H2.
Step 10: Troubleshoot the HQ router and access list 121
- Continue troubleshooting with the HQ router. Access list 121 is implemented to deter spoofing.
- Examine the HQ router to find possible configuration errors. Begin by viewing the summary of access list 121. Enter the command show access-list 121.
- Verify reachability by pinging all systems and routers from each system. If the access list is correct, only H2 should successfully ping the web server.
- Issue the command show interface serial0/0/0.
Is the access list applied in the correct direction on the interface? __________ no
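The two errors Steps 7 and 10 keep pointing at, statements in the wrong order and a list applied in the wrong direction, both come from IOS evaluating an ACL top-down with first match and an implicit deny at the end. The small evaluator below is an added example, not part of the lab or its preconfigurations; the 192.168.1.0/24 corporate prefix and the two sample packets are assumptions used to show an anti-spoofing list like 121 failing when the permit line is entered before the deny.

```python
import ipaddress

# Constructed anti-spoofing lists in IOS syntax (addresses are assumptions, not the lab's).
ACL_121_WRONG = [  # permit entered first: the deny below it can never match
    "access-list 121 permit ip any any",
    "access-list 121 deny ip 192.168.1.0 0.0.0.255 any",
]
ACL_121_RIGHT = [  # deny internal sources arriving on the WAN side, then permit the rest
    "access-list 121 deny ip 192.168.1.0 0.0.0.255 any",
    "access-list 121 permit ip any any",
]

def _parse_addr(tokens, i):
    """Parse one address clause (any | host A | A WILDCARD); return (matcher, next index)."""
    t = tokens[i]
    if t == "any":
        return (lambda ip: True), i + 1
    if t == "host":
        addr = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip, a=addr: int(ip) == a), i + 2
    net = int(ipaddress.IPv4Address(t))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = 0xFFFFFFFF ^ wild  # wildcard 1-bits are "don't care", so compare the other bits
    return (lambda ip, n=net, m=mask: int(ip) & m == n & m), i + 2

def parse_acl(lines):
    """Turn 'access-list N permit|deny PROTO SRC DST ...' lines into ordered entries."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError("not an access-list statement: " + line)
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)  # trailing port qualifiers are ignored here
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, proto, src, dst):
    """First matching entry decides; an entry for 'ip' matches every protocol.
    Falling off the end is the implicit deny that every IOS ACL carries."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, p, match_src, match_dst in entries:
        if p in ("ip", proto) and match_src(s) and match_dst(d):
            return action
    return "deny"
```

Run `evaluate(parse_acl(ACL_121_WRONG), "icmp", "192.168.1.10", "10.0.0.1")` against the same call with `ACL_121_RIGHT` to see the spoofed internal source slip through the first list and be dropped by the second.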
Step 11: Reflection
There were a number of configuration errors in the preconfigurations that were provided for this lab. Use this space below to write a brief description of the errors that you found.
Answer: The student should briefly summarize the errors encountered with the ACLs.