The topology consists of one Cisco router model 7200 with one networking card module PA-4E and two Ubuntu machines which serves as client (L2) and server (L1).

Eve-ng virtual machine should be already started for you with both binary image for Cisco router and iso for Ubuntu already added (for more, see the path /opt/unetlab/addons/dynamips).

You have to do the following:

- add IPs for network between the server and the network equipment (use range 10.10.10.0/24)

- add IPs for network between the client and the network equipment (use range 10.20.20.0/24) First IP is allocated for router and the second one for Linux machine

- add routes to make sure the endpoints can ping each other

1. Filter ICMP traffic:

We have the following scenario: suppose on the L1 there are multiple services available on 2 different interfaces (intf_1 with the IP already configured and intf_2 which we will configure below). I want only the first one to be 'pingable' by the clients to ensure some security.

2. Filter non-DNS and non-HTTP traffic:

Remove the old ACL from interface e0/0.

On this taks, you need write a new ACL (can use the value 101) with the following requirements: - allow DNS traffic to host 8.8.8.8 (test with nslookup or host)

- all HTTP traffic to host upb.ro (test with curl or wget). For upb.ro host use IP address 141.85.220.33

- deny any other type of traffic to host 8.8.8.8 and upb.ro

Apply this to the client network and find the ip addess for upb.ro, test curl upb.ro and then try to ping upb.ro or 8.8.8.8. Do not forget to add on client the nameserver.

3. Filter based on QoS information on the IP header:

Another field that can be matched in an IP header is the QoS information. If you want to match traffic with TOS value = 2, use the following commands:

cisco_7200(config)#ip access-list extended 101
cisco_7200(config-ext-nacl)#permit ip any any tos 2
cisco_7200(config-ext-nacl)#deny ip any any

Add extended ACL 101 to inbound direction on intf e0/0.

cisco_7200(config)#int e1/1
cisco_7200(config-if)#ip access-group 101 in

Try to send an icmp-echo request to server.

See that without adding the TOS value to ping command, the packets are filtered. Let’s try again with -Q flag added (try to look over ping manual also).

Look also over the access list from privileged exec mode:

cisco_7200#sh ip access-lists 101
Extended IP access list 101
    10 permit ip any any tos max-reliability (2 matches)
    20 deny ip any any (20 matches)

4. Standard and extended access lists:

On Cisco routers, the standard ACLs are numbered from 1 to 99 and the extended ones from 100 to 199. These numbers represent an older notation (yes, there are also used in the previous exercises) and there is recommended to switch to named ones where they can be explicitly defined as standard or extended. For easier debugging, there is also recommended to use only capitalized letters.

For an ACL we can see how many times a rule was matched (for example, this can be used for collecting information about the behavior of users in a company).

Another thing to note here are the line numbers (can be seen as priority values - the lowest value has the bigger priority) which are not incremented by default by one and instead there exists a gap for inserting new lines between them. In the case from above let’s say I want to introduce before ‘deny ip any any’ a new rule for permitting the source ip address 10.20.20.3.

Both standard and extended ACLs filter traffic based on static entries from layer 3 headers (IPs, QoS etc.) and layer 4 (TCP SYN flag, TCP MPTCP option etc.). However, this type of filtering is not very reliable as this information can be bypassed by an attacker by simply modifying the packets. One such example is scapy (a python library) which can be used to forge different packets and test the capabilities of firewalls.

5. Reflexive ACLs: Used for inspecting and monitor session data. An entry in the ACL can be used to reflect the traffic and create a second ACL, called reflexive IP access list. They are used to allow traffic based on them. Note that entries in them have a timeout value and are removed after it expires (dynamic entries in ACL).

After sending some pings from client to 10.30.30.2 (gateway), new entries are created for ICMP_OUT_CLIENT.

Exercise: do the same thing for DNS traffic. Verify by using nslookup or host on client machine the creation of reflexive ACL on the router.

6. Temporary access control:

a. using time-range: Standard, extended and reflexive ACLs can be configured to activate at a specific time using time-range command in config mode. In the following example, the HTTP traffic is only allowed on weekdays between 09:00 and 17:00 (for example, in a company with 8 working hours).

Rewrite the ACL ONLY_CLIENT (from above) to include time-range PERIODIC.

Send an icmp request from client to 10.30.30.2:

b. using lock-and-key: The second method consists in creating a temporary ACL using lock-and-key feature from Cisco, which is also known as dynamic ACL. It is activated automatically only when the user is authenticated. The next example is using telnet on router CISCO_packet_filter.

This will create the credentials student:student (used for local login), add them for logging to vty 0 and add a command that is executed automatically: enable the access for the host that is authenticated (the ip of it is retained).

Next, create an inbound ACL for permitting ICMP and telnet connections.

Create also the outbound one.

Add the ACLs to interface e0/0.

In the end try to ping (will fail firstly), connect and ping again.