! 9/25/2005 Week2_Basic_ACL.txt

show run
Building configuration...

Current configuration : 3102 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Company6
!
boot-start-marker
boot-end-marker
!
username r6admin secret 5 $1$Z0uy$Cf0ep5fcIushT4gOIEKEv/
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
!
ip audit po max-events 100
!
interface Ethernet0/0
 ip address 172.16.0.6 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 172.16.6.1 255.255.255.0
 half-duplex
!
router rip
 version 2
 network 172.16.0.0
 distribute-list RIPv2-OUT out Ethernet0/0
 distribute-list RIPv2-IN in Ethernet0/1
!
no ip http server
ip http access-class 1
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.200
!
ip access-list standard RIPv2-IN
 remark Permit R1,R2,R3,R4,R5 LAN advertisements
 permit 172.16.1.0 0.0.0.255
 permit 172.16.2.0 0.0.0.255
 permit 172.16.3.0 0.0.0.255
 permit 172.16.4.0 0.0.0.255
 permit 172.16.5.0 0.0.0.255
ip access-list standard RIPv2-OUT
 remark Only advertise the local LAN
 permit 172.16.6.0 0.0.0.255
!
ip access-list extended egress-filter
 remark PERMIT TCP TRAFFIC TO THE ISP HTTP (S) SERVICES FROM .96 & .98
 permit tcp host 172.16.6.96 172.16.255.0 0.0.0.7 eq www
 permit tcp host 172.16.6.98 172.16.255.0 0.0.0.7 eq 443
 deny ip 172.16.6.0 0.0.0.255 172.16.255.0 0.0.0.7 log
 remark PERMIT EGRESS LOCAL LAN TRAFFIC
 permit ip 172.16.6.0 0.0.0.255 any
 deny ip any any log
ip access-list extended ingress-filter
 remark DENY RFC 1918 PRIVATE ADDRESS SPACE
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 remark DENY OTHER BOGON ADDRESSES
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip 240.0.0.0 15.255.255.255 any log
 remark DENY INTERNAL NETWORK
 deny ip 172.16.6.0 0.0.0.255 any
 remark PERMIT RIPv2 UPDATES
 permit udp 172.16.0.0 0.0.0.255 any eq rip
 remark PERMIT TCP RETURN TRAFFIC
 permit tcp any 172.16.6.0 0.0.0.255 eq www established log
 permit tcp any 172.16.6.0 0.0.0.255 established log
 remark PERMIT DNS
 permit udp host 209.137.160.3 eq domain 172.16.6.0 0.0.0.255 gt 1023
 permit udp host 209.137.160.7 eq domain 172.16.6.0 0.0.0.255 gt 1023
logging source-interface Ethernet0/1
logging 172.16.6.97
logging 172.16.6.106
access-list 1 remark PERMIT MGMT-HTTPS ACCESS
access-list 1 permit 172.16.6.14
access-list 1 permit 172.16.6.15
access-list 2 remark Permit SNMP RO
access-list 2 permit 172.16.6.196
access-list 2 deny any log
access-list 3 remark Permit SNMP RW
access-list 3 permit 172.16.6.203
access-list 3 deny any log
access-list 10 remark PERMIT MGMT-SSH ACCESS
access-list 10 permit 172.16.6.106
access-list 10 permit 172.16.6.97
!
snmp-server community cisco RO 2
snmp-server community ilisoldier RW 3
!
line con 0
 password cisco
 logging synchronous
 login
line aux 0
 password cisco
 logging synchronous
 login
line vty 0 4
 access-class 10 in
 password cisco
 logging synchronous
 login local
 transport input ssh
!
end

Company6#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.0.200 to network 0.0.0.0

R    200.0.4.0/24 [120/1] via 172.16.0.200, 00:00:12, Ethernet0/0
R    200.0.5.0/24 [120/1] via 172.16.0.200, 00:00:12, Ethernet0/0
R    200.0.6.0/24 [120/1] via 172.16.0.200, 00:00:12, Ethernet0/0
R    200.0.1.0/24 [120/1] via 172.16.0.200, 00:00:12, Ethernet0/0
R    200.0.2.0/24 [120/1] via 172.16.0.200, 00:00:12, Ethernet0/0
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
R       172.16.255.0/29 [120/1] via 172.16.0.200, 00:00:12, Ethernet0/0
R       172.16.5.0/24 [120/1] via 172.16.0.5, 00:00:18, Ethernet0/0
C       172.16.6.0/24 is directly connected, Ethernet0/1
C       172.16.0.0/24 is directly connected, Ethernet0/0
R       172.16.2.0/24 [120/1] via 172.16.0.2, 00:00:15, Ethernet0/0
R       172.16.3.0/24 [120/1] via 172.16.0.3, 00:00:09, Ethernet0/0
R    200.0.3.0/24 [120/1] via 172.16.0.200, 00:00:14, Ethernet0/0
S*   0.0.0.0/0 [1/0] via 172.16.0.200

Company6#show access-list
Standard IP access list 1
    10 permit 172.16.6.14
    20 permit 172.16.6.15
Standard IP access list 2
    10 permit 172.16.6.196
    20 deny any log
Standard IP access list 3
    10 permit 172.16.6.203
    20 deny any log
Standard IP access list 10
    10 permit 172.16.6.106
    20 permit 172.16.6.97
Standard IP access list RIPv2-IN
    10 permit 172.16.1.0, wildcard bits 0.0.0.255
    20 permit 172.16.2.0, wildcard bits 0.0.0.255
    30 permit 172.16.3.0, wildcard bits 0.0.0.255
    40 permit 172.16.4.0, wildcard bits 0.0.0.255
    50 permit 172.16.5.0, wildcard bits 0.0.0.255
Standard IP access list RIPv2-OUT
    10 permit 172.16.6.0, wildcard bits 0.0.0.255 (108 matches)
Extended IP access list egress-filter
    10 permit tcp host 172.16.6.96 172.16.255.0 0.0.0.7 eq www
    20 permit tcp host 172.16.6.98 172.16.255.0 0.0.0.7 eq 443
    30 deny ip 172.16.6.0 0.0.0.255 172.16.255.0 0.0.0.7 log
    40 permit ip 172.16.6.0 0.0.0.255 any
    50 deny ip any any log
Extended IP access list ingress-filter
    10 deny ip 10.0.0.0 0.255.255.255 any log
    20 deny ip 192.168.0.0 0.0.255.255 any log
    30 deny ip 0.0.0.0 0.255.255.255 any log
    40 deny ip 127.0.0.0 0.255.255.255 any log
    50 deny ip 224.0.0.0 15.255.255.255 any log
    60 deny ip 240.0.0.0 15.255.255.255 any log
    70 deny ip 172.16.6.0 0.0.0.255 any
    80 permit udp 172.16.0.0 0.0.0.255 any eq rip
    90 permit tcp any 172.16.6.0 0.0.0.255 eq www established log
    100 permit tcp any 172.16.6.0 0.0.0.255 established log
    110 permit udp host 209.137.160.3 eq domain 172.16.6.0 0.0.0.255 gt 1023
    120 permit udp host 209.137.160.7 eq domain 172.16.6.0 0.0.0.255 gt 1023
Company6#
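Added example (not part of the original lab file): a small Python evaluator that parses the ingress-filter entries above and applies them with IOS semantics (first match wins, wildcard masks, `established` = ACK or RST set, implicit deny at the end), so the intent behind each remark can be checked against constructed packets such as a spoofed 172.16.6.0/24 source, HTTP return traffic, an unsolicited inbound SYN, a DNS reply from a listed resolver and a RIP update. The packet field names (proto, src, dst, sport, dport, ack) are this example's own convention, not anything from the router.

```python
import ipaddress
PORTS = {"www": 80, "domain": 53, "rip": 520}  # IOS port keywords used in this ACL
# The page's ingress-filter, copied verbatim from its 'show access-list' output.
INGRESS_FILTER = """\
10 deny ip 10.0.0.0 0.255.255.255 any log
20 deny ip 192.168.0.0 0.0.255.255 any log
30 deny ip 0.0.0.0 0.255.255.255 any log
40 deny ip 127.0.0.0 0.255.255.255 any log
50 deny ip 224.0.0.0 15.255.255.255 any log
60 deny ip 240.0.0.0 15.255.255.255 any log
70 deny ip 172.16.6.0 0.0.0.255 any
80 permit udp 172.16.0.0 0.0.0.255 any eq rip
90 permit tcp any 172.16.6.0 0.0.0.255 eq www established log
100 permit tcp any 172.16.6.0 0.0.0.255 established log
110 permit udp host 209.137.160.3 eq domain 172.16.6.0 0.0.0.255 gt 1023
120 permit udp host 209.137.160.7 eq domain 172.16.6.0 0.0.0.255 gt 1023"""

def in_wildcard(addr, base, wc):  # IOS wildcard mask: 1 bits are "don't care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wc))
    return a & ~w == b & ~w

def _addr(t):  # consume 'any' | 'host X' | 'X WILDCARD' -> (base, wildcard)
    tok = t.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    return (t.pop(0), "0.0.0.0") if tok == "host" else (tok, t.pop(0))

def _port(t):  # consume optional 'eq N' / 'gt N' -> (op, port) or None
    if t and t[0] in ("eq", "gt"):
        op, name = t.pop(0), t.pop(0)
        return op, PORTS.get(name) or int(name)

def parse_ace(line):
    t = line.split()[1:]  # drop the sequence number
    action, proto = t.pop(0), t.pop(0)
    src, sport, dst, dport = _addr(t), _port(t), _addr(t), _port(t)
    return action, proto, src, sport, dst, dport, "established" in t

def matches(ace, pkt):  # pkt keys (assumed names): proto, src, dst, sport, dport, ack
    _, proto, src, sport, dst, dport, established = ace
    ports_ok = all(c is None or (p is not None and (p == c[1] if c[0] == "eq" else p > c[1]))
                   for c, p in ((sport, pkt.get("sport")), (dport, pkt.get("dport"))))
    return (proto in ("ip", pkt["proto"]) and ports_ok
            and in_wildcard(pkt["src"], *src) and in_wildcard(pkt["dst"], *dst)
            and (pkt.get("ack", False) or not established))  # established = ACK or RST set

def evaluate(acl, pkt):  # first matching ACE decides; implicit 'deny ip any any' at the end
    return next((ace[0] for ace in acl if matches(ace, pkt)), "deny")

INGRESS = [parse_ace(line) for line in INGRESS_FILTER.splitlines()]
```

Note that in the show run output above, egress-filter and ingress-filter are defined but not applied with ip access-group on Ethernet0/0 or Ethernet0/1, so the evaluator shows what the ingress-filter would do once it is applied inbound on the ISP-facing interface.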