I have R1, R2, and R3, and I want to use time-based ACLs to build a security policy that I can apply to R2. I consider R2's fa0/0 the inside network and R2's s0/0 the outside network. I want to allow R1 to open a connection on TCP port 80 to R3, but only during working hours. Working hours are Monday through Friday from 9 AM to 5 PM.
To accomplish this, I will create a time range for working hours on R2 and reference that time range from a permit statement within an ACL. Furthermore, I will add another router, R4, to serve as a basic NTP time source for R2, since a time-based ACL is only as good as the clock it is evaluated against.
I'll start by configuring the NTP master on R4.

R4#show clock
13:59:16.415 UTC Mon Sep 12 2011
R4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ntp master 1

Now I'll associate R2 with R4.
R2(config)#ntp server 10.1.24.4
R2(config)#end
R2#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.24.4        .LOCL.            1    39    64   377    46.4   -0.09     0.2
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R2#

Now that I have basic NTP set up, I'll create a time range called WORK_HOURS on R2. One detail worth keeping in mind: NTP carries UTC, but a time range is evaluated against the router's local clock, so the clock timezone and clock summer-time settings on R2 decide when "09:00 to 17:00" actually falls.
R2(config)#time-range WORK_HOURS
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#exit
R2(config)#

Now I'll create an extended ACL that allows access from the inside to the outside on TCP 80 and references the time range.
R2(config)#ip access-list extended HTTP
R2(config-ext-nacl)#permit tcp any host 10.1.23.3 eq 80 time-range WORK_HOURS
R2(config-ext-nacl)#

I'll verify that R2's clock is currently within working hours.
R2#sh clock
15:21:40.945 CDT Mon Sep 12 2011

Now when I show the access list, I see (active) next to the entry (IOS displays the port I entered as eq 80 by its well-known name, www).

R2#show access-list
Extended IP access list HTTP
    10 permit tcp any host 10.1.23.3 eq www time-range WORK_HOURS (active)

For testing purposes, I'll change the time on R4, the NTP master, wait for R2 to resync, and see how that affects the ACL entry.
R4#clock set 17:08:00 12 sep 2011

On R2, I'll verify that the clock has updated.

R2#show clock
17:11:21.961 CDT Mon Sep 12 2011
R2#show access-list
Extended IP access list HTTP
    10 permit tcp any host 10.1.23.3 eq www time-range WORK_HOURS (inactive)

Now the entry shows as inactive. Note what this demonstrates: whoever controls R2's time source controls whether the policy is enforced. Outside a lab, the NTP association should be authenticated (ntp authenticate, ntp authentication-key and ntp trusted-key on both routers, and the key keyword on the ntp server line) so that a spoofed server cannot shift R2's clock into or out of the window.
While the entry is inactive, I'll apply the ACL inbound on the inside interface. Because the only permit entry is inactive and every IOS ACL ends with an implicit deny, I expect the connection from R1 to R3 on TCP port 80 to fail. Keep in mind that the same implicit deny drops everything else R1 sends through fa0/0, not just HTTP, so in a real deployment any other required traffic needs its own permit entries.

R2(config)#int fa0/0
R2(config-if)#ip access-group HTTP in

On R1:

R1#copy http://jason:cisco@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin null:
%Error opening http://*****:*****@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin (I/O error)
R1#

Now I'll set the NTP master's clock back inside the time-range window and wait for R2 to resync.
R4#clock set 16:00:00 12 sep 2011

On R2, I'll look at the ACL and see that it is active again.

R2#sh access-list
Extended IP access list HTTP
    10 permit tcp any host 10.1.23.3 eq www time-range WORK_HOURS (active)

Another attempt to copy the file now succeeds.

R1#copy http://jason:cisco@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin null:
Loading http://*****:*****@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin !!!!!!!!!
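As an added example, not code from the original post, here is a small Python model of the decision IOS is making in the output above: whether an entry tagged with a time-range is (active) at a given local clock value, and what the ACL then does to a packet once an inactive entry is skipped and the implicit deny applies. The WORK_HOURS range, the HTTP entry and the show clock strings are the ones from R2; everything else is assumed: the periodic syntax it accepts (day keywords, optional explicit end day), an end minute that is inclusive, and rejecting a same-day range whose end precedes its start rather than guessing that it runs into the next day. It goes slightly beyond the post by handling ranges that span midnight across the Sunday/Monday boundary.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Added example (not from the original post): offline model of IOS time-range
# evaluation and of first-match ACL processing with the implicit deny.
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"daily": list(range(7)), "weekdays": list(range(5)), "weekend": [5, 6]}
MIN_PER_DAY = 24 * 60
MIN_PER_WEEK = 7 * MIN_PER_DAY

def parse_show_clock(line: str) -> datetime:
    """'15:21:40.945 CDT Mon Sep 12 2011' (IOS `show clock`) -> naive datetime.
    The zone token is dropped: the value is already the router's local time."""
    hms, _zone, rest = line.split(" ", 2)
    return datetime.strptime(f"{hms} {rest}", "%H:%M:%S.%f %a %b %d %Y")

def _hhmm(text: str) -> int:
    """'09:00' -> minutes since midnight, rejecting out-of-range values."""
    h, m = (int(x) for x in text.split(":"))
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"bad time {text!r}")
    return h * 60 + m

def _days(tokens: List[str]) -> List[int]:
    """Expand 'weekdays', 'weekend', 'daily' or day names into indexes (Mon=0)."""
    days: List[int] = []
    for tok in tokens:
        if tok in DAY_GROUPS:
            days.extend(DAY_GROUPS[tok])
        elif tok in DAYS:
            days.append(DAYS.index(tok))
        else:
            raise ValueError(f"unknown day keyword {tok!r}")
    return days

def parse_periodic(statement: str) -> List[Tuple[int, int]]:
    """Arguments of one `periodic` line -> (start, end) intervals in minutes
    from Monday 00:00.  Modelled syntax: periodic <days> hh:mm to [<day>] hh:mm.
    A range that runs past Sunday 23:59 is split into two intervals."""
    tok = statement.lower().split()
    to = tok.index("to")
    start_days, start = _days(tok[:to - 1]), _hhmm(tok[to - 1])
    end_days, end = _days(tok[to + 1:-1]), _hhmm(tok[-1])
    if end_days:  # explicit end day: a single span, possibly wrapping the week
        if len(start_days) != 1 or len(end_days) != 1:
            raise ValueError("an end day requires exactly one start day")
        s = start_days[0] * MIN_PER_DAY + start
        e = end_days[0] * MIN_PER_DAY + end
        return [(s, e)] if s <= e else [(s, MIN_PER_WEEK - 1), (0, e)]
    if end < start:  # assumption: fail closed instead of guessing a next-day end
        raise ValueError("end precedes start; give an explicit end day")
    return [(d * MIN_PER_DAY + start, d * MIN_PER_DAY + end) for d in start_days]

@dataclass
class TimeRange:
    name: str
    intervals: List[Tuple[int, int]] = field(default_factory=list)

    def periodic(self, statement: str) -> "TimeRange":
        self.intervals += parse_periodic(statement)
        return self

    def is_active(self, when: datetime) -> bool:
        """`when` is the router's local clock (timezone/summer-time applied; NTP
        carries UTC).  Assumption: the end minute is inclusive."""
        t = when.weekday() * MIN_PER_DAY + when.hour * 60 + when.minute
        return any(s <= t <= e for s, e in self.intervals)

def ace_state(tr: TimeRange, when: datetime) -> str:
    """The suffix `show access-list` prints after a time-ranged entry."""
    return "(active)" if tr.is_active(when) else "(inactive)"

@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol
    dst: str                           # "any" or a host address
    port: Optional[int] = None         # destination port, None = any
    time_range: Optional[TimeRange] = None

    def matches(self, proto: str, dst: str, port: Optional[int], when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.is_active(when):
            return False  # an inactive entry is skipped as if it were absent
        return (self.proto in ("ip", proto) and self.dst in ("any", dst)
                and (self.port is None or self.port == port))

def acl_action(acl: List[Ace], proto: str, dst: str, port: Optional[int], when: datetime) -> str:
    """First matching entry wins; nothing matching hits the implicit deny."""
    for ace in acl:
        if ace.matches(proto, dst, port, when):
            return ace.action
    return "deny"

# The objects configured on R2 in the post.
WORK_HOURS = TimeRange("WORK_HOURS").periodic("weekdays 09:00 to 17:00")
HTTP = [Ace("permit", "tcp", "10.1.23.3", 80, WORK_HOURS)]

if __name__ == "__main__":
    for clock in ("15:21:40.945 CDT Mon Sep 12 2011", "17:11:21.961 CDT Mon Sep 12 2011"):
        when = parse_show_clock(clock)
        print(clock, ace_state(WORK_HOURS, when),
              "http:", acl_action(HTTP, "tcp", "10.1.23.3", 80, when),
              "icmp:", acl_action(HTTP, "icmp", "10.1.23.3", None, when))
```

Running it reproduces the two states seen on R2 and also makes the implicit-deny consequence visible: at 16:00 HTTP to 10.1.23.3 is permitted, but ICMP to the same host, or HTTP on any other port, is denied at every time of day, and after 17:00 HTTP joins them. The fail-closed ValueError on an ambiguous range is deliberate: a policy checker that silently guesses the boundary is worse than one that refuses.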