I have R1, R2, and R3, and I want to use Time Based ACLs to effectively help create a security policy that I can apply to R2. I consider R2's fa0/0 the inside network and R2's s0/0 the outside network. I want to allow R1 to open a connection on TCP port 80 to R3, but only during working hours. Working hours are considered Monday through Friday from 9 AM to 5 PM.
To accomplish this, I will create a time range for working hours on R2 and reference this time range with a permit statement within an ACL. Furthermore, I will add another router, R4, to serve as a basic NTP time source for R2.
I'll start with configuring the ntp master on R4.
R4#show clock
13:59:16.415 UTC Mon Sep 12 2011
R4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ntp master 1
Now I'll associate R2 with R4 by pointing R2 at R4 as its NTP server.
R2(config)#ntp server 10.1.24.4
R2(config)#end
R2#show ntp associations
  address         ref clock       st   when   poll  reach  delay   offset   disp
*~10.1.24.4       .LOCL.           1     39     64    377   46.4    -0.09    0.2
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
R2#
Now that I have a basic NTP set up, I'll create a time range called WORK_HOURS on R2.
R2(config)#time-range WORK_HOURS
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#exit
R2(config)#
Now I'll create an ACL allowing access from the inside to the outside on TCP port 80 and reference the time range in the permit entry.
R2(config)#ip access-list extended HTTP
R2(config-ext-nacl)#permit tcp any host 10.1.23.3 eq 80 time-range WORK_HOURS
R2(config-ext-nacl)#
I'll verify that the clock is currently within working hours.
R2#sh clock
15:21:40.945 CDT Mon Sep 12 2011
Now when I show the access list, I see (active) next to the entry. Note that IOS displays port 80 using its well-known name, www.
R2#show access-list
Extended IP access list HTTP
10 permit tcp any host 10.1.23.3 eq www time-range WORK_HOURS (active)
For testing purposes, I'll change the time on R4, the NTP master, wait a bit for it to sync, and see how that affects the ACL entry.
R4#clock set 17:08:00 12 sep 2011
On R2, I'll verify that the clock has updated.
R2#show clock
17:11:21.961 CDT Mon Sep 12 2011
R2#show access-list
Extended IP access list HTTP
10 permit tcp any host 10.1.23.3 eq www time-range WORK_HOURS (inactive)
Now the entry shows as inactive. This also demonstrates that the policy is only as trustworthy as R2's time source: a change to the NTP master's clock changes what the ACL permits.
While the entry is inactive, I'll apply the ACL to the inside interface and expect it to block the connection when I attempt to connect from R1 to R3 on TCP port 80. Keep in mind that the ACL contains a single permit entry, so the implicit deny at its end drops all other inbound traffic on fa0/0 regardless of the time of day.
R2(config)#int fa0/0
R2(config-if)#access-list HTTP in
R2(config-if)#ip access-group HTTP in
On R1:
R1#copy http://jason:cisco@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin null:
%Error opening http://*****:*****@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin (I/O error)
R1#
Now I'll set the clock on the NTP master back to a time within the time range and wait for R2 to sync.
R4#clock set 16:00:00 12 sep 2011
On R2, I'll look at the ACL and see that it is currently active.
R2#sh access-list
Extended IP access list HTTP
10 permit tcp any host 10.1.23.3 eq www time-range WORK_HOURS (active)
Another attempt to copy the file now succeeds.
R1#copy http://jason:cisco@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin null:
Loading http://*****:*****@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin !!!!!!!!!
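To make the evaluation order explicit, here is a small Python model of how the time-based entry above gates the ACL, written as an added example for this page rather than anything from IOS or the original post. It parses the `periodic weekdays 09:00 to 17:00` statement, replays the two clock readings shown above (15:21 active, 17:11 inactive), and adds cases the post does not exercise: the inclusive end minute, a weekend, and a non-HTTP packet during working hours that still hits the implicit deny. R1's source address (10.1.12.1) is a constructed placeholder because the post never shows it, and the minute granularity and inclusive end time are assumptions about IOS behaviour noted in the comments.

```python
"""Model of IOS time-based ACL evaluation (added example, not IOS code).

Assumptions (not from the original post): the periodic range is checked against
the router's local clock at minute granularity, and the end time is inclusive
(IOS documentation uses `00:00 to 23:59` to cover a whole day).
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set

# IOS `periodic` day keywords mapped to Python weekday numbers (Mon=0 .. Sun=6)
DAY_KEYWORDS = {
    "daily": set(range(7)),
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


@dataclass
class Periodic:
    """One `periodic <days> HH:MM to HH:MM` statement inside a time-range."""
    days: Set[int]
    start: time
    end: time

    @classmethod
    def parse(cls, statement: str) -> "Periodic":
        # e.g. "periodic weekdays 09:00 to 17:00"
        parts = statement.split()
        if parts[0] != "periodic" or parts[-2] != "to":
            raise ValueError(f"not a periodic statement: {statement!r}")
        days: Set[int] = set()
        for keyword in parts[1:-3]:
            days |= DAY_KEYWORDS[keyword.lower()]
        return cls(days, time.fromisoformat(parts[-3]), time.fromisoformat(parts[-1]))

    def is_active(self, now: datetime) -> bool:
        # Truncate to the minute: the range is defined in HH:MM, end inclusive (assumption).
        clock = now.time().replace(second=0, microsecond=0)
        return now.weekday() in self.days and self.start <= clock <= self.end


@dataclass
class Ace:
    """One access-list entry, the shape of `permit tcp any host 10.1.23.3 eq 80`."""
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip"
    src: str                          # "any" or a host address
    dst: str
    dport: Optional[int] = None
    time_range: Optional[Periodic] = None

    def matches(self, pkt: Dict[str, object], now: datetime) -> bool:
        if self.time_range is not None and not self.time_range.is_active(now):
            return False              # the entry IOS displays as (inactive) is skipped
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.src != "any" and pkt["src"] != self.src:
            return False
        if self.dst != "any" and pkt["dst"] != self.dst:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate_acl(acl: List[Ace], pkt: Dict[str, object], now: datetime) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt, now):
            return ace.action
    return "deny (implicit)"


WORK_HOURS = Periodic.parse("periodic weekdays 09:00 to 17:00")

# R2's ACL exactly as shown in the post; the implicit deny is supplied by evaluate_acl.
HTTP_ACL = [Ace(10, "permit", "tcp", "any", "10.1.23.3", 80, WORK_HOURS)]

# Constructed packets: R1's address is not given in the post, 10.1.12.1 is a placeholder.
HTTP_FROM_R1 = {"proto": "tcp", "src": "10.1.12.1", "dst": "10.1.23.3", "dport": 80}
SSH_FROM_R1 = {"proto": "tcp", "src": "10.1.12.1", "dst": "10.1.23.3", "dport": 22}


def demo() -> Dict[str, str]:
    """Replay the post's two clock readings plus edge cases; returns verdict per case."""
    cases = {
        "mon_15:21_http": (HTTP_FROM_R1, datetime(2011, 9, 12, 15, 21)),     # (active) in post
        "mon_17:11_http": (HTTP_FROM_R1, datetime(2011, 9, 12, 17, 11)),     # (inactive) in post
        "mon_17:00_http": (HTTP_FROM_R1, datetime(2011, 9, 12, 17, 0, 30)),  # end minute, inclusive
        "mon_15:21_ssh": (SSH_FROM_R1, datetime(2011, 9, 12, 15, 21)),       # implicit deny in hours
        "sat_10:00_http": (HTTP_FROM_R1, datetime(2011, 9, 17, 10, 0)),      # weekend
    }
    return {name: evaluate_acl(HTTP_ACL, pkt, now) for name, (pkt, now) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The `mon_15:21_ssh` case is the one worth noticing: during working hours the HTTP entry is active, but anything that does not match it still meets the implicit deny, which is exactly what happens on R2's fa0/0 with the single-entry ACL shown above.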