
ACLs ASSIGNMENT SOLUTION

NOTE. I don't know whether the questions are mutually exclusive, but for the purposes of the solution I have treated them as going from less to more. For A, I have taken only those considerations; for B, those plus the previous ones; and so on:

QUESTION A

(The IOS Command Line Interface tab, when copied and pasted into Word, comes out with all the errors one has made, so I have chosen to copy only the show access-lists command; however, it does not show the interface to which the ACL is applied, so I have also copied the output of the show ip interface command.)

    R1#show access-lists
    Extended IP access list 110
        permit tcp host 160.121.33.0 host 200.106.56.13 eq domain
        permit tcp host 160.121.53.67 host 200.106.56.13 eq domain
    R1#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 160.121.32.1/19
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is 110

    R4#show access-lists
    Extended IP access list 111
        permit tcp host 154.56.18.28 host 200.106.56.13 eq domain
        permit tcp host 154.56.20.255 host 200.106.56.13 eq domain
    R4#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 154.56.16.1/21
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is 111

    R3#show access-lists
    Extended IP access list 113
        deny tcp 160.121.32.0 0.0.31.255 host 200.106.56.13 eq domain
        deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq domain
        permit tcp any host 200.106.56.13
    R3#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 200.106.56.2/24
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is 113
      Inbound access list is not set

QUESTION B

In addition to the previous configurations, these are added:

    R1#show access-lists
    Extended IP access list 110
        permit tcp host 160.121.33.0 host 200.106.56.13 eq domain
        permit tcp host 160.121.53.67 host 200.106.56.13 eq domain
    Extended IP access list 120
        permit tcp host 160.121.53.67 host 200.106.56.13 eq www
    R1#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 160.121.32.1/19
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is 120

IT SHOWS ONLY THE LAST ONE (120), NO LONGER THE PREVIOUS ONE (110); HOWEVER, BOTH DO APPEAR IN SHOW ACCESS-LISTS.

    R4#show access-lists
    Extended IP access list 111
        permit tcp host 154.56.18.28 host 200.106.56.13 eq domain
        permit tcp host 154.56.20.255 host 200.106.56.13 eq domain
    Extended IP access list 121
        permit tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq www
    R4#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 154.56.16.1/21
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is 121

NOTE.- It seems to me that, since a previous ACL already exists on R3, it is no longer necessary to deny traffic to the Web Server on this router, because the implicit deny will take care of denying everything else.
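Added example (not part of the original assignment): a small Python model of how the single extended ACL bound to an interface direction is evaluated, first match wins with an implicit deny at the end, run over ACLs 110, 120 and 113 copied from the output above. The helper names and test packets are constructed for illustration, and the parser handles only the entry forms that appear on this page.

```python
import ipaddress

PORTS = {"domain": 53, "www": 80}  # IOS port keywords that appear on this page

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse 'action proto src dst [eq port]' as printed by show access-lists."""
    t = line.split()
    ace, i = {"action": t[0], "proto": t[1], "dport": None}, 2
    for side in ("src", "dst"):
        if t[i] == "any":                      # any = wildcard 255.255.255.255
            ace[side], i = (0, 0xFFFFFFFF), i + 1
        elif t[i] == "host":                   # host = wildcard 0.0.0.0
            ace[side], i = (ip(t[i + 1]), 0), i + 2
        else:                                  # address followed by wildcard mask
            ace[side], i = (ip(t[i]), ip(t[i + 1])), i + 2
    if i < len(t) and t[i] == "eq":            # eq after dst = destination port
        ace["dport"] = PORTS.get(t[i + 1]) or int(t[i + 1])
    return ace

def addr_match(addr, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF              # wildcard bit 1 means "don't care"
    return (ip(addr) & care) == (base & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching line number); no match is the implicit deny."""
    for n, line in enumerate(acl, 1):
        a = parse_ace(line)
        if (a["proto"] == proto and addr_match(src, *a["src"])
                and addr_match(dst, *a["dst"]) and a["dport"] in (None, dport)):
            return a["action"], n
    return "deny", None

# Entries copied from the show access-lists output on this page
ACL_110 = ["permit tcp host 160.121.33.0 host 200.106.56.13 eq domain",
           "permit tcp host 160.121.53.67 host 200.106.56.13 eq domain"]
ACL_120 = ["permit tcp host 160.121.53.67 host 200.106.56.13 eq www"]
ACL_113 = ["deny tcp 160.121.32.0 0.0.31.255 host 200.106.56.13 eq domain",
           "deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq domain",
           "permit tcp any host 200.106.56.13"]

DNS = ("tcp", "160.121.53.67", "200.106.56.13", 53)  # constructed test packet

if __name__ == "__main__":
    print("R1 inbound with 110 bound:", evaluate(ACL_110, *DNS))
    print("R1 inbound with 120 bound:", evaluate(ACL_120, *DNS))
    print("R3 outbound 113, port 80: ",
          evaluate(ACL_113, "tcp", "160.121.40.9", "200.106.56.13", 80))
```

With ACL 120 bound inbound in place of 110, the TCP port 53 flow that 110 permitted no longer matches any entry and falls through to the implicit deny.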

QUESTION C

In addition to the previous configurations, these are added:

    R4#show access-lists
    Extended IP access list 111
        permit tcp host 154.56.18.28 host 200.106.56.13 eq domain
        permit tcp host 154.56.20.255 host 200.106.56.13 eq domain
    Extended IP access list 121
        permit tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq www
    Extended IP access list 131
        permit tcp host 154.56.18.28 host 200.106.56.21 eq 20
    R4#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 154.56.16.1/21
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is 131

    R1#show access-lists
    Extended IP access list 110
        permit tcp host 160.121.33.0 host 200.106.56.13 eq domain
        permit tcp host 160.121.53.67 host 200.106.56.13 eq domain
    Extended IP access list 120
        permit tcp host 160.121.53.67 host 200.106.56.13 eq www
    Extended IP access list 130
        permit tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
    R1#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 160.121.32.1/19
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is 130

NOTE.- Here it seems to me that FTP traffic must be denied on R2 in order to force the use of the FTP gateway, which is R3. So:

    R2#show access-lists
    Extended IP access list F0-OUT
        permit udp 160.121.32.0 0.0.31.255 host 200.106.56.13 eq domain
        permit udp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq domain
    Extended IP access list 132
        deny tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
        deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.21 eq 20
    R2#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 200.106.56.1/24
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is 132

QUESTION D

In addition to the previous configurations, these are added:

    R1#show access-lists
    Extended IP access list 110
        permit tcp host 160.121.33.0 host 200.106.56.13 eq domain
        permit tcp host 160.121.53.67 host 200.106.56.13 eq domain
    Extended IP access list 120
        permit tcp host 160.121.53.67 host 200.106.56.13 eq www
    Extended IP access list 130
        permit tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
    Extended IP access list 140
        deny icmp 160.121.32.0 0.0.31.255 200.106.56.0 0.0.0.255
        deny tcp 160.121.32.0 0.0.31.255 200.106.56.0 0.0.0.255 eq 7

I have put 2 forms, since some references state that ICMP traffic is written after the permit or deny. Others say that it is considered part of TCP on port 7.

    R1#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 160.121.32.1/19
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is 140

    R4#show access-lists
    Extended IP access list 121
        permit tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq www
    Extended IP access list 131
        permit tcp host 154.56.18.28 host 200.106.56.21 eq 20
    Extended IP access list 141
        deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.0 eq 7
        deny icmp 154.56.16.0 0.0.7.255 host 200.106.56.0

In the same way, I have put 2 forms, since some references state that ICMP traffic is written after the permit or deny. Others say that it is considered part of TCP on port 7.

    R4#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 154.56.16.1/21
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is 141

    R2#show access-lists
    Extended IP access list F0-OUT
        permit udp 160.121.32.0 0.0.31.255 host 200.106.56.13 eq domain
        permit udp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq domain
    Extended IP access list 132
        deny tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
        deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.21 eq 20
    Extended IP access list 150
        permit tcp host 200.106.56.13 160.121.32.0 0.0.31.255 eq 7
        permit tcp host 200.106.56.13 154.56.16.0 0.0.7.255 eq 7
    R2#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 200.106.56.1/24
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is 132
      Inbound access list is 150

    R3#show access-lists
    Extended IP access list 113
        permit tcp any host 200.106.56.13
    Extended IP access list 151
        permit tcp host 200.106.56.21 160.121.32.0 0.0.31.255 eq 7
        permit tcp host 200.106.56.21 154.56.16.0 0.0.7.255 eq 7
    R3#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 200.106.56.2/24
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is 113
      Inbound access list is 151

QUESTION E

In addition to the previous configurations, these are added:

I tried to run the following command, but the system does not accept it:

    R1(config)#access-list 160 permit tcp 160.121.33.0 0.0.0.0 any eq ssh
    ^
    % Invalid input detected at '^' marker.

It does not accept the following command either:

    R1(config)#access-list 160 permit tcp 160.121.33.0 0.0.0.0 any eq https
    ^
    % Invalid input detected at '^' marker.

QUESTION F

In addition to the previous configurations, these are added:

    R1#show access-lists
    Extended IP access list 120
        permit tcp host 160.121.53.67 host 200.106.56.13 eq www
    Extended IP access list 130
        permit tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
    Extended IP access list 140
        deny icmp 160.121.32.0 0.0.31.255 200.106.56.0 0.0.0.255
        deny tcp 160.121.32.0 0.0.31.255 200.106.56.0 0.0.0.255 eq 7
    Extended IP access list 170
        permit udp 160.121.32.0 0.0.31.255 any eq 520
    Extended IP access list 171
        permit udp any 160.121.32.0 0.0.31.255 eq 520
    R1#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 160.121.32.1/19
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is 171
      Inbound access list is 170

    R4#show access-lists
    Extended IP access list 121
        permit tcp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq www
    Extended IP access list 131
        permit tcp host 154.56.18.28 host 200.106.56.21 eq 20
    Extended IP access list 141
        deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.0 eq 7
        deny icmp 154.56.16.0 0.0.7.255 host 200.106.56.0
    Extended IP access list 180
        permit udp 154.56.16.0 0.0.7.255 any eq 520
    Extended IP access list 181
        permit udp any 154.56.16.0 0.0.7.255 eq 520
    R4#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 154.56.16.1/21
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is 181
      Inbound access list is 180

    R2#show access-lists
    Extended IP access list F0-OUT
        permit udp 160.121.32.0 0.0.31.255 host 200.106.56.13 eq domain
        permit udp 154.56.16.0 0.0.7.255 host 200.106.56.13 eq domain
    Extended IP access list 132
        deny tcp 160.121.32.0 0.0.31.255 host 200.106.56.21 eq 20
        deny tcp 154.56.16.0 0.0.7.255 host 200.106.56.21 eq 20
    Extended IP access list 150
        permit tcp host 200.106.56.13 160.121.32.0 0.0.31.255 eq 7
        permit tcp host 200.106.56.13 154.56.16.0 0.0.7.255 eq 7
    Extended IP access list 190
        permit udp 200.106.56.0 0.0.0.255 any eq 520 (3 match(es))
    Extended IP access list 191
        permit udp any 200.106.56.0 0.0.0.255 eq 520
    R2#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 200.106.56.1/24
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is 191
      Inbound access list is 190

    R3#show access-lists
    Extended IP access list 113
        permit tcp any host 200.106.56.13
    Extended IP access list 151
        permit tcp host 200.106.56.21 160.121.32.0 0.0.31.255 eq 7
        permit tcp host 200.106.56.21 154.56.16.0 0.0.7.255 eq 7
    Extended IP access list 195
        permit udp 200.106.56.0 0.0.0.255 any eq 520 (3 match(es))
    Extended IP access list 196
        permit udp any 200.106.56.0 0.0.0.255 eq 520
    R3#show ip interface
    FastEthernet0/0 is up, line protocol is up (connected)
      Internet address is 200.106.56.2/24
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is 196
      Inbound access list is 195
