
The show time-range Command

In the document Cisco ® Certified (pages 100-105)

ip access-list extended lan-web
 permit tcp 192.168.15.0 0.0.0.255 any eq www time-range web-test
!
interface ethernet 0
 ip access-group lan-web in

The show time-range Command

The show time-range command can be used to display the current status of the time ranges and list the periodic and absolute attributes.

Rtr1#show time-range
time-range entry: WeekdayEves (inactive)
   absolute start 08:00 01 December 2004 end 08:00 03 January 2005
   periodic weekdays 17:00 to 22:00
time-range entry: weekdayeves (active)
   used in: IP ACL entry
time-range entry: worktime (active)
   absolute start 08:00 01 December 2004 end 08:00 03 January 2005
   periodic weekdays 8:00 to 18:00
   used in: IP ACL entry
Rtr1#conf t

The output shows two defined time ranges, WeekdayEves and worktime, but it also shows an undefined time range, weekdayeves. That entry is used in an ACL, indicating someone tried to use WeekdayEves and forgot that the names are case sensitive. The result in this case is that, since no times are defined for it, the ACL statement is active all of the time.
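As an added example (not from the book), here is a small Python check that parses show time-range output like the one above and flags the exact failure mode just described: a time range that an ACL entry references but that has no periodic or absolute definition, so the entry is effectively always active. It also groups names that differ only in case, the usual cause of such a dangling reference. The sample output is constructed to reproduce the WeekdayEves/weekdayeves mismatch, and the parser assumes the line layout shown on this page.

```python
import re
from typing import Dict, List

# Constructed sample output, laid out as on this page: WeekdayEves is defined,
# but an ACL references weekdayeves, which has no absolute or periodic times.
SAMPLE_OUTPUT = """\
Rtr1#show time-range
time-range entry: WeekdayEves (inactive)
   absolute start 08:00 01 December 2004 end 08:00 03 January 2005
   periodic weekdays 17:00 to 22:00
time-range entry: weekdayeves (active)
   used in: IP ACL entry
time-range entry: worktime (active)
   absolute start 08:00 01 December 2004 end 08:00 03 January 2005
   periodic weekdays 8:00 to 18:00
   used in: IP ACL entry
"""

# Entry header; the trailing group catches a 'used in:' fused onto the same line.
ENTRY_RE = re.compile(r"^time-range entry:\s+(\S+)\s+\((active|inactive)\)\s*(.*)$")


def parse_time_ranges(text: str) -> Dict[str, dict]:
    """Parse 'show time-range' output into {name: attributes}.

    Attribute lines (absolute, periodic, used in) belong to the most recently
    seen 'time-range entry:' header.
    """
    ranges: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            name, state, rest = m.groups()
            current = {"state": state, "absolute": [], "periodic": [], "used_in": []}
            ranges[name] = current
            line = rest          # fall through in case 'used in:' shares the line
        if current is None or not line:
            continue
        if line.startswith("absolute "):
            current["absolute"].append(line)
        elif line.startswith("periodic "):
            current["periodic"].append(line)
        elif line.startswith("used in:"):
            current["used_in"].append(line.split(":", 1)[1].strip())
    return ranges


def find_undefined_references(ranges: Dict[str, dict]) -> List[str]:
    """Names referenced by an ACL entry but carrying no absolute or periodic
    definition. Such an entry is not time-limited at all: it is active all the time."""
    return [name for name, tr in ranges.items()
            if tr["used_in"] and not tr["absolute"] and not tr["periodic"]]


def find_case_collisions(ranges: Dict[str, dict]) -> List[List[str]]:
    """Groups of names that differ only in case, the usual cause of an undefined
    reference, since time-range names are case sensitive."""
    by_lower: Dict[str, List[str]] = {}
    for name in ranges:
        by_lower.setdefault(name.lower(), []).append(name)
    return [names for names in by_lower.values() if len(names) > 1]


if __name__ == "__main__":
    parsed = parse_time_ranges(SAMPLE_OUTPUT)
    for name in find_undefined_references(parsed):
        print(f"time-range {name!r} is used in an ACL but defines no times (always active)")
    for group in find_case_collisions(parsed):
        print("names differing only in case:", ", ".join(group))
```

Run against a saved copy of real show time-range output, the same two checks catch a dangling reference before the ACL goes into service; the case-collision report points straight at the typo to fix.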

Chapter Review

Many simple device configuration techniques can add to the security of the network. To a great extent, these often fall into the category of commonsense practices, such as using administrative access passwords on all device access points.

As Cisco moves more and more devices to IOS-based command structures, access lists remain a need-to-know technology. While not a complete security solution, access lists are an integral part of any security program.

Standard access lists filter based on source address alone, creating a simple, yet powerful, tool for blocking all traffic or access to a host, subnet, or network. Standard ACLs can be used for traffic filtering, limiting access to Telnet sessions, limiting access to Web browsers trying to access a Cisco router or switch, filtering routing updates, and focusing commands like debug ip packet to conserve router resources.

Extended access lists can be used to filter on protocol, source address, destination address, source and destination port identifiers for TCP and UDP traffic, and various powerful options. The TCP Established option can be used to limit TCP traffic only to what originated within the network.

Named access lists are a variation on numbered ACLs, available for both standard and extended versions. Named ACLs are easier to create than numbered lists, and allow limited editing and deletion of specific statements that can’t be done with numbered lists. They can be descriptive of their purpose and, therefore, easier for follow-up support to work with. Some IOS features and all IOS versions prior to 11.2 don’t support named ACLs, requiring some thought in mixed environments. Some newer features like reflexive ACLs only work with named lists, so it’s probably safe to say they’re going to be a bigger, rather than smaller, part of the future.

Questions

1. Which of the following interface types is least likely to be on a firewall appliance?

A. Fast Ethernet
B. Serial
C. Ethernet
D. Token Ring

2. Which of the following would not be considered a basic security step in a router configuration?

A. Setting access privilege levels
B. Setting an MOTD banner to welcome the user to the device
C. Encrypting passwords in the configuration files
D. Setting all passwords

3. Which of the following is not true about numbered access lists?

A. An ACL is made up of one or more permit or deny statements.
B. If an ACL doesn’t have at least one permit statement, it will deny everything.
C. All ACL statements with the same number are part of the same ACL.
D. New statements are always added to the top of the list statements.
E. ACL statements must be entered sequentially to be processed properly.
F. An ACL can be added to (appended), but not edited. Any attempt to edit an item will delete the entire ACL.

4. Which one of the following will deny access to a class C network?

A. Rtr1(config)#access-list 15 deny 192.168.1.0 255.255.255.0
B. Rtr1(config)#access-list 15 deny 192.168.1.0 0.0.0.255

C. Rtr1(config-acl)#access-list 15 deny 192.168.1.0 255.255.255.0
D. Rtr1(config-acl)#access-list 15 deny 192.168.1.0 0.0.0.255

5. What is the ACL line to deny the subnet 192.168.1.16 subnet mask 255.255.255.240?

A. access-list 15 deny 192.168.1.16 0.0.0.255
B. access-list 15 deny 192.168.1.0 0.0.0.16
C. access-list 15 deny 192.168.1.16 0.0.0.15
D. access-list 15 deny 192.168.1.16 0.0.0.31

6. With the Log option for ACLs, a message appears when the first match occurs, and then at what interval as long as matches continue?

A. One minute
B. Five minutes
C. Ten minutes
D. Thirty minutes

7. When limiting access to Telnet sessions, which command would work?

A. access-group 15 in
B. access-group 15 out
C. access-class 15 in
D. access-class 15 out
E. access-session 15 in

8. Which two commands could be used to secure the web browser access to a device?

A. ip http server
B. no ip http server
C. ip http access-class 90
D. ip http access-group 90

9. Which of the following protocols uses the established option?

A. UDP
B. ICMP
C. TCP
D. IGRP

10. Numbered extended ACLs are created in which mode?

A. Privilege mode
B. Global Configuration mode
C. Local Configuration mode
D. Access Configuration mode

11. Which statement is not true about named access lists?

A. Named access lists aren’t compatible with older IOS releases (pre-11.2).
B. A standard access list and an extended access list can’t have the same name.
C. Names must begin with an alphanumeric character and are case sensitive.
D. All processes that use access lists can use a named ACL.

12. Which statement will create a named extended ACL?

A. Rtr1(config)#ip extended access-list tcp-control
B. Rtr1(config)#ip access-list named extended tcp-control
C. Rtr1(config)#ip access-list extended tcp-control
D. Rtr1(config-ext-nacl)#ip access-list extended tcp-control

13. The time-based ACL statements are relative to which one of the following?

A. The computer clock
B. The world clock
C. The router clock
D. The day, month, and year

14. Which command will define a periodic time range?

A. Router(config-time-range)#periodic tuesday thursday 17:00 to 22:00
B. Router(config-time)#periodic tuesday thursday 17:00 to 22:00
C. Router(config-time-range)#periodic tuesday, thursday 17:00 to 22:00
D. Router(config-time)#periodic tuesday, thursday 17:00 to 22:00

15. Which statement is true about defining a time range?

A. A time range can have either periodic or absolute times.
B. A time range can have one periodic and multiple absolute times.
C. A time range can have multiple periodic and one absolute time.
D. A time range can have one periodic and one absolute time.

16. Which one of the following is true about the Established option in a TCP access list?

A. Outbound traffic is limited to established customers.
B. Outbound traffic is limited to sessions originating outside the network.
C. Inbound traffic is limited to sessions originating outside the network.
D. Inbound traffic is limited to sessions originating inside the network.

17. In the following ACL, what is the impact of the third statement?

access-list 101 deny tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 any eq telnet
access-list 101 permit ip any any

A. It allows network 192.168.3.0 to access 192.168.1.0 for web access.
B. It allows network 192.168.1.0 to access 192.168.2.0 for web access.
C. It allows network 192.168.3.0 to access any network for web access.
D. The line does nothing at all.

Answers

1. B. Serial. Firewall devices, such as the PIX box, use LAN interfaces.
2. B. Setting a MOTD banner to welcome the user to the device
3. D. New statements are always added to the top of the list statements. (They’re actually appended to the bottom of the list.)
4. B. Rtr1(config)#access-list 15 deny 192.168.1.0 0.0.0.255
5. C. access-list 15 deny 192.168.1.16 0.0.0.15
6. B. Five minutes
7. C. access-class 15 in
8. B. no ip http server; C. ip http access-class 90
9. C. TCP
10. B. Global Configuration mode
11. D. All processes that use access lists can use a named ACL.
12. C. Rtr1(config)#ip access-list extended tcp-control
13. C. The router clock. If the router clock is wrong, the statements will be implemented wrong.
14. A. Router(config-time-range)#periodic tuesday thursday 17:00 to 22:00
15. C. A time range can have multiple periodic and one absolute time
16. D. Inbound traffic is limited to sessions originating inside the network.
17. D. The line does nothing at all. All TCP traffic from 192.168.3.0 to 192.168.1.0 was denied in the first statement.
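As an added example that is not part of the book, the following Python models what the chapter review and question 17 describe: a numbered extended ACL is evaluated top-down, the first matching statement wins, wildcard-mask bits set to 1 are ignored, and a packet that matches nothing falls to the implicit deny. It parses the statements of ACL 101, evaluates constructed sample packets against them, and reports any statement that an earlier statement already covers, which is exactly why the third line of ACL 101 does nothing. The parser, the PORTS table and the sample packets are constructed for this example; only the eq <port> option after the destination is modelled, and the fourth statement is written with a single destination specification, an assumption about the line as printed above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port names used by this chapter's examples (constructed table).
PORTS = {"www": 80, "ftp": 21, "telnet": 23}

# An address specification is (network, wildcard) as dotted quads; 'any' and
# 'host X' are normalised to that form by parse_acl_line.
AddrSpec = Tuple[str, str]


@dataclass
class AclEntry:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp", ...
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int]   # only 'eq <port>' after the destination is modelled


def _take_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one source/destination specification from the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    action, proto = tok[2], tok[3]
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
    return AclEntry(action, proto, src, dst, dport)


def _ints(spec: AddrSpec) -> Tuple[int, int]:
    return int(ipaddress.IPv4Address(spec[0])), int(ipaddress.IPv4Address(spec[1]))


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    net, wild = _ints(spec)
    keep = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)


def spec_subset(inner: AddrSpec, outer: AddrSpec) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    n_in, w_in = _ints(inner)
    n_out, w_out = _ints(outer)
    keep = ~w_out & 0xFFFFFFFF        # bits the outer spec insists on
    return (w_in & keep) == 0 and (n_in & keep) == (n_out & keep)


def entry_matches(e: AclEntry, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    return ((e.proto == "ip" or e.proto == proto)
            and wildcard_match(src, e.src) and wildcard_match(dst, e.dst)
            and (e.dst_port is None or e.dst_port == dport))


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching statement wins; no match falls to the implicit deny (index None)."""
    for i, e in enumerate(acl):
        if entry_matches(e, proto, src, dst, dport):
            return e.action, i
    return "deny", None


def entry_covers(outer: AclEntry, inner: AclEntry) -> bool:
    """True if every packet `inner` could match is already matched by `outer`."""
    return ((outer.proto == "ip" or outer.proto == inner.proto)
            and spec_subset(inner.src, outer.src) and spec_subset(inner.dst, outer.dst)
            and (outer.dst_port is None or outer.dst_port == inner.dst_port))


def find_shadowed(acl: List[AclEntry]) -> List[Tuple[int, int]]:
    """(index, shadowing_index) for each statement that can never be reached."""
    found = []
    for j in range(len(acl)):
        for i in range(j):
            if entry_covers(acl[i], acl[j]):
                found.append((j, i))
                break
    return found


# ACL 101 from question 17; the fourth line is given a single destination
# (assumption: the extra 'any' on the page is a typo IOS would reject).
ACL_101 = [parse_acl_line(l) for l in [
    "access-list 101 deny tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq ftp",
    "access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www",
    "access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq telnet",
    "access-list 101 permit ip any any",
]]

if __name__ == "__main__":
    for j, i in find_shadowed(ACL_101):
        print(f"statement {j + 1} can never match: statement {i + 1} already covers it")
    print(evaluate(ACL_101, "tcp", "192.168.3.10", "192.168.1.5", 80))  # ('deny', 0)
```

The same wildcard_match function answers questions 4 and 5: 192.168.1.16 with wildcard 0.0.0.15 matches 192.168.1.16 through 192.168.1.31 and nothing else, while 0.0.0.255 covers the whole class C network. The shadow check is the one to run whenever a permit is added below a broader deny, since the router gives no warning that the new statement is unreachable.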
