Question
A network associate is adding security to the configuration of the
Corp1 router. The user on host A should be able to use a web browser to
access financial information from the Finance Web Server. Other types of access from host A to the Finance Web Server should be blocked. All access from hosts in the Core or local LAN to the Finance Web Server should be blocked. All hosts in the Core and on the local LAN should be able to access the Public Web Server.
The task is to create and apply a numbered access-list with no more
than three statements that will allow ONLY host A web access to the
Finance Web Server. No other hosts will have web access to the Finance
Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23
The Public Web Server is assigned an IP address of 172.22.242.17
The Packet Tracer simulation can be viewed here or here.
Solution:
As stated, security is to be configured on router Corp1 so that Host A can reach the Finance Web Server only over HTTP (use a web browser); anything other than HTTP is blocked (other types be blocked). The other hosts, whether on the LAN or in the Core, are not allowed to reach the Finance Web Server at all. Finally, all hosts on the local LAN and in the Core can reach the Public Web Server.
OK... to answer it, first gather the data (in the exam you will be handed a whiteboard and a marker, so you can jot it down there):
Host A --> IP --> 192.168.33.1
Finance Web Server --> IP --> 172.22.242.23
Public Web Server --> IP --> 172.22.242.17
Now, the access list must contain no more than 3 statements.
1. Host A can access the Finance Web Server using HTTP.
access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80
2. Anything other than HTTP to the Finance Web Server is denied, and the LAN and the Core are denied as well. Because entries are checked top to bottom and the first match wins, this line must come after the permit for Host A, or Host A would be denied too.
access-list 100 deny ip any host 172.22.242.23
3. All hosts on the LAN and in the Core can access the Public Web Server* (the task says all other traffic is permitted, and without this line the implicit deny at the end of every ACL would drop it)
access-list 100 permit ip any any
* Honestly I would rather answer access-list 100 permit ip any host 172.22.242.17 (but according to the reports the 100% answer is the one above, so just follow the one above).
OK.. the data is gathered, now let's do it.. click the computer console to configure (you cannot click the router itself)
Corp1>enable
Password: cisco
Corp1#show running-config
We will apply the access list on the interface toward the Sw-1 network, that is Fa0/1. The reason is clear: if we put it on Fa0/0, the Core would not be covered, and if we put it on Se1/0, the LAN would not be covered. So Fa0/1 in the outbound direction is the one place where traffic from both the Core and the LAN passes through the security we are about to configure. Note that an outbound ACL on Fa0/1 only checks packets heading toward the Server LAN; the servers' replies come back in through Fa0/1 and are not filtered. OK! NEXT>> enter the data we gathered ^_^
Corp1#configure terminal
Corp1(config)#access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny ip any host 172.22.242.23
Corp1(config)#access-list 100 permit ip any any
Yup.. done.. don't forget to apply it to the interface..
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Corp1#copy running-config startup-config ---> this is MANDATORY ^_^
Done.. finished.. that is the ACL configuration question I got on 10 March, OK!! To verify, click Host A, open its browser and enter the Finance address
http://172.22.242.23 (a success notification should appear), then try Host B and enter http://172.22.242.23 in its browser (there should be a failure notification). Also try the connection to the Public Web Server.
One more note.. the CCNA question may be modified, for example the host could be any of A/B/C/D, so PAY ATTENTION.**
**Some other variations of the question are listed below; just match whichever one corresponds to the question you get.
Host C should be able to use a web browser to access financial information from the Finance Web Server.
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
No other hosts from the LAN nor the Core should be able to use a web browser to access this server.
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic should be allowed.
Corp1(config)#access-list 100 permit ip any any
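As an added illustration that is not part of the original post, the following Python script simulates how IOS evaluates both numbered ACLs on this page (the three-statement answer and the "web only" variant just above) against constructed sample packets built from the addresses in the exercise. It implements first-match evaluation and the implicit deny at the end of the list, so it also shows what would happen if the final permit ip any any were left out, and it makes visible that the variant's deny tcp ... eq 80 still lets non-HTTP traffic (here, SSH from Host B) reach the Finance server. The parser, the Packet and Entry classes, the PORT_NAMES table and the sample packets are assumptions made for this example; none of it is IOS or Packet Tracer code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the well-known port names IOS accepts in place of a number (assumption for this example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp, None otherwise


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # port from "eq <port>" after the destination, or None


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    if wildcard & (wildcard + 1):  # only contiguous wildcards (2**n - 1) are handled here
        raise ValueError("non-contiguous wildcard mask not supported: " + tokens[1])
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq <port>' operator; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def parse_entry(line: str) -> Entry:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list statement: " + line)
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _take_addr(rest)
    if rest and rest[0] == "eq":
        raise NotImplementedError("source-port operators are not handled in this example")
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    return Entry(action, proto, src, dst, dport)


def parse_acl(lines):
    return [parse_entry(l) for l in lines if l.strip()]


def _match(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    return e.dport is None or p.dport == e.dport


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; with no match the packet hits the implicit deny."""
    for e in acl:
        if _match(e, pkt):
            return e.action
    return "deny"


# Constructed addresses, taken from the exercise text.
HOST_A, HOST_B, CORE = "192.168.33.1", "192.168.33.2", "198.18.196.65"
FINANCE, PUBLIC = "172.22.242.23", "172.22.242.17"

# The three-statement answer from the page.
ACL_MAIN = parse_acl([
    "access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80",
    "access-list 100 deny ip any host 172.22.242.23",
    "access-list 100 permit ip any any",
])

# The "web only" variant from the page (Host C is the permitted host there).
ACL_WEB_ONLY = parse_acl([
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
])

# Constructed sample packets, as seen outbound on Fa0/1.
SAMPLE = {
    "A_http_finance": Packet(HOST_A, FINANCE, "tcp", 80),
    "A_ssh_finance": Packet(HOST_A, FINANCE, "tcp", 22),
    "B_http_finance": Packet(HOST_B, FINANCE, "tcp", 80),
    "B_ssh_finance": Packet(HOST_B, FINANCE, "tcp", 22),
    "core_http_finance": Packet(CORE, FINANCE, "tcp", 80),
    "B_http_public": Packet(HOST_B, PUBLIC, "tcp", 80),
    "core_ping_public": Packet(CORE, PUBLIC, "icmp"),
}


def decisions(acl, packets=SAMPLE):
    """Map each sample packet name to the verdict the given ACL produces."""
    return {name: evaluate(acl, p) for name, p in packets.items()}


if __name__ == "__main__":
    for label, acl in (("main answer", ACL_MAIN), ("web-only variant", ACL_WEB_ONLY),
                       ("main answer without permit ip any any", ACL_MAIN[:2])):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {name:18s} {verdict}")
```

Running the script prints one verdict table per list. Under the main answer only A_http_finance reaches the Finance server and everything bound for the Public server is permitted; under the web-only variant B_ssh_finance is permitted, which is exactly the difference between deny ip and deny tcp ... eq 80; with the last statement dropped, B_http_public falls through to the implicit deny, which is why the third statement is not optional.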
Well... that is roughly what the ACL question on the CCNA exam looks like; God willing it is still valid.. we will see how Saturday's exam goes ^_^ (once again, be thorough and careful...)
Good Luck..
Next.. VTP..