Finish TP1 ACL

This commit is contained in:
flyingscorpio@clevo 2023-01-17 08:57:15 +01:00
parent 507ec11569
commit c1aea916e1
2 changed files with 166 additions and 0 deletions




@ -259,12 +259,178 @@
Reply from 192.168.2.100: bytes=32 time<1ms TTL=126
Reply from 192.168.2.100: bytes=32 time=1ms TTL=126
Ping statistics for 192.168.2.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 14ms, Average = 3ms
C:\>ping 192.168.2.100
Pinging 192.168.2.100 with 32 bytes of data:
Reply from 192.168.2.100: bytes=32 time<1ms TTL=126
Reply from 192.168.2.100: bytes=32 time=14ms TTL=126
Reply from 192.168.2.100: bytes=32 time<1ms TTL=126
Reply from 192.168.2.100: bytes=32 time=1ms TTL=126
Ping statistics for 192.168.2.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 14ms, Average = 3ms
\end{lstlisting}
\item Configurez des ACL nnumérotées étendues sur R1 et R2 afin de respecter les stratégies réseau suivantes~:
\begin{enumerate}
\item Les hôtes de 172.16.2.0/24 ne peuvent pas communiquer avec PC1.
\begin{lstlisting}[gobble=20]
R1(config)#ip access-list extended 1
R1(config-ext-nacl)#deny icmp 172.16.2.0 0.0.0.255 host 172.16.1.1
R1(config-ext-nacl)#deny tcp 172.16.2.0 0.0.0.255 host 172.16.1.1
R1(config-ext-nacl)#deny udp 172.16.2.0 0.0.0.255 host 172.16.1.1
R1(config-ext-nacl)#permit tcp any any
R1(config-ext-nacl)#permit icmp any any
R1(config-ext-nacl)#permit udp any any
R1(config-std-nacl)#int g0/0
R1(config-if)#ip access-group 1 out
\end{lstlisting}
\item Les hôtes de 172.16.1.0/24 ne peuvent pas accéder au service DNS de SRV1.
\begin{lstlisting}[gobble=20]
R2(config)#ip access-list extended 1
R2(config-std-nacl)#deny tcp 172.16.1.0 0.0.0.255 host 192.168.1.100 eq 53
R2(config-std-nacl)#deny udp 172.16.1.0 0.0.0.255 host 192.168.1.100 eq 53
R2(config-std-nacl)#permit icmp any any
R2(config-std-nacl)#permit tcp any any
R2(config-std-nacl)#permit udp any any
R2(config-std-nacl)#int g0/0
R2(config-if)#ip access-group 1 out
\end{lstlisting}
\item Les hôtes de 172.16.2.0/24 ne peuvent pas accéder aux services HTTP ou HTTPS sur SRV2.
\begin{lstlisting}[gobble=20]
R2(config)#ip access-list extended 2
R2(config-std-nacl)#deny tcp 172.16.2.0 0.0.0.255 host 192.168.2.100 eq 80
R2(config-std-nacl)#deny tcp 172.16.2.0 0.0.0.255 host 192.168.2.100 eq 443
R2(config-std-nacl)#permit icmp any any
R2(config-std-nacl)#permit tcp any any
R2(config-std-nacl)#permit udp any any
R2(config-std-nacl)#int g0/1
R2(config-if)#ip access-group 2 out
\end{lstlisting}
\end{enumerate}
\item Testez votre configuration.
\begin{enumerate}
\item Les hôtes de 172.16.2.0/24 ne peuvent pas communiquer avec PC1.
\begin{lstlisting}[gobble=20]
C:\>ping 172.16.1.2
Pinging 172.16.1.2 with 32 bytes of data:
Reply from 172.16.1.2: bytes=32 time<1ms TTL=127
Reply from 172.16.1.2: bytes=32 time<1ms TTL=127
Reply from 172.16.1.2: bytes=32 time<1ms TTL=127
Reply from 172.16.1.2: bytes=32 time<1ms TTL=127
Ping statistics for 172.16.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping 172.16.1.1
Pinging 172.16.1.1 with 32 bytes of data:
Reply from 172.16.2.254: Destination host unreachable.
Reply from 172.16.2.254: Destination host unreachable.
Reply from 172.16.2.254: Destination host unreachable.
Reply from 172.16.2.254: Destination host unreachable.
Ping statistics for 172.16.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
\end{lstlisting}
\item Les hôtes de 172.16.1.0/24 ne peuvent pas accéder au service DNS de SRV1.
\begin{lstlisting}[gobble=20]
C:\>ping 192.168.1.100
Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time<1ms TTL=126
Reply from 192.168.1.100: bytes=32 time=1ms TTL=126
Reply from 192.168.1.100: bytes=32 time<1ms TTL=126
Reply from 192.168.1.100: bytes=32 time<1ms TTL=126
Ping statistics for 192.168.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\>ping efrei.com
Ping request could not find host efrei.com. Please check the name and try again.
\end{lstlisting}
\item Les hôtes de 172.16.2.0/24 ne peuvent pas accéder aux services HTTP ou HTTPS sur SRV2.
\begin{lstlisting}[gobble=20]
C:\>ping 192.168.2.100
Pinging 192.168.2.100 with 32 bytes of data:
Reply from 192.168.2.100: bytes=32 time<1ms TTL=126
Reply from 192.168.2.100: bytes=32 time<1ms TTL=126
Reply from 192.168.2.100: bytes=32 time<1ms TTL=126
Reply from 192.168.2.100: bytes=32 time<1ms TTL=126
Ping statistics for 192.168.2.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
\end{lstlisting}
\includegraphics[width=\linewidth]{./img/no-http.png}
\end{enumerate}
\item Analyser le résultat de la commande \texttt{show access-lists}.
\begin{lstlisting}[gobble=12]
R1#show access-lists
Extended IP access list 1
10 deny icmp 172.16.2.0 0.0.0.255 host 172.16.1.1 (3 match(es))
20 deny tcp 172.16.2.0 0.0.0.255 host 172.16.1.1
30 deny udp 172.16.2.0 0.0.0.255 host 172.16.1.1
40 permit tcp any any
50 permit icmp any any (2 match(es))
60 permit udp any any
R2#show access-lists
Extended IP access list 1
10 deny tcp 172.16.1.0 0.0.0.255 host 192.168.1.100 eq domain
20 deny udp 172.16.1.0 0.0.0.255 host 192.168.1.100 eq domain (1 match(es))
30 permit icmp any any
40 permit tcp any any
50 permit udp any any
Extended IP access list 2
10 deny tcp 172.16.2.0 0.0.0.255 host 192.168.2.100 eq www
20 deny tcp 172.16.2.0 0.0.0.255 host 192.168.2.100 eq 443
30 permit icmp any any
40 permit tcp any any
50 permit udp any any
\end{lstlisting}
Les règles ont bien été rajoutées, et on peut voir des matches correspondants aux tentatives de ping.
\end{enumerate}
\end{document}
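Review bot: The deny/permit triplets in R1's ACL 1 (and the matching triplets in R2's ACLs 1 and 2) only match ICMP, TCP and UDP, so any other IP protocol from 172.16.2.0/24 to PC1 is not caught by the denies, while the trailing `permit tcp/icmp/udp any any` lines leave every other protocol (GRE, ESP, OSPF, …) to the implicit deny for all hosts — a side effect the stated policy does not ask for. Since the requirement is "cannot communicate with PC1" at all, the complete and simpler form is `deny ip 172.16.2.0 0.0.0.255 host 172.16.1.1` followed by `permit ip any any`, and the DNS and HTTP/HTTPS lists should likewise end with `permit ip any any` instead of three per-protocol permits. Two further points are worth a sentence in the report: the lists are numbered 1 and 2, which on IOS is the standard-ACL range (extended numbered ACLs use 100–199 or 2000–2699; the `config-std-nacl` prompt appearing after `ip access-list extended` suggests the simulator is treating them loosely), and extended ACLs are conventionally applied inbound on the interface closest to the source so denied packets are dropped before being routed, rather than outbound on the far interface as done here — presumably inbound on R1's 172.16.2.0/24 interface, but the topology is not shown in this hunk. The `\item Configurez des ACL nnumérotées` line also has a typo ("numérotées"), and the enumerate environment these items belong to is opened before the hunk.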