Friday, September 2, 2016

CCNA R/S Training "Standard Access-List"



Assalamualaikum...

1. Background



On some proprietary computer hardware (in particular routers and switches), an access control list refers to rules that are applied to port numbers or IP addresses available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Although it is also possible to configure access control lists based on network domain names, this is generally a questionable idea, because individual TCP, UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing the access control list must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker seeking to compromise the security of the system that the access control list protects. Both individual servers and routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like firewalls, ACLs can be subject to security regulations and standards such as PCI DSS.

In this lab I will explain how to block traffic in both directions between two different networks.



2. Definition

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. The ACL specifies which users or system processes are granted access to the object, as well as what operations are allowed on that object. Each entry in a typical ACL specifies a subject and an operation. For example, if a file object has an ACL that contains (Alice: read, write; Bob: read), this would give Alice permission to read and write the file and Bob permission only to read it.

3. Aim and Objectives

Practice configuring a standard ACL by blocking one network so that it cannot reach the other. This can be applied whenever there is a requirement that a device must not be able to access another device, or a service on another device.



4. Equipment
  • Cisco Packet Tracer
  • Laptop

5. Implementation






Now we begin configuring Router0; we will configure:
  • IP addressing
  • OSPF routing
  • The access list on Router1, then on Router0
  • Write the configuration
-----------------------------------------------------------------------------------------------------------------------------


Router0

Router>en
Router#conf t
Router(config)#int fa0/0
Router(config-if)#ip add 192.168.1.254 255.255.255.0
Router(config-if)#no sh
Router(config-if)#int fa0/1
Router(config-if)#ip add 12.12.12.1 255.255.255.0
Router(config-if)#no sh
Router(config-if)#int lo1
Router(config-if)#ip add 172.16.1.1 255.255.255.0
Router(config-if)#no sh
Router(config-if)#int lo2
Router(config-if)#ip add 172.16.2.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#ex
Router(config)#router ospf 10
Router(config-router)#net 192.168.1.0 0.0.0.255 area 0
Router(config-router)#net 172.16.1.1 0.0.0.255 area 0
Router(config-router)#net 172.16.2.2 0.0.0.255 area 0
Router(config-router)#net 12.12.12.0 0.0.0.255 area 0
Router(config-router)#ex
Router(config)#ex
Router#wr
Building configuration...
[OK]
Router#
----------------------------------------------------------------------------------------------------------------------

Router1

Router>en
Router#conf t
Router(config)#int fa0/0
Router(config-if)#ip add 192.168.2.254 255.255.255.0
Router(config-if)#no sh
Router(config-if)#int fa0/1
Router(config-if)#ip add 12.12.12.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#int lo3
Router(config-if)#ip add 172.16.3.3 255.255.255.0
Router(config-if)#no sh
Router(config-if)#int lo4
Router(config-if)#ip add 172.16.4.4 255.255.255.0
Router(config-if)#no sh
Router(config-if)#ex
Router(config)#router ospf 10
Router(config-router)#net 192.168.2.0 0.0.0.255 area 0
Router(config-router)#net 172.16.3.3 0.0.0.255 area 0
Router(config-router)#net 172.16.4.4 0.0.0.255 area 0
Router(config-router)#net 12.12.12.0 0.0.0.255 area 0
Router(config-router)#ex


--------------------------------------------------------------------------------------------------------------------------

Before configuring the access list, we first verify that OSPF is definitely working, by testing with ping and #sh ip route.



-------------------------------------------------------------------------------------------------------------------------
Router0


Router#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route




Gateway of last resort is not set




12.0.0.0/24 is subnetted, 1 subnets
C 12.12.12.0 is directly connected, FastEthernet0/1
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Loopback1
C 172.16.2.0/24 is directly connected, Loopback2
O 172.16.3.3/32 [110/2] via 12.12.12.2, 00:05:40, FastEthernet0/1
O 172.16.4.4/32 [110/2] via 12.12.12.2, 00:05:40, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
O 192.168.2.0/24 [110/2] via 12.12.12.2, 00:05:40, FastEthernet0/1


---------------------------------------------------------------------------------------------------------------------------
Router1


Router#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route




Gateway of last resort is not set




12.0.0.0/24 is subnetted, 1 subnets
C 12.12.12.0 is directly connected, FastEthernet0/1
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O 172.16.1.1/32 [110/2] via 12.12.12.1, 00:09:03, FastEthernet0/1
O 172.16.2.2/32 [110/2] via 12.12.12.1, 00:09:03, FastEthernet0/1
C 172.16.3.0/24 is directly connected, Loopback3
C 172.16.4.0/24 is directly connected, Loopback4
O 192.168.1.0/24 [110/2] via 12.12.12.1, 00:09:03, FastEthernet0/1
C 192.168.2.0/24 is directly connected, FastEthernet0/0

------------------------------------------------------------------------------------------------------------------------------

Once OSPF is confirmed, we configure the access list on Router1.

------------------------------------------------------------------------------------------------------------------------------

Router1


Router(config)#access-list 1 deny 192.168.1.1 0.0.0.0
Router(config)#access-list 1 deny 172.16.1.0 0.0.0.255
Router(config)#access-list 1 permit any
Router(config)#int fa0/0
Router(config-if)#ip access-group 1 out
Router(config-if)#ex
Router(config)#ex
Router#sh access-lists
Standard IP access list 1
10 deny host 192.168.1.1 (6 match(es))
20 deny 172.16.1.0 0.0.0.255
30 permit any
Router#
Router#wr
Building configuration...
[OK]
Router#

-------------------------------------------------------------------------------------------------------------------------

Then we assign IP addresses to PC0 and PC1







then we try a ping







Now we change the IP address of PC0 and see whether it can ping PC1




Router1 ACL rule line 1 works
-------------------------------------------------------------------------------------------------------------------------------

Router0

Router#ping
Protocol [ip]:[enter]
Target IP address: 192.168.2.1
Repeat count [5]: [enter]
Datagram size [100]: [enter]
Timeout in seconds [2]: [enter]
Extended commands [n]: y
Source address or interface: loopback1
Type of service [0]: [enter]
Set DF bit in IP header? [no]: [enter]
Validate reply data? [no]: [enter]
Data pattern [0xABCD]: [enter]
Loose, Strict, Record, Timestamp, Verbose[none]: [enter]
Sweep range of sizes [n]: [enter]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
UUUUU
Success rate is 0 percent (0/5)




Router#

-----------------------------------------------------------------------------------------------------------------------------
Router1 ACL rule line 2 works

Router#ping
Protocol [ip]: [enter]
Target IP address: 192.168.2.1
Repeat count [5]: [enter]
Datagram size [100]: [enter]
Timeout in seconds [2]: [enter]
Extended commands [n]: y
Source address or interface: loopback2
Type of service [0]: [enter]
Set DF bit in IP header? [no]: [enter]
Validate reply data? [no]: [enter]
Data pattern [0xABCD]: [enter]
Loose, Strict, Record, Timestamp, Verbose[none]: [enter]
Sweep range of sizes [n]: [enter]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms




Router#

-----------------------------------------------------------------------------------------------------------------------------

The test above can also be done by sending e-mail, and here is the result






Router1 ACL rule line 3 works
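The ACL on Router1 and the two extended pings above show the rule that matters for a standard ACL: only the packet's source address is examined, entries are tried top to bottom, the first match wins, and a packet that matches nothing is dropped by the implicit deny at the end of every list. The `UUUUU` in the first ping is the IOS indication of destination-unreachable replies, which is what a router returns for a packet its ACL denies; the `!!!!!` in the second is a normal echo reply. The Python model below is an added example and not part of the original post: it parses the exact three `access-list 1` lines entered on Router1, evaluates the source addresses used in the tests, and reuses the same wildcard-mask comparison for the OSPF `network` statements of Router0 to show why `net 172.16.1.1 0.0.0.255 area 0` still enables OSPF on Loopback1. The function names, the `ROUTER1_ACL_NO_PERMIT` variant (the same policy with the final `permit any` forgotten) and the sequence numbers 10/20/30 (as IOS assigns them) are my own assumptions.

```python
"""Added example (not from the original post): a small model of how a Cisco
standard ACL evaluates the source address of a packet, using the entries
configured on Router1 above, plus the same wildcard-mask logic applied to
the OSPF 'network' statements of Router0."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    address: int     # 32-bit base address
    wildcard: int    # 32-bit wildcard mask: 1 bits are "don't care"


def ip2int(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(address, base, wildcard):
    """Cisco wildcard semantics: every bit whose wildcard bit is 0 must equal
    the base address bit; bits under a 1 in the wildcard are ignored."""
    care = wildcard ^ 0xFFFFFFFF
    return (address ^ base) & care == 0


def parse_standard_acl(config_lines):
    """Parse 'access-list N permit|deny <addr> [wildcard] | host <addr> | any'
    lines into {N: [AclEntry, ...]}, preserving configuration order."""
    acls = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                      # not a standard ACL line
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line}")
        if parts[3] == "any":
            base, wildcard = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            base, wildcard = ip2int(parts[4]), 0
        else:
            base = ip2int(parts[3])
            # An omitted wildcard defaults to 0.0.0.0 (exact host match)
            wildcard = ip2int(parts[4]) if len(parts) > 4 else 0
        acls.setdefault(number, []).append(AclEntry(action, base, wildcard))
    return acls


def evaluate(entries, source_ip):
    """First matching entry wins; sequence numbers 10, 20, ... as IOS shows
    them in 'show access-lists'. No match means the implicit 'deny any'."""
    src = ip2int(source_ip)
    for index, entry in enumerate(entries):
        if wildcard_match(src, entry.address, entry.wildcard):
            return entry.action, (index + 1) * 10
    return "deny", None


def ospf_interfaces_enabled(network_statements, interface_ips):
    """Return the interface addresses covered by at least one
    'net <addr> <wildcard> area <n>' statement (same wildcard rule)."""
    enabled = []
    for ip in interface_ips:
        for stmt in network_statements:
            _, base, wildcard, *_ = stmt.split()
            if wildcard_match(ip2int(ip), ip2int(base), ip2int(wildcard)):
                enabled.append(ip)
                break
    return enabled


# The three lines entered on Router1 in the post.
ROUTER1_ACL = [
    "access-list 1 deny 192.168.1.1 0.0.0.0",
    "access-list 1 deny 172.16.1.0 0.0.0.255",
    "access-list 1 permit any",
]
# Assumed variant: the same list with the final 'permit any' forgotten.
ROUTER1_ACL_NO_PERMIT = ROUTER1_ACL[:2]

# Router0's OSPF network statements and interface addresses from the post.
ROUTER0_NETWORKS = [
    "net 192.168.1.0 0.0.0.255 area 0",
    "net 172.16.1.1 0.0.0.255 area 0",
    "net 172.16.2.2 0.0.0.255 area 0",
    "net 12.12.12.0 0.0.0.255 area 0",
]
ROUTER0_INTERFACES = ["192.168.1.254", "12.12.12.1", "172.16.1.1", "172.16.2.2"]

if __name__ == "__main__":
    acl = parse_standard_acl(ROUTER1_ACL)[1]
    for src in ("192.168.1.1", "192.168.1.2", "172.16.1.1", "172.16.2.2"):
        print(src, evaluate(acl, src))
    print("OSPF enabled on:", ospf_interfaces_enabled(ROUTER0_NETWORKS, ROUTER0_INTERFACES))
```

Running it reproduces the test results on the page: 192.168.1.1 and 172.16.1.1 are denied by lines 10 and 20, while 172.16.2.2 and a PC0 with a changed address such as 192.168.1.2 fall through to line 30 and are permitted. With `ROUTER1_ACL_NO_PERMIT`, 172.16.2.2 is also dropped, which is the implicit deny that makes a forgotten `permit any` cut off every host the list did not mention.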

Now the reverse: we put the ACL configuration on Router0, but we must first remove the ACL configuration from Router1 with the commands
#no access-list <nomor ACL>
#no ip access-group <nomor ACL>


Removing the ACL configuration on Router1
--------------------------------------------------------------------------------------------------------------------------------
Router1
Router>en
Router#conf t
Router(config)#no access-list 1
Router(config)#int fa0/0
Router(config-if)#no ip access-group 1 out
Router(config-if)#
 --------------------------------------------------------------------------------------------
Don't forget to change the IP address of PC0 back to 192.168.1.1!!!
Then we put the ACL configuration on Router0

------------------------------------------------------------------------------------------------------------------------------
Router0

Router>en
Router#conf t
Router(config)#access-list 1 deny 192.168.2.1 0.0.0.0
Router(config)#access-list 1 deny 172.16.3.0 0.0.0.255
Router(config)#access-list 1 permit any
Router(config)#ex
Router#

---------------------------------------------------------------------------------------------------------------------------------


then we check whether it has been registered in the ACL
-------------------------------------------------------------------------------------------------------------------------------
Router#sh access-lists
Standard IP access list 1
10 deny host 192.168.2.1
20 deny 172.16.3.0 0.0.0.255
30 permit any
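Checking `show access-lists` by eye is fine for three lines; on a production router the same check is better scripted before the list is bound to an interface. The Python below is an added example, not part of the original post: it parses the `show access-lists` text exactly as Router0 printed it above (including the `(N match(es))` hit counter that IOS appends once an entry has matched traffic, as seen earlier on Router1), decides what the list would do to a set of source addresses, and reports any deviation from the intended policy as well as a list that lacks a trailing explicit permit. The `audit` function, its message strings and the must-deny/must-permit lists are my own construction.

```python
"""Added example (not from the original post): parse the text that
'show access-lists' prints and check it against the intended policy."""
import ipaddress
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"^\s*Standard IP access list (?P<name>\S+)\s*$")
ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<target>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+\((?P<hits>\d+)\s+match\(es\)\))?\s*$"
)


@dataclass(frozen=True)
class ShownEntry:
    seq: int
    action: str
    base: int
    wildcard: int
    hits: int   # match counter; 0 when IOS prints no counter


def ip2int(text):
    return int(ipaddress.IPv4Address(text))


def parse_show_access_lists(text):
    """Return {acl_name: [ShownEntry, ...]} from 'show access-lists' output."""
    acls, current = {}, None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = m.group("name")
            acls[current] = []
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue                      # prompt line, blank line, etc.
        target = m.group("target").split()
        if target[0] == "any":
            base, wildcard = 0, 0xFFFFFFFF
        elif target[0] == "host":
            base, wildcard = ip2int(target[1]), 0
        else:
            base, wildcard = ip2int(target[0]), ip2int(target[1])
        acls[current].append(ShownEntry(int(m.group("seq")), m.group("action"),
                                        base, wildcard, int(m.group("hits") or 0)))
    return acls


def decide(entries, source_ip):
    """First match wins; no match is the implicit deny at the end of every ACL."""
    src = ip2int(source_ip)
    for e in entries:
        if (src ^ e.base) & (e.wildcard ^ 0xFFFFFFFF) == 0:
            return e.action
    return "deny"


def audit(entries, must_deny, must_permit):
    """Findings to review before 'ip access-group ... out': sources the list
    treats differently from the intent, and a list that ends without an
    explicit permit (everything it does not mention is silently dropped)."""
    findings = []
    for src in must_deny:
        if decide(entries, src) != "deny":
            findings.append(f"{src} should be denied but is permitted")
    for src in must_permit:
        if decide(entries, src) != "permit":
            findings.append(f"{src} should be permitted but is denied")
    if not entries or entries[-1].action != "permit":
        findings.append("no trailing permit: implicit deny drops all other traffic")
    return findings


# 'show access-lists' output of Router0 as printed in the post.
ROUTER0_SHOW = """Router#sh access-lists
Standard IP access list 1
10 deny host 192.168.2.1
20 deny 172.16.3.0 0.0.0.255
30 permit any
"""

if __name__ == "__main__":
    acl = parse_show_access_lists(ROUTER0_SHOW)["1"]
    print(audit(acl, must_deny=["192.168.2.1", "172.16.3.3"],
                must_permit=["172.16.4.4", "192.168.2.2"]))
```

For the list shown above the audit returns no findings; if line 30 were missing, it would report that 172.16.4.4 is denied and that the list has no trailing permit. The hit counter is useful after the list is applied: an entry that never accumulates matches while the ping tests run is a sign that the list is bound to the wrong interface or in the wrong direction.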

---------------------------------------------------------------------------------------------------------------------------------

Then we apply the ACL we just configured to int fa0/0 of Router0
--------------------------------------------------------------------------------------------------------------------------------

Router#conf t
Router(config)#int fa0/0
Router(config-if)#ip access-group 1 out
Router(config-if)#
--------------------------------------------------------------------------------------------------------------------------------

Then we run the test
figure: test 1

try pinging PC0


then we test by changing the IP address of PC1
it turns out it works

Router0 ACL rule line 1 works

-------------------------------------------------------------------------------------------------------------------------------
Router1

Router>en
Router#ping
Protocol [ip]: [enter]
Target IP address: 192.168.1.1
Repeat count [5]: [enter]
Datagram size [100]: [enter]
Timeout in seconds [2]: [enter]
Extended commands [n]: y
Source address or interface: loopback3
Type of service [0]: [enter]
Set DF bit in IP header? [no]: [enter]
Validate reply data? [no]: [enter]
Data pattern [0xABCD]: [enter]
Loose, Strict, Record, Timestamp, Verbose[none]: [enter]
Sweep range of sizes [n]: [enter]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.3
UUUUU
Success rate is 0 percent (0/5)




Router#

Router0 ACL rule line 2 works

----------------------------------------------------------------------------------------------------------------------------

Router#ping
Protocol [ip]: [enter]
Target IP address: 192.168.1.1
Repeat count [5]: [enter]
Datagram size [100]: [enter]
Timeout in seconds [2]: [enter]
Extended commands [n]: y
Source address or interface: loopback4
Type of service [0]: [enter]
Set DF bit in IP header? [no]: [enter]
Validate reply data? [no]: [enter]
Data pattern [0xABCD]: [enter]
Loose, Strict, Record, Timestamp, Verbose[none]: [enter]
Sweep range of sizes [n]: [enter]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms




Router#
---------------------------------------------------------------------------------------------------------------------------
Router0 ACL rule line 3 works

The configuration is finished :)

Any questions???




6. Results and Conclusion

The configuration above only uses


7. References

Nixtrain