Threaded Case Study
   

ACL IMPLEMENTATION

All Internet connectivity will be supplied through the DSL connected with the router being the single point of contact for all departments and personnel within the company. This connection will be highly controlled and capacity upgraded as usage dictates. The Internet connection will utilize double firewall implementation with a public network (Ethernet backbone) established for services that will be exposed to the Internet such as master E-mail, Domain Name Services (DNS) and a World Wide Web server. All connectivity that is initiated from the router will be protected via Access Control Lists (ACLs) on the routers that make up the double firewall architecture. Any connectivity initiated from the router to the Internet will be permitted to communicate freely. E-mail and DNS services will communicate freely in both directions since these applications poses no security threat. A Web server will be located on the public backbone and partitioned to allow anyone to install a Web home page on the Internet. Individual Web servers that need total exposure to the Internet will not be permitted.  All other access is denied.

Commands applied to the Pantera router
Router>enable
Router#config t
Give global access to the www server with:
Router(config)#Access-list 101 permit tcp any 192.20.5.1 0.0.0.0 eq www
Give global access to the DNS server
Router(config)#Access-list 101 permit udp any 205.12.10.1 0.0.0.0 eq domain
Give global access to the E-mail
Router(config)#Access-list 101 permit tcp any 192.20.5.1 0.0.0.0 eq smtp
Deny all unauthorized access
Router(config)#Access-list 101 deny ip any any
Apply to interface e0 with
Router(config)#interface e0
Router(config-if)#ip access-group 101 in

This ACL is applied to E0 outbound, which is the router port that connects to the administration network. The first three access-list statements allow E-Mail, DNS, and WWW access, respectively, then the fourth and fifth permit any traffic from the administrative network or from network equipment on the other department or personnel. The implicit deny any statement then blocks any traffic on the administrative network. Then the list is applied to interface E0 outbound.