CYB 220 Module Four Activity_

The document outlines a guided tutorial for configuring FTP services and firewall settings using Packet Tracer. It includes steps for setting up an FTP server, configuring host-based firewalls, creating and applying standard and extended access control lists (ACLs) on routers. Additionally, it poses questions to assess understanding of the configurations and their implications on network security and traffic management.
CYB 220 Module Four Activity Worksheet

Directions: Complete the guided tutorial activity using the Module Four Activity Student File available in
the learning environment. Follow the steps outlined below in Packet Tracer. You will be asked to provide
screenshots or answers to the questions as instructed. Complete this template by replacing the
bracketed text with the relevant information.

Part I: FTP Server

FTP Access Configuration


Step 1: In the Services Tab of the FTP_Server_Public, ensure the FTP services are on. Notice that this
service has a default admin account. (The username and password are both cisco). You will use this
account for any testing.

Question 1: What are the permissions for the default FTP user cisco?

RWDNL

Step 2: From Server1_Admin, access the Command Prompt (from the Desktop tab). Use the FTP
<IP Address> command, and log in with the default Cisco FTP account credentials:
Packet Tracer PC Command Line 1.0
C:\>FTP 10.1.10.5
Trying to connect...10.1.10.5
Connected to 10.1.10.5
220- Welcome to PT Ftp server
Username:

Use the dir command (for directory) for a list of all the files hosted on the FTP server.

Question 2: What is file number 8 in the FTP directory?

c2600-ipbasek9-mz.124-8.bin 13169700

Part II: Host-Based Firewall


Type the command ftp>quit before starting Part II.

Configure the Firewall on the FTP_Server_Public


Step 1: From the Desktop Tab, open the IPv4 Firewall application:

Step 2: Add a firewall rule according to the following settings:


1. Service: “On”
2. Interface: FastEthernet0
3. Action: “Deny”
4. Protocol: “ICMP”
5. Remote IP: 192.168.1.101
6. Remote Wildcard Mask: 0.0.0.0
7. Click “Add.”
Screenshot 1: Add a screenshot of the proper firewall rule in place.
Test the Firewall Rule
Step 1: From Server1_Admin (192.168.1.101), use FTP in the command prompt to attempt to
connect to the FTP server (10.1.10.5).

Question 3: This connection is prevented if your firewall configuration is correct. What is the error
message you receive when this connection is unable to be made?

%Error opening ftp://10.1.10.5/ (Timed out)

Modify the Firewall Rules


Step 1: From PC1_End_Users (in the End User network), ping the FTP server (10.1.10.5). You should
receive a “Request timed out” message. Why? The Firewall Service is configured in a default-deny
stance. By activating the Firewall Service and applying at least one Inbound Rule, all other traffic is
denied unless allowed by exception using another rule.

Step 2: To allow specific traffic, you will need to add another rule to the FTP Server host-based
firewall. Imagine you would like only the hosts in the End_User network to access the FTP services on
the FTP Server. You have the options following this paragraph available to be applied. Feel free to test
each out in Packet Tracer before answering Question 4.
Option One:
1. Action: Allow
2. Protocol: IP
3. Remote IP: 192.168.2.101
4. Remote Wildcard: 0.0.0.0
5. Remote Port: any
6. Local Port: 21

Option Two:
1. Action: Allow
2. Protocol: IP
3. Remote IP: 192.168.0.0
4. Remote Wildcard: 0.0.255.255
5. Remote Port: any
6. Local Port: 21

Option Three:
1. Action: Allow
2. Protocol: IP
3. Remote IP: 192.168.2.96
4. Remote Wildcard: 0.0.0.15
5. Remote Port: any
6. Local Port: 21

Option Four:
1. Action: Allow
2. Protocol: IP
3. Remote IP: 192.168.2.0
4. Remote Wildcard: 0.0.0.255
5. Remote Port: any
6. Local Port: 21

Question 4: Which option is the best to allow only the hosts in the End_User network to access the
FTP services on the FTP Server? Why did you recommend this rule?

To restrict access to FTP server services to hosts on the end user's network, I would go with Option
Three. This option reduces the attack surface by allowing access to a narrow range of IP addresses
(192.168.2.96-192.168.2.111) using the supplied remote IP and wildcard mask (0.0.0.15).
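To check what each option actually admits, here is an added Python example (not part of the worksheet or of Packet Tracer) that applies Cisco-style wildcard-mask matching to the four candidate rules. The sample host addresses are assumptions drawn from the topology: PC1_End_Users is taken to be 192.168.2.101, Server1_Admin is 192.168.1.101 and Kiosk1_Remote_Access is 192.168.3.2.

```python
import ipaddress

def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_matches(remote_ip: str, wildcard: str, host: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match exactly,
    a 1 bit is 'don't care'."""
    differing_bits = ip_to_int(remote_ip) ^ ip_to_int(host)
    return (differing_bits & ~ip_to_int(wildcard) & 0xFFFFFFFF) == 0

def covered_range(remote_ip: str, wildcard: str):
    """Return (first address, last address, host count) the rule covers."""
    base = ip_to_int(remote_ip) & ~ip_to_int(wildcard) & 0xFFFFFFFF
    top = base | ip_to_int(wildcard)
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(top)),
            top - base + 1)

# The four candidate rules from the worksheet: (Remote IP, Remote Wildcard)
OPTIONS = {
    "One":   ("192.168.2.101", "0.0.0.0"),
    "Two":   ("192.168.0.0",   "0.0.255.255"),
    "Three": ("192.168.2.96",  "0.0.0.15"),
    "Four":  ("192.168.2.0",   "0.0.0.255"),
}

# Constructed sample hosts (assumed addresses, see lead-in)
SAMPLE_HOSTS = {
    "PC1_End_Users":        "192.168.2.101",
    "Server1_Admin":        "192.168.1.101",
    "Kiosk1_Remote_Access": "192.168.3.2",
}

def evaluate(option: str) -> dict:
    """Which sample hosts would the chosen rule let reach port 21?"""
    remote_ip, wildcard = OPTIONS[option]
    return {name: wildcard_matches(remote_ip, wildcard, ip)
            for name, ip in SAMPLE_HOSTS.items()}

if __name__ == "__main__":
    for opt in OPTIONS:
        print(opt, covered_range(*OPTIONS[opt]), evaluate(opt))
```

Option Two's wildcard 0.0.255.255 admits every 192.168.x.x host, including the Admin and Remote networks, which is why the narrower masks are preferable.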

Before moving on to Part III, be sure you have configured your selected rule on the FTP server.

Part III: Standard Access List

Create the Standard Access Control List


Standard access control lists (ACLs) can be configured in two ways:
1. Numbered access list, using the command access-list <1-99>
2. Named access list, using the command ip access-list standard <1-99 or name>

Once created, both will function identically; however, named access lists provide the advantage of being
editable. With a numbered list, you must first delete the entire ACL, then recreate it with any edits you
require. In this tutorial, you will use the named ACL to allow us to explore the results of making changes.
Step 1: Go to the CLI tab in the Office Router:

Step 2: Create the Standard Access List:

Office_Router>enable
Office_Router#configure terminal
Office_Router(config)#ip access-list standard officeFTP
Office_Router(config-std-nacl)#deny any
Office_Router(config-std-nacl)#exit
Office_Router(config)#exit
Office_Router#
%SYS-5-CONFIG_I: Configured from console by console

Office_Router#show access-lists
Screenshot 2: Add a screenshot of your configured access list.

Apply the Standard Access Control List Named Office to the Gigabit Ethernet 6/0 Interface
Routers/firewall appliances filter traffic with access control lists (ACLs) assigned to a specific interface.
The processing and filtering of traffic is affected by whether the ACL is designated as inbound or
outbound. In this tutorial, the standard ACL, officeFTP, will be applied to the g6/0 interface as an
outbound ACL. Before forwarding traffic out of the g6/0 interface, the router checks the source IP
address against the ACL. If the packet source is from a “deny” address, the packets are discarded. If they
are from a “permit” address, they are forwarded.

Step 1: Go to the CLI tab in the Office Router:


Step 2: Apply the standard access control list to a specific interface.

Office_Router#configure terminal
Office_Router(config)#interface g6/0
Office_Router(config-if)#ip access-group officeFTP out
Office_Router(config-if)#exit
Office_Router(config)#exit
%SYS-5-CONFIG_I: Configured from console by console

Step 3: From PC1_End_Users, use the command C:\>ftp 10.1.10.5 to access the FTP Server.

Question 5: Explain the interaction between the FTP’s host-based firewall and the router’s access
list.

Right now, the router's access list is configured to refuse all traffic; consequently, any attempt to
connect to the FTP server using the address 10.1.10.5 would fail, as the router would prevent traffic
from reaching the server. Before any traffic reaches the FTP server, the router's access list filters
according to the source IP address. The FTP server's host-based firewall is another layer of defense,
letting traffic through only on selected ports. It is therefore essential that the settings on both levels are
oriented in the right direction for successful FTP communication.

Modify the Standard ACL on Gig6/0:


Step 1: Go to the CLI tab in the Office Router:

Step 2: Add a new rule to the standard ACL.

Office_Router>enable
Office_Router#configure terminal
Office_Router(config)#ip access-list standard officeFTP
Office_Router(config-std-nacl)#permit 192.168.2.0 0.0.0.255
Office_Router(config-std-nacl)#exit
Office_Router(config)#exit
%SYS-5-CONFIG_I: Configured from console by console

Step 3: From PC1_End_Users, use the command C:\>ftp 10.1.10.5 to access the FTP Server.
Question 6: Explain why the connection times out despite adding the “permit” statement for the
End_User network to the ACL.

The outbound application of the ACL officeFTP is on interface g6/0. This limits the amount of data that
can leave the router via this port.

Edit the Standard ACL on Gig6/0


Step 1: Go to the CLI tab in the Office Router:

Step 2: Edit the standard ACL.

Office_Router>enable
Office_Router#configure terminal
Office_Router(config)#ip access-list standard office
Office_Router(config-std-nacl)#no 10
Office_Router(config-std-nacl)#exit
Office_Router(config)#exit
%SYS-5-CONFIG_I: Configured from console by console
Office_Router#show access-lists
Screenshot 3: Add a screenshot of your configured access list.

FTP Server Access


Step 1: Use the command C:\>ftp 10.1.10.5 to access the FTP server from:
- PC1_End_Users
- Kiosk1_Remote_Access

Question 7: Explain the effects of editing the office FTP ACL. Why are the two hosts above permitted
or denied access to the FTP server?

This only confirms that rule 1, "deny all," has been ruled out by rule 10. Under the current regulations,
PC1 will be allowed to connect, while the kiosk will not.
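The sequence-number behaviour behind Questions 6 and 7 can be reproduced in a small Python model of a named standard ACL. This is an added example, not IOS code or part of the worksheet; it assumes PC1_End_Users is 192.168.2.101 and uses the Kiosk1 address 192.168.3.2 from Part IV.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

class StandardACL:
    """Named standard ACL: entries are checked in sequence order, the first
    match wins, and an unmatched packet hits the implicit 'deny any'."""
    def __init__(self, name: str):
        self.name = name
        self.entries = []   # (seq, action, base, wildcard)

    def add(self, action: str, base: str = "0.0.0.0",
            wildcard: str = "255.255.255.255") -> int:
        # IOS numbers new entries 10, 20, 30, ... and appends them at the end
        seq = self.entries[-1][0] + 10 if self.entries else 10
        self.entries.append((seq, action, base, wildcard))
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' inside the named ACL."""
        self.entries = [e for e in self.entries if e[0] != seq]

    def check(self, src: str):
        """Outbound standard ACL: only the source address is examined."""
        for seq, action, base, wildcard in self.entries:
            if wildcard_match(src, base, wildcard):
                return action, seq
        return "deny", None   # implicit deny any

def walk_through() -> dict:
    """Replays the worksheet's edits to officeFTP step by step."""
    acl = StandardACL("officeFTP")
    acl.add("deny")                               # 'deny any' -> seq 10
    out = {"after_deny_any": acl.check("192.168.2.101")}
    acl.add("permit", "192.168.2.0", "0.0.0.255") # Modify step -> seq 20
    out["after_permit_added"] = acl.check("192.168.2.101")
    acl.remove(10)                                # Edit step: 'no 10'
    out["pc1_after_no_10"] = acl.check("192.168.2.101")
    out["kiosk_after_no_10"] = acl.check("192.168.3.2")
    return out

if __name__ == "__main__":
    for step, verdict in walk_through().items():
        print(f"{step:22s} -> {verdict}")
```

After the permit is appended the PC is still denied by sequence 10, which is matched first; only removing sequence 10 lets the permit take effect, and the kiosk then falls to the implicit deny.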

Part IV: Extended Access Control List


Extended access control lists (ACLs) filter on specific protocols and ports, rather than only on specific host or network addresses.

Show Kiosk1_Remote_Access Initially Has Access to PC1_Admin File Server:


Step 1: Use the Desktop Menu to access the Web Browser:

Step 2: Navigate to File server on PC1_Admin (192.168.1.101).

Screenshot 4: Add a screenshot of your results attempting to access the file server.
Configure Remote_Router Extended ACL for SMTP/POP3 Traffic to Email Server
Step 1: In the Remote_Router CLI tab, add:

Remote_Router>enable
Remote_Router#configure terminal
Remote_Router(config)#ip access-list extended email
Remote_Router(config-ext-nacl)#permit tcp 192.168.3.2 0.0.0.0 host 10.1.10.6 eq smtp
Remote_Router(config-ext-nacl)#permit tcp 192.168.3.2 0.0.0.0 host 10.1.10.6 eq pop3
Remote_Router(config-ext-nacl)#exit
Remote_Router(config)#interface g0/0/1
Remote_Router(config-if)#ip access-group email in
Remote_Router(config-if)#exit
Remote_Router(config)#exit
%SYS-5-CONFIG_I: Configured from console by console

Step 2: Compose email from Kiosk1 to PC1_End_User (office1@central-branch-pt.pka).


Step 3: Confirm PC1_End_User’s inbox contains the received email from Kiosk1.

Screenshot 5: Add a screenshot of PC1_End_User’s inbox containing the received email.


Unable to view the actual mail for some reason, but there’s a Receive Mail Success message
showing at the bottom left of the screen.

Step 4: Verify That the ACL Has Prevented Access to the File Server
a. Use the Desktop Menu to access the Web Browser:
b. Navigate to the file server on PC1_Admin (192.168.1.101).

Screenshot 6: Add a screenshot of the file server.

Question 8: How would you configure the Extended ACL for scalability? In other words, how could
you set up the extended ACL to avoid having to modify the ACL every time you add a new host?

Instead of specifying individual IP addresses for each host, apply ACL rules to an entire subnet. This
way, any new host within that subnet will automatically be covered without modifying the ACL.
Also, many modern routers and firewalls support object groups, which allow you to group multiple
IPs or subnets under a single ACL rule. When adding a new host, simply update the object group
rather than modifying multiple ACL entries.

By structuring the ACL either way, you minimize administrative overhead, maintain flexibility, and
ensure new hosts comply with security policies without requiring constant ACL updates.
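The following added Python example (not the worksheet's or IOS's own code) models the extended ACL named email from Part IV and contrasts it with the subnet-based form discussed in Question 8. It assumes the Remote network is 192.168.3.0/24 and constructs a second kiosk address, 192.168.3.7, to represent a host added later.

```python
import ipaddress

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "ftp": 21}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def entry(action, proto, src, src_wc, dst, dst_wc, port=None):
    """One extended ACE; 'host X' on IOS is the same as 'X 0.0.0.0'."""
    return {"action": action, "proto": proto, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc, "port": PORT_NAMES.get(port, port)}

def check(acl, proto, src, dst, dport):
    """Inbound extended ACL: protocol, source, destination and port must all
    match; first match wins and the list ends in an implicit deny."""
    for e in acl:
        if e["proto"] not in (proto, "ip"):
            continue
        if not wildcard_match(src, e["src"], e["src_wc"]):
            continue
        if not wildcard_match(dst, e["dst"], e["dst_wc"]):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"]
    return "deny"

# The worksheet's ACL: one kiosk host, mail server only, SMTP and POP3 only
EMAIL_ACL = [
    entry("permit", "tcp", "192.168.3.2", "0.0.0.0", "10.1.10.6", "0.0.0.0", "smtp"),
    entry("permit", "tcp", "192.168.3.2", "0.0.0.0", "10.1.10.6", "0.0.0.0", "pop3"),
]

# Subnet form (assumed 192.168.3.0/24): new hosts need no ACL edit
EMAIL_ACL_SUBNET = [
    entry("permit", "tcp", "192.168.3.0", "0.0.0.255", "10.1.10.6", "0.0.0.0", "smtp"),
    entry("permit", "tcp", "192.168.3.0", "0.0.0.255", "10.1.10.6", "0.0.0.0", "pop3"),
]

def compare() -> dict:
    new_kiosk = "192.168.3.7"   # constructed: host added to the Remote network later
    return {
        "kiosk_smtp":            check(EMAIL_ACL, "tcp", "192.168.3.2", "10.1.10.6", 25),
        "kiosk_fileserver_http": check(EMAIL_ACL, "tcp", "192.168.3.2", "192.168.1.101", 80),
        "new_host_per_host_acl": check(EMAIL_ACL, "tcp", new_kiosk, "10.1.10.6", 25),
        "new_host_subnet_acl":   check(EMAIL_ACL_SUBNET, "tcp", new_kiosk, "10.1.10.6", 25),
    }
```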
