In this lab, I am going to build a small network environment, which includes a simple web server (PC1), Router1, Router2, and a client (PC2).

Step 1, draw a topology and assign network addresses. The topology and addresses are shown in the picture below (figure: ACL_WebServer).

Step 2, configure the server.

Use a virtual machine (VirtualBox) on my laptop as the web server, and choose the “bridged to host network adapter” option as shown in the picture.

Then turn on the virtual machine, open Server Manager, add a new role, and choose Web Server (IIS). Keep the default settings and click Next until the installation finishes.

After the installation, browse to “C:\inetpub\wwwroot” and create a new HTML file called index.html. Use Notepad to edit it. I added
<div>
<p style="text-align:center; font-size:20px; color:#333; padding:20px 10px">Hello everyone, this is the test page of frankfu.com</p>
</div>
between the <body></body> tags. (figure: WWWRecord)

Make sure the DNS Server role is also installed, and create a zone with any name you like; I picked frankfu.com. Right-click the blank area in the right-hand pane, choose “New Host (A or AAAA)”, type “www” in the “Name” field and “192.168.1.11” in the “IP address” field, then click “Add Host”. (figure: DNS server)

Step 3, assign the IP addresses to the router interfaces and the PCs.

On PC2, assign IP address: 192.168.3.2; subnet mask: 255.255.255.0; default gateway: 192.168.3.1; DNS server: 192.168.1.11.

On router 1:

r1#conf t

r1(config)#int g0/0

r1(config-if)#ip add 192.168.1.1 255.255.255.0

r1(config-if)#no shutdown

r1(config-if)#

%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up

r1(config-if)#int g0/1

r1(config-if)#ip add 192.168.2.1 255.255.255.252

r1(config-if)#no shutdown

%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up

r1(config)#ip route 192.168.3.0 255.255.255.0 192.168.2.2

r1(config)#do show ip route

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.2.0/30 is directly connected, GigabitEthernet0/1

L 192.168.2.1/32 is directly connected, GigabitEthernet0/1

S 192.168.3.0/24 [1/0] via 192.168.2.2

r1(config)#ip name-server 192.168.1.11

On router 2:

r2(config-if)#ip add 192.168.2.2 255.255.255.252

r2(config-if)#no shutdown

r2(config-if)#

%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up

r2(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

r2(config-if)#int g0/0

r2(config-if)#ip add 192.168.3.2 255.255.255.0

r2(config-if)#no shut

r2(config-if)#exit

r2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1

r2(config)#do show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

S 192.168.1.0/24 [1/0] via 192.168.2.1

192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.2.0/30 is directly connected, GigabitEthernet0/1

L 192.168.2.2/32 is directly connected, GigabitEthernet0/1

r2(config)#ip name

r2(config)#ip name-server 192.168.1.11
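As an added illustration (my own script, not part of the lab and not a Cisco tool), the following Python replays the two routing tables from Step 3 with a longest-prefix-match lookup and traces a packet from the PC2 side to the server and back. It also shows what happens to the reply when R2's static route is left out, which is why both routers need a static route to the far subnet. Prefixes, next hops and interfaces are transcribed from the page; the connected route for 192.168.1.0/24 on R1's G0/0 is assumed to be present once that link is up.

```python
"""Longest-prefix lookup over the two static routing tables from Step 3.
Added example; tables are transcribed from the lab, not exported from IOS.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# One route per tuple: (prefix, next hop or None when directly connected, egress interface).
Route = Tuple[str, Optional[str], str]
ROUTES: Dict[str, List[Route]] = {
    "r1": [
        ("192.168.1.0/24", None, "GigabitEthernet0/0"),           # C (assumed, once G0/0 link is up)
        ("192.168.2.0/30", None, "GigabitEthernet0/1"),           # C, from 'show ip route'
        ("192.168.3.0/24", "192.168.2.2", "GigabitEthernet0/1"),  # S, via R2
    ],
    "r2": [
        ("192.168.2.0/30", None, "GigabitEthernet0/1"),           # C, from 'show ip route'
        ("192.168.3.0/24", None, "GigabitEthernet0/0"),           # C, the PC2 subnet
        ("192.168.1.0/24", "192.168.2.1", "GigabitEthernet0/1"),  # S, via R1
    ],
}

# Which router owns each next-hop address on the R1-R2 link (from the interface configs).
NEXT_HOP_OWNER = {"192.168.2.2": "r2", "192.168.2.1": "r1"}


def lookup(router: str, dst: str, tables=ROUTES):
    """Longest-prefix match; returns (network, next_hop, interface) or None if unroutable."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nexthop, ifname in tables[router]:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, ifname)
    return best


def trace(start: str, dst: str, tables=ROUTES, max_hops: int = 8) -> List[str]:
    """Follow next hops router by router until the destination network is directly connected."""
    path = [start]
    router = start
    for _ in range(max_hops):
        hit = lookup(router, dst, tables)
        if hit is None:
            return path + ["no route: dropped"]
        _net, nexthop, ifname = hit
        if nexthop is None:
            return path + [f"delivered on {ifname}"]
        router = NEXT_HOP_OWNER[nexthop]
        path.append(router)
    return path + ["hop limit exceeded"]


def without_static(router: str, tables=ROUTES):
    """Copy of the tables with one router's static routes removed, to show why the return route matters."""
    return {name: [r for r in rts if not (name == router and r[1] is not None)]
            for name, rts in tables.items()}


if __name__ == "__main__":
    print("PC2 -> server:", trace("r2", "192.168.1.11"))
    print("server -> PC2:", trace("r1", "192.168.3.2"))
    print("PC2 -> server without R2 static:", trace("r2", "192.168.1.11", without_static("r2")))
```

The last line of the demo is the case people hit most often when a ping from PC2 fails: the forward path from the server side still works, but R2 has nowhere to send packets destined for 192.168.1.0/24, so every reply from PC2 is dropped at R2.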

 


Test the link and web server functionality.

From PC1, try to ping R1 G0/0 and G0/1, R2 G0/1 and G0/0, and PC2. Then from PC2, ping R2 G0/0 and G0/1, R1 G0/1 and G0/0, and PC1. If you cannot ping PC2 or the server on PC1, try turning off the firewall and retry.

Open a browser on PC2 and type your domain name (frankfu.com in my lab) to test the web server. Then try www.frankfu.com. If everything works, go to the next step. (figure: testpage)

If it does not work, do the following troubleshooting:

  • check the proxy server settings of PC1.
  • use show commands to check the configuration of R1 and R2.

Step 4, Edit and Apply the ACL

  1. Edit the ACL.
    • We will create an ACL to deny the HTTP service for PC2, which uses the TCP protocol and port 80 to transfer data. We don’t want the ACL to affect other clients, so create it on the router closest to PC2, which is R2.
    • On router 2:

      r2(config)#access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq 80
      r2(config)#do show ip access-list
      r2(config)#access-list 101 permit icmp 192.168.3.0 0.0.0.255 any
      r2(config)#do show ip access-list
      Extended IP access list 101
      10 deny tcp 192.168.3.0 0.0.0.255 any eq www
      20 permit icmp 192.168.3.0 0.0.0.255 any
      r2(config)#

  2. Apply the ACL.

      r2(config)#int g0/0
      r2(config-if)#ip access-group 101 in

  3. Test connectivity: open a browser on PC2 and try to open the site frankfu.com again. It should not open, because HTTP traffic is blocked. Open a CMD terminal; you can still ping the server 192.168.1.11, because ICMP is permitted.
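To see why the two entries behave the way the test describes, here is an added simulation (my own illustration, not part of the lab and not Cisco code) of how IOS walks an extended ACL: wildcard masks, top-down first match, and the implicit deny at the end of every list. The addresses and the two entries are the lab's; the probe packets are constructed. It also checks a DNS query from PC2 to the server, which the page does not test: it matches neither entry and is dropped by the implicit deny, so once the ACL is applied, PC2 can no longer resolve frankfu.com either.

```python
"""Simulate IOS extended-ACL evaluation for access-list 101 from Step 4.
Added example; the packets are constructed, the entries are the lab's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """Constructed IPv4 packet summary: just the fields an extended ACL looks at."""
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    """One access-list entry, as listed by 'show ip access-list'."""
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # "192.168.3.0 0.0.0.255", "host 192.168.1.11" or "any"
    dst: str
    dport: Optional[int] = None  # the "eq <port>" qualifier, if present


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        net, wild = spec.split()[1], "0.0.0.0"
    else:
        net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF       # bits the entry insists on
    return (a & care) == (n & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, e.src) and wildcard_match(p.dst, e.dst)):
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; first match wins; no match means the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None          # the unseen 'deny any' at the end of every IOS ACL


# Access list 101 exactly as built on R2 in Step 4 (IOS displays 'eq 80' as 'eq www').
ACL_101 = [
    Entry(10, "deny", "tcp", "192.168.3.0 0.0.0.255", "any", 80),
    Entry(20, "permit", "icmp", "192.168.3.0 0.0.0.255", "any"),
]


def lab_results(acl: List[Entry] = ACL_101) -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed probes from PC2 (192.168.3.2) to the server (192.168.1.11)."""
    pc2, server = "192.168.3.2", "192.168.1.11"
    probes = {
        "http":  Packet("tcp", pc2, server, 80),    # the traffic the lab wants blocked
        "ping":  Packet("icmp", pc2, server),       # the traffic the lab expects to work
        "dns":   Packet("udp", pc2, server, 53),    # not tested on the page
        "https": Packet("tcp", pc2, server, 443),   # not tested on the page
    }
    return {name: evaluate(acl, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, (action, seq) in lab_results().items():
        where = f"entry {seq}" if seq is not None else "implicit deny"
        print(f"{name:6s} -> {action} ({where})")
```

Because the list ends with an implicit deny, "permit icmp" is the only thing PC2's subnet is allowed to send inbound on G0/0. Anything else the lab later needs from PC2 (DNS to 192.168.1.11, for instance) has to get an explicit permit entry, such as a permit udp line for port 53, which is not on the page; the order of the entries matters, since the first match wins.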