ACL Config 3

Topology

Tasks:

A company has a network with multiple departments, including HR, IT, and a Web Server. The HR department should not be able to access sensitive IT resources, but it should still be able to reach the company's web server on HTTP and HTTPS. The HR department should have full access to the Internet.

  1. Create a single extended NACL named HR_ACL on Router
  2. Block HR (192.168.10.0/24) from accessing IT (192.168.20.0/24).
  3. Allow HR to access the Web Server (192.168.30.100) only on HTTP (port 80) and HTTPS (port 443).
  4. Block all other traffic from HR to the Web Server.
  5. Allow HR department to access the internet.
  6. Apply the Access List inbound on HR Interface of Router.

Solution:

Task 1: Create a single extended NACL named HR_ACL on Router

Router# configure terminal
Router(config)# ip access-list extended HR_ACL

This access list will be applied to Router to filter traffic from HR department.

 

Task 2: Block HR (192.168.10.0/24) from accessing IT (192.168.20.0/24).

Router(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

This rule blocks all traffic from HR (192.168.10.0/24) to IT (192.168.20.0/24). deny ip blocks all protocols (TCP, UDP, ICMP, etc.).

0.0.0.255 is the wildcard mask for a /24 subnet: the 0 bits must match exactly, the 1 bits are ignored.

 

Task 3: Allow HR to access the Web Server (192.168.30.100) only on HTTP (port 80) and HTTPS (port 443).

To match traffic to a single host, use the host wildcard mask (0.0.0.0) or the keyword "host" followed by the IP address of the Web Server as the destination address.

Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 host 192.168.30.100 eq 80
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 host 192.168.30.100 eq 443

permit tcp matches only TCP, the transport that HTTP and HTTPS run over.

eq 80 and eq 443 match only destination port 80 (HTTP) and port 443 (HTTPS). The ACL checks the port number, not the application: any service the server happens to expose on those two ports would be allowed as well.

host 192.168.30.100 targets only the Web Server.

 

Task 4: Block all other traffic from HR to the Web Server.

Router(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 host 192.168.30.100

This entry ensures that HR can reach the Web Server only on HTTP/HTTPS and on nothing else (e.g., FTP, SSH, ICMP). It must sit above the broad permit added in the next task, otherwise it never matches.

 

Task 5: Allow HR department to access the internet.


Router(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 any

This rule allows HR to access any destination (internet, external resources, etc.).

Important: This entry must come after the HR-to-IT deny and the Web Server entries so that it does not override them. Entries are evaluated top to bottom and the first match wins, so if this entry were configured first, all traffic from the HR department would be permitted. Note also how broad it is: any destination not explicitly denied above, including any other internal subnet and the other hosts on 192.168.30.0/24, is reachable from HR. Every extended ACL ends with an implicit deny ip any any, so a tighter design would permit only the destinations HR actually needs and let the implicit deny drop the rest; the lab requires full Internet access, which is why the catch-all permit is used here.

 

Task 6: Apply the Access List inbound on HR Interface of Router.

We must apply HR_ACL inbound on G0/0 (the HR network) to filter HR traffic as it enters the router. Filtering inbound on the HR-facing interface drops unwanted HR traffic at its first hop, before the router performs a routing lookup and before the packet can reach any other segment.

Router(config-ext-nacl)# exit

Router(config)# interface G0/0

Router(config-if)# ip access-group HR_ACL in

Router(config-if)# exit
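Before moving to the Packet Tracer checks it is worth desk-checking the list. The script below is an added example, not part of this lab and not Cisco IOS code: it re-implements just enough of the extended-ACL matching logic (wildcard masks, first-match evaluation from the top, the implicit deny at the end) to evaluate the five entries above against constructed packets, including two cases the lab does not test (a non-web host on the server subnet, and a spoofed non-HR source arriving on the HR interface) and the misordered list warned about in Task 5. The HR_PC address 192.168.10.10, the hosts 192.168.30.50 and 10.9.9.9, and all function names are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The five entries of HR_ACL exactly as entered on the router in Tasks 2-5.
HR_ACL = """
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit tcp 192.168.10.0 0.0.0.255 host 192.168.30.100 eq 80
permit tcp 192.168.10.0 0.0.0.255 host 192.168.30.100 eq 443
deny ip 192.168.10.0 0.0.0.255 host 192.168.30.100
permit ip 192.168.10.0 0.0.0.255 any
"""

# The mistake warned about in Task 5: the catch-all permit entered first.
MISORDERED_ACL = "permit ip 192.168.10.0 0.0.0.255 any\n" + HR_ACL.strip()


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise "tcp"/"udp"/"icmp"
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str
    dport: Optional[int]   # from "eq <port>" on the destination, if present


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # destination port for tcp/udp, None for icmp


def _parse_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src_net, src_wild = _parse_addr(tokens)
        dst_net, dst_wild = _parse_addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src_net, src_wild, dst_net, dst_wild, dport))
    return aces


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    care = 0xFFFFFFFF & ~int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, 1-based entry number).
    No match falls through to the implicit 'deny ip any any' (entry None)."""
    for idx, ace in enumerate(aces, start=1):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace.src_net, ace.src_wild):
            continue
        if not wildcard_match(pkt.dst, ace.dst_net, ace.dst_wild):
            continue
        if ace.dport is not None and pkt.dport != ace.dport:
            continue
        return ace.action, idx
    return "deny", None


# Constructed packets mirroring the lab's verification steps, plus two cases
# the lab does not try. Host addresses other than the lab's are assumed.
SAMPLE_PACKETS = {
    "hr_ping_it":       Packet("icmp", "192.168.10.10", "192.168.20.20"),
    "hr_http_web":      Packet("tcp", "192.168.10.10", "192.168.30.100", 80),
    "hr_https_web":     Packet("tcp", "192.168.10.10", "192.168.30.100", 443),
    "hr_telnet_web":    Packet("tcp", "192.168.10.10", "192.168.30.100", 23),
    "hr_ping_isp":      Packet("icmp", "192.168.10.10", "203.0.112.1"),
    "hr_ssh_other_srv": Packet("tcp", "192.168.10.10", "192.168.30.50", 22),
    "spoofed_src":      Packet("icmp", "10.9.9.9", "192.168.30.100"),
}


def desk_check(acl_text: str) -> dict:
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, text in (("HR_ACL as built", HR_ACL), ("catch-all permit first", MISORDERED_ACL)):
        print(label)
        for name, (action, idx) in desk_check(text).items():
            print(f"  {name:18s} -> {action:6s} (entry {idx if idx else 'implicit'})")
```

Two results are worth noticing. hr_ssh_other_srv is permitted by entry 5, which is the breadth of the catch-all permit described in Task 5: only the single host 192.168.30.100 is protected, not the rest of its subnet. spoofed_src is dropped by the implicit deny, because no entry has a source other than 192.168.10.0/24; with the misordered list every HR-sourced packet, including the ping to IT and the Telnet to the Web Server, matches entry 1 and is permitted.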

Verification:

Verify by pinging IT_PC from HR_PC; the ping should fail.

C:\> ping 192.168.20.20

Pinging 192.168.20.20 with 32 bytes of data:

Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.

The replies come from 192.168.10.1, the router's HR interface: the router drops the denied packet at the ACL and returns an ICMP unreachable to the sender, so a denied destination is reported by the first hop rather than by a timeout.

Now telnet to the Web Server from HR_PC on the HTTP port.

C:\> telnet 192.168.30.100 80

Trying 192.168.30.100 ...Open

(Open) means it is accessible.

Now telnet to the Web Server from HR_PC on the default Telnet port (23), which is neither HTTP nor HTTPS.

C:\> telnet 192.168.30.100

Trying 192.168.30.100 ...
% Connection timed out; remote host not responding.

This error means that HR_PC cannot reach the Web Server via Telnet: the connection is dropped by the deny ip entry for the Web Server, so the test ends in a timeout rather than an immediate refusal.

Now ping the ISP to verify access to the internet.

C:\> ping 203.0.112.1
Pinging 203.0.112.1 with 32 bytes of data:
Request timed out.
Reply from 203.0.112.1: bytes=32 time=26ms TTL=115
Reply from 203.0.112.1: bytes=32 time=24ms TTL=115
Reply from 203.0.112.1: bytes=32 time=25ms TTL=115

This means that HR_PC can access the internet. The first "Request timed out" is the usual ARP-resolution delay in Packet Tracer, not an ACL drop; the three replies that follow are traffic matched by the permit ip 192.168.10.0 0.0.0.255 any entry. On the router, show access-lists HR_ACL displays a match counter per entry, which confirms which entry each of the tests above hit, and show ip interface G0/0 confirms that the list is applied inbound.

Now exit configuration mode and save the configuration.

Router(config)#end
Router#write memory

 

Packet Tracer File

A Packet Tracer Activity (.pka) file for this lab is available as a ZIP download; the activity tracks your progress as you configure the network.