Configure Cisco IOS Firewall to use stateful packet inspection for IPv6. Configure Cisco IOS Firewall to use packet filtering for IPv6.

Transcription

1 Lab 7-3 Configuring Cisco IOS Firewall In this activity, you will configure various types of ACLs, to achieve the desired filtering objectives. After completing this activity, you will be able to meet these objectives: Configure Cisco IOS Firewall to use stateful packet inspection for IPv6. Configure Cisco IOS Firewall to use packet filtering for IPv6. Page 1

2 Required Resources The table lists the resources and equipment that are required to complete this activity. Required Resource Device Name R1 PC1 R2 PC2 Device Role in the Laboratory Wan access router for PC1; used as a default gateway for IPv4 and IPv6 traffic. End user with applications that require both IPv4 and IPv6 support by the Windows operating system and the network. WAN access router for PC2; used as a default Gateway for IPv4 and IPv6 Traffic. End user with applications that require both IPv4 and IPv6 support by the Widows operating system and the network. Note: Each PC has a NIC, named LAB, is connected to the lab network and is used in the lab activity for IPv4 and IPv6 connectivity. Command List The table describes the commands that are used in this activity. Cisco IOS Software Commands Command ipv6 access-list name ipv6 inspect audit-trail ipv6 inspect inspection-name {in out} ipv6 inspect name inspection-name [protocol] ipv6 traffic-filter show ipv6 inspect {name inspection-name config interface session [detail] all} Description Configures an IPv6 address on an interface Turns on CBAC audit trail messages Applies a set of inspection rules to an interface Defines a set of IPv6 inspection rules Enables IPv6 traffic filtering on an interface Displays CBAC configuration and session information Microsoft Windows PC Commands Page 2

3 Command Description ping IPv6-address Sends pings from Windows Job Aids These job aids are available to help you complete the lab activity: The instructor will provide you with your pod number and other pod-access information. Pod-Access Information Parameter Login password on router R1 and R2 Enable Password on router R1 and R2 Username on PC1 Password on PC1 Username on PC2 Password on PC2 Value cisco cisco Administrator <blank> Administrator <blank> Note: Router R1 and R2 is preconfigured to allow access without any credentials. Any Telnet session or console access will automatically give you access to privileged mode. The table illustrates the IPv4 and IPv6 scheme that is used in this lab exercise. Pod Addressing Device Interface IPv4 Address and Mask IPv6 Address and Mask R1 FastEthernet 0/0 10.1P.1.1/ :db9:1P1:1::1/64 R1 Serial1/ P.3.1/ :db9:1P3:1::1/64 R1 Loopback 1 Unassigned 2001:db9:1P1:100::1/64 R1 Loopback 2 Unassigned 2001:db9:1P1:200::1/64 R2 FastEthernet 0/0 10.1P.2.1/ :db9:1P2:1::1/64 R2 Serial1/ P.3.2/ :db9:1P3:1::2/64 R2 Loopback 1 Unassigned 2001:db9:1P2:100::1/64 R2 Loopback 2 Unassigned 2001:db9:1P2:200::1/64 Page 3

4 PC1 LAB 10.1P.1.2/ :db9:1P1:1::f/64 PC2 LAB 10.1P.2.2/ :db9:1P2:1::f/64 Task 1: Configure Cisco IOS Stateful Packet Inspection. The Cisco IOS Firewall provides stateful packet inspection of TCP, UDP, ICMPv6, and FTP sessions. With this feature, Cisco IOS Firewall is aware of communication paths and can watch traffic streams end to end, so it can identify which stage a connection is in. In this task, you will configure Cisco IOS Stateful Packet Inspection on R1 and R2. Step 1: On R1 and R2, revert to basic IPv6 configuration by removing IPSec tunnel configured in the previous lab. R1(config)#no interface tunnel 700 R2(config)#no interface tunnel 700 Step 2: Confirm that you can reach PC1 from PC2 by sending pings to their IPv6 addresses. PC1: C:\>ping 2001:db9:1P2:1::f Pinging 2001:db9:1P2:1::f from 2001:db9:1P1:1::f with 32 bytes of data: Reply from 2001:db9:1P2:1::f: time=21ms Reply from 2001:db9:1P2:1::f: time=28ms Reply from 2001:db9:1P2:1::f: time=9ms Reply from 2001:db9:1P2:1::f: time=20ms Ping statistics for 2001:db9:1P2:1::f: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 9ms, Maximum = 28ms, Average = 19ms PC2: C:\>ping 2001:db9:1P1:1::f Pinging 2001:db9:1P1:1::f from 2001:db9:1P2:1::f with 32 bytes of data: Reply from 2001:db9:1P1:1::f: time=18ms Reply from 2001:db9:1P1:1::f: time=24ms Reply from 2001:db9:1P1:1::f: time=15ms Reply from 2001:db9:1P1:1::f: time=29ms Page 4

5 Ping statistics for 2001:db9:1P1:1::f: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 15ms, Maximum = 29ms, Average = 21ms IP6FD v3.0 Lab Guide Step 3: On R1 and R2, configure a packet inspection named MYINSPECT with following parameters: The inspection should include TCP, UDP, and ICMP. Inspect TCP, turn on audit-trail and change the session timeout to 10 minutes. Inspect UDP, turn on audit-trail and change the session timeout to 10 seconds Inspect ICMP with default parameters R1(config)#ipv6 inspect name MYINSPECT tcp audit-trail on timeout 600 R1(config)#ipv6 inspect name MYINSPECT udp audit-trail on timeout 10 R1(config)#ipv6 inspect name MYINSPECT icmp R2(config)#ipv6 inspect name MYINSPECT tcp audit-trail on timeout 600 R2(config)#ipv6 inspect name MYINSPECT udp audit-trail on timeout 10 R2(config)#ipv6 inspect name MYINSPECT icmp Step 4: On R1 and R2, configure an ACL named WANin3 to include the following entries. Create the fist ACL entry, allows IPv6 traffic from any source to loopback1 of local router. (This entry will allow remote PC to test their connected router by accessing to loopback 1 of your router.) Create the second ACL entry, denies all other IPv6 traffics. R1(config)#ipv6 access-list WANin3 R1(config-ipv6-acl)#permit ipv6 any host 2001:db9:1P1:100::1 R1(config-ipv6-acl)#deny ipv6 any any R2(config)#ipv6 access-list WANin3 R2(config-ipv6-acl)#permit ipv6 any host 2001:db9:1P2:100::1 R2(config-ipv6-acl)#deny ipv6 any any Step 5: On R1 and R2, apply packet inspection on the Serial1/0.1 interface of local router for outbound packets towards Remote Router. Packets leaving local router will be subject to packet inspection Page 5

6 R1(config)#interface Serial1/0.1 R1(config-subif)#ipv6 inspect MYINSPECT out R2(config)#interface Serial1/0.1 R2(config-subif)#ipv6 inspect MYINSPECT out Step 6: On R1 and R2, apply the configured ACL on the Serial1/0.1 interface. Packets that come in from Remote Site to loopback1 of Local Router will be permitted for testing purpose. Packets that come in from Remote Site to local FastEthernet0/0 subnet will be blocked unless they belong to a session that is established from local PC.. R1(config)#interface Serial1/0.1 R1(config-subif)#ipv6 traffic-filter WANin3 in R2(config)#interface Serial1/0.1 R2(config-subif)#ipv6 traffic-filter WANin3 in Activity Verification You have completed this task when you attain these results: On R1 and R2, verify the inspection configuration: R1#show ipv6 inspect config Session audit trail is disabled Session alert is enabled Routing Header inspection is disabled One-minute (sampling period) thresholds are [ : ] connections max-incomplete sessions thresholds are [ : ] max-incomplete tcp connections per host is Block-time 0 miutes. tcp synwait-time is 30 sec tcp finwait-time is 5 sec tcp idle-time is 3600 sec udp idle-time is 30 sec icmp idle-time is 10 sec Session has table size is 1021 Inspection Rule Configuration Inspection name MYINSPECT Page 6

7 tcp alert is on audit-trail is on timeout 600 udp alert is on audit-trail is on time 10 icmp alert is on sudit-trail is off timeout 10 IP6FD v3.0 Lab Guide R2#show ipv6 inspect config Session audit trail is disabled Session alert is enabled Routing Header inspection is disabled One-minute (sampling period) thresholds are [ : ] connections max-incomplete sessions thresholds are [ : ] max-incomplete tcp connections per host is Block-time 0 miutes. tcp synwait-time is 30 sec tcp finwait-time is 5 sec tcp idle-time is 3600 sec udp idle-time is 30 sec icmp idle-time is 10 sec Session has table size is 1021 Inspection Rule Configuration Inspection name MYINSPECT tcp alert is on audit-trail is on timeout 600 udp alert is on audit-trail is on time 10 icmp alert is on sudit-trail is off timeout 10 On PC1 and PC2, generate two types of traffic as following. Both connections should succeed. Generate ICMP ping packets to loopback1 of remote router continuously. Telnet to loopback 1 of remote route. PC1: C:\>ping -t 2001:db9:1P2:100::1 PC1: C:\>telnet 2001:db9:1P2:100::1 PC2: C:\>ping t 2001:db9:1P1:100::1 PC2: C:\>telnet 2001:db9:1P1:100::1 On R1 and R2, reviews the established IPv6 inspect session for sessions. A half-open session should be inspected when remote site is doing the ICMP testing continuously. R1#show ipv6 inspect sessions Page 7

8 Established Sessions Session 67AD8060 (2001:DB9:1P1:1::F:1035)=>(2001:DB9:1P2:100::1:23) tcp SIS_OPEN Session 67AD7D10 (2001:DB9:1P1:1::F:0)=>(2001:DB9:1P2:100::1:0) tcp SIS_OPEN Half-open Sessions Session 67AD7EB8 (2001:DB9:1P2:1::F:0)=>(2001:DB9:1P1:100:1:0) icmp SIS_OPENING R2#show ipv6 inspect sessions Established Sessions Session 67ACB12C (2001:DB9:1P2:1::F:1025)=>(2001:DB9:1P1:100::1:23) tcp SIS_OPEN Session 67ACB2D4 (2001:DB9:1P2:1::F:0)=>(2001:DB9:1P1:100:1:0) icmp SIS_OPEN Half-open Sessions Session 67ACB47C (2001:DB9:1P1:1::F:0)=>(2001:DB9:1P2:100:1:0) icmp SIS_OPENING On PC1 and PC2, disconnect both ICMP and Telnet sessions. On R1 and R2, observe the logging message from logging buffer. R1#show logging R2#show logging Tell your instructor that you have completed this lab. Page 8