Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Transcription

1 Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance Objective Scenario Estimated Time: 20 minutes Number of Team Members: Two teams with four students per team In this lab exercise, students will complete the following tasks: Display the fixup protocol configurations Change the fixup protocol configurations Test the outbound File Transfer Protocol (FTP) fixup protocol Test the inbound FTP fixup protocol Set the fixup protocols to the default settings Some applications embed addressing information into the application data stream and negotiate randomly picked Transport Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers or IP addresses. In these cases application aware inspection, fixup, must be performed. This is to ensure that only proper and expected traffic will be allowed through the filter inspection, in a secure manner. The fixup function on a PIX Security Appliance allows a network administrator to configure specific ports used by various applications. In this lab, students will configure fixup for FTP. 1-7 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

2 Topology This figure illustrates the lab network environment. Preparation Begin with the standard lab topology and verify the standard configuration on the pod PIX Security Appliances. Access the PIX Security Appliance console port using the terminal emulator on the student PC. If desired, save the PIX Security Appliance configuration to a text file for later analysis. Tools and resources In order to complete the lab, the standard lab topology is required: Two pod PIX Security Appliances Two student PCs One SuperServer Backbone switch and one backbone router Two console cables HyperTerminal Additional materials Further information about the objectives covered in this lab can be found at, Additional information on configuring firewalls can be found in, Cisco Secure PIX Firewall by David Chapman and Andy Fox (ISBN ). Command list In this lab exercise, the following commands will be used. Refer to this list if assistance or help is needed during the lab exercise. 2-7 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

3 Command clear fixup fixup protocol no fixup protocol show fixup protocol Description Resets fixup protocol command statements to their default values. Modifies PIX Security Appliance protocol fixups to add, delete, or change services and feature defaults. Configuration mode. Delete the PIX Security Appliance protocol fixups services. Displays the port values for the individual protocol specified. Step 1 List the Fixup Protocols Complete the following step and enter the command as directed to see the current configurations of the PIX Security Appliance: a. List the fixup protocols that are running on the PIX Security Appliance: PixP(config)# show fixup protocol 1. Complete the table with the ports assigned to the fixup protocols: ftp http h323 h225 h323 ras ils rsh rtsp smtp sqlnet sip skinny 3-7 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

4 Step 2 Disable the Fixup Protocols Complete the following steps and enter the commands as directed to change some of the current configurations of the PIX Security Appliance: a. Disable the following fixup protocols: PixP(config)# no fixup protocol http 80 PixP(config)# no fixup protocol smtp 25 PixP(config)# no fixup protocol h323 h PixP(config)# no fixup protocol sqlnet 1521 b. Define a range of ports for SQL*Net connections: PixP(config)# fixup protocol sqlnet c. Verify the fixup protocol settings using the show fixup protocol command: PixP(config)# show fixup protocol fixup protocol ftp 21 fixup protocol h323 ras fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol skinny 2000 no fixup protocol http 80 no fixup protocol smtp 25 no fixup protocol h323 h fixup protocol sqlnet Step 3 Test the Outbound FTP Fixup Protocol Complete the following steps and enter the commands as directed to test the outbound FTP fixup protocol: a. Enable console logging on the PIX Security Appliance: PixP(config)# logging console debug PixP(config)# logging on b. FTP to the backbone server from the student PC using the Windows FTP client: C:\> ftp User ( :(none)): anonymous Password: user@ c. Do a directory listing at the FTP prompt: ftp> dir 2. What logging messages were generated on the PIX Security Appliance console? 4-7 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

5 d. Quit the FTP session: ftp> quit e. Turn off the FTP fixup protocol on the PIX Security Appliance: PixP(config)# no fixup protocol ftp f. Again, FTP to the backbone server from the student PC using the Windows FTP client: C:\> ftp User ( :(none)): anonymous Password: 3. Was logging into the server successful? Why or why not? g. Do a directory listing at the FTP prompt: ftp> dir 4. Was the file listing displayed? Why or why not? h. Quit the FTP session: ftp> quit i. If the FTP client has stopped, press Ctrl + C to break back to the C:\ prompt or close the command prompt window. j. FTP to the backbone server from the student PC using the web browser. To do this, enter the following in the URL field: ftp:// Was the connection successful? Why or why not? 6. Was the file listing available? Why or why not? k. Close the web browser. 5-7 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

6 Step 4 Test the Inbound FTP Fixup Protocol Complete the following steps and enter the commands as directed to test the inbound FTP fixup protocol: a. Re-enable the FTP fixup protocol on the PIX Security Appliance: PixP(config)# fixup protocol ftp 21 b. FTP to a peer pod bastion host from the student PC using the web browser. To do this, enter the following in the URL field: ftp:// q.11 (where Q = peer pod) The instructor assigns the peer pod number. 7. What logging messages were generated on the PIX Security Appliance console? c. Close the web browser. d. Turn off the FTP fixup protocol on the PIX Security Appliance: PixP(config)# no fixup protocol ftp e. FTP to a peer pod bastion host from the student PC using the web browser. To do this, enter the following in the URL field: ftp:// q.11 (where Q = peer pod) The instructor assigns the peer pod number. 8. Was the connection to the peer pod inside FTP server successful? Why or why not? 9. Was the file listing available? Why or why not? Step 5 Set All Fixups to the Factory Default Complete the following steps and enter the commands as directed to set all fixups to the factory default: a. Set all fixup protocols to the factory defaults: PixP(config)# clear fixup b. Verify the fixup protocol settings: PixP(config)# show fixup protocol fixup protocol ftp 21 fixup protocol http Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

7 fixup protocol h323 h fixup protocol h323 ras fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 fixup protocol skinny Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.