Lab 3.8.3 Configure Cisco IOS Firewall CBAC on a Cisco Router



Similar documents
Lab Configure Cisco IOS Firewall CBAC

Configure Cisco IOS Firewall to use stateful packet inspection for IPv6. Configure Cisco IOS Firewall to use packet filtering for IPv6.

Lab Configure IOS Firewall IDS

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

Network Security 1. Module 8 Configure Filtering on a Router

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Firewall Stateful Inspection of ICMP

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Security

Lab Exercise Configure the PIX Firewall and a Cisco Router

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

Lab Developing ACLs to Implement Firewall Rule Sets

Virtual Fragmentation Reassembly

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

FIREWALLS & CBAC. philip.heimer@hh.se

Lab Configuring the PIX Firewall as a DHCP Server

CCNA Access List Sim

Securing Networks with PIX and ASA

RSA Security Analytics

Chapter 4: Lab A: Configuring CBAC and Zone-Based Firewalls

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering

Lab 5.5 Configuring Logging

Lab QoS Classification and Policing Using CAR

Lab Characterizing Network Applications

Firewall Support for SIP

Internetwork Expert s CCNA Security Bootcamp. IOS Firewall Feature Set. Firewall Design Overview

Cisco Configuring Commonly Used IP ACLs

IOS Zone Based Firewall Step-by-Step Basic Configuration

Lab Configure a PIX Firewall VPN

Lab Diagramming Intranet Traffic Flows

Firewall Technologies. Access Lists Firewalls

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Lab 6.1 Configuring a Cisco IOS Firewall Using SDM

Firewall Authentication Proxy for FTP and Telnet Sessions

Lab Diagramming External Traffic Flows

How To Lower Data Rate On A Network On A 2Ghz Network On An Ipnet 2 (Net 2) On A Pnet 2 On A Router On A Gbnet 2.5 (Net 1) On An Uniden Network On

Cisco Firewall Technology

Lab Analyzing Network Traffic

Troubleshooting the Firewall Services Module

LAB II: Securing The Data Path and Routing Infrastructure

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Table of Contents. Configuring IP Access Lists

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Firewall Stateful Inspection of ICMP

Lab Configure Intrusion Prevention on the PIX Security Appliance

Lab a Configure Remote Access Using Cisco Easy VPN

Lab Configuring Access Policies and DMZ Settings

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

Lab Configure Syslog on AP

Adding an Extended Access List

TABLE OF CONTENTS NETWORK SECURITY 1...1

Lab Load Balancing Across Multiple Paths

Introduction of Intrusion Detection Systems

Configuring Static and Dynamic NAT Simultaneously

Configuring Denial of Service Protection

Lab Configure Basic AP Security through IOS CLI

Lab 8: Confi guring QoS

CSCE 465 Computer & Network Security

CCIE R&S Lab Workbook Volume I Version 5.0

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Security and Access Control Lists (ACLs)

Lab: Basic Router Configuration

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

Troubleshooting the Firewall Services Module

Skills Assessment Student Training Exam

Configuring NetFlow Secure Event Logging (NSEL)

1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Procedure: You can find the problem sheet on Drive D: of the lab PCs. Part 1: Router & Switch

Integrated Cisco Products

Lab 2.5.2a Configure SSH

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example

Lab Objectives & Turn In

Network Security 2. Module 2 Configure Network Intrusion Detection and Prevention

TROUBLESHOOTING FIREWALLS

Cisco ASA, PIX, and FWSM Firewall Handbook

LAB Configuring NAT. Objective. Background/Preparation

Firewall Design Principles

Chapter 11 Network Address Translation

Firewalls (IPTABLES)

Objectives. Router as a Computer. Router components and their functions. Router components and their functions

Lab Advanced Telnet Operations

Configuring the Content Routing Software

Objectives. Background. Required Resources. CCNA Security

PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

Lab assignment #1 Firewall operation and Access Control Lists

Lab Configure Remote Access Using Cisco Easy VPN

Lab Review of Basic Router Configuration with RIP. Objective. Background / Preparation. General Configuration Tips

PIX/ASA 7.x with Syslog Configuration Example

Configuring a Backup Path Test Using Network Monitoring

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

Chapter 2 Lab 2-2, Configuring EtherChannel Instructor Version

A Model Design of Network Security for Private and Public Data Transmission

Transcription:

Lab 3.8.3 Configure Cisco IOS Firewall CBAC on a Cisco Router Objective Scenario Topology Estimated Time: 35 minutes Number of Team Members: Two teams with four students per team In this lab exercise, students will complete the following tasks: Configure logging and audit trails. Define and apply inspection rules access control lists (ACLs). Test and verify Context-based Access Control (CBAC). The task in this exercise is to configure CBAC on a Cisco router. Student groups will work individually to perform the following steps in this lab exercise: Step 1 Configure logging and audit trails Step 2 Define and apply inspection rules for ACLs Step 3 Test and verify CBAC This figure illustrates the network environment students will create: 1-6 Fundamentals of Network Security v 1.0 - Lab 3.8.3 Copyright 2003, Cisco Systems, Inc.

Preparation Begin with the standard lab topology and verify the standard router configuration on pod routers. Test the connectivity between the pod routers. Access the perimeter router console port using the terminal emulator on the student PC. If desired, save the router configuration to a text file for later analysis. Refer back to the Student Lab Orientation if more help is needed. Tools and resources In order to complete this lab, the following resources are required: Two pod routers Two inside hosts One SuperServer Additional materials One switch and one backbone router Further information about the objectives covered in this lab can be found at the following websites: Command list http://www.cisco.com/en/us/products/sw/iosswrel/ps1831/products_configuration_guide_ch apter09186a00800d981a.html http://www.cisco.com/en/us/products/sw/secursw/ps1018/products_tech_note09186a00800 94112.shtml http://www.cisco.com/warp/public/110/32.html These commands will be used throughout the lab. Students should be familiar with these commands. Command access-list ip accessgroup ip inspect audit-trail ip inspect name logging show accesslists show ip inspect write memory Description Command used to configure an ACL. Command used to assign an ACL to an interface. Command used to configure a CBAC audit trail. Command used to define a CBAC rule. Command used to enable logging. Command used to display configured access lists. Command used to verify CBAC operation. Command used to save the running configuration to the 2-6 Fundamentals of Network Security v 1.0 - Lab 3.8.3 Copyright 2003, Cisco Systems, Inc.

Command Description startup configuration. Step 1 Configure Logging and Audit Trails To configure logging and audit trails, complete the following steps: a. Enable logging to the console and the Syslog server. RouterP(config)# logging on RouterP(config)# logging 10.0.P.12 (where P = pod number) b. Enable the audit trail. Router(config)# ip inspect audit-trail c. Save the configuration and return to global configuration mode. RouterP(config)# end RouterP# write memory 1. What command shows detailed logging information? 2. What command will erase the entries in the logging buffer? Step 2 Define and Apply Inspection Rules ACLs a. Define a CBAC rule to inspect all TCP and FTP traffic. RouterP(config)# ip inspect name FWRULE tcp timeout 300 RouterP(config)# ip inspect name FWRULE ftp timeout 300 b. Define the ACLs to allow outbound Internet Control Message Protocol (ICMP) traffic and CBAC traffic. Block all other inside initiated traffic. RouterP(config)# access-list 101 permit icmp any any RouterP(config)# access-list 101 permit ip 10.0.P.0 0.0.0.255 any RouterP(config)# access-list 101 deny ip any any (where P = pod number) c. Define ACLs to allow inbound ICMP traffic and CBAC traffic such as FTP and WWW to the inside web or FTP server. Block all other outside initiated traffic. RouterP(config)# access-list 102 permit eigrp any any RouterP(config)# access-list 102 permit icmp any any (where P = pod number) d. Apply the inspection rule and the ACL to the inside interface. RouterP(config)# interface fa 0/0 3-6 Fundamentals of Network Security v 1.0 - Lab 3.8.3 Copyright 2003, Cisco Systems, Inc.

RouterP(config-if)# ip inspect FWRULE in RouterP(config-if)# ip access-group 101 in e. Apply the ACL to the outside interface. RouterP(config-if)# interface fa 0/1 RouterP(config-if)# ip access-group 102 in f. Save the configuration and return to global configuration mode. RouterP(config-if)# end RouterP# write memory Step 3 Test and Verify CBAC a. Complete the following steps to test and verify CBAC: i. Check the ACLs. RouterP# show access-lists 3. In the output for the show access-lists command, how many matches for Enhanced Interior Gateway Routing Protocol (EIGRP) packets are in access list 102? ii. From the MS command prompt, ping the SuperServer. C:\>ping 172.26.26.50 Pinging 172.26.26.50 with 32 bytes of data: iii. Use the web browser to connect to the SuperServer. Enter http://172.26.26.50 in the URL field. iv. Connect to the SuperServer by using an anonymous FTP: C:\> ftp 172.26.26.50... User (10.0.P.12:(none)): anonymous... Password: user@ (where Q = peer pod number) v. Use the following show commands to verify CBAC configuration: RouterP# show ip inspect name FWRULE Inspection name FWRULE 4-6 Fundamentals of Network Security v 1.0 - Lab 3.8.3 Copyright 2003, Cisco Systems, Inc.

RouterP# show ip inspect config Session audit trail is enabled Session alert is enabled one-minute (sampling period) thresholds are [400:500] connections max-incomplete sessions thresholds are [400:500] max-incomplete tcp connections per host is 50. Block-time 0 minute. tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec tcp idle-time is 3600 sec -- udp idle-time is 30 sec dns-timeout is 5 sec Inspection Rule Configuration Inspection name FWRULE RouterP# show ip inspect interfaces Interface Configuration Interface FastEthernet0/0 Inbound inspection rule is FWRULE Outgoing inspection rule is not set Inbound access list is 101 Outgoing access list is not set vi. Use the following show commands to verify CBAC operation: RouterP# show ip inspect sessions Half-open Sessions Session 82A6A284 (10.0.P.12:1314)=>(172.26.26.50:80) tcp Session 82A69FB4 (10.0.P.12:1312)=>(172.26.26.50:21) ftp RouterP# show ip inspect sessions detail Half-open Sessions Session 82A6A284 (10.0.P.12:1314)=>(172.26.26.50:80) tcp Created 00:00:09, Last heard 00:00:09 Bytes sent (initiator:responder) [0:0] acl created 1 Inbound access-list 102 applied to interface FastEthernet0/1 Session 82A69FB4 (10.0.P.12:1312)=>(172.26.26.50:21) ftp Created 00:00:23, Last heard 00:00:18 Bytes sent (initiator:responder) [0:0] acl created 1 5-6 Fundamentals of Network Security v 1.0 - Lab 3.8.3 Copyright 2003, Cisco Systems, Inc.

Inbound access-list 102 applied to interface FastEthernet0/1 RouterP# show ip inspect all Session audit trail is enabled Session alert is enabled one-minute (sampling period) thresholds are [400:500] connections max-incomplete sessions thresholds are [400:500] max-incomplete tcp connections per host is 50. Block-time 0 minute. tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec tcp idle-time is 3600 sec -- udp idle-time is 30 sec dns-timeout is 5 sec Inspection Rule Configuration Inspection name FWRULE Interface Configuration Interface FastEthernet0/0 Inbound inspection rule is FWRULE Outgoing inspection rule is not set Inbound access list is 101 Outgoing access list is not set Half-open Sessions Session 82A6A284 (10.0.P.12:1314)=>(172.26.26.50:80) tcp vii. Use the show access-list command to display the Context-based Access List. Notice the access lists differs from that of Step 3a. CBAC has analyzed the traffic and created FTP and WWW permit statements. CBAC has created the permit statements because the traffic is permitted in the configured access lists (101 and 102). The statements will be removed after the ip inspect timeout value have expired. RouterP#show access-list Extended IP access list 101 permit icmp any any permit ip 10.0.P.0 0.0.0.255 any (354 matches) deny ip any any Extended IP access list 102 permit tcp host 172.26.26.50 eq ftp host 10.0.P.12 eq 1315 permit tcp host 172.26.26.50 eq www host 10.0.P.12 eq 1320 permit eigrp any any (57 matches) permit icmp any any 6-6 Fundamentals of Network Security v 1.0 - Lab 3.8.3 Copyright 2003, Cisco Systems, Inc.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information