Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets




All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Device              Interface   IP Address
SFC-ASW             VLAN 1      10.1.1.253/24
SR1                 Fa0/1       10.1.1.254/24
                    S0/1/0      10.1.0.1/30
Edge2               S0/1/0      10.1.0.2/30
                    S0/1/1      10.3.0.1/30
BR4                 S0/1/1      10.3.0.2/30
                    Fa0/0       172.17.0.1/16
                    Fa0/1       10.3.1.254/24
FC-ASW-2            VLAN 1      172.17.1.25/16
FC-ASW-1            VLAN 1      10.3.1.253/24
PC1                 -           10.1.1.1/24
PC2                 -           10.3.1.1/24
Production Server   -           172.17.1.1/16

Objectives

- Interpret a security policy to define firewall rules.
- Create ACL statements to implement firewall rules.
- Configure and test ACLs.

640-802 CCNA Exam Objectives

This lab contains skills that relate to the following CCNA exam objectives:

- Describe the purpose and types of ACLs.
- Configure and apply ACLs based on network filtering requirements, including CLI/SDM.
- Configure and apply ACLs to limit Telnet and SSH access to the router using SDM/CLI.
- Verify and monitor ACLs in a network environment.
- Troubleshoot ACL issues.

Expected Results and Success Criteria

Before starting this lab, read through the tasks that you are expected to perform. What do you expect the result of performing these tasks will be?

What are the inherent risks of not using an ACL to secure network traffic?

What are several methods to limit the flow of traffic into and out of LANs or WANs?

Background / Preparation

The FilmCompany provides services to branch offices such as the one located at the stadium. This office has some minor security and performance concerns. These concerns will require the network designer to incorporate several ACLs to secure the network. The ACLs need to be implemented as a simple and effective tool to control traffic.

Given a security policy for the FilmCompany, create a firewall rule set and implement Named Extended ACLs to enforce the rule set. The security policy for the FilmCompany has a section that relates to access from remote sites. Here is the text from the security policy:

Security Policy

Users accessing the network from remote locations, including remote branch offices, require the following access to the on-site network resources:

1. Remote users must be able to access the Production Server in order to view their schedules over the web and to enter new orders.
2. Remote users must be able to FTP files to and from the Production Server.
3. Remote users can use the Production Server to send and retrieve email using IMAP and SMTP protocols.
4. Remote users must not be able to access any other services available on the Production Server.
5. No traffic is permitted from individual workstations at the main office to remote worker workstations. Any files that need to be transferred between the two sites must be stored on the Production Server and retrieved via FTP.
6. No traffic is permitted from workstations at the remote site to workstations at the main site.
7. No Telnet traffic is permitted from the remote site workstations to any devices, except their local switch.
Step 1: Cable and connect the network as shown in the topology diagram

NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so that these can be restored at the conclusion of the lab.

a. Connect and configure the devices in accordance with the given topology and configuration. Routing will have to be configured across the serial links to establish data communications.

NOTE: Your instructor may substitute an equivalent server for the Production Server in this lab.

b. Configure Telnet access on each router.

c. Ping between Host1, Host2, and the Production Server to confirm network connectivity. Troubleshoot and establish connectivity if the pings or Telnet fail.

Step 2: Perform basic router configurations

a. Configure the network devices according to the following guidelines:
   - Configure the hostnames on each device.
   - Configure an EXEC mode password of class.
   - Configure a password of cisco for console connections.
   - Configure a password of cisco for vty connections.
   - Configure IP addresses on all devices.
   - Enable EIGRP on all routers and configure each to advertise all of the connected networks.
   - Verify full IP connectivity using the ping command.

b. Confirm Application Layer connectivity by telnetting to all routers.

Step 3: Create firewall rule set and access list statements

Using the security policy information for the FilmCompany remote access, create the firewall rules that must be implemented to enforce the policy. After the firewall rule is documented, create the access list statement that will implement the firewall rule. There may be more than one statement necessary to implement a rule. An example of one of the firewall rules is shown:

Security Policy 1: Remote users must be able to access the Production Server to view their schedules over the web and to enter new orders.

Firewall rule: Permit users on the 10.1.1.0/24 network access to the Production Server (172.17.1.1) on TCP port 80.

Access list statement:
    permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 80

Placement: Inbound on router SR1 Fa0/1 (remember that extended ACLs should be placed as close as possible to the source of the traffic).

For each of the following security policies:

a. Create a firewall rule.
b. Create an access list statement.
c. Determine the access list placement to implement the firewall rule.

Security Policy 2: Remote users must be able to FTP files to and from the Production Server.

Security Policy 3: Remote users can use the Production Server to send and retrieve email using IMAP and SMTP protocols.

Security Policy 4: Remote users must not be able to access any other services available on the Production Server.

Security Policy 5: No traffic is permitted from individual workstations at the main office to remote worker workstations. Any files that need to be transferred between the two sites must be stored on the Production Server and retrieved via FTP.

Security Policy 6: No traffic is permitted from workstations at the remote site to workstations at the main site.

Security Policy 7: No Telnet traffic is permitted from the remote site workstations to any devices, except their local switch.

Step 4: Create Extended ACLs

a. Review the access list placement information that you created to implement each of the FilmCompany security policies. List all of the different access list placements that you noted above. Based on the placement information, how many access lists do you have to create?

   On Router SR1:
   On Router Edge2:
   On Router BR4:

b. Based on the access list statements you developed in Step 3, create each access list that is needed to implement the security policies. When creating access lists, remember the following principles:
   - Only one access list can be applied per protocol, per direction on each interface.
   - Access list statements are processed in order.
   - Once an access list is created and applied on an interface, all traffic that does not match any access list statement will be dropped.

c. Use a text file to create the access lists, or write them here. Evaluate each access list statement to ensure that it will filter traffic as intended.

Why is the order of access list statements so important?

Step 5: Configure and test access lists

a. Configure the access lists on the appropriate routers and apply them to the correct interfaces. Name the access lists with representative names, like RemoteOffice or FilterRemote.

   Access list names:

b. Test the access lists and their placement by performing the following tests:
   1) Using Host1, open a browser and attempt to view a web page located on the Production Server using the http://172.17.1.1 address.
   2) Using Host1, open a browser and attempt to connect to the Production Server using ftp://172.17.1.1.
   3) Using Host1, attempt to Telnet to any address on any of the routers or switches.
   4) Using Host1, attempt to ping Host2.
   5) Using Host2, attempt to ping Host1.

Did your ACLs perform as you expected? If not, correct and retest the ACLs and their placement within the network.

Step 6: Document the router configurations

Copy and save the running-configuration outputs from all routers into a word processing document to view their configurations.
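The following is an added illustration, not part of the Cisco lab: a small Python model of how an IOS extended ACL is evaluated, so the three principles from Step 4 (one list per interface and direction, first match wins, implicit deny at the end) can be checked against the Step 3 example statement and the Step 5 tests before anything is typed into a router. Only the first entry of REMOTE_OFFICE comes from the page; the second entry, the Host1 test packets and the helper names are assumptions made here, not the lab's answer key.

```python
import ipaddress

# Added illustration (not the lab's code): models IOS extended-ACL processing
# from Step 4: entries checked in order, first match wins, implicit deny last.

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return tokens[1:], ("0.0.0.0", "255.255.255.255")
    if tokens[0] == "host":
        return tokens[2:], (tokens[1], "0.0.0.0")
    return tokens[2:], (tokens[0], tokens[1])

def _addr_match(addr, spec):
    # Wildcard-mask compare: bits set in the wildcard are "don't care" bits.
    base, wildcard = (int(ipaddress.ip_address(x)) for x in spec)
    return (int(ipaddress.ip_address(addr)) & ~wildcard) == (base & ~wildcard)

def parse_ace(line):
    """Parse e.g. 'permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 80'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    rest, src = _parse_addr(rest)
    rest, dst = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport=None):
    """Return (verdict, matching entry) for one packet; first match wins."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_addr_match(src, ace["src"]) and _addr_match(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line
    return "deny", "implicit deny"   # nothing matched: IOS drops the packet

REMOTE_OFFICE = [
    "permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 80",  # Step 3 example (Policy 1)
    "deny ip 10.1.1.0 0.0.0.255 host 172.17.1.1",           # assumed catch-all (Policy 4)
]

def step5_tests(acl):
    """Verdicts for the Step 5 checks from Host1 (10.1.1.1); constructed sample packets."""
    return {
        "web":    evaluate(acl, "tcp", "10.1.1.1", "172.17.1.1", 80)[0],
        "ftp":    evaluate(acl, "tcp", "10.1.1.1", "172.17.1.1", 21)[0],
        "telnet": evaluate(acl, "tcp", "10.1.1.1", "10.1.1.254", 23)[0],
        "ping":   evaluate(acl, "icmp", "10.1.1.1", "10.3.1.1")[0],
    }
```

Running step5_tests on REMOTE_OFFICE permits only the web test, while step5_tests(REMOTE_OFFICE[::-1]) denies the web test as well, which is the ordering problem the question above asks about; the ping result also shows why the EIGRP and ICMP traffic a real deployment needs must be permitted explicitly before the implicit deny.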

Step 7: Reflection

The design strategies for the FilmCompany LAN pose many challenges for the designer. What were a few of the more difficult challenges of creating an ACL you encountered?

Consider and discuss the identified strategies. Do all of the strategies designed or hardware identified accomplish the task the same way? Would one ACL work better than another? Would the chosen ACL design allow for future growth and the addition of more hosts on the LAN segment?