Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Transcription

1 Lab Configure Cisco IOS Firewall CBAC on a Cisco Router Objective Scenario Topology Estimated Time: 35 minutes Number of Team Members: Two teams with four students per team In this lab, students will complete the following tasks: Configure logging and audit trails. Define and apply inspection rules access control lists (ACLs). Test and verify Context-based Access Control (CBAC). The task in this exercise is to configure CBAC on a Cisco router. Student groups will work individually to perform the following steps in this lab exercise: Step 1 Configure logging and audit trails Step 2 Define and apply inspection rules for ACLs Step 3 Test and verify CBAC This figure illustrates the network environment students will create: 1-6 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

2 Preparation Begin with the standard lab topology and verify the standard router configuration on pod routers. Test the connectivity between the pod routers. Access the perimeter router console port using the terminal emulator on the student PC. If desired, save the router configuration to a text file for later analysis. Refer back to the Student Lab Orientation if more help is needed. Tools and resources In order to complete this lab, the following resources are required: Two pod routers Two inside hosts One SuperServer Additional materials One switch and one backbone router Further information about the objectives covered in this lab can be found at the following websites: Command list apter09186a00800d981a.html shtml These commands will be used throughout the lab. Students should be familiar with these commands. Command access-list ip access-group ip inspect audittrail ip inspect name logging show access-lists show ip inspect write memory Description Command used to configure an ACL. Command used to assign an ACL to an interface. Command used to configure a CBAC audit trail. Command used to define a CBAC rule. Command used to enable logging. Command used to display configured access lists. Command used to verify CBAC operation. Command used to save the running configuration to the startup configuration. 2-6 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

3 Step 1 Configure Logging and Audit Trails To configure logging and audit trails, complete the following steps: a. Enable logging to the console and the Syslog server. RouterP(config)# logging on RouterP(config)# logging 10.0.P.12 (where P = pod number) b. Enable the audit trail. Router(config)# ip inspect audit-trail c. Save the configuration and return to global configuration mode. RouterP(config)# end RouterP# write memory 1. What command shows detailed logging information? 2. What command will erase the entries in the logging buffer? Step 2 Define and Apply Inspection Rules ACLs a. Define a CBAC rule to inspect all TCP and FTP traffic. RouterP(config)# ip inspect name FWRULE tcp timeout 300 RouterP(config)# ip inspect name FWRULE ftp timeout 300 b. Define the ACLs to allow outbound Internet Control Message Protocol (ICMP) traffic and CBAC traffic. Block all other inside initiated traffic. RouterP(config)# access-list 101 permit icmp any any RouterP(config)# access-list 101 permit ip 10.0.P any RouterP(config)# access-list 101 deny ip any any (where P = pod number) c. Define ACLs to allow inbound ICMP traffic and CBAC traffic such as FTP and WWW to the inside web or FTP server. Block all other outside initiated traffic. RouterP(config)# access-list 102 permit eigrp any any RouterP(config)# access-list 102 permit icmp any any (where P = pod number) d. Apply the inspection rule and the ACL to the inside interface. RouterP(config)# interface fa 0/0 RouterP(config-if)# ip inspect FWRULE in RouterP(config-if)# ip access-group 101 in e. Apply the ACL to the outside interface. RouterP(config-if)# interface fa 0/1 3-6 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

4 RouterP(config-if)# ip access-group 102 in f. Save the configuration and return to global configuration mode. RouterP(config-if)# end RouterP# write memory Step 3 Test and Verify CBAC a. Complete the following steps to test and verify CBAC: i. Check the ACLs. RouterP# show access-lists 3. In the output for the show access-lists command, how many matches for Enhanced Interior Gateway Routing Protocol (EIGRP) packets are in access list 102? ii. From the MS command prompt, ping the SuperServer. C:\>ping Pinging with 32 bytes of data: iii. Use the web browser to connect to the SuperServer. Enter in the URL field. iv. Connect to the SuperServer by using an anonymous FTP: C:\> ftp User (10.0.P.12:(none)): anonymous... Password: user@ (where Q = peer pod number) v. Use the following show commands to verify CBAC configuration: RouterP# show ip inspect name FWRULE Inspection name FWRULE 4-6 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

5 RouterP# show ip inspect config Session audit trail is enabled Session alert is enabled one-minute (sampling period) thresholds are [400:500] connections max-incomplete sessions thresholds are [400:500] max-incomplete tcp connections per host is 50. Block-time 0 minute. tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec tcp idle-time is 3600 sec -- udp idle-time is 30 sec dns-timeout is 5 sec Inspection Rule Configuration Inspection name FWRULE RouterP# show ip inspect interfaces Interface Configuration Interface FastEthernet0/0 Inbound inspection rule is FWRULE Outgoing inspection rule is not set Inbound access list is 101 Outgoing access list is not set vi. Use the following show commands to verify CBAC operation: RouterP# show ip inspect sessions Half-open Sessions Session 82A6A284 (10.0.P.12:1314)=>( :80) tcp Session 82A69FB4 (10.0.P.12:1312)=>( :21) ftp RouterP# show ip inspect sessions detail Half-open Sessions Session 82A6A284 (10.0.P.12:1314)=>( :80) tcp Created 00:00:09, Last heard 00:00:09 Bytes sent (initiator:responder) [0:0] acl created 1 Inbound access-list 102 applied to interface FastEthernet0/1 Session 82A69FB4 (10.0.P.12:1312)=>( :21) ftp Created 00:00:23, Last heard 00:00:18 Bytes sent (initiator:responder) [0:0] acl created Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

6 Inbound access-list 102 applied to interface FastEthernet0/1 RouterP# show ip inspect all Session audit trail is enabled Session alert is enabled one-minute (sampling period) thresholds are [400:500] connections max-incomplete sessions thresholds are [400:500] max-incomplete tcp connections per host is 50. Block-time 0 minute. tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec tcp idle-time is 3600 sec -- udp idle-time is 30 sec dns-timeout is 5 sec Inspection Rule Configuration Inspection name FWRULE Interface Configuration Interface FastEthernet0/0 Inbound inspection rule is FWRULE Outgoing inspection rule is not set Inbound access list is 101 Outgoing access list is not set Half-open Sessions Session 82A6A284 (10.0.P.12:1314)=>( :80) tcp vii. Use the show access-list command to display the Context-based Access List. Notice the access lists differs from that of Step 3a. CBAC has analyzed the traffic and created FTP and WWW permit statements. CBAC has created the permit statements because the traffic is permitted in the configured access lists (101 and 102). The statements will be removed after the ip inspect timeout value has expired. RouterP#show access-list Extended IP access list 101 permit icmp any any permit ip 10.0.P any (354 matches) deny ip any any Extended IP access list 102 permit tcp host eq ftp host 10.0.P.12 eq 1315 permit tcp host eq www host 10.0.P.12 eq 1320 permit eigrp any any (57 matches) permit icmp any any 6-6 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.