Lab 10.8.2.2 Context Based Access Control (Advanced configuration)

Objectives:

  • Demonstrate the use of Context Based Access Control.

Equipment Requirements:

  • Two Routers
  • One Switch with two VLANS set or two switches or two hubs
  • Two workstations

Preliminary:

Before programming the routers, make sure that the IOS version on Router-B supports context based access control (firewall). Load a new IOS version if necessary. Construct the above network, using IGRP as your routing protocol. Use the network address 172.32.3.0/24 on the serial link between the two routers. The router IP configurations are as follows:

Router A                  Router B
E0 = 172.32.4.1           E0 = 172.32.2.1
S0 = 172.32.3.1           S1 = 172.32.3.2
SM = 255.255.255.0        SM = 255.255.255.0

When construction of the network is complete, verify that the routers can communicate and are sharing their routing tables. Also verify that the workstations can communicate with each other correctly. For verification use the show ip route command, show interfaces command, show running-config command, ping, telnet, and any other relevant command(s).

Scenario

For this Lab we will be using Router-B as the border router where we will configure the context based access control (firewall). We want to prevent the users outside of subnetwork 172.32.2.0 from accessing subnetwork 172.32.2.0. However, the users inside the subnetwork need to have access out and be able to receive information back. We want to permit TCP, UDP, and ICMP traffic out. By default, only IGRP, and certain ICMP messages should be allowed back into the 172.32.2.0 network. The firewall should modify the incoming access list to permit FTP, and HTTP return traffic back in to the 172.32.2.0 network.

From the "Router-B" console:

Step 1

Enter the EXEC mode.

Step 2

Enter the configuration mode by entering configure terminal command at the router prompt.

Step 3

Determine if the access list should be applied to an internal interface or an external interface. For our example we will be applying it to the external interface of S1.

Step 4

Set up the outgoing access list to permit CBAC traffic to leave the network through the firewall:

Enter access-list 104 permit tcp 172.32.2.0 0.0.0.255 any
Enter access-list 104 permit udp 172.32.2.0 0.0.0.255 any
Enter access-list 104 permit icmp 172.32.2.0 0.0.0.255 any
Enter access-list 104 deny ip any any


Question - Describe what this access list does.

Step 5

Set up the incoming access list to deny CBAC return traffic from entering the network. Start with an access list entry denying any traffic whose source address matches an address on the protected network (an outside packet carrying an inside source address is spoofed), then add access list entries to permit certain ICMP return messages. These ICMP statements are added to allow administratively prohibited, echo, echo reply, packet too big, traceroute, time exceeded, and unreachable messages to return. Traffic with a source address of 255.255.255.255 should also be denied from entering the protected network.


Enter access-list 114 deny ip 255.255.255.255 0.0.0.0 any
Enter access-list 114 deny ip 172.32.2.0 0.0.0.255 any
Enter access-list 114 permit igrp any any

Question - Why did we permit igrp?

Question - What if we were running EIGRP, how would this line on the access list change?

Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 administratively-prohibited
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 echo
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 echo-reply
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 packet-too-big
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 time-exceeded
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 traceroute
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 unreachable

Question - Why were all of these ICMP statements added to the access list?

Enter access-list 114 deny ip any any

Step 6

Apply the access lists to the correct interface:

Enter interface serial 1
Enter ip access-group 104 out
Enter ip access-group 114 in
Enter exit

Question - What would happen if these access lists were applied in reverse? (114 out, and 104 in)


Step 7 

Configure global timeouts and thresholds only if the default timeout values are not long enough, or not short enough. The default times will be appropriate for our network.

Question - Name one instance where we might want to alter the default timeout values.

Step 8

Define the inspection rule for application layer protocols:

Enter ip inspect name borderfw ftp
Enter ip inspect name borderfw http java-list 44

Question - What is the name of our inspection list?

Question - What access list number will java look at in order to determine if the packet should be permitted?

Step 9 

Define the inspection rule for generic TCP and UDP inspection:

Enter ip inspect name borderfw udp timeout 15
Enter ip inspect name borderfw tcp timeout 30

Step 10

Since we specified that Java applets will be inspected according to access list 44, now create the standard access list 44 with permit statements for trusted web sites, or deny statements for web sites that are not trusted:

Enter access-list 44 permit 172.32.3.1
Enter access-list 44 permit 172.32.4.0 0.0.0.255
Enter access-list 44 deny any

Step 11

Apply the inspection rule to an interface

Enter interface serial 1
Enter ip inspect borderfw out
Enter exit


Question - What would happen if we applied our CBAC inspection on the incoming information instead of the outgoing information?
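The following is an added example, not part of the original lab, that models in Python what Steps 4 through 6, 10 and 11 configure on Router-B: first-match evaluation of access lists 104 and 114 with IOS wildcard masks, the standard Java list 44, and the temporary opening that CBAC inspection on S1 creates for the return half of an inspected outbound session. The class and function names (BorderFirewall, evaluate, demo) and the sample packets are constructed for illustration; the model is deliberately simplified and ignores inspection timeouts, the FTP data channel and IOS internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS "any" is address 0.0.0.0 with wildcard 255.255.255.255
ANY = ("0.0.0.0", "255.255.255.255")
NET_2 = ("172.32.2.0", "0.0.0.255")   # the protected subnetwork from the lab


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (p & ~w & 0xFFFFFFFF)


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", "igrp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None  # e.g. "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto 'ip' matches every protocol."""
    action: str
    proto: str
    src: tuple
    dst: tuple
    icmp_type: Optional[str] = None  # only used by icmp entries with a type keyword

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, *self.src):
            return False
        if not wildcard_match(pkt.dst, *self.dst):
            return False
        return self.icmp_type is None or self.icmp_type == pkt.icmp_type


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an IOS access list ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Access list 104 (applied out on S1), transcribed from Step 4
ACL_104 = [
    Ace("permit", "tcp", NET_2, ANY),
    Ace("permit", "udp", NET_2, ANY),
    Ace("permit", "icmp", NET_2, ANY),
    Ace("deny", "ip", ANY, ANY),
]

# Access list 114 (applied in on S1), transcribed from Step 5
ICMP_RETURN_TYPES = ("administratively-prohibited", "echo", "echo-reply",
                     "packet-too-big", "time-exceeded", "traceroute", "unreachable")
ACL_114 = (
    [Ace("deny", "ip", ("255.255.255.255", "0.0.0.0"), ANY),
     Ace("deny", "ip", NET_2, ANY),          # inside source seen outside = spoofed
     Ace("permit", "igrp", ANY, ANY)]
    + [Ace("permit", "icmp", ANY, NET_2, t) for t in ICMP_RETURN_TYPES]
    + [Ace("deny", "ip", ANY, ANY)]
)

# Standard access list 44 for the Java inspection (Step 10): source address only
ACL_44 = [
    Ace("permit", "ip", ("172.32.3.1", "0.0.0.0"), ANY),
    Ace("permit", "ip", ("172.32.4.0", "0.0.0.255"), ANY),
    Ace("deny", "ip", ANY, ANY),
]


def java_applet_allowed(server: str) -> bool:
    """A standard list only looks at the source, so the destination is a dummy."""
    return evaluate(ACL_44, Packet("tcp", server, "0.0.0.0")) == "permit"


class BorderFirewall:
    """Toy model of S1 with 'ip access-group 104 out', '114 in' and 'ip inspect borderfw out'."""

    INSPECTED = {"tcp", "udp"}   # borderfw inspects ftp, http and generic tcp/udp

    def __init__(self):
        self.sessions = set()    # (proto, src, sport, dst, dport) seen leaving S1

    def outbound(self, pkt: Packet) -> str:
        verdict = evaluate(ACL_104, pkt)
        # Inspection only records sessions the outbound access list let through
        if verdict == "permit" and pkt.proto in self.INSPECTED:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict

    def inbound(self, pkt: Packet) -> str:
        # CBAC's temporary opening: the return half of an inspected session is
        # admitted even though access list 114 would deny it
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit (cbac session)"
        return evaluate(ACL_114, pkt)


def demo() -> dict:
    """Constructed sample traffic between the lab's two subnetworks."""
    fw = BorderFirewall()
    r = {}
    r["http out"] = fw.outbound(Packet("tcp", "172.32.2.10", "172.32.4.1", 1025, 80))
    r["http return"] = fw.inbound(Packet("tcp", "172.32.4.1", "172.32.2.10", 80, 1025))
    r["unsolicited telnet in"] = fw.inbound(Packet("tcp", "172.32.4.20", "172.32.2.10", 4000, 23))
    r["ping reply in"] = fw.inbound(Packet("icmp", "172.32.4.1", "172.32.2.10", icmp_type="echo-reply"))
    r["igrp in"] = fw.inbound(Packet("igrp", "172.32.3.1", "172.32.3.2"))
    r["spoofed inside src"] = fw.inbound(Packet("tcp", "172.32.2.5", "172.32.2.10", 1, 2))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The point to take from the model is the asymmetry it reproduces: the static list 114 admits only IGRP and the listed ICMP types, so an unsolicited TCP connection from outside is dropped, while the HTTP reply is admitted only because the outbound request was inspected on S1 and left a session entry behind; an outside packet carrying a 172.32.2.x source is rejected before any session lookup.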

Step 12

Configure logging and audit trail

Enter service timestamps log datetime
Enter ip inspect audit-trail (if you want it to run by default)

Step 13 

Other configuration to help secure our network from intrusion:

Enter enable secret ccnp

Question - Why would we want to enable the secret password on our firewall?

Enter no cdp run
Enter interface serial 1
Enter ntp disable
Enter no ip directed-broadcast
Enter no ip proxy-arp
Enter exit
Enter no ip source-route
Enter no service tcp-small-servers
Enter no service udp-small-servers

Question - Why are we disabling all of these services on our firewall?

Enter CTRL-Z
Enter copy run start

Step 14 

Verifying CBAC

Enter show ip inspect name borderfw

Question - What information does the router reply with?

Enter show ip inspect interfaces

Question - Which interfaces does the router give information on after this command is executed?

Enter show ip inspect all

Question - What information does this command give you?

Step 15 

Debugging CBAC

Enter ip inspect audit-trail (if not previously turned on)

Question - What other commands could we use for debugging CBAC?


Step 16

Testing the CBAC.

From Router-A global configuration

Enter ip http server (to give us a place to surf to on our network for HTTP traffic)
Enter exit

Question - If we had not remembered that Cisco routers had a Web interface, what else could we have used in order to get http traffic?

From a workstation on subnet 172.32.2.0

Ping Router-A

Question - Were you successful?

Telnet to Router-A (172.32.4.1)

Question - Were you successful?

Question - How did Router-B respond at the console terminal?

Open Internet Explorer or Netscape Navigator and surf to Router-A (172.32.4.1)

Question - Were you successful?

Question - How did Router-B respond at the console terminal?

From a workstation on subnet 172.32.4.0

Ping Router-B

Question - Were you successful?

Try to telnet to Router-B

Question - Were you successful?

Question - Is our Context Based Access Control (firewall) working the way it should be? Why or why not?