Lab 10.8.2.1 Context Based Access Control (Basic Configuration)

Objectives:

  • Demonstrate the use of Context Based Access Control. 

Equipment Requirements:

  • Two routers
  • One switch with two VLANs configured, or two switches, or two hubs
  • Two workstations

Preliminary:

Before programming the routers, make sure that the IOS version on Router-B supports Context Based Access Control (the IOS firewall feature set). Load a new IOS version if necessary. Construct the lab network (Router-A and Router-B joined by a serial link, each with one Ethernet LAN), using IGRP as your routing protocol. Use the network address 172.32.3.0/24 on the serial link between the two routers. The router IP configurations are as follows:

Router-A
  E0 = 172.32.4.1
  S0 = 172.32.3.1
  SM = 255.255.255.0

Router-B
  E0 = 172.32.2.1
  S1 = 172.32.3.2
  SM = 255.255.255.0

When construction of the network is complete, verify that the routers can communicate and are exchanging their routing tables. Also verify that the workstations can communicate with each other correctly. For verification use show ip route, show interfaces, show running-config, ping, telnet, and any other relevant command(s).

Scenario: For this lab we will be using Router-B as the border router on which we configure Context Based Access Control (the firewall). We want to prevent users outside subnetwork 172.32.2.0 from accessing subnetwork 172.32.2.0. However, users inside the subnetwork need HTTP access out and must be able to receive the HTTP responses.

From the "Router-B" console:

Step 1 

Enter privileged EXEC mode.

Step 2 

Enter global configuration mode by typing the configure terminal command at the router prompt.

Step 3

Determine if the access list should be applied to an internal interface or an external interface.

For our example we will be applying it to the external interface, S1.

Step 4

Set up the outgoing access list to permit the traffic CBAC will inspect to leave the network through the firewall:

Enter access-list 104 permit igrp any any
Enter access-list 104 permit tcp 172.32.2.0 0.0.0.255 any eq www
Enter access-list 104 deny ip any any

Question - Describe what this access list does.
Answer:

Step 5

Set up the incoming access list so that it denies return traffic by default; CBAC will create temporary openings in this list for the sessions it inspects.

In a full deployment you would start with an access list entry denying any traffic whose source address matches an address on the protected network, then add entries permitting certain ICMP return messages, and also deny traffic with a source address of 255.255.255.255 from entering the protected network. For this lab the inbound list is reduced to two entries:

Enter access-list 114 permit igrp any any
Enter access-list 114 deny ip any any

Question - Why did we permit igrp?
Answer: 

Question - If we were running EIGRP, how would this line of the access list change?
Answer:


Step 6

Apply the access lists to the correct interface:

Enter interface serial 1
Enter ip access-group 104 out
Enter ip access-group 114 in
Enter exit

Question - What would happen if these access lists were applied in reverse? (114 out, and 104 in)
Answer:


Step 7 

Define the inspection rule for application layer protocols:

Enter ip inspect name borderfw http

Question - What is the name of our inspection list?
Answer:

Step 8

Apply the inspection rule to an interface:

Enter interface serial 1
Enter ip inspect borderfw out
Enter exit

Question - What would happen if we applied our CBAC inspection on the incoming information instead of the outgoing information?
Answer:

Step 9

Verify CBAC:

Enter show ip inspect name borderfw
Question - What information does the router reply with? 
Answer:

Enter show ip inspect interfaces
Question - Which interfaces does the router give information on after this command is executed? 
Answer:


Enter show ip inspect all
Question - What information does this command give you?
Answer:

Step 10

Debug CBAC:

Enter ip inspect audit-trail (if not previously turned on)
Question - What other commands could we use for debugging CBAC?
Answer:

Step 11

Test the CBAC configuration.

From Router-A global configuration mode:
Enter ip http server (this gives us a web server on our network to generate HTTP traffic against)
Enter exit
Question - If we had not remembered that Cisco routers have a web interface, what else could we have used in order to generate HTTP traffic?
Answer:

From a workstation on subnet 172.32.2.0:
Ping Router-A
Question - Were you successful?
Answer:

Telnet to Router-A (172.32.4.1)
Question - Were you successful?
Answer:

Open a web browser (Internet Explorer or Netscape Navigator) and browse to Router-A (172.32.4.1).
Question - Were you successful?
Answer:

Question - How did Router-B respond at the console terminal?
Answer:

From a workstation on subnet 172.32.4.0:
Ping Router-B
Question - Were you successful?
Answer:

Try to telnet to Router-B
Question - Were you successful?
Answer:

Question - Is our Context Based Access Control (firewall) working the way it should be? Why or why not?
Answer:
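To make the behaviour you should observe in Step 11 easier to reason about, here is a small Python model of the Router-B policy built in Steps 4 through 8: access list 104 outbound on serial 1, access list 114 inbound on serial 1, and the borderfw inspection rule for http applied outbound. This is an added example, not Cisco IOS code and not part of the lab; the workstation addresses (172.32.2.10 on the protected subnet, 172.32.4.20 on Router-A's LAN), the source ports, and the shape of the session table are constructed assumptions. It shows the one thing the command list alone does not: the static inbound list denies everything except IGRP, and it is the inspection state created by the outbound HTTP request that lets the HTTP reply back through.

```python
"""Toy model of the Router-B policy from Steps 4-8 of this lab. Added example,
not Cisco IOS code; hosts, ports and the session-table shape are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
PROTECTED = ip_network("172.32.2.0/24")   # Step 4's "172.32.2.0 0.0.0.255"


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "icmp" or "igrp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto "ip" matches every protocol."""
    action: str               # "permit" or "deny"
    proto: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None means any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl, p):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Step 4: access-list 104, applied with "ip access-group 104 out"
ACL_104 = [
    Ace("permit", "igrp", ANY, ANY),
    Ace("permit", "tcp", PROTECTED, ANY, 80),    # eq www
    Ace("deny", "ip", ANY, ANY),
]
# Step 5: access-list 114, applied with "ip access-group 114 in"
ACL_114 = [
    Ace("permit", "igrp", ANY, ANY),
    Ace("deny", "ip", ANY, ANY),
]
HTTP_PORT = 80    # Step 7: ip inspect name borderfw http


class CbacRouter:
    def __init__(self):
        self.sessions = set()   # state table entries: (src, sport, dst, dport)

    def outbound(self, p):
        """Traffic leaving serial 1: static ACL 104, then inspection (Step 8)."""
        verdict = evaluate(ACL_104, p)
        if verdict == "permit" and p.proto == "tcp" and p.dport == HTTP_PORT:
            # An inspected session is recorded so its replies can get back in.
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
        return verdict

    def inbound(self, p):
        """Traffic entering serial 1: CBAC's temporary opening is consulted
        before the static entries of ACL 114."""
        if p.proto == "tcp" and (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit (cbac session)"
        return evaluate(ACL_114, p)


def run_step11_tests():
    """Replays the Step 11 checks with constructed hosts: 172.32.2.10 on the
    protected subnet, 172.32.4.20 on Router-A's LAN."""
    r = CbacRouter()
    results = {}
    # inside host browses to Router-A's web interface (ip http server)
    results["http out"] = r.outbound(Packet("tcp", "172.32.2.10", "172.32.4.1", 40000, 80))
    results["http reply in"] = r.inbound(Packet("tcp", "172.32.4.1", "172.32.2.10", 80, 40000))
    # inside host tries telnet and ping to Router-A: neither is permitted by ACL 104
    results["telnet out"] = r.outbound(Packet("tcp", "172.32.2.10", "172.32.4.1", 40001, 23))
    results["ping out"] = r.outbound(Packet("icmp", "172.32.2.10", "172.32.4.1"))
    # outside host tries to reach Router-B's protected side
    results["outside telnet in"] = r.inbound(Packet("tcp", "172.32.4.20", "172.32.2.1", 50000, 23))
    results["outside ping in"] = r.inbound(Packet("icmp", "172.32.4.20", "172.32.2.1"))
    # routing updates keep flowing both ways across the serial link
    results["igrp in"] = r.inbound(Packet("igrp", "172.32.3.1", "255.255.255.255"))
    results["igrp out"] = r.outbound(Packet("igrp", "172.32.3.2", "255.255.255.255"))
    return results


if __name__ == "__main__":
    for check, verdict in run_step11_tests().items():
        print(f"{check:18s} -> {verdict}")
```

The model only tracks TCP sessions for port 80 because that is the only protocol the borderfw rule inspects; an ICMP echo reply has no session entry and so falls through to ACL 114's deny, which is exactly why the inbound ping in Step 11 behaves differently from the HTTP request.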