Lab 10.8.2.2 Context Based Access Control (Advanced configuration)
Objectives:
Demonstrate the use of Context Based Access Control.
Equipment Requirements:
Two Routers
One switch with two VLANs set, or two switches, or two hubs
Two workstations
Preliminary:
Before programming the routers, make sure that the IOS version on Router-B supports context based access control (firewall). Load a new IOS version if necessary. Construct the above network, using IGRP as your routing protocol. Use the network address 172.32.3.0/24 on the serial link between the two routers. The router IP configurations are as follows:
Router A                  Router B
E0=172.32.4.1             E0=172.32.2.1
S0=172.32.3.1             S1=172.32.3.2
SM=255.255.255.0          SM=255.255.255.0
When construction of the network is complete, verify that the routers can communicate and are sharing their routing tables. Also verify that the workstations can communicate with each other correctly. For verification use the show ip route command, the show interfaces command, the show running-configuration command, ping, telnet, and any other relevant command(s).
Scenario
For this lab we will be using Router-B as the border router, where we will configure the context based access control (firewall). We want to prevent users outside of subnetwork 172.32.2.0 from accessing subnetwork 172.32.2.0. However, the users inside the subnetwork need to have access out and be able to receive information back. We want to permit TCP, UDP, and ICMP traffic out. By default, only IGRP and certain ICMP messages should be allowed back into the 172.32.2.0 network. The firewall should modify the incoming access list to permit FTP and HTTP return traffic back into the 172.32.2.0 network.
From the "Router-B" console:
Step 1
Enter the EXEC mode.
Step 2
Enter the configuration mode by entering the configure terminal command at the router prompt.
Step 3
Determine whether the access list should be applied to an internal interface or an external interface. For our example we will be applying it to the external interface, S1.
Step 4
Set up the outgoing access list to permit CBAC traffic to leave the network through the firewall:
Enter access-list 104 permit tcp 172.32.2.0 0.0.0.255 any
Enter access-list 104 permit udp 172.32.2.0 0.0.0.255 any
Enter access-list 104 permit icmp 172.32.2.0 0.0.0.255 any
Enter access-list 104 deny ip any any
Question - Describe what this access list does.
Step 5
Set up the incoming access list to deny CBAC return traffic from entering the network. Start with an access list entry denying any traffic whose source address matches an address on the protected network, then add access list entries to permit certain ICMP return messages. These ICMP statements are added to allow administratively prohibited, echo, echo reply, packet too big, traceroute, time exceeded, and unreachable messages to return. Also deny traffic with a source address of 255.255.255.255 from entering the protected network.
Enter access-list 114 deny ip 255.255.255.255 0.0.0.0 any
Enter access-list 114 deny ip 172.32.2.0 0.0.0.255 any
Enter access-list 114 permit igrp any any
Question - Why did we permit igrp?
Question - If we were running EIGRP, how would this line in the access list change?
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 administratively-prohibited
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 echo
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 echo-reply
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 packet-too-big
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 time-exceeded
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 traceroute
Enter access-list 114 permit icmp any 172.32.2.0 0.0.0.255 unreachable
Question - Why were all of these ICMP statements added to the access list?
Enter access-list 114 deny ip any any
Step 6
Apply the access lists to the correct interface:
Enter interface serial 1
Enter ip access-group 104 out
Enter ip access-group 114 in
Enter exit
Question - What would happen if these access lists were applied in reverse (114 out, and 104 in)?
Step 7
Configure global timeouts and thresholds only if the default timeout values are not long enough, or not short enough. The default times will be appropriate for our network.
Question - Name one instance where we might want to alter the default timeout values.
Step 8
Define the inspection rule for application layer protocols:
Enter ip inspect name borderfw ftp
Enter ip inspect name borderfw http java-list 44
Question - What is the name of our inspection list?
Question - What access list number will java look at in order to determine if the packet should be permitted?
Step 9
Define the inspection rule for generic tcp and udp inspection:
Enter ip inspect name borderfw udp timeout 15
Enter ip inspect name borderfw tcp timeout 30
Step 10
Since we defined that Java applets will be inspected according to access list 44, now create the standard Java access list, with permit statements for trusted web sites or deny statements for web sites that are not trusted.
Enter access-list 44 permit 172.32.3.1
Enter access-list 44 permit 172.32.4.0 0.0.0.255
Enter access-list 44 deny any
Step 11
Apply the inspection rule to an interface:
Enter interface serial 1
Enter ip inspect borderfw out
Enter exit
Question - What would happen if we applied our CBAC inspection on the incoming information instead of the outgoing information?
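The added example below is not part of the lab; it models in Python how ACL 104, ACL 114 and the borderfw inspection rule on Router-B's S1 interact, with constructed packets standing in for the Step 16 traffic. The addresses and entries come from Steps 4, 5 and 9; the 5-tuple session table and the packet field names are simplifying assumptions of the example, not IOS internals.

```python
# Added example, not from the lab: a model of Router-B's S1 policy. ACL 104
# (out) and 114 (in) follow Steps 4 and 5; CBAC (Steps 9 and 11) records outbound
# tcp/udp sessions and admits matching return traffic that ACL 114 alone denies.
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")
ICMP_RETURN = {"administratively-prohibited", "echo", "echo-reply",
               "packet-too-big", "time-exceeded", "traceroute", "unreachable"}

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care' for that bit."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# entries: (action, proto, src, src_wc, dst, dst_wc, icmp_types or None)
ACL_104_OUT = [
    ("permit", "tcp", "172.32.2.0", "0.0.0.255", *ANY, None),
    ("permit", "udp", "172.32.2.0", "0.0.0.255", *ANY, None),
    ("permit", "icmp", "172.32.2.0", "0.0.0.255", *ANY, None),
    ("deny", "ip", *ANY, *ANY, None)]
ACL_114_IN = [
    ("deny", "ip", "255.255.255.255", "0.0.0.0", *ANY, None),
    ("deny", "ip", "172.32.2.0", "0.0.0.255", *ANY, None),  # inside source seen on S1
    ("permit", "igrp", *ANY, *ANY, None),
    ("permit", "icmp", *ANY, "172.32.2.0", "0.0.0.255", ICMP_RETURN),
    ("deny", "ip", *ANY, *ANY, None)]

def acl_eval(acl, pkt):
    """First matching entry wins; implicit deny if nothing matches."""
    for action, proto, src, swc, dst, dwc, types in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wc_match(pkt["src"], src, swc) and wc_match(pkt["dst"], dst, dwc)):
            continue
        if types is not None and pkt.get("type") not in types:
            continue
        return action
    return "deny"

def outbound(pkt, sessions):
    """ACL 104, then 'ip inspect borderfw out': inspected tcp/udp opens a session."""
    verdict = acl_eval(ACL_104_OUT, pkt)
    if verdict == "permit" and pkt["proto"] in ("tcp", "udp"):
        sessions.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    return verdict

def inbound(pkt, sessions):
    """A reply matching a reversed open session bypasses ACL 114; all else hits it."""
    key = (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
    return "permit" if key in sessions else acl_eval(ACL_114_IN, pkt)
```

Feed a constructed HTTP request from 172.32.2.10 to 172.32.4.1 port 80 through outbound() and its reply through inbound(): acl_eval(ACL_114_IN, reply) alone returns "deny", while inbound() returns "permit" because the session was opened by inspection.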
Step 12
Configure logging and audit trail:
Enter service timestamps log datetime
Enter ip inspect audit-trail (if you want it to run by default)
Step 13
Other configuration information to help secure our network from intrusion:
Enter enable secret ccnp
Question - Why would we want to enable the secret password on our firewall?
Enter no cdp run
Enter interface serial 1
Enter ntp disable
Enter no ip directed-broadcast
Enter no ip proxy-arp
Enter exit
Enter no ip source-route
Enter no service tcp-small-servers
Enter no service udp-small-servers
Question - Why are we disabling all of these services on our firewall?
Enter CTRL-Z
Enter copy run start
Step 14
Verifying CBAC
Enter show ip inspect name borderfw
Question - What information does the router reply with?
Enter show ip inspect interfaces
Question - Which interfaces does the router give information on after this command is executed?
Enter show ip inspect all
Question - What information does this command give you?
Step 15
Debugging CBAC
Enter ip inspect audit-trail (if not previously turned on)
Question - What other commands could we use for debugging CBAC?
Step 16
Testing the CBAC.
From Router-A global configuration:
Enter ip http server (to give us a place to surf to on our network for http traffic)
Enter exit
Question - If we had not remembered that Cisco routers have a Web interface, what else could we have used in order to get http traffic?
From a workstation on subnet 172.32.2.0:
Ping Router-A
Question - Were you successful?
Telnet to Router-A (172.32.4.1)
Question - Were you successful?
Question - How did Router-B respond at the console terminal?
Open Internet Explorer or Netscape Navigator and surf to Router-A (172.32.4.1)
Question - Were you successful?
Question - How did Router-B respond at the console terminal?
From a workstation on subnet 172.32.4.0:
Ping Router-B
Question - Were you successful?
Try to telnet to Router-B
Question - Were you successful?
Question - Is our Context Based Access Control (firewall) working the way it should be? Why or why not?