Author: adrian-choez
8/10/2019 Configuring CBAC and Zone-Base Firewalls
1/33
Configuring CBAC and Zone-Based Firewalls
Device  Interface     IP Address    Subnet Mask       Default Gateway  Switch Port
R1      Fa0/1         192.168.1.1   255.255.255.0     N/A              S1 Fa0/5
R1      S0/0/0 (DCE)  10.1.1.1      255.255.255.252   N/A              N/A
R2      S0/0/0        10.1.1.2      255.255.255.252   N/A              N/A
R2      S0/0/1 (DCE)  10.2.2.2      255.255.255.252   N/A              N/A
R3      Fa0/1         192.168.3.1   255.255.255.0     N/A              S3 Fa0/5
R3      S0/0/1        10.2.2.1      255.255.255.252   N/A              N/A
PC-A    NIC           192.168.1.3   255.255.255.0     192.168.1.1      S1 Fa0/6
PC-C    NIC           192.168.3.3   255.255.255.0     192.168.3.1      S3 Fa0/18

Note: the table names the serial links S0/0/0 and S0/0/1, but the R1 running configurations later in this document show them as Serial0/2/0 (link to R2) and Serial0/2/1. Serial interface numbering depends on the slot the WIC is installed in, so use the names reported by show ip interface brief on your own routers.
Part 1: Basic Router Configuration
Task 1: Configure Basic Router Settings
Configure basic settings for each router.
Configure the EIGRP routing protocol (autonomous system 101 on all three routers).
Verify basic network connectivity.
Configure basic console, auxiliary port, and vty lines.
Task 2: Use the Nmap Port Scanner to Determine Router Vulnerabilities
Scan for open ports on R1 using Nmap from the external host PC-C. The scan is run before any firewall is configured, so it shows which management services on R1 are reachable from outside the Site 1 LAN.
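As an added example (not part of the lab), the following Python reads the grepable output of the scan PC-C runs against R1 and reports which cleartext management services are reachable from outside, and which of them a later scan shows closed. The two scan results embedded in it are constructed by hand, not captured: they reflect what R1's configurations in this document imply (before AutoSecure, ip http server is on and the vty lines take Telnet; afterwards the HTTP server is off while autosec_firewall_acl still permits TCP/23 inbound on the WAN link). The nmap command line, the port range and the list of flagged services are this example's assumptions.

```python
"""Read Nmap grepable output (-oG) and report what an outside host can reach.

Added example for this lab, not part of the original document. The scan
results below are constructed samples, not real captures. Real results
would come from running, on PC-C (assumed command line):
    nmap -sS -p 1-1024 -oG r1-before.gnmap 10.1.1.1
"""
import re

# One entry of the -oG "Ports:" field is
#   port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")

# Management services that carry credentials in cleartext; this list is
# the example's own choice of what to flag on an externally reachable router.
CLEARTEXT_MGMT = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http"}


def parse_gnmap(text):
    """Return {host: {port: (proto, service)}} for ports reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and the "Status: Up" line carry no ports
        host = line.split()[1]
        ports = {}
        for port, state, proto, service in PORT_RE.findall(line):
            if state == "open":
                ports[int(port)] = (proto, service)
        hosts[host] = ports
    return hosts


def exposed_cleartext(scan, host):
    """Open ports on `host` that belong to a cleartext management service."""
    return sorted(p for p in scan.get(host, {}) if p in CLEARTEXT_MGMT)


def closed_by_hardening(before, after, host):
    """Ports open in the first scan that are no longer open in the second."""
    return sorted(set(before.get(host, {})) - set(after.get(host, {})))


# Constructed sample output (not a real capture); tabs separate the fields.
BEFORE = """# Nmap 5.21 scan initiated (constructed sample)
Host: 10.1.1.1 ()\tStatus: Up
Host: 10.1.1.1 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (1022)
# Nmap done
"""
AFTER = """# Nmap 5.21 scan initiated (constructed sample)
Host: 10.1.1.1 ()\tStatus: Up
Host: 10.1.1.1 ()\tPorts: 23/open/tcp//telnet///, 80/closed/tcp//http///\tIgnored State: closed (1022)
# Nmap done
"""

if __name__ == "__main__":
    before, after = parse_gnmap(BEFORE), parse_gnmap(AFTER)
    print("cleartext management ports before:", exposed_cleartext(before, "10.1.1.1"))
    print("cleartext management ports after: ", exposed_cleartext(after, "10.1.1.1"))
    print("closed by hardening:", closed_by_hardening(before, after, "10.1.1.1"))
```

Run the same scan after Part 2 and feed both files to closed_by_hardening to see exactly what AutoSecure changed from PC-C's point of view; port 23 staying open is expected with the ACL shown later in this document, which is the point to discuss when reviewing it.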
Configure settings for each router (running configurations after Part 1).
R1
Current configuration : 1240 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN Site 1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/2/0
description Enlace Wan a R2
ip address 10.1.1.1 255.255.255.252
no fair-queue
clock rate 125000
!
interface Serial0/2/1
no ip address
shutdown
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 094F471A1A0A1607131C053938
login
line vty 0 4
exec-timeout 5 0
password 7 0822455D0A1613030B1B0D1739
login
!
scheduler allocate 20000 1000
!
end
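The R1 configuration above is what the Nmap scan sees from outside: ip http server, no aaa new-model, and line passwords stored with service password-encryption. As an added example (not part of the lab), the Python below audits such a configuration for those weaknesses and shows why type 7 storage is a caveat rather than protection: it is a reversible obfuscation, not a hash, so anyone who can read the configuration recovers the passwords. Only enable secret (type 5) and username ... secret are hashed. The key stream is the standard IOS type-7 table; the sample configuration is a constructed excerpt built from lines of R1's configurations in this document, and the finding texts and severities are this example's own wording.

```python
"""Audit an IOS running-config for the weaknesses discussed in this lab.

Added example, not part of the original document. Decoding type-7 values
is the standard reversible transform IOS applies with
`service password-encryption`; everything else here is this example's
own checklist.
"""
import re

# Standard IOS type-7 key stream (53 bytes). The first two characters of a
# type-7 value are a decimal offset into this table; each following hex
# byte is XORed with the table byte at (offset + position) mod 53.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(value):
    """Reverse a `password 7 <hex>` value to its plaintext."""
    seed = int(value[:2])
    data = bytes.fromhex(value[2:])
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data))


def audit(config):
    """Return a list of (severity, finding) tuples for a running-config text."""
    findings = []
    current_line = None  # the `line con/aux/vty` block we are inside, if any
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("line "):
            current_line = s
            continue
        if s.startswith("enable password 7 "):
            # AutoSecure's prompt can leave this next to `enable secret`;
            # the secret wins, but the type-7 copy still leaks the value.
            findings.append(("high", "enable password uses type 7: recovers to "
                             f"{decode_type7(s.split()[-1])!r}"))
        m = re.match(r"password 7 (\w+)$", s)
        if m and current_line:
            findings.append(("high", f"{current_line}: type-7 password recovers to "
                             f"{decode_type7(m.group(1))!r}"))
        if s == "ip http server":
            findings.append(("medium", "HTTP management server enabled (cleartext)"))
        if current_line and current_line.startswith("line vty") and s == "transport input telnet":
            findings.append(("medium", f"{current_line}: Telnet accepted on vty (cleartext)"))
        if s == "no aaa new-model":
            findings.append(("low", "AAA disabled: shared line passwords, no per-user accounts"))
    return findings


# Constructed excerpt assembled from lines of R1's configurations in this lab.
SAMPLE = """\
hostname R1
!
no aaa new-model
!
ip http server
!
line con 0
 password 7 13061E01080307252534292026
 login
line aux 0
 password 7 094F471A1A0A1607131C053938
 login
line vty 0 4
 password 7 0822455D0A1613030B1B0D1739
 login
 transport input telnet
!
end
"""

if __name__ == "__main__":
    for severity, finding in audit(SAMPLE):
        print(f"[{severity:6}] {finding}")
```

Run it against show running-config output saved from each router before and after AutoSecure. The hardened R1 configuration later in this document still contains enable password 7 ... beside enable secret 5 ..., and transport input telnet on the vty lines, so the audit is not empty after Part 2 either; replacing the line passwords with username ... secret plus login local and transport input ssh is the follow-up a reviewer would ask for.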
R2
[This capture is overlaid with a console session; only the legible lines are reproduced.]
version 12.4
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$Dz73$sk0VuhKo6oNGYPQbq9gS5/
!
no aaa new-model
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
no dspfarm
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/2/0
description R2 Serial 0
[remaining interface lines, including the serial IP addresses, are not legible in this capture]
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 10.2.2.0 0.0.0.3
no auto-summary
!
ip forward-protocol nd
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 121A0C0411040D11323B253B20
login
line vty 0 4
exec-timeout 5 0
password 7 045802150C2E5A5A1009040401
login
!
scheduler allocate 20000 1000
!
end
R3
[The R3 running configuration was captured as images and is not legible in this copy.]
Part 2: Configuring a Context-Based Access Control (CBAC) Firewall
Activate AutoSecure on R1 (the auto secure command). The inspection rules, the autosec_firewall_acl access list applied inbound on the WAN interface, and the login, logging and interface hardening in the R1 configuration below are what it generated.
Configure the R1 firewall to allow EIGRP updates. The AutoSecure access list ends in deny ip any any and CBAC only opens return paths for sessions started from inside, so without permit eigrp any any in autosec_firewall_acl the adjacency with R2 is lost.
Verify CBAC Functionality
Test Telnet access from internal PC-A to external router R2.
Use the show ip inspect all command to see the inspection rules, their timeouts, and the interface and direction each rule is applied to.
View detailed session information using the show ip inspect sessions detail command. While the Telnet from PC-A to R2 is open it appears as an established session: CBAC inspects traffic leaving Serial0/2/0 (ip inspect autosec_inspect out) and opens the return path only for connections initiated from the inside, which is why a connection started from R2 toward PC-A is not listed and is dropped by autosec_firewall_acl.
Configure settings for each router.
R1
Current configuration : 3219 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$Kz15$nkPyCBVzKIq7bGGFB9k4R0
enable password 7 045802150C2E1A19514055
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 60 attempts 2 within 30
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 030752180500701E1D5D4C
archive
log config
logging enable
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description LAN Site 1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface Serial0/2/0
description Enlace Wan a R2
ip address 10.1.1.1 255.255.255.252
ip access-group autosec_firewall_acl in
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect autosec_inspect out
no fair-queue
clock rate 125000
!
interface Serial0/2/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
permit eigrp any any
permit tcp any any eq telnet
deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd C Unauthorized Access Prohibited C
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
password 7 094F471A1A0A1607131C053938
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 5 0
password 7 0822455D0A1613030B1B0D1739
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
!
end
R2
R2#show running-config
Building configuration...
Current configuration : 1269 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$Dz73$sk0VuhKo6oNGYPQbq9gS5/
!
no aaa new-model
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
!
[This capture is overlaid with a console login session and a show ip route legend; the interface and router eigrp sections are not legible.]
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 121A0C0411040D11323B253B20
login
line vty 0 4
exec-timeout 5 0
password 7 045802150C2E5A5A1009040401
login
!
scheduler allocate 20000 1000
!
end
Part 3: Configuring a Zone-Based Firewall (ZBF) Using CCP
Use the CCP Firewall wizard to configure a zone-based firewall.
Use CCP to examine the R3 firewall configuration.
Verify EIGRP Routing Functionality on R3
Verify Zone-Based Firewall Functionality.
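The CCP wizard writes a zone-based policy into R3's running-config, but the wizard screens did not survive in this copy. The CLI below is a minimal hand-written equivalent added here for reference; it is not the wizard's output and was not captured from R3. Assumptions: R3's LAN interface is FastEthernet0/1 and its WAN link is Serial0/0/1 as in the addressing table (confirm with show ip interface brief, since R1 in this document actually uses Serial0/2/x), and the zone, class-map and policy-map names are this example's own.

```cisco
! Two zones: the Site 3 LAN is inside, the serial link toward R2 is outside.
zone security in-zone
zone security out-zone
!
! Traffic that inside hosts may start toward the outside. match-any: a packet
! that matches any one protocol belongs to the class.
class-map type inspect match-any in-to-out-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! inspect = stateful: the return traffic of a matched session is allowed back
! in; everything else between these two zones is dropped.
policy-map type inspect in-to-out-policy
 class type inspect in-to-out-class
  inspect
 class class-default
  drop
!
! A zone-pair is directional. No pair is defined for out-zone -> in-zone, so
! connections started from outside toward the LAN are dropped.
zone-pair security in-to-out source in-zone destination out-zone
 service-policy type inspect in-to-out-policy
!
interface FastEthernet0/1
 zone-member security in-zone
interface Serial0/0/1
 zone-member security out-zone
```

EIGRP keeps working on R3 without any rule because the hellos and updates are addressed to the router itself: traffic to or from the router's own self zone is permitted by default and is only restricted if a policy is attached to a zone-pair that includes self. To verify, open a Telnet from PC-C to R2 and check show zone-pair security, show policy-map type inspect zone-pair sessions (the Telnet session should be listed under in-to-out), show zone security, and, for the routing check, show ip eigrp neighbors. A Telnet from R2 toward PC-C should fail, since no out-to-in zone-pair exists.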