8/10/2019 Configuring CBAC and Zone-Based Firewalls

1/33

Configuring CBAC and Zone-Based Firewalls

Device  Interface      IP Address     Subnet Mask       Default Gateway  Switch Port
R1      Fa0/1          192.168.1.1    255.255.255.0     N/A              S1 Fa0/5
        S0/0/0 (DCE)   10.1.1.1       255.255.255.252   N/A              N/A
R2      S0/0/0         10.1.1.2       255.255.255.252   N/A              N/A
        S0/0/1 (DCE)   10.2.2.2       255.255.255.252   N/A              N/A
R3      Fa0/1          192.168.3.1    255.255.255.0     N/A              S3 Fa0/5
        S0/0/1         10.2.2.1       255.255.255.252   N/A              N/A
PC-A    NIC            192.168.1.3    255.255.255.0     192.168.1.1      S1 Fa0/6
PC-C    NIC            192.168.3.3    255.255.255.0     192.168.3.1      S3 Fa0/18


Part 1: Basic Router Configuration

Task 1: Configure Basic Router Settings

Configure basic settings for each router.

Configure the EIGRP routing protocol.

Verify basic network connectivity.

Configure basic console, auxiliary port, and vty lines.

Task 2: Use the Nmap Port Scanner to Determine Router Vulnerabilities

Scan for open ports on R1 using Nmap from external host PC-C.


Configure settings for each router

R1

Current configuration : 1240 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
!
no aaa new-model
!
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
 no dspfarm
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN Site 1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/2/0
 description Enlace Wan a R2
 ip address 10.1.1.1 255.255.255.252
 no fair-queue
 clock rate 125000
!
interface Serial0/2/1
 no ip address
 shutdown
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 5 0
 password 7 13061E01080307252534292026
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 094F471A1A0A1607131C053938
 login
line vty 0 4
 exec-timeout 5 0
 password 7 0822455D0A1613030B1B0D1739
 login
!
scheduler allocate 20000 1000
!
end


R2

service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$Dz73$sk0VuhKo6oNGYPQbq9gS5/
!
no aaa new-model
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
 no dspfarm
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/2/0
 description R2 Serial 0
! [remaining interface lines are illegible in the transcript]
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 10.2.2.0 0.0.0.3
 no auto-summary
!
ip forward-protocol nd
!
line con 0
 exec-timeout 5 0
 password 7 13061E01080307252534292026
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 121A0C0411040D11323B253B20
 login
line vty 0 4
 exec-timeout 5 0
 password 7 045802150C2E5A5A1009040401
 login
!
scheduler allocate 20000 1000
!
end

R3


Part 2: Configuring a Context-Based Access Control (CBAC) Firewall

Activate AutoSecure.

Configure the R1 firewall to allow EIGRP updates.

Verify CBAC Functionality

Test Telnet access from internal PC-A to external router R2.

Use the show ip inspect all command to see the configuration and inspection status.

View detailed session information using the show ip inspect sessions detail command.
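What the Nmap scan in Task 2 looks for from PC-C (an HTTP server and Telnet vty lines reachable on R1's WAN address) and what AutoSecure adds in Part 2 (an inbound ACL on the WAN interface paired with an ip inspect rule) can both be checked mechanically from the running-config. The Python script below is an added example, not part of the lab or of Cisco's own tooling: it parses the flat IOS configuration format and reports hardening findings. The two sample configurations are abbreviated from the R1 listings in Part 1 (before AutoSecure) and Part 2 (after); the check names and finding messages are the example's own.

```python
"""Audit an IOS running-config for the hardening items this lab applies (added example)."""
import re


def parse_ios(text):
    """Split a running-config into (global commands, {section header: sub-commands}).

    IOS indents sub-commands under interface/line/ACL/router headers by one
    space and ends each section with '!'; a new header also ends a section.
    """
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(line)
        elif line.startswith(("interface ", "line ", "ip access-list ", "router ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = None
            globals_.append(line)
    return globals_, blocks


def audit(config):
    """Return a list of hardening findings; an empty list means every check passed."""
    g, blocks = parse_ios(config)
    gset, findings = set(g), []
    if not any(x.startswith("enable secret ") for x in g):
        findings.append("no enable secret configured")
    if "ip http server" in gset:
        findings.append("HTTP management server enabled (tcp/80 open to any source)")
    if not any(x.startswith("login block-for ") for x in g):
        findings.append("no login block-for (no lockout after failed logins)")
    # CBAC only blocks anything when an inbound ACL denies unsolicited traffic
    # and an inspect rule opens it temporarily for replies to outbound sessions.
    inspect_names = {x.split()[3] for x in g if x.startswith("ip inspect name ")}
    if not inspect_names:
        findings.append("no CBAC inspection rule defined (ip inspect name)")
    for header, cmds in blocks.items():
        if not header.startswith("interface ") or "shutdown" in cmds:
            continue
        ifname = header.split()[1]
        for c in cmds:
            m = re.match(r"ip inspect (\S+) (in|out)$", c)
            if not m:
                continue
            if m.group(1) not in inspect_names:
                findings.append(f"{ifname}: inspect rule {m.group(1)} applied but never defined")
            acl = next((x.split()[2] for x in cmds if x.startswith("ip access-group ")), None)
            if acl is None:
                findings.append(f"{ifname}: inspection without an inbound ACL, so nothing is blocked")
            elif "deny ip any any" not in blocks.get(f"ip access-list extended {acl}", []):
                findings.append(f"{ifname}: ACL {acl} has no explicit deny ip any any")
    # Management lines: AAA-backed login, and no cleartext Telnet on the vty lines
    for header, cmds in blocks.items():
        if not header.startswith("line "):
            continue
        name = header[5:]
        if "login" in cmds:
            findings.append(f"{name}: plain line password only (no AAA login authentication)")
        if name.startswith("vty"):
            ti = [c for c in cmds if c.startswith("transport input")]
            if not ti or any("telnet" in t or t.endswith(" all") for t in ti):
                findings.append(f"{name}: cleartext telnet accepted (transport input)")
    return findings


# Abbreviated from the lab's R1 running-config before AutoSecure (Part 1)
R1_BEFORE = """\
service password-encryption
ip http server
interface Serial0/2/0
 ip address 10.1.1.1 255.255.255.252
!
line vty 0 4
 password 7 0822455D0A1613030B1B0D1739
 login
"""

# Abbreviated from the same router after AutoSecure applied CBAC (Part 2)
R1_AFTER = """\
service password-encryption
enable secret 5 $1$Kz15$nkPyCBVzKIq7bGGFB9k4R0
ip inspect name autosec_inspect tcp timeout 3600
login block-for 60 attempts 2 within 30
interface Serial0/2/0
 ip address 10.1.1.1 255.255.255.252
 ip access-group autosec_firewall_acl in
 ip inspect autosec_inspect out
!
no ip http server
ip access-list extended autosec_firewall_acl
 permit tcp any any eq telnet
 deny ip any any
!
line vty 0 4
 login authentication local_auth
 transport input telnet
"""
```

Running audit() on the Part 1 excerpt reports the open HTTP server, the missing inspection rule and the password-only vty lines, which is the same picture the Nmap scan gives from outside. On the Part 2 excerpt the single remaining finding is the vty line: the AutoSecure ACL still admits tcp/23 from any source and the lines still accept Telnet, so cleartext management of R1 from the WAN side remains possible; switching the lines to transport input ssh is the usual follow-up.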

Configure settings for each router.

R1

Current configuration : 3219 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$Kz15$nkPyCBVzKIq7bGGFB9k4R0
enable password 7 045802150C2E1A19514055
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
!
ip cef
!
no ip bootp server
no ip domain lookup
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 60 attempts 2 within 30
!
voice-card 0
 no dspfarm
!
username admin password 7 030752180500701E1D5D4C
archive
 log config
  logging enable
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description LAN Site 1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/2/0
 description Enlace Wan a R2
 ip address 10.1.1.1 255.255.255.252
 ip access-group autosec_firewall_acl in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect autosec_inspect out
 no fair-queue
 clock rate 125000
!
interface Serial0/2/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 permit eigrp any any
 permit tcp any any eq telnet
 deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
control-plane
!
banner motd ^C Unauthorized Access Prohibited ^C
!
line con 0
 exec-timeout 5 0
 password 7 13061E01080307252534292026
 logging synchronous
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 password 7 094F471A1A0A1607131C053938
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 5 0
 password 7 0822455D0A1613030B1B0D1739
 login authentication local_auth
 transport input telnet
!
scheduler allocate 20000 1000
!
end

R2

R2#show running-config
Building configuration...

Current configuration : 1269 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$Dz73$sk0VuhKo6oNGYPQbq9gS5/
!
no aaa new-model
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
! [interface and routing sections are illegible in the transcript]
!
line con 0
 exec-timeout 5 0
 password 7 13061E01080307252534292026
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 121A0C0411040D11323B253B20
 login
line vty 0 4
 exec-timeout 5 0
 password 7 045802150C2E5A5A1009040401
 login
!
scheduler allocate 20000 1000
!
end

Part 3: Configuring a Zone-Based Firewall (ZBF) Using CCP

Use the CCP Firewall wizard to configure a zone-based firewall.


Use CCP to examine the R3 firewall configuration.

Verify EIGRP routing functionality on R3.

Verify Zone-Based Firewall Functionality.