Scribd Logo
Importer

Bienvenue sur Scribd !

  • Configuring CBAC and Zone-Base Firewalls

    Transféré par

    Adrián Chóez
    36 vues33 pages
    redes

    Copyright

    © © All Rights Reserved

    Formats disponibles

    PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    redes

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    36 vues33 pages

    Configuring CBAC and Zone-Base Firewalls

    Transféré par

    Adrián Chóez
    redes

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 33

    Configuring CBAC and Zone-Base Firewalls

    Device
    R1

    Interface
    Fa0/1

    IP Address
    192.168.1.1

    Subnet Mask
    255.255.255.0

    Default Gateway
    N/A

    Switch Port
    S1 Fa0/5

    S0/0/0 (DCE)

    10.1.1.1

    255.255.255.252

    N/A

    N/A

    S0/0/0

    10.1.1.2

    255.255.255.252

    N/A

    N/A

    S0/0/1 (DCE)

    10.2.2.2

    255.255.255.252

    N/A

    N/A

    Fa0/1

    192.168.3.1

    255.255.255.0

    N/A

    S3 Fa0/5

    S0/0/1

    10.2.2.1

    255.255.255.252

    N/A

    N/A

    PC-A

    NIC

    192.168.1.3

    255.255.255.0

    192.168.1.1

    S1 Fa0/6

    PC-C

    NIC

    192.168.3.3

    255.255.255.0

    192.168.3.1

    S3 Fa0/18

    R2
    R3

    Part 1: Basic Router Configuration


    Task 1: Configure Basic Router Settings
    Configure basic settings for each router.

    Configure the EIGRP routing protocol

    Verify basic network connectivity.

    Configure basic console, auxiliary port, and vty lines.

    Task 2: Use the Nmap Port Scanner to Determine Router Vulnerabilities


    Scan for open ports on R1 using Nmap from external host PC-C

    Configure settings for each router


    R1
    Current configuration : 1240 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    security passwords min-length 10
    !
    no aaa new-model
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    voice-card 0
    no dspfarm
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !

    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description LAN Site 1
    ip address 192.168.1.1 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial0/2/0
    description Enlace Wan a R2
    ip address 10.1.1.1 255.255.255.252
    no fair-queue
    clock rate 125000
    !
    interface Serial0/2/1
    no ip address
    shutdown
    !
    router eigrp 101
    network 10.1.1.0 0.0.0.3
    network 192.168.1.0
    no auto-summary
    !
    ip forward-protocol nd
    !
    !
    ip http server
    no ip http secure-server

    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 5 0
    password 7 13061E01080307252534292026
    logging synchronous
    login
    line aux 0
    exec-timeout 5 0
    password 7 094F471A1A0A1607131C053938
    login
    line vty 0 4
    exec-timeout 5 0
    password 7 0822455D0A1613030B1B0D1739
    login
    !
    scheduler allocate 20000 1000
    !
    end

    R2
    service password-encryption55.255.255/network-confg (T
    !e
    hostname R2
    up
    !
    boot-start-marker
    !
    interfac
    boot-end-markeropening tftp://
    !5
    security passwords min-length 10out)168.40.1 YES manual up
    enable secret 5 $1$Dz73$sk0VuhKo6oNGYPQbq9gS5/- System Configuration
    Dialog --no mop enabl
    !
    no aaa new-modelfnterface F
    Wou
    !
    !u
    ip cefo ente
    !t
    !
    ip auth-proxy max-nodata-conns 3s/no]:er.
    half-duplex
    ip admission max-nodata-conns 3fi.255.25
    % Please answer 'yes'
    !r
    !n
    voice-card 0n
    no dspfarmld you like
    !o
    !n
    !r
    !h
    !i
    !t
    !l
    !o
    !i

    !r
    !i
    !
    !a
    !g
    ![
    !s
    !o
    !
    !
    !
    !
    interface FastEthernet0/0#show runerial0/2/1
    R3#s
    no ip address answer 'yes'
    shutdown
    Buildin
    duplex autoon...o
    Would
    speed auto enter the
    !i
    interface FastEthernet0/1 [yes/no]:
    no ip addressversion 12.4
    shutdown
    service
    duplex auto answer 'yes
    speed auto
    !
    interface Serial0/2/0ou like to enter the
    description R2 Serial 0
    network 192.1
    !router eigrp 101
    !
    !
    ip ce
    network 10.1.1.0 0.0.0.3y max-nodata*Sep 16 12:
    network 10.2.2.0 0.0.0.3LOC: Crypto engine: onboa
    no auto-summarye

    Building c
    !f
    ip forward-protocol nd marker.
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 5 0
    password 7 13061E01080307252534292026
    logging synchronous
    login
    line aux 0
    exec-timeout 5 0
    password 7 121A0C0411040D11323B253B20
    login
    line vty 0 4
    exec-timeout 5 0
    password 7 045802150C2E5A5A1009040401
    login
    !
    scheduler allocate 20000 1000
    !
    end
    R3

    Part 2: Configuring a Context-Based Access Control (CBAC) Firewall


    Active Auto Secure

    Configure the R1 firewall to allow EIGRP updates.

    Verify CBAC Functionalit

    Test Telnet access from internal PC-A to external router R2.

    Use the show ip inspect all command to see the configuration and inspection status

    View detailed session information using the show ip inspect sessions detail command

    Configure settings for each router.


    R1
    Current configuration : 3219 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption

    service sequence-numbers
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 10 log
    security passwords min-length 10
    logging buffered 4096 debugging
    logging console critical
    enable secret 5 $1$Kz15$nkPyCBVzKIq7bGGFB9k4R0
    enable password 7 045802150C2E1A19514055
    !
    aaa new-model
    !
    !
    aaa authentication login local_auth local
    !
    aaa session-id common
    no ip source-route
    no ip gratuitous-arps
    !
    !
    ip cef
    !
    !
    no ip bootp server
    no ip domain lookup
    ip inspect audit-trail
    ip inspect udp idle-time 1800
    ip inspect dns-timeout 7
    ip inspect tcp idle-time 14400
    ip inspect name autosec_inspect cuseeme timeout 3600
    ip inspect name autosec_inspect ftp timeout 3600
    ip inspect name autosec_inspect http timeout 3600
    ip inspect name autosec_inspect rcmd timeout 3600
    ip inspect name autosec_inspect realaudio timeout 3600
    ip inspect name autosec_inspect smtp timeout 3600
    ip inspect name autosec_inspect tftp timeout 30
    ip inspect name autosec_inspect udp timeout 15
    ip inspect name autosec_inspect tcp timeout 3600

    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    login block-for 60 attempts 2 within 30
    !
    !
    voice-card 0
    no dspfarm
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    username admin password 7 030752180500701E1D5D4C
    archive
    log config
    logging enable
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    shutdown
    duplex auto
    speed auto
    no mop enabled
    !

    interface FastEthernet0/1
    description LAN Site 1
    ip address 192.168.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    duplex auto
    speed auto
    no mop enabled
    !
    interface Serial0/2/0
    description Enlace Wan a R2
    ip address 10.1.1.1 255.255.255.252
    ip access-group autosec_firewall_acl in
    ip verify unicast source reachable-via rx allow-default 100
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect autosec_inspect out
    no fair-queue
    clock rate 125000
    !
    interface Serial0/2/1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    shutdown
    !
    router eigrp 101
    network 10.1.1.0 0.0.0.3
    network 192.168.1.0
    no auto-summary
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended autosec_firewall_acl
    permit udp any any eq bootpc

    permit eigrp any any


    permit tcp any any eq telnet
    deny ip any any
    !
    logging trap debugging
    logging facility local2
    access-list 100 permit udp any any eq bootpc
    no cdp run
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    banner motd ^C Unauthorized Access Prohibited ^C
    !
    line con 0
    exec-timeout 5 0
    password 7 13061E01080307252534292026
    logging synchronous
    login authentication local_auth
    transport output telnet
    line aux 0
    exec-timeout 15 0
    password 7 094F471A1A0A1607131C053938
    login authentication local_auth
    transport output telnet
    line vty 0 4
    exec-timeout 5 0
    password 7 0822455D0A1613030B1B0D1739
    login authentication local_auth
    transport input telnet
    !
    scheduler allocate 20000 1000
    !

    end
    R2
    R2#show running-configet started. E2 - OSPF
    Building configuration... Access Verification
    Current configuration : 1269 bytesS-I
    % Password: timeout expired!!
    version 12.4 IS-IS level
    service timestamps debug datetime msect expired!, one per line. End with CN
    service timestamps log datetime mseceout expired!ult, U - per-user stati
    service password-encryptionexitYES m
    !
    hostname R2
    S2 con0 i
    !n
    boot-start-markerP - periodic down
    boot-end-markerURN to get star
    !d
    security passwords min-length 10
    User Access Verificationrt is
    enable secret 5 $1$Dz73$sk0VuhKo6oNGYPQbq9gS5/:0.0.0.0/3
    Password:tted, 2 s
    % Bad passwordse
    !c
    no aaa new-model
    !
    ip cefS2 con
    !i
    !n
    ip auth-proxy max-nodata-conns 3

    Press RETURN to get sta


    ip admission max-nodata-conns 3t
    User Access Verific
    !i
    !.
    voice-card 0anua
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 5 0
    password 7 13061E01080307252534292026
    logging synchronous
    login
    line aux 0
    exec-timeout 5 0
    password 7 121A0C0411040D11323B253B20
    login
    line vty 0 4
    exec-timeout 5 0
    password 7 045802150C2E5A5A1009040401
    login
    !
    scheduler allocate 20000 1000
    !
    end

    Part 3: Configuring a Zone-Based Firewall (ZBF) Using CCP


    Use the CCP Firewall wizard to configure a zone-based firewall.

    Use CCP to examine the R3 firewall configuration.

    Verify EIGRP Routing Functionality on R3

    Verify Zone-Base Firewall Funcionality

    Vous aimerez peut-être aussi