Lab6-2.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 6.2 Configuring CBAC
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab6-2/workingconfig
[[3725]]
# Specify 3725 IOS image on Linux here:
image = /opt/dynamips/images/c3725-ad.bin
ram = 256
idlepc =0x60bf8d58
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router INSIDE]]
model = 3725
console = 2001
slot1 = NM-4T
[[Router FW]]
model = 3725
console = 2002
slot1 = NM-4T
s1/0 = INSIDE s1/0
s1/1 = OUTSIDE s1/1
[[Router OUTSIDE]]
model = 3725
console = 2003
slot1 = NM-4T
Objectives
‧ Configure CBAC rules on a router
‧ Apply CBAC rules on a router
Scenario
Context-based access control (CBAC) is a powerful tool in the Cisco IOS Firewall feature set. It performs stateful packet inspection, which can detect and block certain types of attacks.
Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
host *
Step 1: Configure the Physical Interfaces
INSIDE(config)#interface serial 1/0
INSIDE(config-if)#ip address 172.16.12.1 255.255.255.0
INSIDE(config-if)#clock rate 64000
INSIDE(config-if)#no shutdown
FW(config)#interface serial 1/0
FW(config-if)#ip address 172.16.12.2 255.255.255.0
FW(config-if)#no shutdown
FW(config)#interface serial 1/1
FW(config-if)#ip address 192.168.23.2 255.255.255.0
FW(config-if)#clock rate 64000
FW(config-if)#no shutdown
OUTSIDE(config)#interface serial 1/1
OUTSIDE(config-if)#ip addr 192.168.23.3 255.255.255.0
OUTSIDE(config-if)#no shutdown
Step 2: Configure Static Default Routes
On the INSIDE and OUTSIDE routers, configure static default routes directing traffic to unknown destinations to be forwarded to the FW router.
INSIDE(config)#ip route 0.0.0.0 0.0.0.0 172.16.12.2
OUTSIDE(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2
Step 3: Enable Telnet Access
INSIDE(config)#line vty 0 4
INSIDE(config-line)#password cisco
INSIDE(config-line)#login
INSIDE(config-line)#logging synchronous
OUTSIDE(config)#line vty 0 4
OUTSIDE(config-line)#password cisco
OUTSIDE(config-line)#login
OUTSIDE(config-line)#logging synchronous
Step 4: Create IP Inspect Rules
CBAC operates by statefully inspecting some protocols and tracking TCP connections and UDP flows.
FW(config)#ip inspect name myrules tcp
FW(config)#ip inspect name myrules udp
You can also set CBAC timeouts for various protocols.
FW(config)#ip inspect udp idle-time 60
In a secure network, you would likely set up a Syslog server to monitor security information including communication to external networks. Alert and audit trail messages allow holes in the firewall created by CBAC to be monitored and logged for later use.
FW(config)#ip inspect name myrules icmp timeout 5
FW(config)#ip inspect name myrules http alert off
FW(config)#ip inspect name myrules ftp audit-trail on
Apply the rule set inbound on the inside interface, so that traffic originating from the INSIDE network is inspected:
FW(config)#interface serial 1/0
FW(config-if)#ip inspect myrules in
Step 5: Block Unwanted Outside Traffic
Configure an extended access list to deny any traffic coming in on the outside interface. Return traffic belonging to a session that CBAC is tracking is still permitted, because CBAC dynamically opens the access list for that session.
FW(config)#access-list 100 deny ip any any log
FW(config)#interface serial 1/1
FW(config-if)#ip access-group 100 in
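The following Python model is an added example and is not part of the lab manual or Cisco code. It imitates the behaviour that Steps 4 and 5 configure: inspection applied inbound on the inside interface builds a session table, a deny-all access list sits inbound on the outside interface, and return packets are admitted only when the reversed 5-tuple matches a live session that has not exceeded its idle timeout (tcp 3600 s, udp 60 s, icmp 5 s, as in the lab). The Packet and Session types, the CbacFirewall class and the interface names are hypothetical constructions for illustration.

```python
# Added example (not from the lab manual and not Cisco code): a toy model of the
# stateful behaviour configured in Steps 4 and 5. Interface names, the Packet and
# Session types and the CbacFirewall class are all hypothetical constructions.
from dataclasses import dataclass

# Idle timeouts from the lab: tcp default 3600 s, udp idle-time 60 s, icmp timeout 5 s
IDLE_TIMEOUT = {"tcp": 3600, "udp": 60, "icmp": 5}


@dataclass(frozen=True)
class Packet:
    iface: str   # arrival interface: "s1/0" (INSIDE side) or "s1/1" (OUTSIDE side)
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # 0 for icmp
    dst: str
    dport: int   # 0 for icmp
    ts: float    # arrival time in seconds


@dataclass
class Session:
    proto: str
    last_heard: float


class CbacFirewall:
    """Inspection inbound on the inside interface, a deny-all ACL inbound on the
    outside interface, and return traffic matched against the session table."""

    def __init__(self, inspect_iface="s1/0", acl_iface="s1/1"):
        self.inspect_iface = inspect_iface
        self.acl_iface = acl_iface
        self.sessions = {}   # (proto, src, sport, dst, dport) -> Session
        self.acl_log = []    # one entry per packet denied by the ACL

    def _expire(self, now):
        # Drop sessions that have been idle longer than their protocol's timeout
        stale = [k for k, s in self.sessions.items()
                 if now - s.last_heard > IDLE_TIMEOUT[s.proto]]
        for k in stale:
            del self.sessions[k]

    def process(self, pkt):
        """Return "permit" or "deny" for one packet, updating state as CBAC would."""
        self._expire(pkt.ts)
        if pkt.iface == self.inspect_iface:
            # "ip inspect myrules in" on s1/0: traffic leaving the inside network
            # creates or refreshes a session entry and is forwarded.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.sessions:
                self.sessions[key].last_heard = pkt.ts
            else:
                self.sessions[key] = Session(pkt.proto, pkt.ts)
            return "permit"
        if pkt.iface == self.acl_iface:
            # Return traffic is recognised by reversing the 5-tuple; a live session
            # means CBAC has opened a temporary hole in access-list 100.
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.sessions:
                self.sessions[reverse].last_heard = pkt.ts
                return "permit"
            # Otherwise "access-list 100 deny ip any any log" applies
            self.acl_log.append(
                f"list 100 denied {pkt.proto} {pkt.src}({pkt.sport}) -> "
                f"{pkt.dst}({pkt.dport}), 1 packet")
            return "deny"
        raise ValueError(f"unknown interface {pkt.iface}")


def run_lab_scenario():
    """Replay the Step 6 checks plus an ICMP idle-timeout case; returns a dict of verdicts."""
    fw = CbacFirewall()
    inside, outside = "172.16.12.1", "192.168.23.3"
    r = {}
    # OUTSIDE telnets to INSIDE: no session exists, so ACL 100 denies and logs it
    r["outside_telnet"] = fw.process(Packet("s1/1", "tcp", outside, 11000, inside, 23, 0.0))
    # INSIDE telnets to OUTSIDE: inspected on s1/0, session created
    r["inside_telnet"] = fw.process(Packet("s1/0", "tcp", inside, 11868, outside, 23, 1.0))
    # The telnet reply matches the session and passes despite the deny-all ACL
    r["telnet_reply"] = fw.process(Packet("s1/1", "tcp", outside, 23, inside, 11868, 1.2))
    # ICMP echo out and reply back within the 5 s ICMP timeout
    r["ping"] = fw.process(Packet("s1/0", "icmp", inside, 0, outside, 0, 2.0))
    r["ping_reply"] = fw.process(Packet("s1/1", "icmp", outside, 0, inside, 0, 2.1))
    # A reply arriving after the ICMP session has idled out is dropped again
    r["late_ping_reply"] = fw.process(Packet("s1/1", "icmp", outside, 0, inside, 0, 8.0))
    r["open_sessions"] = len(fw.sessions)   # only the tcp session survives
    r["acl_denies"] = len(fw.acl_log)
    return r


if __name__ == "__main__":
    for name, verdict in run_lab_scenario().items():
        print(f"{name:18} {verdict}")
```

The model deliberately keys sessions on the full 5-tuple and reverses it for return traffic; that is why the outside-initiated telnet in Step 6 is dropped while the inside-initiated one succeeds, and why a reply that arrives after the short ICMP timeout is treated as unsolicited again.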
Step 6: Verify CBAC Operation
OUTSIDE#telnet 172.16.12.1
Trying 172.16.12.1 ...
% Destination unreachable; gateway or host down
OUTSIDE#
FW#
*Mar 1 05:53:10.074: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 1 packet
FW#
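As an added example (not from the lab manual), the following Python parser extracts the %SEC-6-IPACCESSLOGP messages that access-list 100 produces, which is what a Syslog server in the scenario described under Step 4 would collect. The first sample line is the one shown above; the remaining lines are constructed, and the function names are hypothetical.

```python
# Added example, not from the lab manual: parse the %SEC-6-IPACCESSLOGP messages that
# "access-list 100 deny ip any any log" produces and summarise denied sources.
# The sample lines below are constructed, except the first, which is the lab output.
import re
from collections import Counter

SAMPLE_LOG = """\
*Mar 1 05:53:10.074: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 1 packet
*Mar 1 05:58:10.074: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 4 packets
*Mar 1 06:01:00.000: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.168.23.9(53) -> 172.16.12.1(33001), 1 packet
*Mar 1 06:02:22.910: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
"""

# %SEC-6-IPACCESSLOGP: list <acl> denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_denies(text):
    """Return one dict per IPACCESSLOGP line; lines in other formats are ignored."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for k in ("sport", "dport", "count"):
            ev[k] = int(ev[k])
        events.append(ev)
    return events


def denied_packets_by_flow(events):
    """Sum packet counts per (src, dst, proto, dport) so repeated probes stand out
    even though IOS emits one summary message for several denied packets."""
    totals = Counter()
    for ev in events:
        totals[(ev["src"], ev["dst"], ev["proto"], ev["dport"])] += ev["count"]
    return totals


if __name__ == "__main__":
    for flow, n in denied_packets_by_flow(parse_acl_denies(SAMPLE_LOG)).items():
        print(flow, n)
```

The lab's own message shows (0) for both ports because the matching entry is deny ip rather than a tcp entry, so the parser keeps whatever port value the router logged instead of assuming it is meaningful.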
INSIDE#telnet 192.168.23.3
Trying 192.168.23.3 ... Open
User Access Verification
Password: cisco
OUTSIDE>
FW#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 60 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name myrules
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 60
icmp alert is on audit-trail is off timeout 5
http alert is off audit-trail is off timeout 3600
ftp alert is on audit-trail is on timeout 3600
Interface Configuration
Interface Serial1/0
Inbound inspection rule is myrules
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 60
icmp alert is on audit-trail is off timeout 5
http alert is off audit-trail is off timeout 3600
ftp alert is on audit-trail is on timeout 3600
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set
Established Sessions
Session 66F7CF8C (172.16.12.1:11868)=>(192.168.23.3:23) tcp SIS_OPEN
FW#
FW#show ip inspect sessions detail
Established Sessions
Session 66F7CF8C (172.16.12.1:11868)=>(192.168.23.3:23) tcp SIS_OPEN
Created 00:01:22, Last heard 00:01:16
Bytes sent (initiator:responder) [31:76]
In SID 192.168.23.3[23:23]=>172.16.12.1[11868:11868] on ACL 100 (10 matches)
FW#
Close the telnet connection when you are done verifying CBAC operation.
OUTSIDE>exit
[Connection to 192.168.23.3 closed by foreign host]
INSIDE#
Enable debugging of IP inspection for ICMP traffic using the debug ip inspect protocol command.
FW#debug ip inspect protocol icmp
INSPECT ICMP Inspection debugging is on
FW#
From the INSIDE router, ping OUTSIDE.
INSIDE#ping 192.168.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
INSIDE#
FW#
*Mar 1 06:02:22.910: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Mar 1 06:02:22.918: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Mar 1 06:02:22.926: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Mar 1 06:02:22.930: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Mar 1 06:02:22.934: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Mar 1 06:02:22.938: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Mar 1 06:02:22.946: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Mar 1 06:02:22.950: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Mar 1 06:02:22.954: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Mar 1 06:02:22.958: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
FW#undebug all
Final Configurations
INSIDE:
hostname INSIDE
!
no ip domain lookup
!
interface Serial1/0
ip address 172.16.12.1 255.255.255.0
clock rate 64000
no shutdown
!
ip route 0.0.0.0 0.0.0.0 172.16.12.2
!
line con 0
exec-timeout 0 0
logging synchronous
!
line vty 0 4
password cisco
logging synchronous
login
!
end
FW:
hostname FW
!
no ip domain lookup
!
ip inspect udp idle-time 60
ip inspect name myrules tcp
ip inspect name myrules udp
ip inspect name myrules icmp timeout 5
ip inspect name myrules http alert off
ip inspect name myrules ftp audit-trail on
!
interface Serial1/0
ip address 172.16.12.2 255.255.255.0
ip inspect myrules in
no shutdown
!
interface Serial1/1
ip address 192.168.23.2 255.255.255.0
ip access-group 100 in
clock rate 64000
no shutdown
!
access-list 100 deny ip any any log
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
FW#
OUTSIDE:
hostname OUTSIDE
!
no ip domain lookup
!
interface Serial1/1
ip address 192.168.23.3 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
line con 0
exec-timeout 0 0
logging synchronous
!
line vty 0 4
password cisco
logging synchronous
login
!
end
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual
First published / Last updated: 2008.10.08 / 2018.06.11