Published June 11, 2018

CCNP-ISCW-v5.0 Lab 6-2: Configuring CBAC



Lab6-2.net file for Dynamips:

##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 6.2 Configuring CBAC
# By Happy Peter  http://blog.xuite.net/juilin77/happy
#
##################################################

autostart=false
[localhost:7200]
 workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab6-2/workingconfig

[[3725]]
# Specify 3725 IOS image on Linux here:
 image = /opt/dynamips/images/c3725-ad.bin
 ram = 256
 idlepc =0x60bf8d58
 mmap = true
 ghostios = true
 confreg = 0x2102

###########################
#
# Define router instances 1
#
###########################
 
[[Router INSIDE]]
 model = 3725
 console = 2001
 slot1 = NM-4T

[[Router FW]]
 model = 3725
 console = 2002
 slot1 = NM-4T
 s1/0 = INSIDE s1/0
 s1/1 = OUTSIDE s1/1

[[Router OUTSIDE]]
 model = 3725
 console = 2003
 slot1 = NM-4T

Objectives
‧ Configure CBAC rules on a router
‧ Apply CBAC rules on a router



Scenario
Context-based access control (CBAC) is a powerful tool in the Cisco IOS Firewall feature set. It provides stateful packet inspection and can be used to block certain types of attacks.


Basic configuration (apply on all three routers, replacing * with the router name):
enable
configure terminal
!
no ip domain lookup
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
host *


Step 1: Configure the Physical Interfaces
INSIDE(config)#interface serial 1/0
INSIDE(config-if)#ip address 172.16.12.1 255.255.255.0
INSIDE(config-if)#clock rate 64000
INSIDE(config-if)#no shutdown

FW(config)#interface serial 1/0
FW(config-if)#ip address 172.16.12.2 255.255.255.0
FW(config-if)#no shutdown 
FW(config)#interface serial 1/1
FW(config-if)#ip address 192.168.23.2 255.255.255.0
FW(config-if)#clock rate 64000
FW(config-if)#no shutdown

OUTSIDE(config)#interface serial 1/1
OUTSIDE(config-if)#ip addr 192.168.23.3 255.255.255.0
OUTSIDE(config-if)#no shutdown


Step 2: Configure Static Default Routes
On the INSIDE and OUTSIDE routers, configure static default routes directing traffic to unknown destinations to be forwarded to the FW router.
INSIDE(config)#ip route 0.0.0.0 0.0.0.0 172.16.12.2

OUTSIDE(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2


Step 3: Enable Telnet Access
INSIDE(config)#line vty 0 4
INSIDE(config-line)#password cisco
INSIDE(config-line)#login
INSIDE(config-line)#logging synchronous

OUTSIDE(config)#line vty 0 4
OUTSIDE(config-line)#password cisco
OUTSIDE(config-line)#login
OUTSIDE(config-line)#logging synchronous


Step 4: Create IP Inspect Rules
CBAC operates by statefully inspecting some protocols and tracking TCP connections and UDP flows, so that return traffic for sessions initiated from the inside can be let back in through the outside interface.
FW(config)#ip inspect name myrules tcp
FW(config)#ip inspect name myrules udp

You can also set CBAC timeouts for various protocols.
FW(config)#ip inspect udp idle-time 60

In a secure network, you would likely set up a Syslog server to monitor security information including communication to external networks. Alert and audit trail messages allow holes in the firewall created by CBAC to be monitored and logged for later use.
FW(config)#ip inspect name myrules icmp timeout 5
FW(config)#ip inspect name myrules http alert off
FW(config)#ip inspect name myrules ftp audit-trail on

Apply the rule set inbound on the inside interface (Serial 1/0):
FW(config)#interface serial 1/0
FW(config-if)#ip inspect myrules in


Step 5: Block Unwanted Outside Traffic
Configure an extended access list to deny any traffic coming in the outside interface.
FW(config)#access-list 100 deny ip any any log
FW(config)#interface serial 1/1
FW(config-if)#ip access-group 100 in
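The interplay of Steps 4 and 5 is easy to get backwards: the inspection rule sits inbound on the inside interface, while the deny-all ACL sits inbound on the outside interface, and CBAC only lets an outside packet through the ACL when it is the reverse of a session it has already recorded. The following Python model, an added example and not part of the lab manual, replays that logic: packets arriving on s1/0 create sessions, packets arriving on s1/1 are permitted only if they match one, and a session that exceeds its idle-time (like the 60 s UDP idle-time set above) is removed. The packet records, port numbers and the timestamps are constructed for the demonstration.

```python
"""Model of the CBAC behaviour configured in Steps 4 and 5 (added example,
not part of the lab manual).  The firewall has an inside interface s1/0 with
'ip inspect myrules in' and an outside interface s1/1 with ACL 100 (deny ip
any any log) applied inbound.  Packet records and ports are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # for icmp, use the echo identifier here
    dst: str
    dport: int
    iface: str   # arrival interface: "s1/0" (inside) or "s1/1" (outside)
    ts: float    # arrival time in seconds


@dataclass
class Session:
    created: float
    last_heard: float


class CbacFirewall:
    INSIDE, OUTSIDE = "s1/0", "s1/1"

    def __init__(self, inspected=("tcp", "udp", "icmp"), idle_time=None):
        self.inspected = set(inspected)
        self.idle_time = dict(idle_time or {})  # per-protocol idle timeout (s)
        self.sessions = {}   # (proto, src, sport, dst, dport) as seen from the initiator
        self.log = []

    def _expire(self, now):
        """Drop sessions that exceeded their idle-time (cf. 'ip inspect udp idle-time 60')."""
        for key, s in list(self.sessions.items()):
            timeout = self.idle_time.get(key[0])
            if timeout is not None and now - s.last_heard > timeout:
                del self.sessions[key]
                self.log.append(f"CBAC: session {key} removed after {timeout}s idle")

    def forward(self, pkt):
        self._expire(pkt.ts)
        if pkt.iface == self.INSIDE:
            # Inside-to-outside: no ACL here; the inspection rule records the session
            if pkt.proto in self.inspected:
                key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                if key in self.sessions:
                    self.sessions[key].last_heard = pkt.ts
                else:
                    self.sessions[key] = Session(pkt.ts, pkt.ts)
            return "permit"
        # Outside-to-inside: only the reverse of an inspected session gets through
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key].last_heard = pkt.ts
            return "permit"   # temporary opening in ACL 100 created by CBAC
        self.log.append(
            f"%SEC-6-IPACCESSLOGP: list 100 denied {pkt.proto} "
            f"{pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport}), 1 packet")
        return "deny"


def demo():
    """Replays the Step 6 checks plus a UDP idle-timeout case."""
    fw = CbacFirewall(idle_time={"tcp": 3600, "udp": 60, "icmp": 5})
    verdicts = [
        # OUTSIDE telnets to INSIDE: no session exists, ACL 100 drops and logs it
        fw.forward(Packet("tcp", "192.168.23.3", 11000, "172.16.12.1", 23, "s1/1", 0.0)),
        # INSIDE telnets to OUTSIDE: permitted and recorded as a session
        fw.forward(Packet("tcp", "172.16.12.1", 11868, "192.168.23.3", 23, "s1/0", 1.0)),
        # OUTSIDE's reply matches the session, so it passes ACL 100
        fw.forward(Packet("tcp", "192.168.23.3", 23, "172.16.12.1", 11868, "s1/1", 1.1)),
        # A UDP query from inside, then a reply 68 s later: past udp idle-time 60, denied
        fw.forward(Packet("udp", "172.16.12.1", 40000, "192.168.23.3", 53, "s1/0", 2.0)),
        fw.forward(Packet("udp", "192.168.23.3", 53, "172.16.12.1", 40000, "s1/1", 70.0)),
    ]
    return verdicts, fw


if __name__ == "__main__":
    verdicts, fw = demo()
    print(verdicts)
    print("\n".join(fw.log))
```

Running the script prints the five verdicts and the synthetic log; the two denies correspond to what Step 6 shows on the FW console, and the expired UDP entry illustrates why a short idle-time on connectionless protocols limits how long an opening stays in ACL 100.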


Step 6: Verify CBAC Operation
OUTSIDE#telnet 172.16.12.1
Trying 172.16.12.1 ...
% Destination unreachable; gateway or host down
OUTSIDE#

FW#
*Mar  1 05:53:10.074: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 1 packet
FW#

INSIDE#telnet 192.168.23.3
Trying 192.168.23.3 ... Open
User Access Verification
Password: cisco
OUTSIDE>

FW#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 60 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name myrules
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 60
    icmp alert is on audit-trail is off timeout 5
    http alert is off audit-trail is off timeout 3600
    ftp alert is on audit-trail is on timeout 3600

Interface Configuration
 Interface Serial1/0
  Inbound inspection rule is myrules
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 60
    icmp alert is on audit-trail is off timeout 5
    http alert is off audit-trail is off timeout 3600
    ftp alert is on audit-trail is on timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

Established Sessions
 Session 66F7CF8C (172.16.12.1:11868)=>(192.168.23.3:23) tcp SIS_OPEN
FW#

FW#show ip inspect sessions detail
Established Sessions
 Session 66F7CF8C (172.16.12.1:11868)=>(192.168.23.3:23) tcp SIS_OPEN
  Created 00:01:22, Last heard 00:01:16
  Bytes sent (initiator:responder) [31:76]
  In  SID 192.168.23.3[23:23]=>172.16.12.1[11868:11868] on ACL 100  (10 matches)
FW#
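The session table and the ACL log lines above are what an operator would collect from the Syslog server mentioned in Step 4 to keep an eye on the openings CBAC creates. The following parser is an added example, not part of the lab manual: it extracts sessions from `show ip inspect sessions detail` output and deny events from `%SEC-6-IPACCESSLOGP` lines, then flags any session whose initiator is not in the inside network, which should never appear with an inbound-only inspection rule. The first session and the deny line are copied from the lab output; the second session is constructed so that the review produces a finding.

```python
"""Parser for the CBAC verification output of Step 6 (added example, not
from the lab manual).  It reads 'show ip inspect sessions detail' lines and
%SEC-6-IPACCESSLOGP syslog lines and flags anything that contradicts the
intended policy (only inside-initiated sessions should exist).  The first
session and the deny line are copied from the lab output; the second
session is constructed to show a finding."""
import ipaddress
import re

SESSION_RE = re.compile(
    r"Session (?P<id>[0-9A-F]+) \((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\) (?P<proto>\w+) (?P<state>\w+)")
BYTES_RE = re.compile(
    r"Bytes sent \(initiator:responder\) \[(?P<init>\d+):(?P<resp>\d+)\]")
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packet")

SAMPLE = """\
FW#show ip inspect sessions detail
Established Sessions
 Session 66F7CF8C (172.16.12.1:11868)=>(192.168.23.3:23) tcp SIS_OPEN
  Created 00:01:22, Last heard 00:01:16
  Bytes sent (initiator:responder) [31:76]
  In  SID 192.168.23.3[23:23]=>172.16.12.1[11868:11868] on ACL 100  (10 matches)
 Session 0DEADBEE (192.168.23.3:40001)=>(172.16.12.1:80) tcp SIS_OPEN
  Created 00:00:05, Last heard 00:00:01
  Bytes sent (initiator:responder) [120:0]
*Mar  1 05:53:10.074: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 1 packet
"""


def parse(text):
    """Return (sessions, denies) as lists of dicts with numeric fields converted."""
    sessions, denies = [], []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            sessions.append(d)
            continue
        m = BYTES_RE.search(line)
        if m and sessions:
            # The byte counters belong to the most recently parsed session
            sessions[-1]["bytes_initiator"] = int(m["init"])
            sessions[-1]["bytes_responder"] = int(m["resp"])
            continue
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("acl", "sport", "dport", "count"):
                d[k] = int(d[k])
            denies.append(d)
    return sessions, denies


def review(sessions, denies, inside_net="172.16.12.0/24"):
    """Flag sessions not initiated from the inside network and summarise ACL denies."""
    net = ipaddress.ip_network(inside_net)
    findings = []
    for s in sessions:
        if ipaddress.ip_address(s["src"]) not in net:
            findings.append(
                f"session {s['id']}: initiated from outside ({s['src']}), "
                f"not expected with inbound-only inspection on the inside interface")
    for d in denies:
        findings.append(
            f"ACL {d['acl']} denied {d['proto']} {d['src']} -> {d['dst']}:{d['dport']} "
            f"({d['count']} packet(s))")
    return findings


if __name__ == "__main__":
    sessions, denies = parse(SAMPLE)
    for f in review(sessions, denies):
        print(f)
```

The inside prefix is passed as a parameter so the same check works for other topologies; in this lab, any session whose initiator is outside 172.16.12.0/24 means a packet got through ACL 100 without a matching CBAC entry and deserves investigation.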

Close the telnet connection when you are done verifying CBAC operation.
OUTSIDE>exit
[Connection to 192.168.23.3 closed by foreign host]
INSIDE#

Enable debugging of IP inspection for ICMP traffic using the debug ip inspect protocol command.
FW#debug ip inspect protocol icmp
INSPECT ICMP Inspection debugging is on
FW#

From the INSIDE router, ping OUTSIDE.
INSIDE#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
INSIDE#

FW#
*Mar  1 06:02:22.910: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Mar  1 06:02:22.918: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Mar  1 06:02:22.926: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Mar  1 06:02:22.930: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Mar  1 06:02:22.934: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Mar  1 06:02:22.938: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Mar  1 06:02:22.946: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Mar  1 06:02:22.950: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
*Mar  1 06:02:22.954: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3
*Mar  1 06:02:22.958: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1
FW#undebug all


Final Configurations
INSIDE:
hostname INSIDE
!
no ip domain lookup
!
interface Serial1/0
 ip address 172.16.12.1 255.255.255.0
 clock rate 64000
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 172.16.12.2
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
line vty 0 4
 password cisco
 logging synchronous
 login
!
end

FW:
hostname FW
!
no ip domain lookup
!
ip inspect udp idle-time 60
ip inspect name myrules tcp
ip inspect name myrules udp
ip inspect name myrules icmp timeout 5
ip inspect name myrules http alert off
ip inspect name myrules ftp audit-trail on
!
interface Serial1/0
 ip address 172.16.12.2 255.255.255.0
 ip inspect myrules in
 no shutdown
!
interface Serial1/1
 ip address 192.168.23.2 255.255.255.0
 ip access-group 100 in
 clock rate 64000
 no shutdown
!
access-list 100 deny   ip any any log
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


OUTSIDE:
hostname OUTSIDE
!
no ip domain lookup
!
interface Serial1/1
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
line vty 0 4
 password cisco
 logging synchronous
 login
!
end


Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html

CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual


First published / last updated: 2008.10.08 / 2018.06.11
