Download pdf - Free Books

More documents

Recommendations

Info

Section 13 IPexpert’s CCIE Security Proctor Guide – Version 4.1 pixfirewall(config-router)#network 10.0.0.0 pixfirewall(config-router)#network 192.1.12.0 pixfirewall(config-router)#passive outside b) Configure RIP such that it receives routes from the inside interface and also injects a default route from the inside interface. Since the network statement was already added in the previous step, we just need to configure the PIX to send a default route. pixfirewall(config)#router rip pixfirewall(config-router)#default-information originate 2.3 - Address Translation (4 Points) a) There is a Web/SMTP/DNS Server at 10.1.1.55. Create a Static Mapping to 192.1.12.55. Allow the appropriate entries in the access-list. Web servers use TCP ports 80 for http and 443 for HTTPS. SMTP is TCP port 25. DNS uses UDP port 53 for lookups and TCP port 53 for zone transfers. When allowing access, remember to configure the access-list using the translated address. pixfirewall(config)#static (inside,outside) 192.1.12.55 10.1.1.55 netmask 255.255.255.255 pixfirewall(config)#access-list outsideint permit tcp any host 192.1.12.55 eq 25 pixfirewall(config)#access-list outsideint permit tcp any host 192.1.12.55 eq 53 pixfirewall(config)#access-list outsideint permit tcp any host 192.1.12.55 eq 80 pixfirewall(config)#access-list outsideint permit tcp any host 192.1.12.55 eq 443 pixfirewall(config)#access-list outsideint permit udp any host 192.1.12.55 eq 53 pixfirewall(config)#access-group outsideint in interface outside b) Also create a static mapping to R1. Create a static mapping to 192.1.12.15. Allow Telnet access to R1 from R2 only in the access-list. pixfirewall(config)#static (inside,outside) 192.1.12.15 10.2.2.1 netmask 255.255.255.255 pixfirewall(config)#access-list outsideint permit tcp host 192.1.12.2 host 192.1.12.15 eq 23 c) Create a Static entry for the AAA server at 10.1.1.100. Translate it to 192.1.12.100. Allow the appropriate entries in the access-list for TACACS+. Only allow R2 to communicate to the TACACS+ server. R2 should communicate to the TACACS+ server using its loopback0 interface. pixfirewall(config)#static (inside,outside) 192.1.12.100 10.1.1.100 netmask 255.255.255.255 pixfirewall(config)#access-list outsideint permit tcp host 2.2.2.2 host 192.1.12.100 eq 49 R2(config)#ip tacacs source-int lo0 342 Copyright IPexpert, Inc. (http://www.ipexpert.com) 2007. All Rights Reserved.
IPexpert’s CCIE Security Proctor Guide – Version 4.1 Section 13 d) Enable Nat-control on the PIX. pixfirewall(config)#nat-control 2.4 – Transparent Firewall (2 points) a) Configure ASA1 in transparent firewall mode for the VLANs connecting R4 and R9. Make sure that the routing protocol adjacencies between R4 and R9 work after completing this step. Do not configure contexts for this step. ciscoasa(config)#firewall transparent ciscoasa(config)#hostname ASA1 ASA1(config)#int eth0/0 ASA1(config-if)#no shut ASA1(config-if)#int eth0/1 ASA1(config-if)#no shut ASA1(config)#int eth0/0 ASA1(config-if)#nameif outside IICMP: icmp_open Entry for context 0 NFO: Security level for "outside" set to 0 by default. ASA1(config-if)#int eth0/1 ASA1(config-if)#nameif inside IICMP: icmp_open Entry for context 0 NFO: Security level for "inside" set to 100 by default. ASA1(config)#ip address 192.1.49.55 255.255.255.0 At a minimum, we need to allow OSPF and BGP traffic, and possibly ICMP echo and echo-reply for ping testing. Since we are not given any restrictions on what traffic to allow, we can just allow all IP traffic. ASA1(config)#access-list ROUTING permit ip any any ASA1(config)#access-group ROUTING in interface outside ASA1(config)#access-group ROUTING in interface inside 2.5 – Contexts (2points) a) Configure ASA2 in transparent firewall mode for the VLANs connecting R5 and BB2, using contexts. Use the context name r5tobb2. Configure interfaces eth0/0 and eth0/1 for a security level of 100. Configuration for ASA2 will be similar, but we will be using contexts. Start by switching to multiple context mode. ciscoasa(config)#mode multiple WARNING: This command will change the behavior of the device WARNING: This command will initiate a Reboot Proceed with change mode? [confirm] Convert the system configuration? [confirm] Copyright IPexpert, Inc. (http://www.ipexpert.com) 2007. All Rights Reserved. 343
Page 1 and 2: Ultimate Lab Preparation Workbook F
Page 3 and 4: Introduction IPexpert’s Ultimate
Page 5 and 6: Introduction IPexpert’s Ultimate
Page 7 and 8: EULA IPexpert’s Ultimate Preparat
Page 9 and 10: Table of Contents IPexpert’s Ulti
Page 11 and 12: Table of Contents IPexpert’s Ulti
Page 13 and 14: Section 6 IPexpert’s Ultimate Pre
Page 15 and 16: Section 6 IPexpert’s Ultimate Pre
Page 17 and 18: Section 13 IPexpert’s Ultimate Pr
Page 27 and 28: IPexpert’s CCIE Security Proctor
Page 51: IPexpert’s CCIE Security Proctor
Page 77: IPexpert, Inc. Product Order Form F

Download pdf - Free Books

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?