Section 13 IPexpert's CCIE Security Proctor Guide – Version 4.1
8 - IOS Firewall Configuration (8 Points)
8.1 - Cisco IOS Firewall (4 Points)
a) On R4, inspect all TCP, UDP and ICMP traffic from the Ethernet segment going towards the Frame networks.

Start by defining the inspection rule, then apply it outbound on the Frame interface. CBAC then tracks every TCP, UDP and ICMP session that leaves R4 towards the Frame networks and dynamically opens only the matching return traffic through the inbound ACL configured in the next task.
R4(config)#ip inspect name MYFW tcp
R4(config)#ip inspect name MYFW udp
R4(config)#ip inspect name MYFW icmp
R4(config)#int ser0/0/0
R4(config-if)#ip inspect MYFW out
b) Only allow relevant traffic coming in.

We have BGP and OSPF sessions to permit; everything else arriving on the Frame interface is dropped and logged, and CBAC opens holes for the return traffic of the inspected sessions. The first BGP line covers a session opened by R2 towards R4, the second (est is the abbreviated form of established) covers the return half of a session that R4 opened itself. If the OSPF network type on the Frame interface elects a DR (broadcast or non-broadcast), R4 will also receive OSPF packets addressed to 224.0.0.6 and a matching permit line is needed; on point-to-point or point-to-multipoint types the two lines below are sufficient.
R4(config)#ip access-list extended 121
R4(config-ext-nacl)#permit tcp host 2.2.2.2 host 4.4.4.4 eq bgp
R4(config-ext-nacl)#permit tcp host 2.2.2.2 eq bgp host 4.4.4.4 est
R4(config-ext-nacl)#permit ospf host 192.1.24.2 host 224.0.0.5
R4(config-ext-nacl)#permit ospf host 192.1.24.2 host 192.1.24.4
R4(config-ext-nacl)#deny ip any any log
c) ACL should be set to inbound on the Serial interface.
R4(config)#int ser0/0/0
R4(config-if)#ip access-group 121 in
8.2 - Cisco IOS Firewall tuning (2 Points)
a) Set the IOS Firewall such that it blocks half-open connections if they exceed 1000 and stops deleting the connections if they reach 800.
b) Also set it for a one-minute high.
c) Set the TCP idle time to 30 minutes.

The high watermark is the number of existing half-open sessions that makes CBAC start deleting them; the low watermark is the number at which it stops deleting. The same pair of thresholds is applied to the one-minute sampling rate of new connection attempts. The idle time is entered in seconds, so 30 minutes is 1800. (The CBAC defaults these replace are 500/400 for both threshold pairs and a 3600 second TCP idle time.)
R4(config)#ip inspect max-incomplete high 1000
R4(config)#ip inspect max-incomplete low 801
R4(config)#ip inspect one-minute high 1000
R4(config)#ip inspect one-minute low 801
R4(config)#ip inspect tcp idle-time 1800
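As an added verification step that is not part of the original guide, the show commands below check both tasks on R4 in one pass. The interface name (serial0/0/0), the rule name MYFW and the ACL number 121 are taken from the configuration above; the test traffic described in the comments is an assumption about the lab topology, not something the guide specifies.

```ios
! 8.2: confirm the global thresholds and the TCP idle timer took effect.
! Expect the max-incomplete and one-minute thresholds to be shown as low:high
! (801:1000) and the tcp idle-time as 1800 sec.
R4#show ip inspect config

! 8.1: confirm MYFW inspects tcp, udp and icmp and is bound outbound on the
! Frame interface, and that ACL 121 is bound inbound on the same interface.
R4#show ip inspect interfaces
R4#show ip interface serial0/0/0 | include access list

! Generate an inspected session from the Ethernet side, for example a telnet
! from a host behind R4 to a router across the Frame cloud (assumed test
! traffic), then check that CBAC created a session entry for it.
R4#show ip inspect sessions detail

! Hit counts on the static entries: the BGP and OSPF lines should be
! incrementing, and any unexpected inbound traffic lands on the final deny.
R4#show ip access-lists 121

! The deny carries the log keyword, so blocked packets are visible here.
R4#show logging | include list 121
```

If a session from the Ethernet side fails while the BGP and OSPF counters still increment, the usual cause is the inspection rule being applied in the wrong direction (in instead of out) or on the wrong interface; `show ip inspect interfaces` shows exactly where MYFW is bound.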
362 Copyright IPexpert, Inc. (http://www.ipexpert.com) 2007. All Rights Reserved.