Download pdf - Free Books

Section 13 IPexpert’s CCIE Security Proctor Guide – Version 4.1
9 - Advanced Security and Attacks Configuration (12 Points)
9.1 - Filtering Java and ActiveX applets (2 Points)
a) Setup the PIX to block the downloading of Java and ActiveX applets from anywhere.
pixfirewall(config)#filter java 80 0 0 0 0
pixfirewall(config)#filter activex 80 0 0 0 0
9.2 - Allow Remote Management of the PIX (2 Points)
a) Setup the PIX firewall so that the PC at 10.1.1.100 can telnet into the PIX for remote
management. Change the default Telnet password to ccie.
pixfirewall(config)#telnet 10.1.1.100 255.255.255.255 inside
pixfirewall(config)#passwd ccie
Verify by telnetting from the ACS server.
9.3 - Time-Based Access List (2 Points)
a) You do not want users on R6 Ethernet Network access a special application that uses TCP port
25000, during the Weekdays between 9:00 AM to 4:00 PM.
b) It is OK for them to use the application at other times.
R6(config)#time-range WEEKDAYS
R6(config-time-range)#periodic weekdays 09:00 to 15:59
R6(config)#access-list 131 deny tcp 192.1.6.0 0.0.0.255 any eq 25000
time-range WEEKDAYS
R6(config)#access-list 131 permit ip any any
R6(config)#int fa0/0
R6(config-if)#ip access-group 131 in
9.4 - Time-Based Access List (2 Points)
a) You do not want users on R6 Ethernet Network to use a customized application that uses UDP
port 20000, on the Weekend between 10:00 AM to 3:00 PM.
b) It is OK for them to use the application at other times.
Since this is on the same interface, make sure to merge this into the existing accesslist.
R6(config)#time-range WEEKEND
R6(config-time-range)#periodic weekend 10:00 to 14:59
R6(config)#ip access-list extended 131
R6(config-ext-nacl)#no permit ip any any
364 Copyright IPexpert, Inc. (http://www.ipexpert.com) 2007. All Rights Reserved.