Section 13 IPexpert’s CCIE Security Proctor Guide – Version 4.1
9 - Advanced Security and Attacks Configuration (12 Points)
9.1 - Filtering Java and ActiveX applets (2 Points)
a) Set up the PIX to block the downloading of Java and ActiveX applets from anywhere.
pixfirewall(config)#filter java 80 0 0 0 0
pixfirewall(config)#filter activex 80 0 0 0 0
9.2 - Allow Remote Management of the PIX (2 Points)
a) Set up the PIX firewall so that the PC at 10.1.1.100 can telnet into the PIX for remote
management. Change the default Telnet password to ccie.
pixfirewall(config)#telnet 10.1.1.100 255.255.255.255 inside
pixfirewall(config)#passwd ccie

Verify by telnetting from the ACS server.
9.3 - Time-Based Access List (2 Points)
a) You do not want users on the R6 Ethernet network to access a special application that uses TCP port
25000 on weekdays between 9:00 AM and 4:00 PM.
b) It is OK for them to use the application at other times.
R6(config)#time-range WEEKDAYS
R6(config-time-range)#periodic weekdays 09:00 to 15:59
R6(config)#access-list 131 deny tcp 192.1.6.0 0.0.0.255 any eq 25000 time-range WEEKDAYS
R6(config)#access-list 131 permit ip any any
R6(config)#int fa0/0
R6(config-if)#ip access-group 131 in
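The 9.3 access list modelled in Python, as an added example that is not part of the original guide: it evaluates ACL 131 top-down against constructed packets to show wildcard-mask matching and the time-range boundaries. It assumes the end minute of a periodic entry is inclusive (which is why the solution ends at 15:59); the function and field names are hypothetical.

```python
from datetime import datetime
from ipaddress import IPv4Address

# Model of "time-range WEEKDAYS / periodic weekdays 09:00 to 15:59".
# Assumption: the end minute is inclusive, so the range matches through 15:59:59.
WEEKDAYS = {"days": {0, 1, 2, 3, 4}, "start": (9, 0), "end": (15, 59)}

# ACL 131 as configured in 9.3; entries are checked top-down, first match wins.
ACL_131 = [
    {"action": "deny", "proto": "tcp", "src": "192.1.6.0",
     "wildcard": "0.0.0.255", "dport": 25000, "time_range": WEEKDAYS},
    {"action": "permit", "proto": "ip", "src": "0.0.0.0",
     "wildcard": "255.255.255.255", "dport": None, "time_range": None},
]

def wildcard_match(addr, base, wildcard):
    """Bits set in the wildcard mask are ignored; all other bits must equal base."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

def time_range_active(tr, when):
    """True when 'when' falls on a listed day between start and end, inclusive."""
    if when.weekday() not in tr["days"]:
        return False
    return tr["start"] <= (when.hour, when.minute) <= tr["end"]

def evaluate(acl, proto, src, dport, when):
    """Return the action of the first matching entry, or the implicit deny."""
    for ace in acl:
        if ace["time_range"] and not time_range_active(ace["time_range"], when):
            continue  # an entry whose time-range is inactive is skipped
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, ace["src"], ace["wildcard"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every ACL

if __name__ == "__main__":
    # Constructed sample timestamps (2007-06-04 is a Monday, 2007-06-09 a Saturday).
    for label, when in [
        ("Mon 15:59:59", datetime(2007, 6, 4, 15, 59, 59)),
        ("Mon 16:00:00", datetime(2007, 6, 4, 16, 0, 0)),
        ("Sat 12:00:00", datetime(2007, 6, 9, 12, 0, 0)),
    ]:
        print(label, evaluate(ACL_131, "tcp", "192.1.6.10", 25000, when))
```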
9.4 - Time-Based Access List (2 Points)
a) You do not want users on the R6 Ethernet network to use a customized application that uses UDP
port 20000 on the weekend between 10:00 AM and 3:00 PM.
b) It is OK for them to use the application at other times.

Since this is on the same interface, make sure to merge this into the existing access list.
R6(config)#time-range WEEKEND
R6(config-time-range)#periodic weekend 10:00 to 14:59
R6(config)#ip access-list extended 131
R6(config-ext-nacl)#no permit ip any any
364 Copyright IPexpert, Inc. (http://www.ipexpert.com) 2007. All Rights Reserved.