Lab 6.2 Configuring CBAC

More documents

Recommendations

Info

INSIDE(config-if)# no shutdown FW(config)# interface serial0/0/0 FW(config-if)# ip address 172.16.12.2 255.255.255.0 FW(config-if)# no shutdown FW(config-if)# interface serial0/0/1 FW(config-if)# ip address 192.168.23.2 255.255.255.0 FW(config-if)# clockrate 64000 FW(config-if)# no shutdown OUTSIDE(config)# interface serial0/0/1 OUTSIDE(config-if)# ip address 192.168.23.3 255.255.255.0 OUTSIDE(config-if)# no shutdown Step 2: Configure Static Default Routes On the INSIDE and OUTSIDE routers, configure static default routes directing traffic to unknown destinations to be forwarded to the FW router. FW will not need any routes because it has interfaces directly connected to both networks (as shown in the topology diagram.) INSIDE(config)# ip route 0.0.0.0 0.0.0.0 172.16.12.2 OUTSIDE(config)# ip route 0.0.0.0 0.0.0.0 192.168.23.2 Your network should have full IP connectivity at this point. If it does not have full connectivity, troubleshoot. Normally, a single-homed company might use Network Address Translation (NAT) at its corporate edge to protect its network and allow private addressing within the bounds of its network. In that case, the OUTSIDE router, normally a provider edge router would have a static route directing traffic to the address owned by the customer out one of its interfaces. In this scenario you will not configure NAT, and you will use a default route for simplicity. Step 3: Enable Telnet Access You will be using the Telnet protocol to test connectivity in this lab scenario. In order to enable Telnet access on a router beginning with its default configuration, simply apply the password string command on the virtual terminal lines. Apply this configuration change on the INSIDE and OUTSIDE routers. Use “cisco” as the line password. This will be used later for verification purposes. INSIDE(config)# line vty 0 4 INSIDE(config-line)# password cisco INSIDE(config-line)# login OUTSIDE(config)# line vty 0 4 OUTSIDE(config-line)# password cisco OUTSIDE(config-line)# login 2 - 8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 6-2 Copyright © 2007, Cisco Systems, Inc
Step 4: Create IP Inspect Rules CBAC operates by statefully inspecting some protocols and tracking TCP connections and UDP flows. CBAC examines the protocols to determine if incoming, untrusted (outside) traffic is return traffic for an inside-initiated connection, or the result of arbitrarily spoofed packets. For some well-known protocols, CBAC can also examine particular application-layer fields to make sure that the packets are following the protocols of those specific applications correctly. Any traffic that is not accepted by CBAC is treated appropriately according to the rules indicated by the access list on the interface. This is done by explicitly blocking untrusted traffic (which we will configure later) except when allowed by CBAC. Why is it important to keep track of connection states, especially with TCP connections The critical part of configuring CBAC involves creating rules to track connections and flows. Create rules to track TCP and UDP flows using the ip inspect name name protocol command. Use the name “myrules” and apply the CBAC rule to the to Serial0/0/0 interface in the inbound direction. To see the protocols available (most of the protocols listed will be application layer protocols), enter the ip inspect name name command followed by the character. Newer IOS versions will have more protocols listed. FW(config)# ip inspect name myrules 802-11-iapp IEEE 802.11 WLANs WG IAPP ace-svr ACE Server/Propagation aol America-Online appfw Application Firewall appleqtc Apple QuickTime bgp Border Gateway Protocol FW(config)# ip inspect name myrules tcp FW(config)# ip inspect name myrules udp You can also set CBAC timeouts for various protocols. To change the amount of time that should pass before a UDP flow times out, use the ip inspect udp idle-time timeout command in global configuration mode. The default UDP idle timeout is 30 seconds. Change the UDP timeout to 60 seconds. FW(config)# ip inspect udp idle-time 60 3 - 8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 6-2 Copyright © 2007, Cisco Systems, Inc
Page 1: Lab 6.2 Configuring CBAC Learning O
Page 5 and 6: Step 5: Block Unwanted Outside Traf
Page 7 and 8: attempted, the denied packets from

Lab 6.2 Configuring CBAC

Create successful ePaper yourself

Delete template?

Save as template?