Lab 6.2 Configuring CBAC

More documents

Recommendations

Info

max-incomplete tcp connections per host is 50. Block-time 0 minute. tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec tcp idle-time is 3600 sec -- udp idle-time is 30 sec dns-timeout is 5 sec Inspection Rule Configuration Inspection name myrules tcp alert is on audit-trail is off timeout 3600 udp alert is on audit-trail is off timeout 30 icmp alert is on audit-trail is off timeout 5 http alert is off audit-trail is off timeout 3600 ftp alert is on audit-trail is on timeout 3600 Interface Configuration Interface Serial0/0/0 Inbound inspection rule is myrules tcp alert is on audit-trail is off timeout 3600 udp alert is on audit-trail is off timeout 30 icmp alert is on audit-trail is off timeout 5 http alert is off audit-trail is off timeout 3600 ftp alert is on audit-trail is on timeout 3600 Outgoing inspection rule is not set Inbound access list is not set Outgoing access list is not set Established Sessions Session 458348C4 (172.16.12.1:54736)=>(192.168.23.3:23) tcp SIS_OPEN View detailed session information by issuing the show ip inspect detail command on FW. FW# show ip inspect sessions detail Established Sessions Session 458348C4 (172.16.12.1:54736)=>(192.168.23.3:23) tcp SIS_OPEN Created 00:03:25, Last heard 00:03:23 Bytes sent (initiator:responder) [37:79] In SID 192.168.23.3[23:23]=>172.16.12.1[54736:54736] on ACL 100 (11 matches) Close the telnet connection when you are done verifying CBAC operation. OUTSIDE> exit [Connection to 192.168.23.3 closed by foreign host] INSIDE# Note: If your Cisco IOS release does not support ICMP inspection, skip the following verification step since ICMP traffic will not be inspected. Enable debugging of IP inspection for ICMP traffic using the debug ip inspect protocol command. In a production environment, debugging CBAC is not recommended because of the high amounts of output it can generate. FW# debug ip inspect icmp INSPECT ICMP Inspection debugging is on From the INSIDE router, ping OUTSIDE. Note that this would not work if you try to ping the other way because it would be denied by the access list. If 6 - 8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 6-2 Copyright © 2007, Cisco Systems, Inc
attempted, the denied packets from OUTSIDE to INSIDE would be logged to FW’s console line as well. INSIDE# ping 192.168.23.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms FW# *Feb 18 02:23:29.591: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3 *Feb 18 02:23:29.591: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3 *Feb 18 02:23:29.591: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3 *Feb 18 02:23:29.619: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1 *Feb 18 02:23:29.647: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3 *Feb 18 02:23:29.675: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1 *Feb 18 02:23:29.703: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3 *Feb 18 02:23:29.735: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1 *Feb 18 02:23:29.763: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3 *Feb 18 02:23:29.791: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1 *Feb 18 02:23:29.819: CBAC: ICMP Echo pkt 172.16.12.1 => 192.168.23.3 *Feb 18 02:23:29.847: CBAC: ICMP Echo Reply pkt 192.168.23.3 => 172.16.12.1 FW# undebug all Final Configurations INSIDE# show run hostname INSIDE ! interface Serial0/0/0 ip address 172.16.12.1 255.255.255.0 clock rate 64000 no shutdown ! ip route 0.0.0.0 0.0.0.0 172.16.12.2 ! line vty 0 4 password cisco login end FW# show run hostname FW ! ip inspect name myrules tcp ip inspect name myrules udp ip inspect name myrules icmp timeout 5 ip inspect name myrules http alert off ip inspect name myrules ftp audit-trail on ip inspect udp idle-time 60 ! interface Serial0/0/0 ip address 172.16.12.2 255.255.255.0 ip inspect myrules in no shutdown ! interface Serial0/0/1 ip address 192.168.23.2 255.255.255.0 ip access-group 100 in clock rate 64000 no shutdown 7 - 8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 6-2 Copyright © 2007, Cisco Systems, Inc
Page 1 and 2: Lab 6.2 Configuring CBAC Learning O
Page 3 and 4: Step 4: Create IP Inspect Rules CBA
Page 5: Step 5: Block Unwanted Outside Traf

Lab 6.2 Configuring CBAC

Create successful ePaper yourself

Delete template?

Save as template?