Practical work for the module "Option sécurité" (CCNA Security): Configuring CBAC and Zone-Based Firewalls. Engineering cycle, Department of Telecommunications, ENSA

CHAPTER 4 LAB A: CONFIGURING CBAC AND ZONE-BASED FIREWALLS (INSTRUCTOR VERSION)



Academic year 2013-2014


CCNA Security

Chapter 4 Lab A, Configuring CBAC and Zone-Based Firewalls


Topology

[Topology diagram]

IP Addressing Table

Device  Interface       IP Address    Subnet Mask      Default Gateway  Switch Port
R1      FA0/1           192.168.1.1   255.255.255.0    N/A              S1 FA0/5
R1      S0/0/0 (DCE)    10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0          10.1.1.2      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)    10.2.2.2      255.255.255.252  N/A              N/A
R3      FA0/1           192.168.3.1   255.255.255.0    N/A              S3 FA0/5
R3      S0/0/1          10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC             192.168.1.3   255.255.255.0    192.168.1.1      S1 FA0/6
PC-C    NIC             192.168.3.3   255.255.255.0    192.168.3.1      S3 FA0/18


Objectives

Part 1: Basic Router Configuration
- Configure host names, interface IP addresses, and access passwords.
- Configure the EIGRP dynamic routing protocol.
- Use the Nmap port scanner to test for router vulnerabilities.

Part 2: Configuring a Context-Based Access Control (CBAC) Firewall
- Configure CBAC using AutoSecure.
- Examine the resulting CBAC configuration.
- Verify the firewall functionality.

Part 3: Configuring a Zone-Based Policy Firewall (ZBF, ZPF or ZFW)
- Configure a Zone-Based Policy Firewall using SDM.
- Examine the resulting CBAC configuration.
- Use SDM Monitor to verify configuration.

Background

The most basic form of a Cisco IOS firewall uses access control lists (ACLs) to filter IP traffic and monitor established traffic patterns. This is referred to as a traditional Cisco IOS firewall. In more recent Cisco IOS versions, this approach has evolved into a method called context-based access control (CBAC) or Inspect/CBAC, which is based on Stateful Packet Inspection (SPI). CBAC makes creating firewalls easier and gives the administrator greater control over various types of application traffic originating from inside and outside of the protected network. When Cisco IOS AutoSecure is run, it prompts to create a CBAC firewall and generates a basic configuration. For simple networks with a single inside and outside interface, CBAC is easier to configure than traditional Cisco IOS firewalls. Configurations with multiple interfaces and DMZ requirements can become complex and difficult to manage using CBAC. The current method used with SDM for securing routers is called a zone-based policy firewall (may be abbreviated as ZBF, ZPF or ZFW). A zone-based policy firewall provides the same type of functionality as CBAC, but is better suited for multiple interfaces that have similar or varying security requirements. While AutoSecure generates a CBAC firewall, SDM generates a ZBF firewall by default.

In this lab, you build a multi-router network and configure the routers and hosts. You use AutoSecure to configure a CBAC firewall and SDM to configure a zone-based policy firewall.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router model and Cisco IOS version, the commands available and output produced might vary from what is shown in this lab.

Note: Make sure that the routers and the switches have been erased and have no startup configurations.

Required Resources
- 3 routers with SDM 2.5 installed (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
- 2 switches (Cisco 2960 or comparable)
- PC-A (Windows XP or Vista)
- PC-C (Windows XP or Vista)
- Serial and Ethernet cables as shown in the topology
- Rollover cables to configure the routers via the console

Part 1: Basic Router Configuration

In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP addresses, dynamic routing, device access, and passwords.

Note: All tasks should be performed on routers R1, R2 and R3. The procedure for R1 is shown here as an example.

Task 1: Configure Basic Router Settings

Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for each router.

a. Configure host names as shown in the topology.
b. Configure the interface IP addresses as shown in the IP addressing table.
c. Configure a clock rate for the serial router interfaces with a DCE serial cable attached.

    R1(config)#interface S0/0/0
    R1(config-if)#clock rate 64000

Step 3: Disable DNS lookup.

To prevent the router from attempting to translate incorrectly entered commands, disable DNS lookup.

    R1(config)#no ip domain-lookup

Step 4: Configure the EIGRP routing protocol on R1, R2, and R3.

a. On R1, use the following commands.

    R1(config)#router eigrp 101
    R1(config-router)#network 192.168.1.0 0.0.0.255
    R1(config-router)#network 10.1.1.0 0.0.0.3
    R1(config-router)#no auto-summary

b. On R2, use the following commands.

    R2(config)#router eigrp 101
    R2(config-router)#network 10.1.1.0 0.0.0.3
    R2(config-router)#network 10.2.2.0 0.0.0.3
    R2(config-router)#no auto-summary

c. On R3, use the following commands.

    R3(config)#router eigrp 101
    R3(config-router)#network 192.168.3.0 0.0.0.255
    R3(config-router)#network 10.2.2.0 0.0.0.3
    R3(config-router)#no auto-summary

Step 5: Configure PC host IP settings.

a. Configure a static IP address, subnet mask, and default gateway for PC-A, as shown in the IP addressing table.
b. Configure a static IP address, subnet mask, and default gateway for PC-C, as shown in the IP addressing table.

Step 6: Verify basic network connectivity.

a. Ping from R1 to R3. Were the results successful?
   Yes.
   If the pings are not successful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN. Were the results successful?
   Yes.
   If the pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-A to PC-C, you have demonstrated that the EIGRP routing protocol is configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses are correct, use the show run and show ip route commands to help identify routing protocol-related problems.

Step 7: Configure a minimum password length.

Note: Passwords in this lab are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.

Use the security passwords command to set a minimum password length of 10 characters.

    R1(config)#security passwords min-length 10

Step 8: Configure basic console, auxiliary port, and vty lines.

a. Configure a console password and enable login for router R1. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec-timeout can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.

    R1(config)#line console 0
    R1(config-line)#password ciscoconpass
    R1(config-line)#exec-timeout 5 0
    R1(config-line)#login
    R1(config-line)#logging synchronous

b. Configure a password for the aux port for router R1.

    R1(config)#line aux 0
    R1(config-line)#password ciscoauxpass
    R1(config-line)#exec-timeout 5 0
    R1(config-line)#login

c. Configure the password on the vty lines for router R1.

    R1(config)#line vty 0 4
    R1(config-line)#password ciscovtypass
    R1(config-line)#exec-timeout 5 0
    R1(config-line)#login

d. Repeat these configurations on both R2 and R3.

Step 9: Enable HTTP server and HTTP server secure.

Enabling these services allows the router to be managed using the GUI and a web browser.

    R1(config)#ip http server

Step 10: Encrypt clear text passwords.

a. Use the service password-encryption command to encrypt the console, aux, and vty passwords.

    R1(config)#service password-encryption

b. Issue the show run command. Can you read the console, aux, and vty passwords? Why or why not?
   No, you cannot: the passwords are encrypted.
c. Repeat this configuration on both R2 and R3.

Step 11: Save the basic running configuration for all three routers.

Save the running configuration to the startup configuration from the privileged EXEC prompt.

    R1#copy running-config startup-config

Task 2: Use the Nmap Port Scanner to Determine Router Vulnerabilities

In this task you determine open ports or services running on R1 using Nmap, before configuring a firewall.

Step 1: (Optional) Download and install Nmap and the Zenmap GUI front-end.

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.

a. If Nmap is already installed on PC-A and PC-C, go to Step 2. Otherwise, download the latest Windows version from http://nmap.org/download.html.
b. On PC-A and PC-C, run the Nmap setup utility and install all components listed, including the Zenmap GUI front-end. Click Next to accept the defaults when prompted.


Step 2: Scan for open ports on R1 using Nmap from internal host PC-A.

a. From internal host PC-A, start the Nmap-Zenmap application and enter the IP address of the default gateway, R1 Fa0/1 (192.168.1.1), as the Target. Accept the default Nmap command entered for you in the Command window and use the Intense scan profile.

Note: If the PC is running a personal firewall it may be necessary to turn it off temporarily to obtain accurate test results.

b. Click the Scan button to begin the scan of R1 from internal host PC-A. Allow some time for the scan to complete. The next two screens show the entire output of the scan after scrolling.

[Zenmap scan output screenshots]

c. Click the Services button in the upper left side of the screen. What ports are open on R1 Fa0/1 from the perspective of internal host PC-A?
   We observe that Nmap on PC-A detects two ports: Telnet (23) and HTTP (80).

   What is the MAC address of the R1 Fa0/1 interface?
   For this router the MAC address is cc00.141c.0000.

   For R1, what type of device and what OS version does Nmap detect?
   It detects a router running Cisco IOS version 12.4.


Step 3: Scan for open ports on R1 using Nmap from external host PC-C.

a. From external host PC-C, start the Nmap-Zenmap application and enter the IP address of R1 S0/0/0 (10.1.1.1) as the Target. Accept the default Nmap command entered for you in the Command window and use the Intense scan profile.
b. Click the Scan button. Allow some time for the scan to complete. The next two screens show the entire output of the scan after scrolling.

[Zenmap scan output screenshots]

c. Click the Services button below the Command entry field. What services are running and available on R1 from the perspective of PC-C?
   The services that are running: Telnet and HTTP.
d. In the Nmap scan output, refer to the TRACEROUTE information. How many hops are between PC-C and R1 and through what IP addresses did the scan have to go to reach R1?
   The number of hops the scan passes through to reach R1 is 3: the scan goes from PC-C to R3 via interface Fa0/1 (192.168.3.1), then to R2 S0/0/1 (10.2.2.2), and finally to R1 S0/0/0 (10.1.1.1).

Note: In Part 2 of this lab you will configure a CBAC firewall on R1 and then run Nmap again to test access from external host PC-C to R1.

Part 2: Configuring a Context-Based Access Control (CBAC) Firewall

In Part 2 of this lab, you configure CBAC on R1 using AutoSecure. You then review and test the resulting configuration.

Task 1: Verify Access to the R1 LAN from R2

In this task, you verify that with no firewall in place, the external router R2 can ping the R1 S0/0/0 interface and PC-A on the R1 internal LAN.

Step 1: Ping from R2 to R1.

a. From R2, ping the R1 interface S0/0/0 at IP address 10.1.1.1.

    R2#ping 10.1.1.1

b. Were the results successful?
   Yes.
   If the pings are not successful, troubleshoot the basic device configurations before continuing.

Step 2: Ping from R2 to PC-A on the R1 LAN.

a. From R2, ping PC-A on the R1 LAN at IP address 192.168.1.3.

    R2#ping 192.168.1.3

b. Were the results successful?
   Yes.
   If the pings are not successful, troubleshoot the basic device configurations before continuing.

Step 3: Display the R1 running config prior to using AutoSecure.

a. Issue the show run command to review the current basic configuration on R1.
b. Are there any security commands related to access control?
   No, there are none; only the maximum length (10), and the login, password and exec-timeout are defined on the console, vty and aux lines.

Task 2: Use AutoSecure to Secure R1 and Enable CBAC

AutoSecure simplifies the security configuration of a router and hardens the router configuration. In this task, you run AutoSecure and enable CBAC during the process.

Step 1: Use the AutoSecure IOS feature to enable CBAC.

a. Enter privileged EXEC mode using the enable command.
b. Issue the auto secure command on R1. Respond as shown in the following AutoSecure output to the AutoSecure questions and prompts. The responses are shown after each prompt.

Note: The focus here is the commands generated by AutoSecure for CBAC, so you do not enable all the potential security features that AutoSecure can provide, such as SSH access. Be sure to respond "yes" to the prompt Configure CBAC Firewall feature?.

    R1#auto secure
                    --- AutoSecure Configuration ---

    *** AutoSecure configuration enhances the security of
    the router, but it will not make it absolutely resistant
    to all security attacks ***

    AutoSecure will modify the configuration of your device.
    All configuration changes will be shown. For a detailed
    explanation of how the configuration changes enhance security
    and any possible side effects, please refer to Cisco.com for
    Autosecure documentation.
    At any prompt you may enter '?' for help.
    Use ctrl-c to abort this session at any prompt.

    Gathering information about the router for AutoSecure

    Is this router connected to internet? [no]: yes
    Enter the number of interfaces facing the internet [1]: 1

    Interface          IP-Address      OK? Method Status                Protocol
    FastEthernet0/0    unassigned      YES unset  administratively down down
    FastEthernet0/1    192.168.1.1     YES manual up                    up
    Serial0/0/0        10.1.1.1        YES SLARP  up                    up
    Serial0/0/1        unassigned      YES unset  administratively down down

    Enter the interface name that is facing the internet: serial0/0/0

    Securing Management plane services...

    Disabling service finger
    Disabling service pad
    Disabling udp & tcp small servers
    Enabling service password encryption
    Enabling service tcp-keepalives-in
    Enabling service tcp-keepalives-out
    Disabling the cdp protocol

    Disabling the bootp server
    Disabling the http server
    Disabling the finger service
    Disabling source routing
    Disabling gratuitous arp

    Here is a sample Security Banner to be shown
    at every access to device. Modify it to suit your
    enterprise requirements.

    Authorized Access only
      This system is the property of So-&-So-Enterprise.
      UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
      You must have explicit permission to access this
      device. All activities performed on this device
      are logged. Any violations of access policy will result
      in disciplinary action.

    Enter the security banner {Put the banner between
    k and k, where k is any character}:
    @ Unauthorized Access Prohibited @

    Enable secret is either not configured or
     is the same as enable password
    Enter the new enable secret: cisco12345
    Confirm the enable secret : cisco12345
    Enter the new enable password: cisco67890
    Confirm the enable password: cisco67890

    Configuration of local user database
    Enter the username: admin
    Enter the password: cisco12345
    Confirm the password: cisco12345
    Configuring AAA local authentication
    Configuring Console, Aux and VTY lines for
    local authentication, exec-timeout, and transport
    Securing device against Login Attacks
    Configure the following parameters

    Blocking Period when Login Attack detected: 60

    Maximum Login failures with the device: 2

    Maximum time period for crossing the failed login attempts: 30

    Configure SSH server? [yes]: no

    Configuring interface specific AutoSecure services
    Disabling the following ip services on all interfaces:

     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
    Disabling mop on Ethernet interfaces

    Securing Forwarding plane services...

    Enabling CEF (This might impact the memory requirements for your platform)
    Enabling unicast rpf on all interfaces connected
    to internet
    Configure CBAC Firewall feature? [yes/no]: yes

    This is the configuration generated:

    no service finger
    no service pad
    no service udp-small-servers
    no service tcp-small-servers
    service password-encryption
    service tcp-keepalives-in
    service tcp-keepalives-out
    no cdp run
    no ip bootp server
    no ip http server
    no ip finger
    no ip source-route
    no ip gratuitous-arps
    no ip identd
    banner motd ^C Unauthorized Access Prohibited ^C
    security authentication failure rate 10 log
    enable secret 5 $1$.de$Mp5tKr/I8W5VhuKoG6zoz1
    enable password 7 05080F1C2243185E415C47
    username admin password 7 020500D40808095E731F1A5C
    aaa new-model
    aaa authentication login local_auth local
    line con 0
     login authentication local_auth
     exec-timeout 5 0
     transport output telnet
    line aux 0
     login authentication local_auth
     exec-timeout 10 0
     transport output telnet
    line vty 0 4
     login authentication local_auth
     transport input telnet
    line tty 1
     login authentication local_auth
     exec-timeout 15 0
    login block-for 60 attempts 2 within 30
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    logging facility local2
    logging trap debugging
    service sequence-numbers
    logging console critical
    logging buffered
    interface FastEthernet0/0
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
     no mop enabled
    interface FastEthernet0/1
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
     no mop enabled
    interface Serial0/0/0
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
    interface Serial0/0/1
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
    interface Vlan1
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
     no mop enabled
    access-list 100 permit udp any any eq bootpc
    interface Serial0/0/0
     ip verify unicast source reachable-via rx allow-default 100
    ip inspect audit-trail
    ip inspect dns-timeout 7
    ip inspect tcp idle-time 14400
    ip inspect udp idle-time 1800
    ip inspect name autosec_inspect cuseeme timeout 3600
    ip inspect name autosec_inspect ftp timeout 3600
    ip inspect name autosec_inspect http timeout 3600
    ip inspect name autosec_inspect rcmd timeout 3600
    ip inspect name autosec_inspect realaudio timeout 3600
    ip inspect name autosec_inspect smtp timeout 3600
    ip inspect name autosec_inspect tftp timeout 30
    ip inspect name autosec_inspect udp timeout 15
    ip inspect name autosec_inspect tcp timeout 3600
    ip access-list extended autosec_firewall_acl
     permit udp any any eq bootpc
     deny ip any any
    interface Serial0/0/0
     ip inspect autosec_inspect out
     ip access-group autosec_firewall_acl in
    !
    end

    Apply this configuration to running-config? [yes]: yes

    Applying the config generated to running-config
    R1#
    000043: *Dec 29 21:28:59.223 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device

Step 2: Configure the R1 firewall to allow EIGRP updates.

The AutoSecure CBAC firewall on R1 does not permit EIGRP hellos and neighbor associations to occur and, therefore, no updates can be sent or received. Because EIGRP updates are blocked, R1 does not know of the 10.2.2.0/30 or the 192.168.3.0/24 networks, and R2 does not know of the 192.168.1.0/24 network.

Note: When you configure the ZBF firewall on R3 in Part 3 of this lab, SDM gives the option of allowing EIGRP routing updates to be received by R3.

a. Display the Extended ACL named autosec_firewall_acl, which is applied to S0/0/0 inbound.

    R1# show access-list autosec_firewall_acl
    Extended IP access list autosec_firewall_acl
        10 permit udp any any eq bootpc
        20 deny ip any any (10 matches)

b. Notice the 10 matches on ACL line 20. What is this a result of?
   EIGRP neighbor association attempts.
c. Configure R1 to allow EIGRP updates by adding a statement to the Extended ACL autosec_firewall_acl that permits the EIGRP protocol.

    R1(config)#ip access-list extended autosec_firewall_acl
    R1(config-ext-nacl)#15 permit eigrp any any
    R1(config-ext-nacl)#end

d. Display the Extended ACL autosec_firewall_acl again.

    R1# show access-list autosec_firewall_acl
    Extended IP access list autosec_firewall_acl
        10 permit udp any any eq bootpc
        15 permit eigrp any any (5 matches)
        20 deny ip any any (10 matches)

Notice that there is now some EIGRP packet activity for ACL statement 15.

Step 3: Save the running configuration.

Enter privileged EXEC mode using the enable command and provide the enable password cisco12345.

    R1#copy run start

Step 4: Scan for open ports on R1 using Nmap from external host PC-C.

a. From external host PC-C, use Nmap-Zenmap to scan R1 at Target IP address 10.1.1.1. Accept the default Nmap command entered for you in the Command window. Use the Intense scan profile.
b. Click the Scan button to begin scanning R1.

Now that the R1 CBAC firewall is in place, what services are available on R1 and what is the status of R1 from the perspective of external PC-C?
   No service is detected. Only the status of R1 (10.1.1.1) is reported, as down, by Nmap on PC-C.

Task 3: Review the AutoSecure CBAC Configuration

Step 1: Review the commands that were delivered to router R1.

a. Display the running configuration for R1. The AutoSecure output should look similar to that shown in Task 2, Step 1.
b. What is the most common command issued that is related to CBAC?
   The command is: ip inspect name autosec_inspect.
c. CBAC creates rules to track TCP and UDP flows using the ip inspect name name protocol command. To what interface is the autosec_inspect name applied and in what direction?
   Interface Serial0/0/0, in the outbound direction.

Step 2: Display the protocols available with the ip inspect command.

a. To see the protocols available, enter the ip inspect name name command in global config mode, followed by a question mark (?).

Note: Most of the protocols listed are application layer protocols. Newer Cisco IOS versions have more protocols listed.

    R1(config)# ip inspect name autosec_inspect ?
      802-11-iapp     IEEE 802.11 WLANs WG IAPP
      ace-svr         ACE Server/Propagation
      appfw           Application Firewall
      appleqtc        Apple QuickTime
      bgp             Border Gateway Protocol
      biff            Bliff mail notification
      bittorrent      bittorrent
      <Output Omitted>

b. How many protocols can be configured for inspection?
   A great many: more than a hundred protocols.
c. Refer to the running configuration output or the AutoSecure output in Task 2, Step 1. Which protocols did AutoSecure configure to be inspected as they leave the S0/0/0 interface?
   They are: TCP, UDP, FTP, HTTP, TFTP, SMTP, RCMD, RealAudio and finally the CUSeeMe protocol.
d. To which interface is the ACL autosec_firewall_acl applied and in which direction?
   Interface: S0/0/0, direction: outbound.
e. What is the purpose of the ACL autosec_firewall_acl?
   autosec_firewall_acl allows bootp traffic to enter the S0/0/0 interface and blocks all other, non-established connections coming from outside R1.
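Task 3 has you read the running-config by eye to confirm what AutoSecure delivered. The script below automates that review; it is an added example in Python, not part of the Cisco lab or of IOS. It splits a running-config into global lines and indented sections, extracts every ip inspect name statement for the rule, and checks that the outside interface carries the outbound inspection rule and the inbound ACL. The sample configuration is constructed from the AutoSecure output in Task 2, Step 1 and trimmed to what the audit needs; the function names (parse_config, inspected_protocols, audit, missing) and the check labels are chosen here.

```python
"""Audit a Cisco IOS running-config for the AutoSecure/CBAC items reviewed in Task 3.
Added example, not lab code. SAMPLE_RUNNING_CONFIG is constructed from the lab's
AutoSecure output and trimmed."""
import re

SAMPLE_RUNNING_CONFIG = """\
hostname R1
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
no cdp run
no ip bootp server
no ip http server
no ip source-route
login block-for 60 attempts 2 within 30
ip inspect audit-trail
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip inspect autosec_inspect out
 ip access-group autosec_firewall_acl in
end
"""

# Global hardening lines AutoSecure delivered in the lab output.
EXPECTED_GLOBAL = [
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip source-route",
]


def parse_config(text):
    """Split a running-config into global lines and per-section sub-lines.
    IOS indents the lines that belong to an interface, ACL or line section."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            global_lines.append(current)
    return global_lines, sections


def inspected_protocols(global_lines, rule="autosec_inspect"):
    """Return {protocol: timeout} for every 'ip inspect name <rule> ...' statement."""
    pat = re.compile(rf"^ip inspect name {re.escape(rule)} (\S+)(?: timeout (\d+))?$")
    found = {}
    for line in global_lines:
        m = pat.match(line)
        if m:
            found[m.group(1)] = int(m.group(2)) if m.group(2) else None
    return found


def audit(text, outside_if="interface Serial0/0/0", rule="autosec_inspect",
          acl="autosec_firewall_acl"):
    """Check the items a reviewer verifies in Task 3: global hardening lines,
    login-attack protection, and that the outside interface inspects outbound
    traffic and filters inbound traffic with the AutoSecure ACL."""
    global_lines, sections = parse_config(text)
    present = set(global_lines)
    results = {line: line in present for line in EXPECTED_GLOBAL}
    results["login block-for"] = any(l.startswith("login block-for") for l in global_lines)
    outside = sections.get(outside_if, [])
    results["inspect out on outside"] = f"ip inspect {rule} out" in outside
    results["acl in on outside"] = f"ip access-group {acl} in" in outside
    protos = inspected_protocols(global_lines, rule)
    # AutoSecure does not inspect ICMP, which is why the ping in Task 4, Step 2 fails.
    results["icmp inspected"] = "icmp" in protos
    acl_lines = sections.get(f"ip access-list extended {acl}", [])
    results["acl ends with deny"] = acl_lines[-1:] == ["deny ip any any"]
    return results, protos


def missing(results):
    """Names of the checks that did not pass."""
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    res, protos = audit(SAMPLE_RUNNING_CONFIG)
    for name, ok in res.items():
        print(f"{'OK  ' if ok else 'MISS'} {name}")
    print("inspected protocols:", protos)
```

Run against the sample, the only failed check is "icmp inspected", which matches what Task 4 later shows: echo replies from outside are dropped until icmp is added to the inspect list. Feeding it the output of show running-config from a real router lets you confirm the same items without scrolling through the configuration.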

Task 4: Verify CBAC Functionality

For the protocols identified to be inspected, the CBAC firewall allows return traffic for connections initiated from the inside, but blocks all other connections from the outside.

Step 1: From PC-A, ping the R1 internal LAN interface.

a. From PC-A, ping R1 interface Fa0/1 at IP address 192.168.1.1.

    C:\>ping 192.168.1.1

b. Were the pings successful? Why or why not?
   The ping works because the IP address of PC-A and that of the Fa0/1 interface of R1 are in the same network (PC-A's gateway), and also the firewall has no effect on this traffic.

Step 2: From PC-A, ping the R2 external WAN interface.

a. From PC-A, ping the R2 interface S0/0/0 at IP address 10.1.1.2.

    C:\>ping 10.1.1.2

b. Were the pings successful? Why or why not?
   The ping does not go through, because the ICMP protocol is not included in the autosec_inspect list; consequently the ping reply is blocked on the way back.

Step 3: Add ICMP to the autosec_inspect list.

From global config mode, configure R1 to inspect ICMP and allow ICMP echo replies from outside hosts.

    R1(config)#ip inspect name autosec_inspect icmp timeout 5

Step 4: From PC-A, ping the R2 external WAN interface.

a. From PC-A, ping the R2 interface S0/0/0 at IP address 10.1.1.2.

    C:\>ping 10.1.1.2

b. Were the pings successful? Why or why not?
   Yes, the ICMP ping goes through successfully, because the protocol is now included in the autosec_inspect list, and consequently the ICMP reply coming from outside the R1 LAN is allowed back in.
c. Remove ICMP from the inspect list. This restores the CBAC configuration to the one generated by AutoSecure.

    R1(config)#no ip inspect name autosec_inspect icmp timeout 5

Step 5: Test Telnet access from R2 to R1.

a. From external router R2, telnet to R1 at IP address 10.1.1.1.

    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ...
    % Connection timed out; remote host not responding

b. Was the telnetting successful? Why or why not?
   The Telnet connection does not go through, because it comes from the outside; the firewall ACL blocks it.

Step 6: Configure R1 to allow Telnet access from external hosts.

a. Display the Extended ACL named autosec_firewall_acl that is applied to S0/0/0 inbound.

    R1# show access-list autosec_firewall_acl
    Extended IP access list autosec_firewall_acl
        10 permit udp any any eq bootpc
        15 permit eigrp any any (15 matches)
        20 deny ip any any (57 matches)

b. Notice the 57 matches on ACL line 20. What is this a result of?
   These are the result of the earlier connection attempts that were blocked.
c. Configure R1 to allow Telnet access by adding a statement to the Extended ACL autosec_firewall_acl that permits TCP port 23 (Telnet).

    R1(config)#ip access-list extended autosec_firewall_acl
    R1(config-ext-nacl)#18 permit tcp any any eq 23
    R1(config-ext-nacl)#end

d. From external router R2, telnet again to R1 at IP address 10.1.1.1.

    R2>telnet 10.1.1.1
    Trying 10.1.1.1 ... Open

    Unauthorized Access Prohibited

    User Access Verification

    Username: admin
    Password: cisco12345
    R1>

e. From the Telnet session on R1, display the modified Extended ACL autosec_firewall_acl.

    R1> show access-list autosec_firewall_acl
    Extended IP access list autosec_firewall_acl
        10 permit udp any any eq bootpc
        15 permit eigrp any any (25 matches)
        18 permit tcp any any eq telnet (12 matches)
        20 deny ip any any (57 matches)

f. Notice the new line 18 in the ACL and the 12 matches. What is this a result of?
   It is the result of the connection attempt that has just been accepted.
g. Remove Telnet external access from the R1 firewall ACL.

    R1(config)#ip access-list extended autosec_firewall_acl
    R1(config-ext-nacl)#no 18 permit tcp any any eq telnet
    R1(config-ext-nacl)#end

Note: SSH is recommended instead of Telnet, because it provides a more secure way to allow remote administration access to a router or other networking device. SSH provides encrypted communication; however, some additional configuration is required to support the SSH connection. Refer to Chapter 2 Lab A for the procedure to enable SSH. For added security, configure SSH as the only input transport on the vty lines and remove Telnet as an input transport. Allowing SSH access to R1 from external hosts also requires adding a statement to the Extended ACL autosec_firewall_acl that permits TCP port 22 (SSH).

Step 7: Test Telnet access from internal PC-A to external router R2.

a. From PC-A, telnet to R2 at IP address 10.1.1.2.

    C:\>telnet 10.1.1.2

b. Was the telnet attempt successful? Why or why not?
   The Telnet connection attempt succeeded, because it was launched from the R1 LAN and was allowed.
c. Log in to R2 by providing the vty password of ciscovtypass.
d. Leave the Telnet session open.
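The behaviour observed in Task 2, Step 2 (sequence-numbered ACL entries and their match counters) and throughout Task 4 (return traffic admitted only for inspected, inside-initiated flows, everything else judged by the inbound ACL) can be modelled in a few dozen lines. The script below is an added example in Python, not part of the lab or of Cisco IOS: the names ExtendedAcl, CbacRouter, Packet and run_scenario are chosen here, the packet records are constructed from the lab addressing table, and the model reduces CBAC to a single session table keyed on the 5-tuple (no TCP state machine, timeouts or application-layer inspection).

```python
"""Toy model of the CBAC behaviour exercised in Part 2: a sequenced extended ACL
applied inbound on S0/0/0 with match counters, plus the session table that
'ip inspect ... out' builds for inside-initiated flows. Added example, not lab code;
addresses and ports below are constructed from the lab topology."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    seq: int
    action: str             # "permit" or "deny"
    proto: str              # "ip", "eigrp", "udp", "tcp", "icmp"
    eq: Optional[int] = None  # destination port for "eq <port>", None for any
    matches: int = 0


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class ExtendedAcl:
    """Named extended ACL: entries are tried in sequence order, first match wins,
    and an unmatched packet hits the implicit deny at the end."""
    def __init__(self, name):
        self.name, self.entries, self.implicit_denies = name, [], 0

    def add(self, seq, action, proto, eq=None):
        self.entries.append(Entry(seq, action, proto, eq))
        self.entries.sort(key=lambda e: e.seq)   # '15 permit ...' lands between 10 and 20

    def remove(self, seq):
        self.entries = [e for e in self.entries if e.seq != seq]

    def permits(self, pkt):
        for e in self.entries:
            if e.proto in ("ip", pkt.proto) and (e.eq is None or e.eq == pkt.dport):
                e.matches += 1
                return e.action == "permit"
        self.implicit_denies += 1
        return False

    def show(self):
        """Render the ACL the way 'show access-list' does, with match counters."""
        lines = [f"Extended IP access list {self.name}"]
        for e in self.entries:
            port = f" eq {e.eq}" if e.eq is not None else ""
            hits = f" ({e.matches} matches)" if e.matches else ""
            lines.append(f"    {e.seq} {e.action} {e.proto} any any{port}{hits}")
        return "\n".join(lines)


class CbacRouter:
    """R1 with 'ip inspect <rule> out' and 'ip access-group <acl> in' on S0/0/0."""
    def __init__(self, acl, inspect):
        self.acl, self.inspect, self.sessions = acl, set(inspect), set()

    def outbound(self, pkt):
        # Outbound traffic is not filtered; inspected protocols get a session entry.
        if pkt.proto in self.inspect:
            self.sessions.add(pkt)
        return True

    def inbound(self, pkt):
        # Return traffic of a tracked session is admitted before the ACL is consulted.
        if Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.sessions:
            return True
        return self.acl.permits(pkt)


def run_scenario():
    """Replay Task 2 Step 2 and Task 4 Steps 2-7 of the lab; return the outcomes."""
    acl = ExtendedAcl("autosec_firewall_acl")
    acl.add(10, "permit", "udp", eq=68)             # bootpc
    acl.add(20, "deny", "ip")
    r1 = CbacRouter(acl, ["tcp", "udp", "ftp", "http", "tftp", "smtp"])  # AutoSecure list
    out = {}
    hello = Packet("eigrp", "10.1.1.2", "224.0.0.10")
    out["eigrp_before"] = r1.inbound(hello)         # blocked: counts on line 20
    acl.add(15, "permit", "eigrp")
    out["eigrp_after"] = r1.inbound(hello)
    echo = Packet("icmp", "192.168.1.3", "10.1.1.2")
    reply = Packet("icmp", "10.1.1.2", "192.168.1.3")
    r1.outbound(echo)
    out["ping_no_icmp_inspect"] = r1.inbound(reply)  # reply dropped by the ACL
    r1.inspect.add("icmp")
    r1.outbound(echo)
    out["ping_with_icmp_inspect"] = r1.inbound(reply)
    r1.inspect.discard("icmp")
    r2_telnet = Packet("tcp", "10.1.1.2", "10.1.1.1", 11001, 23)
    out["telnet_r2_to_r1"] = r1.inbound(r2_telnet)
    acl.add(18, "permit", "tcp", eq=23)
    out["telnet_r2_to_r1_with_18"] = r1.inbound(r2_telnet)
    acl.remove(18)
    out["telnet_r2_to_r1_after_removal"] = r1.inbound(r2_telnet)
    syn = Packet("tcp", "192.168.1.3", "10.1.1.2", 1050, 23)
    r1.outbound(syn)
    out["telnet_pca_to_r2_reply"] = r1.inbound(Packet("tcp", "10.1.1.2", "192.168.1.3", 23, 1050))
    out["deny_matches"] = acl.entries[-1].matches
    out["acl_display"] = acl.show()
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The four failed inbound attempts (one EIGRP hello, one echo reply, two Telnet SYNs) all accumulate on line 20, which is the same effect the lab points out when the counter on deny ip any any keeps growing; the permitted EIGRP and Telnet hits land on their own sequence numbers, exactly as in the show access-list output above.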

Task .$ 0erify C#AC Configuration and !peration


Step 1: Display CBAC inspection information.

a. Use the show ip inspect all command to see the configuration and inspection status.

Note: The end of the command output shows the established sessions and the inspected TCP Telnet connection between PC-A and R2.

R1# show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 7 sec
Inspection Rule Configuration
 Inspection name autosec_inspect
    cuseeme alert is on audit-trail is on timeout 3600
    ftp alert is on audit-trail is on timeout 3600
    http alert is on audit-trail is on timeout 3600
    rcmd alert is on audit-trail is on timeout 3600
    realaudio alert is on audit-trail is on timeout 3600
    smtp max-data 20000000 alert is on audit-trail is on timeout 3600
    tftp alert is on audit-trail is on timeout 30
    udp alert is on audit-trail is on timeout 15
    tcp alert is on audit-trail is on timeout 3600
Interface Configuration
 Interface Serial0/0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is autosec_inspect
    cuseeme alert is on audit-trail is on timeout 3600
    ftp alert is on audit-trail is on timeout 3600
    http alert is on audit-trail is on timeout 3600
    rcmd alert is on audit-trail is on timeout 3600
    realaudio alert is on audit-trail is on timeout 3600
    smtp max-data 20000000 alert is on audit-trail is on timeout 3600
    tftp alert is on audit-trail is on timeout 30
    udp alert is on audit-trail is on timeout 15
    tcp alert is on audit-trail is on timeout 3600
  Inbound access list is autosec_firewall_acl

  Outgoing access list is not set
Established Sessions
 Session 6556C128 (192.168.1.3:1185)=>(10.1.1.2:23) tcp SIS_OPEN

b. In the Established Sessions section, what is the source IP address and port number for Session 6556C128?
The source IP is 192.168.1.3, and the port number for this session is 1185.

c. What is the destination IP address and port number for Session 6556C128?
The destination IP is 10.1.1.2, and the port number for this session is 23.

Step 2: View detailed session information.

a. View detailed session information using the show ip inspect sessions detail command on R1.

R1# show ip inspect sessions detail
Established Sessions
 Session 6556C128 (192.168.1.3:1185)=>(10.1.1.2:23) tcp SIS_OPEN
  Created 00:00:09, Last heard 00:00:02
  Bytes sent (initiator:responder) [45:154]
  In SID 10.1.1.2[23:23]=>192.168.1.3[1185:1185] on ACL autosec_firewall_acl (19 matches)

b. Close the Telnet connection when you are finished verifying CBAC operation.
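The session table above is the evidence that CBAC opened a dynamic return entry in autosec_firewall_acl for the inside-initiated Telnet. As an added example (not part of the lab), here is a small Python parser for that show ip inspect sessions detail format, plus a check that every session in the table was initiated from the inside LAN (192.168.1.0/24), which is what an inspection rule applied outbound on S0/0/0 should guarantee; a session with an outside initiator would mean the rule is applied in the wrong direction. The sample text is constructed from the values R1 prints above.

```python
"""Parser for Cisco IOS 'show ip inspect sessions detail' output (CBAC session table).
Added example, not the lab's code; the sample text is constructed from the values R1 shows."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

SAMPLE_OUTPUT = """\
Established Sessions
 Session 6556C128 (192.168.1.3:1185)=>(10.1.1.2:23) tcp SIS_OPEN
  Created 00:00:09, Last heard 00:00:02
  Bytes sent (initiator:responder) [45:154]
  In SID 10.1.1.2[23:23]=>192.168.1.3[1185:1185] on ACL autosec_firewall_acl (19 matches)
"""

# One regex per line type the command prints for a session
SESSION_RE = re.compile(
    r"Session\s+(?P<sid>[0-9A-Fa-f]+)\s+\((?P<src_ip>[\d.]+):(?P<src_port>\d+)\)=>"
    r"\((?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)\s+(?P<proto>\S+)\s+(?P<state>\S+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\)\s+\[(?P<init>\d+):(?P<resp>\d+)\]")
SID_RE = re.compile(r"In SID .* on ACL (?P<acl>\S+) \((?P<matches>\d+) matches\)")


@dataclass
class InspectSession:
    sid: str
    src_ip: str          # initiator (the side that opened the connection)
    src_port: int
    dst_ip: str          # responder
    dst_port: int
    proto: str
    state: str
    bytes_initiator: int = 0
    bytes_responder: int = 0
    return_acl: str = ""     # inbound ACL holding the dynamic return entry CBAC created
    return_acl_matches: int = 0


def parse_inspect_sessions(text: str) -> List[InspectSession]:
    sessions: List[InspectSession] = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append(InspectSession(
                sid=m["sid"], src_ip=m["src_ip"], src_port=int(m["src_port"]),
                dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
                proto=m["proto"], state=m["state"]))
        elif sessions:  # attribute lines belong to the most recent Session header
            cur = sessions[-1]
            b = BYTES_RE.search(line)
            if b:
                cur.bytes_initiator, cur.bytes_responder = int(b["init"]), int(b["resp"])
            a = SID_RE.search(line)
            if a:
                cur.return_acl, cur.return_acl_matches = a["acl"], int(a["matches"])
    return sessions


def unexpected_initiators(sessions, inside_net="192.168.1.0/24"):
    """Sessions not opened from the inside LAN.  R1 applies autosec_inspect outbound on
    S0/0/0, so every entry should have an inside initiator; anything else needs a look."""
    net = ip_network(inside_net)
    return [s for s in sessions if ip_address(s.src_ip) not in net]
```

Running parse_inspect_sessions on the output of a real router gives one record per session; unexpected_initiators applied to it is empty on a correctly placed inspection rule, which is the quickest way to confirm the "out" direction on S0/0/0 is right after AutoSecure has run.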

Part 3: Configuring a Zone-Based Firewall (ZBF) Using SDM

In Part 3 of this lab, you configure a zone-based firewall (ZBF) on R3 using SDM.

Task 1: Verify Access to the R3 LAN from R2

In this task, you verify that with no firewall in place, external router R2 can access the R3 S0/0/1 interface and PC-C on the R3 internal LAN.

Step 1: Ping from R2 to R3.

a. From R2, ping the R3 interface S0/0/1 at IP address 10.2.2.1.

R2#ping 10.2.2.1

b. Were the results successful?
Yes, successful.

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Step 2: Ping from R2 to PC-C on the R3 LAN.

a. From R2, ping PC-C on the R3 LAN at IP address 192.168.3.3.

R2#ping 192.168.3.3

b. Were the results successful?
Yes, successful.

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Step 3: Display the R3 running config prior to starting SDM.

a. Issue the show run command to review the current basic configuration on R3.

b. Verify the R3 basic configuration as performed in Part 1 of the lab. Are there any security commands related to access control?
No, there are none: only the maximum password length (10) and the login, password and exec-timeout settings are defined on the console, vty and aux lines.

Task 2: Create a Zone-Based Policy Firewall

In this task, you use Cisco SDM to create a zone-based policy firewall on R3.

Step 1: Configure the enable secret password and HTTP router access prior to starting SDM.

a. From the CLI, configure the enable secret password for use with SDM on R3.

R3(config)#enable secret cisco12345

b. Enable the HTTP server on R3.

R3(config)#ip http server

Step 2: Access SDM and set command delivery preferences.

a. Run the SDM application or open a browser on PC-C and start SDM by entering the R3 IP address 192.168.3.1 in the address field.

b. Log in with no username and the enable secret password cisco12345.

c. In the Password Needed - Networking dialog box, enter cisco12345 in the Password field and click Yes.

d. Select Edit > Preferences to configure SDM to allow you to preview the commands before sending them to the router. In the User Preferences window, check the Preview commands before delivering to router check box and click OK.

Step 3: Use the SDM Firewall wizard to configure a zone-based firewall.

a. On the SDM Home page, refer to the Configuration Overview portion of the screen. What is the state of the Firewall Policies?
The state of the firewall policy is: inactive.

b. Click the Configure button at the top of the SDM screen, and then click Firewall and ACL. Read through the overview descriptions for the Basic and Advanced Firewall options. What are some of the key differences?
The difference between Basic Firewall and Advanced Firewall: Basic Firewall directly applies a set of predefined rules to protect the local network but does not allow the creation of a DMZ zone. Advanced Firewall allows the predefined security rules to be used, or modified as desired, to protect the local network, and also allows a DMZ zone to be created and configured.

c. Select Basic Firewall and click the Launch the selected task button.

d. In the Basic Firewall Configuration Wizard window, familiarize yourself with what the Basic Firewall does. What does the Basic Firewall do with traffic from outside zones to inside zones?
The Basic Firewall blocks traffic from the outside to the inside.

e. Click Next to continue.

f. Check the Inside (trusted) check box for FastEthernet0/1 and the Outside (untrusted) check box for Serial0/0/1. Click Next.

g. Click OK when the warning is displayed telling you that you cannot launch SDM from the S0/0/1 interface after the Firewall wizard completes.

h. Move the slider between High, Medium, and Low security to familiarize yourself with what each provides. What is the main difference between High security and Medium or Low security?
The difference is: High security detects inbound and outbound traffic (IM, P2P) and blocks it. Medium security detects inbound and outbound traffic (IM, P2P) and lets it pass while tracking it. Low security does not detect traffic for specific applications such as IM and P2P, but still inspects them to verify the origin of the connection: if it came from the internal network it is allowed, otherwise it is refused.

i. Move the slider to Low Security and click the Preview Commands button to preview the commands that are delivered to the router. When you are finished reviewing the commands, click Close and then click Next.

j. Review the Firewall Configuration Summary. What does this display provide?

The Firewall Configuration Summary displays a summary of the configuration we have just built with the Firewall wizard utility.

k. Click Finish to complete the Firewall wizard.

l. When the Routing traffic configuration window displays, ensure that the check box Allow EIGRP updates to come through the firewall is checked and click OK.

Note: This screen only displays if a dynamic routing protocol is configured.

m. What would happen if this box was not checked?
EIGRP routing would be blocked by the firewall and consequently the routing table updates would not take place, so R3 would not be aware of the existence of the 10.1.1.0/30 or 192.168.1.0/24 segments.

n. In addition to EIGRP, for what other routing protocols does the firewall allow updates?
Routing protocols such as OSPF and RIP.

o. In the Deliver Configuration to Router window, make sure that the Save running config to router's startup config check box is checked and click Deliver.

p. Click OK in the Commands Delivery Status window. How many commands were generated by the Firewall wizard?
The number of commands generated by the Firewall wizard is 115 commands.

q. Click OK to display the message that you have successfully configured a firewall on the router. Click OK to close the message window.

r. The Edit Firewall Policy window displays with the Rule Diagram.

s. In the Rule Diagram, locate access list 100 (folder icon). What action is taken and what rule options are applied for traffic with an invalid source address in the 127.0.0.0/8 address range?
The traffic is blocked and logged.

Task 3: Review the Zone-Based Firewall Configuration

Step 1: Examine the R3 running configuration with the CLI.

a. From the R3 CLI, display the running configuration to view the changes that the SDM Basic Firewall wizard made to the router.

b. The following commands are related to ACL 100 and class-map sdm-invalid-source.

class-map type inspect match-all sdm-invalid-src
 match access-group 100
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
<output omitted>
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any

c. In ACL 100, notice that the source addresses listed are permitted. The ACL uses permit statements to identify these addresses as a group so that they can be matched with the class-map type inspect match-all sdm-invalid-src command and then dropped and logged by the class type inspect sdm-invalid-src command, which is one of the class types specified for the sdm-inspect policy-map.

d. Issue the command show run | beg EIGRP to display the running configuration beginning with the line that contains the first occurrence of the text "EIGRP". Continue to press Enter until you see all the commands in the firewall configuration that are related to EIGRP routing protocol updates on R3. You should see the following commands:

class-map type inspect match-any SDM_EIGRP
 match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
 match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
 match class-map SDM_EIGRP_TRAFFIC

policy-map type inspect sdm-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default
  drop
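To predict what these zone pairs, class maps and policy maps do to a given flow without a router at hand, the following added Python example (not the lab's or SDM's code) parses a configuration fragment constructed from the R3 zone-pair, class-map, policy-map and ACL lines shown in Part 3 (class-map protocol lists abbreviated, and the sdm-zp-self-out pair omitted) and evaluates a flow against it: it follows the zone pair to its policy, tests the classes in order (nested match class-map, match protocol and match access-group criteria) and reports the action with the rule that decided it. It is a first-packet model only; the stateful return traffic that inspect creates is not modelled. The defaults it encodes are the documented IOS ZBF ones: traffic within one zone passes, traffic between two zones with no zone pair is dropped, and traffic to or from the router's self zone with no zone pair passes. With those rules it reproduces the Task 5 results: inside-to-outside ICMP is inspected, outside-to-self ICMP or Telnet is dropped by class-default of sdm-permit, EIGRP to self passes through SDM_EIGRP_PT, outside-to-inside traffic is dropped because no zone pair exists, and a 127.0.0.0/8 source arriving from inside is dropped and logged by sdm-invalid-src.

```python
"""First-packet evaluator for the Cisco IOS zone-based firewall model. Added example, not the
lab's code; the config is constructed from the R3 lines shown in Part 3 (abbreviated)."""
import ipaddress
from collections import namedtuple

R3_ZBF_CONFIG = """
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol icmp
 match protocol tcp
class-map type inspect match-any SDM_EIGRP
 match access-group name SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
 match class-map SDM_EIGRP
class-map type inspect match-all sdm-invalid-src
 match access-group 100
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-cls-insp-traffic
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default
  drop
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
ip access-list extended SDM_EIGRP
 permit eigrp any any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
"""

Flow = namedtuple("Flow", "src_zone dst_zone src_ip dst_ip protocols")  # protocols: set of names


def _addr(tok):  # one ACL address spec (any | host A | A WILDCARD) -> (network, remaining tokens)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def _ace(t):  # "permit|deny PROTO SRC DST" -> (action, proto, src_net, dst_net)
    src, rest = _addr(t[2:])
    return t[0], t[1], src, _addr(rest)[0]


def parse_zbf(text):
    cfg, ctx = {"class": {}, "policy": {}, "pairs": {}, "acls": {}}, ("none", None)
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] == "class-map":  # class-map type inspect MODE NAME
            cfg["class"][t[4]], ctx = (t[3], []), ("class", t[4])
        elif t[0] == "policy-map":
            cfg["policy"][t[3]], ctx = [], ("policy", t[3])
        elif t[0] == "zone-pair":  # zone-pair security NAME source SRC destination DST
            ctx = ("pair", (t[4], t[6]))
        elif t[:2] == ["ip", "access-list"]:
            ctx = ("acl", t[3]); cfg["acls"].setdefault(t[3], [])
        elif t[0] == "access-list" and t[2] != "remark":
            cfg["acls"].setdefault(t[1], []).append(_ace(t[2:]))
        elif ctx[0] == "class" and t[0] == "match":  # (criterion, argument)
            cfg["class"][ctx[1]][1].append((t[1], t[-1]))
        elif ctx[0] == "policy" and t[0] == "class":  # a class with no action drops
            cfg["policy"][ctx[1]].append([t[-1], "drop"])
        elif ctx[0] == "policy" and t[0] in ("pass", "inspect", "drop"):
            cfg["policy"][ctx[1]][-1][1] = " ".join(t)
        elif ctx[0] == "pair" and t[0] == "service-policy":
            cfg["pairs"][ctx[1]] = t[-1]
        elif ctx[0] == "acl" and t[0] in ("permit", "deny"):
            cfg["acls"][ctx[1]].append(_ace(t))
    return cfg


def acl_permits(acl, flow):
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    hit = next((a for a, p, s, d in acl
                if (p == "ip" or p in flow.protocols) and src in s and dst in d), None)
    return hit == "permit"  # None (no ACE matched) is the implicit deny


def class_matches(cfg, name, flow):
    mode, criteria = cfg["class"][name]
    hits = [arg in flow.protocols if kind == "protocol"
            else acl_permits(cfg["acls"][arg], flow) if kind == "access-group"
            else class_matches(cfg, arg, flow)  # nested class-map
            for kind, arg in criteria]
    return all(hits) if mode == "match-all" else any(hits)


def evaluate(cfg, flow):  # -> (action, deciding rule) for the first packet of the flow
    if flow.src_zone == flow.dst_zone:
        return "pass", "same zone"
    policy = cfg["pairs"].get((flow.src_zone, flow.dst_zone))
    if policy is None:  # no zone-pair: self traffic passes, inter-zone traffic is dropped
        return ("pass" if "self" in (flow.src_zone, flow.dst_zone) else "drop"), "no zone-pair"
    for class_name, action in cfg["policy"][policy]:
        if class_name == "class-default" or class_matches(cfg, class_name, flow):
            return action, f"{policy}/{class_name}"
    return "drop", f"{policy}/implicit"
```

A flow is described by its zones, addresses and the set of protocol names the router's classifier would assign to it (for Telnet that is {"tcp", "telnet"}, since both a match protocol tcp and a match protocol telnet criterion would hit it). The parser keeps classes in configuration order because, as in IOS, the first matching class in a policy map decides the action.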

Step 2: Examine the R3 firewall configuration using SDM.

a. Return to the SDM Home page. Refer to the Configuration Overview portion of the screen. What is the state of Firewall Policies?
The state of the firewall security policy is: Active.

b. Click the double down arrow on the right of the Firewall Policies section. What is displayed?
Zone pair information.

c. Click the Configure button and select Additional Tasks > ACL Editor > Firewall Rules. There should be an ACL that lists fake source addresses, such as the broadcast address of 255.255.255.255 and the 127.0.0.0/8 network. These were identified in the running configuration output in Task 3, Step 1b.

d. Click the Configure button and select Additional Tasks > Zones to verify the zones configuration. What interfaces are listed and in what zone is each?
out-zone: Serial 0/0/1
in-zone: FastEthernet 0/1

e. Click Configure and select Additional Tasks > Zones Pairs to verify the zone pairs configuration. Fill in the following information.

Zone Pair        Source    Destination  Policy
sdm-zp-self-out  self      out-zone     sdm-permit-icmpreply
sdm-zp-out-self  out-zone  self         sdm-permit
sdm-zp-self-out  in-zone   out-zone     sdm-inspect

f. Click Configure and select Additional Tasks > C3PL.

g. What is C3PL short for?
Cisco Common Classification Policy Language

h. Expand the C3PL menu and select Class Map > Inspection. How many class maps were created by the SDM Firewall wizard?
The SDM Firewall wizard created 10 class maps.

i. Select C3PL > Policy Map > Protocol Inspection. How many policy maps were created by the SDM Firewall wizard?
The SDM Firewall wizard created 3 policy maps.

j. Examine the details for the policy map sdm-permit that is applied to the sdm-zp-out-self zone pair. Fill in the information below. List the action for the traffic matching each of the class maps referenced within the sdm-permit policy map.

Match Class Name: SDM_EIGRP_PT    Action: Pass
Match Class Name: class-default   Action: Drop

Task 4: Verify EIGRP Routing Functionality on R3

Step 1: Display the R3 routing table using the CLI.

a. In Task 2, Step 3, the Firewall wizard configured the router to allow EIGRP updates. Verify that EIGRP messages are still being exchanged using the show ip route command and verify that there are still EIGRP learned routes in the routing table.

R3# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
<Output omitted>
Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 2 subnets
C       10.2.2.0 is directly connected, Serial0/0/1
D       10.1.1.0 [90/21024000] via 10.2.2.2, 00:34:12, Serial0/0/1
D    192.168.1.0/24 [90/21029560] via 10.2.2.2, 00:32:16, Serial0/0/1
C    192.168.3.0/24 is directly connected, FastEthernet0/1

b. Which networks has R3 learned via the EIGRP routing protocol?
The networks 10.1.1.0/30 and 192.168.1.0/24.

Task 5: Verify Zone-Based Firewall Functionality

Step 1: From PC-C, ping the R3 internal LAN interface.

a. From PC-C, ping the R3 interface Fa0/1 at IP address 192.168.3.1.

C:\>ping 192.168.3.1

b. Were the pings successful? Why or why not?
The ping succeeded, because the IP address of PC-C and that of the R3 Fa0/1 interface are in the same network (the Fa0/1 interface is the gateway of PC-C), and the firewall has no effect on the traffic of this segment.

Step 2: From PC-C, ping the R2 external WAN interface.

a. From PC-C, ping the R2 interface S0/0/1 at IP address 10.2.2.2.

C:\>ping 10.2.2.2

b. Were the pings successful? Why or why not?
Yes, the ICMP replies are permitted by the sdm-permit-icmpreply policy.

Step 3: From R2, ping PC-C.

a. From external router R2, ping PC-C at IP address 192.168.3.3.

R2#ping 192.168.3.3

b. Were the pings successful? Why or why not?
No, the ping failed (blocked), because it was initiated from the outside, from R2 S0/0/1.

Step 4: Telnet from R2 to R3.

a. From router R2, telnet to R3 at IP address 10.2.2.1.

R2#telnet 10.2.2.1
Trying 10.2.2.1 ... Open
Trying 10.2.2.1 ...
% Connection timed out; remote host not responding

b. Why was telnetting unsuccessful?
Because the ping was initiated from the outside, from R2 S0/0/1, and was consequently blocked.

Step 5: Telnet from internal PC-C to external router R2.

a. From PC-C on the R3 internal LAN, telnet to R2 at IP address 10.2.2.2 and log in.

C:\>telnet 10.2.2.2
User Access Verification
Password: ciscovtypass

b. With the Telnet session open from PC-C to R2, enter privileged EXEC mode with the enable command and password cisco12345.

c. Issue the command show policy-map type inspect zone-pair sessions on R3. Continue pressing Enter until you see an Inspect Established session section toward the end. Your output should look similar to the following.

 Inspect
  Number of Established Sessions = 1
  Established Sessions
   Session 657344C0 (192.168.3.3:1274)=>(10.2.2.2:23) tacacs:tcp SIS_OPEN
    Created 00:01:20, Last heard 00:01:13
    Bytes sent (initiator:responder) [45:65]

d. In the Established Sessions in the output, what is the source IP address and port number for Session 657344C0?
The IP address is 192.168.3.3 and the port number is 1247.

e. What is the destination IP address and port number for Session 657344C0?
The IP address is 10.2.2.2 and the port number is 23 (that of telnet).

Step 6: Verify the ZBF function using SDM Monitor.

a. From SDM, click the Monitor button at the top of the screen and select Firewall Status.

b. Select the sdm-zp-out-self policy from the list of policies. This policy applies to traffic from the outside zone to the router (self) zone.

c. Verify that Active Sessions is selected and that the view interval is set to Real-time data every 10 sec. Click the Monitor Policy button to start monitoring traffic from outside the zone to inside the zone.

d. From the R2 CLI, ping the R3 S0/0/1 interface at IP address 10.2.2.1. The pings should fail.

e. From the R2 CLI, telnet to the R3 S0/0/1 interface at IP address 10.2.2.1. The telnet attempt should fail.

f. Click the Dropped Packets option and observe the graph showing the number of dropped packets resulting from the failed ping and telnet attempts. Your screen should look similar to the one below.

g. Click the Allowed Packets option and observe the graph showing the number of EIGRP packets received from router R3. This number will continue to grow at a steady pace as EIGRP updates are received from R2.

h. Click the Stop Monitoring button and close SDM.

Task 6: Reflection

What are some factors to consider when configuring firewalls using traditional manual CLI methods compared to using the automated AutoSecure CBAC and the SDM Firewall wizard GUI methods?

Traditional CLI methods: they require advanced know-how of ACLs and of handling Cisco IOS security commands. These methods also consume a great deal of time while being carried out and, given their complexity, lead to syntax errors.

AutoSecure CBAC: it can cause problems, for example with routing, as already mentioned in this lab for the EIGRP and OSPF routing protocols; the difficulty of configuring the internal CBAC interfaces also makes the task somewhat hard. Finally, in terms of command handling, AutoSecure CBAC greatly eases the procedure with automated processes and gives the administrator an alternative to the syntactic complexity of Cisco IOS commands.

SDM: this is the best method; it provides flexibility together with simplicity when configuring the firewall for several routers with multiple interfaces and a DMZ.

Router Interface Summary Table

Router Model  Ethernet Interface #1      Ethernet Interface #2      Serial Interface #1    Serial Interface #2
1700          Fast Ethernet 0 (FA0)      Fast Ethernet 1 (FA1)      Serial 0 (S0)          Serial 1 (S1)
1800          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2600          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0 (S0/0)      Serial 0/1 (S0/1)
2800          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

Router configurations

Router configurations: Part 1

Router R1

R1# sh run
Building configuration...

Current configuration : 1385 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!

ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 no fair-queue
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 14141918060929242A38322631
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 045802150C2E4D591109040401
 login
line vty 0 4
 exec-timeout 5 0
 password 7 0508061C2243581D0015160118
 login
!
scheduler allocate 20000 1000
end

Router R2

R2# sh run
Building configuration...

Current configuration : 1369 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 no fair-queue
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 64000
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 10.2.2.0 0.0.0.3
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 0508061C22434D061715160118
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 104D000A0618131E1414293837
 login
line vty 0 4
 exec-timeout 5 0
 password 7 02050D4808091935555E080A16
 login
!
scheduler allocate 20000 1000
end
R2#

Router R3

R3# sh run
Building configuration...

Current configuration : 1347 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.2.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 0110061758040500265C461A0
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 0946471A1A0A1607131C053938
 login
line vty 0 4
 exec-timeout 5 0
 password 7 1414191806093C363D38322631
 login
!
scheduler allocate 20000 1000
end
R3#

Router configurations: Part 2

Router R1

R1# sh run
Building configuration...

Current configuration : 3347 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
logging message-counter syslog
logging buffered 4096
logging console critical
enable secret 5 $1$q2Ct$Pxpf96o.20AsP3mUomFRf/
enable password 7 02050D4808095976141759
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
ip cef
no ip bootp server
no ip domain lookup
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600

ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
login block-for 60 attempts 2 within 30
!
no ipv6 cef
multilink bundle-name authenticated
!
username admin password 7 1511021607257A76796760
archive
 log config
  logging enable
  hidekeys
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip access-group autosec_firewall_acl in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect autosec_inspect out
 snmp trap ip verify drop-rate
 no fair-queue
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no mop enabled
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
control-plane
!
banner motd ^C Unauthorized Access Prohibited ^C
!
line con 0
 exec-timeout 5 0
 password 7 121A0C04110406092439253920
 logging synchronous
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 password 7 0508061C2243461C0115160118
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 5 0
 password 7 104D000A061804161514293837
 login authentication local_auth
 transport input telnet
!
scheduler allocate 20000 1000
end
R1#

Router configurations: Part 3

Router R3:

R3# sh run
Building configuration...

Current configuration : 3920 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
no logging buffered
enable secret 5 $1$VDGC$D0dHbaFVINw0l90pP0l6s1
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol http
 match protocol icmp
 match protocol imap

Anne universitaire 2013-2014

42

Travaux pratiques du module Option scurit CCNA curit Con!i"uration C#AC et $one-#ased %ire&alls C'cle (n"nieur )partement de Tlcommunications * +N A,

matc# protocol pop3 matc# protocol net #ow matc# protocol #ell matc# protocol realmedia matc# protocol rt p matc# protocol mtp e$tended matc# protocol *l-net matc# protocol treamwork matc# protocol tftp matc# protocol %doli%e matc# protocol tcp matc# protocol udp cla -map t!pe in pect matc#-all dm-in p-traffic matc# cla -map dm-cl -in p-traffic cla -map t!pe in pect matc#-an! S?@;<2=)+ matc# acce -group name S?@;<2=)+ cla -map t!pe in pect matc#-an! S?@;<2=)+;/)-662, matc# cla -map S?@;<2=)+ cla -map t!pe in pect matc#-all S?@;<2=)+;+/ matc# cla -map S?@;<2=)+;/)-662, cla -map t!pe in pect matc#-an! S?@-Noice-permit matc# protocol #323 matc# protocol kinn! matc# protocol ip cla -map t!pe in pect matc#-an! dm-cl -icmp-acce matc# protocol icmp cla -map t!pe in pect matc#-all dm-icmp-acce matc# cla -map dm-cl -icmp-acce cla -map t!pe in pect matc#-all dm-in%alid- rc matc# acce -group 100 cla -map t!pe in pect matc#-all dm-protocol-#ttp matc# protocol #ttp M polic!-map t!pe in pect dm-permit-icmprepl! cla t!pe in pect dm-icmp-acce in pect cla cla -default pa polic!-map t!pe in pect dm-in pect cla t!pe in pect dm-in%alid- rc drop log cla t!pe in pect dm-in p-traffic in pect cla t!pe in pect dm-protocol-#ttp in pect cla t!pe in pect S?@-Noice-permit in pect cla cla -default pa polic!-map t!pe in pect dm-permit cla t!pe in pect S?@;<2=)+;+/ pa cla cla -default

Anne universitaire 2013-2014

40

Travaux pratiques du module Option scurit CCNA curit Con!i"uration C#AC et $one-#ased %ire&alls C'cle (n"nieur )partement de Tlcommunications * +N A,

drop M Fone ecurit! out-Fone Fone ecurit! in-Fone Fone-pair ecurit! dm-Fp- elf-out ource elf de tination out-Fone er%ice-polic! t!pe in pect dm-permit-icmprepl! Fone-pair ecurit! dm-Fp-out- elf ource out-Fone de tination elf er%ice-polic! t!pe in pect dm-permit Fone-pair ecurit! dm-Fp-in-out ource in-Fone de tination out-Fone er%ice-polic! t!pe in pect dm-in pect M interface 6a t<t#ernet0/0 no ip addre #utdown duple$ auto peed auto M interface 6a t<t#ernet0/1 de cription O6R;2&S2?<O ip addre 192.168.3.1 255.255.255.0 Fone-mem4er ecurit! in-Fone duple$ auto peed auto M interface 6a t<t#ernet0/1/0 M interface 6a t<t#ernet0/1/1 M interface 6a t<t#ernet0/1/2 M interface 6a t<t#ernet0/1/3 M interface Serial0/0/0 no ip addre #utdown no fair-*ueue clock rate 2000000 M interface Serial0/0/1 de cription O6R;">/S2?<O ip addre 10.2.2.1 255.255.255.252 Fone-mem4er ecurit! out-Fone M interface Nlan1 no ip addre M router eigrp 101 network 10.2.2.0 0.0.0.3 network 192.168.3.0 no auto- ummar! M ip forward-protocol nd ip #ttp er%er

Anne universitaire 2013-2014

4G

Travaux pratiques du module Option scurit CCNA curit Con!i"uration C#AC et $one-#ased %ire&alls C'cle (n"nieur )partement de Tlcommunications * +N A,

no ip #ttp ecure- er%er M ip acce -li t e$tended S?@;<2=)+ remark S?@;-,3 ,ategor!C1 permit eigrp an! an! M acce -li t 100 remark S?@;-,3 ,ategor!C128 acce -li t 100 permit ip #o t 255.255.255.255 an! acce -li t 100 permit ip 12J.0.0.0 0.255.255.255 an! acce -li t 100 permit ip 10.2.2.0 0.0.0.3 an! M control-plane M line con 0 e$ec-timeout 0 0 pa word J 0110061J58040500265,461-0logging !nc#ronou login line au$ 0 e$ec-timeout 5 0 pa word J 13061<01080305363334292026 login line %t! 0 4 e$ec-timeout 5 0 pa word J 030J521805003J585J19181604 login M c#eduler allocate 20000 1000 end )3L
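To review what the SDM-generated zone-based firewall above actually permits, it helps to resolve each zone-pair through its policy-map and nested class-maps down to the leaf match criteria and the action applied. The following Python script is an added example written for this page; it is not part of the Cisco lab or of SDM. It parses the class-map, policy-map and zone-pair sections in the IOS syntax shown in the R3 output (the embedded sample is a trimmed copy of those lines) and flags classes that are "passed" statelessly towards a zone that has no reverse zone-pair, since ZBF drops inter-zone traffic that matches no zone-pair and a "pass" action creates no session entry for the reply. The match-any / match-all operators are recorded but not evaluated; the flattening only lists the criteria.

```python
"""Zone-based firewall audit (added example, not part of the lab)."""
from collections import OrderedDict

# Trimmed copy of the R3 running-config sections shown on this page.
R3_ZBF_CONFIG = """\
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol dns
 match protocol http
 match protocol tcp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_EIGRP
 match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
 match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
 match class-map SDM_EIGRP_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default
  drop
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
"""


def parse_zbf(text):
    """Return (class_maps, policy_maps, zone_pairs) from IOS config text."""
    class_maps, policy_maps, zone_pairs = OrderedDict(), OrderedDict(), OrderedDict()
    block = cls = None  # current top-level object and current class inside a policy
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if not line.startswith(" "):  # top-level command starts a new block
            cls = None
            if words[:3] == ["class-map", "type", "inspect"]:
                block = class_maps.setdefault(words[4], {"op": words[3], "match": []})
            elif words[:3] == ["policy-map", "type", "inspect"]:
                block = policy_maps.setdefault(words[3], OrderedDict())
            elif words[:2] == ["zone-pair", "security"]:
                block = zone_pairs.setdefault(
                    words[2], {"source": words[4], "destination": words[6], "policy": None})
            else:
                block = None
        elif block is None:
            continue
        elif words[0] == "match":            # inside a class-map
            block["match"].append(" ".join(words[1:]))
        elif words[0] == "class":            # "class type inspect NAME" / "class class-default"
            cls = words[-1]
            block[cls] = None
        elif words[0] == "service-policy":   # inside a zone-pair
            block["policy"] = words[-1]
        elif cls is not None:                # action line: inspect / pass / drop [log]
            block[cls] = " ".join(words)
    return class_maps, policy_maps, zone_pairs


def expand(class_maps, name, seen=()):
    """Flatten nested 'match class-map' references into leaf match criteria."""
    leaves = []
    for m in class_maps[name]["match"]:
        if m.startswith("class-map "):
            ref = m.split()[1]
            if ref not in seen:  # guard against reference loops
                leaves.extend(expand(class_maps, ref, seen + (name,)))
        else:
            leaves.append(m)
    return leaves


def zone_pair_report(text):
    """Map (source, destination) to an ordered list of (class, criteria, action)."""
    class_maps, policy_maps, zone_pairs = parse_zbf(text)
    report = OrderedDict()
    for info in zone_pairs.values():
        rows = []
        for cls, action in policy_maps[info["policy"]].items():
            crit = ["everything else"] if cls == "class-default" else expand(class_maps, cls)
            rows.append((cls, crit, action))
        report[(info["source"], info["destination"])] = rows
    return report


def findings(text):
    """Flag stateless 'pass' actions whose reply traffic has no reverse zone-pair."""
    report = zone_pair_report(text)
    out = []
    for (src, dst), rows in report.items():
        for cls, _, action in rows:
            if action == "pass" and (dst, src) not in report:
                out.append(f"{src}->{dst}: class {cls} is passed without state and no "
                           f"{dst}->{src} zone-pair exists; replies will be dropped")
    return out


if __name__ == "__main__":
    for pair, rows in zone_pair_report(R3_ZBF_CONFIG).items():
        print("%s -> %s" % pair)
        for cls, crit, action in rows:
            print("  %-18s %-10s %s" % (cls, action, ", ".join(crit)))
    for f in findings(R3_ZBF_CONFIG):
        print("FINDING:", f)
```

On the R3 configuration the report shows that EIGRP from out-zone to the router is passed (not inspected) and that in-zone to out-zone traffic outside the inspected protocol list falls into class-default pass; with no out-zone to in-zone pair, the script reports that such flows will not get their replies back, which is the expected result of relying on pass instead of inspect.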
