Lab 221 - CBAC
Posted by: Simple Learning
Category: Security
Prerequisites: CCNP level skills.
Topology
Pic. 1 - Topology Diagram.
Task 1
Consider VLAN 215 as DMZ in the above topology. Configure basic connectivity between BB3 and the rest of the system. Use R1 as the gateway to the internal domain. You can use default routes to accomplish this.
Task 2
Enable WWW service on R5 (R5's loopback address 10.0.5.5 will imitate the web server). Check the WWW access from BB3 and R2.
Task 3
Configure a firewall that does not rely on TCP idle timers but removes the session state as soon as a session is properly closed. The firewall rules should be as follows:
- All traffic OUT (towards BB3) is allowed
- Traffic towards DMZ should only allow WWW access (10.0.5.5)
- Traffic from DMZ out should be allowed only if sent towards WWW server (10.0.5.5)
Solution
Task 1
Consider VLAN 215 as DMZ in the above topology. Configure basic connectivity between BB3 and the rest of the system. Use R1 as the gateway to the internal domain. You can use default routes to accomplish this.
BB3 Config:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
R1 Config:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
router eigrp 1
redistribute static metric 1 1 1 1 1
network 10.0.1.1 0.0.0.0
network 172.16.123.1 0.0.0.0
network 172.16.215.1 0.0.0.0
no auto-summary
!
Task 2
Enable WWW service on R5 (R5's loopback address 10.0.5.5 will imitate the web server). Check the WWW access from BB3 and R2.
R5 Config:
!
ip http server
!
Verification:
Pic. 2 - WWW Access from BB3.
Pic. 3 - WWW Access from BB3.
Task 3
Configure a firewall that does not rely on TCP idle timers but removes the session state as soon as a session is properly closed. The firewall rules should be as follows:
- All traffic OUT (towards BB3) is allowed
- Traffic towards DMZ should only allow WWW access (10.0.5.5)
- Traffic from DMZ out should be allowed only if sent towards WWW server (10.0.5.5)
Step 1
Configure an ACL and apply it inbound on the OUTSIDE interface. It permits only WWW traffic to 10.0.5.5; the implicit deny at the end of the ACL blocks all other traffic.
R1 Config:
!
ip access-list extended OUTSIDE_INBOUND
permit tcp any host 10.0.5.5 eq www
!
interface FastEthernet0/0
description OUTSIDE
ip address 192.0.2.1 255.255.255.0
ip access-group OUTSIDE_INBOUND in
speed 100
full-duplex
!
interface Serial0/0
description INSIDE
!
Step 2
Configure inspection rules so that all traffic going out is inspected and its return traffic is allowed back in past the inbound ACL. Apply the rules outbound on the OUTSIDE interface.
R1 Config:
!
ip inspect name ALL_TRAFFIC_OUT tcp
ip inspect name ALL_TRAFFIC_OUT udp
ip inspect name ALL_TRAFFIC_OUT icmp
!
interface FastEthernet0/0
description OUTSIDE
ip address 192.0.2.1 255.255.255.0
ip access-group OUTSIDE_INBOUND in
ip inspect ALL_TRAFFIC_OUT out
speed 100
full-duplex
!
Verification:
Pic. 4 - Traffic OUTSIDE --> OUT.
Pic. 5 - Traffic OUTSIDE --> IN.
Step 3
DMZ configuration: permit only EIGRP inbound from the DMZ and inspect HTTP on the way out, so that only the return traffic of WWW sessions to 10.0.5.5 is allowed back in.
R1 Config:
!
ip access-list extended DMZ_INBOUND
permit eigrp any any
deny ip any any
!
ip inspect name HTTP_TRAFFIC http
!
!
interface FastEthernet0/1
description DMZ
ip address 172.16.215.1 255.255.255.0
ip access-group DMZ_INBOUND in
ip inspect HTTP_TRAFFIC out
speed 100
full-duplex
!
Verification:
Both R2 (inside host) and BB3 (outside host) can reach the WWW server (10.0.5.5). On R1, show ip inspect sessions shows the corresponding entries. Pinging does not work, as expected, because only HTTP is inspected towards the DMZ and the DMZ_INBOUND ACL drops the ICMP replies.
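The interplay of the three pieces above (static inbound ACLs, inspection on the way out, and state torn down on a proper TCP close rather than by an idle timer) can be replayed in a small Python model. This is an added example, not part of the lab or of IOS; R2's address (10.0.2.2) and the client source ports are assumed.

```python
# Toy model of R1's three-interface CBAC policy from this lab (added example,
# not IOS code). R2's address 10.0.2.2 and the client source ports are assumed.
def pkt(proto, src, dst, sport=0, dport=0, flags=""):
    """A packet as a dict; flags holds TCP flags such as 'F' (FIN) or 'R' (RST)."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, flags=flags)

# Inbound ACLs as configured on R1; anything unmatched hits the implicit deny.
ACL = {
    "OUTSIDE": lambda p: p["proto"] == "tcp" and p["dst"] == "10.0.5.5" and p["dport"] == 80,
    "DMZ": lambda p: p["proto"] == "eigrp",
    "INSIDE": lambda p: True,  # no ACL applied on Serial0/0
}
# What "ip inspect ... out" watches on each interface (http = tcp to port 80).
INSPECT = {"OUTSIDE": {"tcp", "udp", "icmp"}, "DMZ": {"http"}, "INSIDE": set()}

def inspected(p, egress):
    """Does the inspection rule applied outbound on egress watch this packet?"""
    r = INSPECT[egress]
    return p["proto"] in r or ("http" in r and p["proto"] == "tcp" and p["dport"] == 80)

class Cbac:
    def __init__(self):
        self.sessions = {}  # (proto, src, sport, dst, dport) -> interface inspected on

    def forward(self, p, ingress, egress):
        """True if R1 forwards p (arriving on ingress, leaving via egress)."""
        fwd = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        closing = p["proto"] == "tcp" and any(f in p["flags"] for f in "FR")
        if self.sessions.get(rev) == ingress:  # return traffic of an open session
            if closing:
                self.sessions.pop(rev)  # proper close removes the state at once
            return True
        if not ACL[ingress](p):  # static inbound ACL with implicit deny
            return False
        if closing:
            self.sessions.pop(fwd, None)
        elif inspected(p, egress):
            self.sessions[fwd] = egress  # open a hole for the return traffic
        return True

def lab_checks():
    """Replay the lab's verification steps; returns check name -> forwarded?"""
    fw, www, bb3, r2 = Cbac(), "10.0.5.5", "192.0.2.254", "10.0.2.2"
    out = {}
    out["bb3_http"] = fw.forward(pkt("tcp", bb3, www, 40000, 80), "OUTSIDE", "DMZ")
    out["bb3_http_reply"] = fw.forward(pkt("tcp", www, bb3, 80, 40000), "DMZ", "OUTSIDE")
    out["bb3_ping"] = fw.forward(pkt("icmp", bb3, www), "OUTSIDE", "DMZ")
    out["r2_ping"] = fw.forward(pkt("icmp", r2, www), "INSIDE", "DMZ")
    out["r2_ping_reply"] = fw.forward(pkt("icmp", www, r2), "DMZ", "INSIDE")
    fw.forward(pkt("tcp", www, bb3, 80, 40000, "FA"), "DMZ", "OUTSIDE")  # server FIN
    out["after_close"] = fw.forward(pkt("tcp", www, bb3, 80, 40000), "DMZ", "OUTSIDE")
    return out
```

The model reproduces the verification: WWW from both sides works, the ICMP echo replies from the DMZ are dropped, and after the server's FIN the same flow no longer gets through.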
REMOVE CBAC CONFIGURATION BEFORE NEXT LAB!