
Configuring CBAC and Zone-Base Firewalls

Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      Fa0/1          192.168.1.1   255.255.255.0    N/A              S1 Fa0/5
R1      S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      Fa0/1          192.168.3.1   255.255.255.0    N/A              S3 Fa0/5
R3      S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3   255.255.255.0    192.168.1.1      S1 Fa0/6
PC-C    NIC            192.168.3.3   255.255.255.0    192.168.3.1      S3 Fa0/18

Part 1: Basic Router Configuration

Task 1: Configure Basic Router Settings
Configure basic settings for each router.
Configure the EIGRP routing protocol.
Verify basic network connectivity.
Configure basic console, auxiliary port, and vty lines.

Task 2: Use the Nmap Port Scanner to Determine Router Vulnerabilities
Scan for open ports on R1 using Nmap from external host PC-C.

Configure settings for each router.


R1
Current configuration : 1240 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN Site 1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/2/0
description Enlace Wan a R2
ip address 10.1.1.1 255.255.255.252
no fair-queue
clock rate 125000
!
interface Serial0/2/1
no ip address
shutdown
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 094F471A1A0A1607131C053938
login
line vty 0 4
exec-timeout 5 0
password 7 0822455D0A1613030B1B0D1739
login
!
scheduler allocate 20000 1000
!
end

R2
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$Dz73$sk0VuhKo6oNGYPQbq9gS5/
!
no aaa new-model
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
no dspfarm
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/2/0
description R2 Serial 0
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 10.2.2.0 0.0.0.3
no auto-summary
!
ip forward-protocol nd
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 121A0C0411040D11323B253B20
login
line vty 0 4
exec-timeout 5 0
password 7 045802150C2E5A5A1009040401
login
!
scheduler allocate 20000 1000
!
end

R3
R3#show run
Building configuration...

Part 2: Configuring a Context-Based Access Control (CBAC) Firewall

Activate AutoSecure.
Configure the R1 firewall to allow EIGRP updates.
Verify CBAC functionality.
Test Telnet access from internal PC-A to external router R2.
Use the show ip inspect all command to see the configuration and inspection status.
View detailed session information using the show ip inspect sessions detail command.

Configure settings for each router.


R1
Current configuration : 3219 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$Kz15$nkPyCBVzKIq7bGGFB9k4R0
enable password 7 045802150C2E1A19514055
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 60 attempts 2 within 30
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 030752180500701E1D5D4C
archive
log config
logging enable
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description LAN Site 1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface Serial0/2/0
description Enlace Wan a R2
ip address 10.1.1.1 255.255.255.252
ip access-group autosec_firewall_acl in
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect autosec_inspect out
no fair-queue
clock rate 125000
!
interface Serial0/2/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
permit eigrp any any
permit tcp any any eq telnet
deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C Unauthorized Access Prohibited ^C
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
password 7 094F471A1A0A1607131C053938
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 5 0
password 7 0822455D0A1613030B1B0D1739
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
!
end
R2
R2#show running-config
Building configuration...
Current configuration : 1269 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$Dz73$sk0VuhKo6oNGYPQbq9gS5/
!
no aaa new-model
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
!
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 121A0C0411040D11323B253B20
login
line vty 0 4
exec-timeout 5 0
password 7 045802150C2E5A5A1009040401
login
!
scheduler allocate 20000 1000
!
end

Part 3: Configuring a Zone-Based Firewall (ZBF) Using CCP

Use the CCP Firewall wizard to configure a zone-based firewall.
Use CCP to examine the R3 firewall configuration.
Verify EIGRP Routing Functionality on R3.
Verify Zone-Based Firewall Functionality.
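The two firewall styles in this lab decide in different ways what is allowed back in. CBAC (Part 2) pairs an inbound ACL with an outbound ip inspect rule on the same interface, so return traffic is only admitted for sessions the router inspected on the way out; the "allow EIGRP updates" step exists because the AutoSecure ACL (autosec_firewall_acl on R1 above) would otherwise block the neighbour's hellos and the adjacency with R2 would drop. ZBF (Part 3) assigns interfaces to zones and drops everything between two zones unless a zone-pair carries a policy-map that inspects or passes the class. The script below is an added example, not part of the lab or of the Cisco material: it parses a running-config as pasted from a report (indentation lost) and checks those properties. The CBAC sample is an excerpt of the Part 2 R1 configuration above; the ZBF sample is constructed from R3's addressing in the table, and its zone, class-map and policy-map names (IN-ZONE, OUT-ZONE, IN-TO-OUT-CLASS, IN-TO-OUT-POLICY) are invented for the example rather than what the CCP wizard would generate.

```python
# Added example, not the lab's own material: audit an IOS running-config for the
# CBAC pairing of Part 2 and a zone-based firewall of the kind built in Part 3.
SECTION_KEYWORDS = ("interface ", "router ", "ip access-list ", "line ",
                    "zone security ", "zone-pair security ",
                    "class-map type inspect ", "policy-map type inspect ")

def parse_sections(config):
    """Split a config into (global_lines, {section header: body lines}); a section
    runs from a SECTION_KEYWORDS line to '!' or the next header, indentation ignored."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "end":
            continue
        if line.startswith("!"):
            current = None
        elif line.startswith(SECTION_KEYWORDS):
            current, sections[line] = line, []
        elif current is not None:
            sections[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, sections

def audit_cbac(config):
    """CBAC findings: an inbound ACL paired with an outbound inspect rule on one
    interface, EIGRP permitted by that ACL, explicit final deny, rule defined."""
    global_lines, sections = parse_sections(config)
    rules = {l.split()[3] for l in global_lines if l.startswith("ip inspect name ")}
    findings = []
    for hdr, body in sections.items():
        if not hdr.startswith("interface "):
            continue
        acl = next((l.split()[2] for l in body if l.startswith("ip access-group ") and l.endswith(" in")), None)
        rule = next((l.split()[2] for l in body if l.startswith("ip inspect ") and l.endswith(" out")), None)
        if acl is None or rule is None:  # not a CBAC interface
            continue
        entries = sections.get(f"ip access-list extended {acl}", [])
        if not any(e.startswith("permit eigrp ") for e in entries):
            findings.append(f"{hdr}: ACL {acl} blocks EIGRP, so the adjacency on this link will not form")
        if not entries or entries[-1] != "deny ip any any":
            findings.append(f"{hdr}: ACL {acl} has no final explicit 'deny ip any any'")
        if rule not in rules:
            findings.append(f"{hdr}: inspect rule {rule} is applied but never defined")
    return findings

def audit_zbf(config):
    """ZBF findings: every addressed, enabled interface is in a zone and every
    zone-pair is backed by a defined policy-map that actually inspects."""
    _, sections = parse_sections(config)
    policies = {h.split()[3]: b for h, b in sections.items() if h.startswith("policy-map type inspect ")}
    findings = []
    for hdr, body in sections.items():
        if hdr.startswith("interface "):
            zoned = any(l.startswith("zone-member security ") for l in body)
            active = "shutdown" not in body and any(l.startswith("ip address ") for l in body)
            if active and not zoned:
                findings.append(f"{hdr}: up and addressed but in no zone; it can only reach other unzoned interfaces")
        elif hdr.startswith("zone-pair security "):
            pol = next((l.split()[3] for l in body if l.startswith("service-policy type inspect ")), None)
            if pol not in policies:
                findings.append(f"{hdr}: service-policy missing or undefined, so every flow across the pair is dropped")
            elif "inspect" not in policies[pol]:
                findings.append(f"{hdr}: policy-map {pol} never inspects, so return traffic gets no state entry")
    return findings

# Excerpt of the lab's Part 2 R1 running-config (AutoSecure names as on the page).
R1_CBAC_SAMPLE = """\
ip inspect name autosec_inspect tcp timeout 3600
!
interface Serial0/2/0
 ip address 10.1.1.1 255.255.255.252
 ip access-group autosec_firewall_acl in
 ip inspect autosec_inspect out
!
ip access-list extended autosec_firewall_acl
 permit eigrp any any
 permit tcp any any eq telnet
 deny ip any any
"""

# Constructed R3 zone-based firewall on the lab's R3 addressing; names are invented.
R3_ZBF_SAMPLE = """\
zone security IN-ZONE
zone security OUT-ZONE
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol tcp
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
zone-pair security IN-TO-OUT source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-TO-OUT-POLICY
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 zone-member security IN-ZONE
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 zone-member security OUT-ZONE
"""
```

Both samples audit clean (audit_cbac and audit_zbf return an empty list); removing the permit eigrp line from the CBAC sample, or the zone-member line under Serial0/0/1 from the ZBF sample, produces the corresponding finding. On the router itself the same ZBF state is visible with show zone-pair security and show policy-map type inspect zone-pair, and the CBAC state with the show ip inspect commands listed in Part 2.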