Thursday, April 25, 2013

Lab 221 - CBAC

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
Consider VLAN 215 as DMZ in the above topology. Configure basic connectivity between BB3 and the rest of the system. Use R1 as the gateway to the internal domain. You can use default routes to accomplish this.

Task 2
Enable WWW service on R5 (R5's loopback address 10.0.5.5 will imitate the web server). Check the WWW access from BB3 and R2.

Task 3
Configure a firewall that does not rely on TCP idle timers but removes the state of a session once it is properly closed. The firewall rules should be as follows:
  • All traffic OUT (towards BB3) is allowed
  • Traffic towards DMZ should only allow WWW access (10.0.5.5)
  • Traffic from DMZ out should be allowed only if sent towards WWW server (10.0.5.5)
Solution

Task 1
Consider VLAN 215 as DMZ in the above topology. Configure basic connectivity between BB3 and the rest of the system. Use R1 as the gateway to the internal domain. You can use default routes to accomplish this.

BB3 Config:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!


R1 Config:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
router eigrp 1
 redistribute static metric 1 1 1 1 1
 network 10.0.1.1 0.0.0.0
 network 172.16.123.1 0.0.0.0
 network 172.16.215.1 0.0.0.0
 no auto-summary
!


Task 2
Enable WWW service on R5 (R5's loopback address 10.0.5.5 will imitate the web server). Check the WWW access from BB3 and R2.

R5 Config:
!
ip http server
!

Verification:
Pic. 2 - WWW Access from BB3.

Pic. 3 - WWW Access from BB3.


Task 3
Configure a firewall that does not rely on TCP idle timers but removes the state of a session once it is properly closed. The firewall rules should be as follows:
  • All traffic OUT (towards BB3) is allowed
  • Traffic towards DMZ should only allow WWW access (10.0.5.5)
  • Traffic from DMZ out should be allowed only if sent towards WWW server (10.0.5.5)
Step 1
Configure and apply an ACL inbound on the OUTSIDE interface that blocks all traffic except WWW access to the DMZ server (10.0.5.5); the ACL's implicit deny drops everything else.

R1 Config:
!
ip access-list extended OUTSIDE_INBOUND
 permit tcp any host 10.0.5.5 eq www
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_INBOUND in
 speed 100
 full-duplex
!
interface Serial0/0
 description INSIDE
!

Step 2 
Configure inspection rules allowing all traffic out. Apply the rules on the OUTSIDE interface.

R1 Config:
!
ip inspect name ALL_TRAFFIC_OUT tcp
ip inspect name ALL_TRAFFIC_OUT udp
ip inspect name ALL_TRAFFIC_OUT icmp
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_INBOUND in
 ip inspect ALL_TRAFFIC_OUT out
 speed 100
 full-duplex
!


Verification:
Pic. 4 - Traffic OUTSIDE --> OUT.
Pic. 5 - Traffic OUTSIDE --> IN.

Step 3
DMZ configuration.

R1 Config:
!
ip access-list extended DMZ_INBOUND
 permit eigrp any any
 deny   ip any any
!
ip inspect name HTTP_TRAFFIC http
!
interface FastEthernet0/1
 description DMZ
 ip address 172.16.215.1 255.255.255.0
 ip access-group DMZ_INBOUND in
 ip inspect HTTP_TRAFFIC out
 speed 100
 full-duplex
!


Verification:
Both R2 (inside host address) and BB3 (outside host address) can reach the WWW server (10.0.5.5). On R1, show ip inspect sessions shows the entries. Pinging does not work: only HTTP is inspected on the DMZ interface, so the ICMP replies from 10.0.5.5 are dropped by the implicit deny in DMZ_INBOUND.
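As an added example (not part of the lab), the following Python model shows how CBAC on R1 combines the static inbound ACLs with the dynamic session entries that "ip inspect ... out" creates, and why the verification above turns out the way it does: HTTP to 10.0.5.5 works from both sides, the session state disappears on a proper FIN close, and a ping into the DMZ fails. The host addresses 10.0.2.2 (R2) and 192.0.2.254 (BB3) and the port numbers are constructed for the example.

```python
from dataclasses import dataclass

WWW = "10.0.5.5"          # R5 loopback acting as the web server (from the lab)

@dataclass(frozen=True)
class Pkt:
    proto: str            # "tcp", "udp", "icmp" or "eigrp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    fin: bool = False     # set on the packet that properly closes a TCP session

class CbacInterface:
    """Static inbound ACL plus the inspection rule applied outbound on one interface."""
    def __init__(self, acl, inspect):
        self.acl = acl            # (proto, dst host or None, dst port or None) permits
        self.inspect = inspect    # (proto, dst port or None) entries CBAC inspects
        self.sessions = set()     # dynamic entries keyed on the expected return 5-tuple

    def outbound(self, p):
        # No outbound ACL in the lab: everything leaves; inspected traffic opens a return hole.
        if any(pr == p.proto and port in (None, p.dport) for pr, port in self.inspect):
            self.sessions.add((p.proto, p.dst, p.src, p.dport, p.sport))
        return True

    def inbound(self, p):
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        if key in self.sessions:  # return traffic of an inspected session bypasses the ACL
            if p.fin:             # properly closed: state removed without any idle timer
                self.sessions.discard(key)
            return True
        return any(pr == p.proto and host in (None, p.dst) and port in (None, p.dport)
                   for pr, host, port in self.acl)   # static ACL, implicit deny at the end

# R1's two filtered interfaces as configured in Steps 1-3 of the lab
OUTSIDE = CbacInterface([("tcp", WWW, 80)], [("tcp", None), ("udp", None), ("icmp", None)])
DMZ = CbacInterface([("eigrp", None, None)], [("tcp", 80)])

def dmz_http_from_inside(client="10.0.2.2", sport=40001):
    """R2 browsing the DMZ server: request out Fa0/1, reply back in, FIN tears the state down."""
    DMZ.outbound(Pkt("tcp", client, WWW, sport, 80))
    reply_ok = DMZ.inbound(Pkt("tcp", WWW, client, 80, sport))
    DMZ.inbound(Pkt("tcp", WWW, client, 80, sport, fin=True))
    after_close = DMZ.inbound(Pkt("tcp", WWW, client, 80, sport))
    return reply_ok, after_close                       # (True, False)

def dmz_ping_from_inside(client="10.0.2.2"):
    """Echo request leaves unfiltered, but the echo reply hits DMZ_INBOUND's implicit deny."""
    DMZ.outbound(Pkt("icmp", client, WWW))
    return DMZ.inbound(Pkt("icmp", WWW, client))       # False

def outside_checks(bb3="192.0.2.254", inside="10.0.2.2"):
    """BB3 may only reach WWW on the DMZ server; an inside-originated ping gets its reply back."""
    OUTSIDE.outbound(Pkt("icmp", inside, bb3))
    return (OUTSIDE.inbound(Pkt("tcp", bb3, WWW, 5000, 80)),      # True: static permit
            OUTSIDE.inbound(Pkt("tcp", bb3, inside, 5001, 23)),   # False: implicit deny
            OUTSIDE.inbound(Pkt("icmp", bb3, inside)))            # True: inspected reply
```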

REMOVE CBAC CONFIGURATION BEFORE NEXT LAB!