Monday, April 29, 2013

Lab 222 - Zone-Based Firewall Part 1

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
Consider R1 as the edge router. Its interface Fa0/0 is the OUTSIDE interface and Se0/0 is the INSIDE interface. Configure a firewall on R1 using the following rules:
  • Allow all traffic from INSIDE to OUTSIDE
  • Allow only SSH traffic from OUTSIDE to R1's address 192.0.2.1
  • Allow BGP protocol between R1 and BB3 (to be implemented) and log all other dropped traffic
Use zone-based firewall syntax to accomplish the goal.

Solution

Task 1
Consider R1 as the edge router. Its interface Fa0/0 is the OUTSIDE interface and Se0/0 is the INSIDE interface. Configure a firewall on R1 using the following rules:
  • Allow all traffic from INSIDE to OUTSIDE
  • Allow only SSH traffic from OUTSIDE to R1's address 192.0.2.1
  • Allow BGP protocol between R1 and BB3 (to be implemented) and log all other dropped traffic
Use zone-based firewall syntax to accomplish the goal.

R1 Config:

! Current routing configuration on R1:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
router eigrp 1
 redistribute static metric 1 1 1 1 1
 network 10.0.1.1 0.0.0.0
 network 172.16.123.1 0.0.0.0
 network 172.16.215.1 0.0.0.0
 no auto-summary
!

!
! Current routing on BB3:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!


Zone-based firewall configuration on R1:

Step 1
Define the zones.

!
zone security INSIDE
zone security OUTSIDE
!


Step 2
Classify the interesting traffic (traffic that is allowed from INSIDE to OUTSIDE).
Classify the traffic exceptions (traffic from OUTSIDE to the router itself that must be allowed: BGP and SSH to 192.0.2.1).


!
class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all UDP
 match protocol udp
class-map type inspect match-all TCP
 match protocol tcp
!

! Traffic Exceptions
!
ip access-list extended SSH_TO_R1
 permit tcp any host 192.0.2.1 eq 22

!
class-map type inspect match-any OUTSIDE_TO_SELF_EXCEPTIONS
 match protocol bgp
 match access-group name SSH_TO_R1
!



Step 3
Configure policy regarding the interesting traffic.

!
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
 class type inspect TCP
  inspect
 class type inspect UDP
  inspect
 class type inspect ICMP
  inspect
!

!
policy-map type inspect OUTSIDE_TO_SELF_POLICY
 class type inspect OUTSIDE_TO_SELF_EXCEPTIONS
  pass
 class class-default
  drop log
!



Step 4
Configure the zone pairs and apply the policy maps to them. No zone pair is created for OUTSIDE to INSIDE, so that transit traffic is dropped by default; no zone pair is created for self to OUTSIDE, so the router's own replies (BGP, SSH) are permitted by default.

!
zone-pair security INSIDE_TO_OUTSIDE_PAIRING source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
!

!
zone-pair security OUTSIDE_TO_SELF_PAIRING source OUTSIDE destination self
 service-policy type inspect OUTSIDE_TO_SELF_POLICY
!


Step 5
Assign interfaces to the zones.

!
interface FastEthernet0/0
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.0
 zone-member security OUTSIDE
 speed 100
 full-duplex
!

!
interface Serial0/0
 description INSIDE
 ip address 172.16.123.1 255.255.255.0
 zone-member security INSIDE
 encapsulation frame-relay
 clock rate 2000000
 frame-relay map ip 172.16.123.2 102 broadcast
 no frame-relay inverse-arp
!
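The decision logic that the five steps above configure, as an added Python model (not part of the original post): it encodes the lab's zones, class-maps, policy-maps and zone-pairs and applies the zone-based firewall default rules (no zone-pair means transit traffic between zones is dropped while the router's own self-zone traffic is permitted, and a flow matching no class falls to the implicit class-default drop). The names check() and zone_of(), and modelling "match protocol bgp" as TCP port 179, are assumptions of this example.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Zone membership from Step 5 and the router's own addresses (the self zone).
INTERFACE_ZONES = {"FastEthernet0/0": "OUTSIDE", "Serial0/0": "INSIDE"}
R1_ADDRESSES = {"192.0.2.1", "172.16.123.1"}

# Class-maps from Step 2 as predicates over a flow dict {proto, dst, dport}.
# Assumption: 'match protocol bgp' is modelled as TCP destination port 179.
def ssh_to_r1(f: dict) -> bool:  # ip access-list extended SSH_TO_R1
    return f["proto"] == "tcp" and f["dst"] == "192.0.2.1" and f.get("dport") == 22

CLASSES: Dict[str, Callable[[dict], bool]] = {
    "TCP": lambda f: f["proto"] == "tcp",
    "UDP": lambda f: f["proto"] == "udp",
    "ICMP": lambda f: f["proto"] == "icmp",
    # match-any: BGP or the SSH_TO_R1 access list
    "OUTSIDE_TO_SELF_EXCEPTIONS": lambda f: (f["proto"] == "tcp" and f.get("dport") == 179) or ssh_to_r1(f),
}

# Policy-maps from Step 3 as ordered (class, action) lists.
POLICIES: Dict[str, List[Tuple[str, str]]] = {
    "INSIDE_TO_OUTSIDE_POLICY": [("TCP", "inspect"), ("UDP", "inspect"), ("ICMP", "inspect")],
    "OUTSIDE_TO_SELF_POLICY": [("OUTSIDE_TO_SELF_EXCEPTIONS", "pass"), ("class-default", "drop log")],
}

# Zone-pairs from Step 4.
ZONE_PAIRS = {("INSIDE", "OUTSIDE"): "INSIDE_TO_OUTSIDE_POLICY", ("OUTSIDE", "self"): "OUTSIDE_TO_SELF_POLICY"}

def zone_of(interface: str, addr: str) -> str:
    """Traffic from or to one of R1's own addresses belongs to the self zone, else to the interface's zone."""
    return "self" if addr in R1_ADDRESSES else INTERFACE_ZONES[interface]

def decide(src_zone: str, dst_zone: str, flow: dict) -> str:
    """ZBF action for the first packet of `flow` travelling from src_zone to dst_zone."""
    if src_zone == dst_zone:
        return "permit"  # intra-zone traffic is not subject to zone-pair policies
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        # No zone-pair: the router's own traffic (self zone) is permitted by default,
        # transit traffic between two configured zones is dropped by default.
        return "permit" if "self" in (src_zone, dst_zone) else "drop"
    for cls, action in POLICIES[policy]:
        if cls == "class-default" or CLASSES[cls](flow):
            return action
    return "drop"  # implicit class-default when none is configured in the policy-map

def check(in_if: str, src: str, out_if: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Derive both zones from interface and address, then return the firewall action."""
    flow = {"proto": proto, "dst": dst, "dport": dport}
    return decide(zone_of(in_if, src), zone_of(out_if, dst), flow)
```

Running the checks below reproduces the three verification pictures: inspected INSIDE to OUTSIDE traffic, dropped OUTSIDE to INSIDE traffic, and SSH from OUTSIDE to 192.0.2.1 passed while SSH to the router's inside address is dropped and logged.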


Verification:

Pic. 2 - Traffic INSIDE_TO_OUTSIDE.
Pic. 3 - Traffic OUTSIDE_TO_INSIDE (BB3_TO_SW1).
Pic. 4 - OUTSIDE_TO_R1 using SSH.

KEEP THE CONFIGURATION FOR THE NEXT LAB!