R2's Fa0/1 is connected to R1 and is considered the INSIDE network. R2's Fa0/0 is connected to R3 and is considered the OUTSIDE network. R2's Se0/1/0 will connect to R4's S0/1. R1 and R3's FastEthernet interfaces are part of the 10.1.13.0/24 network, which requires R2 to bridge between the two interfaces.
I want to allow R1 to access R3's http service, but not be allowed to telnet to R3. I want R3 to be allowed to telnet to R1, but not be allowed to access R1's http service. I want both R1 and R3 to be able to access R4.
Since R1 and R3 are both on the same subnet, my first step is to configure bridging on R2. I will apply the bridge group to the two FastEthernet interfaces, enable a BVI interface, and assign it an IP address on the 10.1.13.0/24 network.
R2(config)#bridge 1 protocol ieee
R2(config)#interface fa0/0
R2(config-if)#bridge-group 1
R2(config-if)#interface fa0/1
R2(config-if)#bridge-group 1
R2(config-if)#bridge irb
R2(config)#bridge 1 route ip
R2(config)#interface bvi1
R2(config-if)#ip address 10.1.13.2 255.255.255.0
R2(config-if)#no shut

I'll verify the bridge is operational:
R2#show ip interface brief | inc BVI
BVI1 10.1.13.2 YES manual up up
R2#show bridge

Total of 300 station blocks, 298 free
Codes: P - permanent, S - self

Bridge Group 1:

Address Action Interface Age RX count TX count
000d.2846.5f60 forward FastEthernet0/0 0 33392 2831
000c.31ef.3de0 forward FastEthernet0/1 0 33801 3226
R2#

The fa0/0 and fa0/1 interfaces are already enabled on R2 with no IP addresses assigned, and no rules have been configured yet to filter any traffic. At this point, I should be able to ping between R1 and R3.
R1#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

Next I'll write the ip inspect rules for the OUTSIDE and INSIDE interfaces.
R2(config)#ip inspect name INSIDE http
R2(config)#ip inspect name INSIDE icmp
R2(config)#ip inspect name OUTSIDE telnet
R2(config)#ip inspect name OUTSIDE icmp

I will also need to write ACLs for the INSIDE and OUTSIDE interfaces: the INSIDE list allows R1 to reach R3 on TCP 80 plus ICMP echo and echo-reply, and the OUTSIDE list allows R3 to telnet to R1 plus ICMP echo and echo-reply.
R2(config)#ip access-list extended INSIDE_LIST
R2(config-ext-nacl)# permit tcp any host 10.1.13.3 eq www
R2(config-ext-nacl)# permit icmp any host 10.1.13.3 echo
R2(config-ext-nacl)# permit icmp any host 10.1.13.3 echo-reply
R2(config-ext-nacl)# deny ip any host 10.1.13.3
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)#ip access-list extended OUTSIDE_LIST
R2(config-ext-nacl)# permit tcp any host 10.1.13.1 eq telnet
R2(config-ext-nacl)# permit icmp any host 10.1.13.1 echo
R2(config-ext-nacl)# permit icmp any host 10.1.13.1 echo-reply
R2(config-ext-nacl)# deny ip any host 10.1.13.1
R2(config-ext-nacl)# permit ip any any

Now I'll apply the ip inspect rules and ACLs to the correct interfaces in the correct directions: the inbound ACL on each interface filters what that side may initiate, and the outbound inspect rule on the other interface opens return paths for the permitted sessions.
R2(config)#interface fa0/0
R2(config-if)#ip access-group OUTSIDE_LIST in
R2(config-if)#ip inspect INSIDE out
R2(config-if)#interface fa0/1
R2(config-if)#ip access-group INSIDE_LIST in
R2(config-if)#ip inspect OUTSIDE out

This completes the configuration.
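To check that the ACLs and inspect rules above implement the intended policy, here is an added Python model of the transparent firewall (not Cisco code and not part of the original post): the two inbound ACLs and the inspected ports are transcribed from the configuration, while the interface model, session table and port numbers are constructed simplifications (ICMP echo/echo-reply is collapsed into a single icmp entry).

```python
# Added example: a minimal model of CBAC transparent-firewall behaviour, i.e.
# an inbound ACL on the ingress interface plus stateful inspection on the
# egress interface that admits return traffic the ACL alone would deny.
from dataclasses import dataclass, field

R1, R3 = "10.1.13.1", "10.1.13.3"

# ACL entries transcribed from the post: (protocol, dst host, dst port, action).
# None means "any". Echo/echo-reply are collapsed into one icmp entry.
INSIDE_LIST = [("tcp", R3, 80, "permit"), ("icmp", R3, None, "permit"),
               ("ip", R3, None, "deny"), ("ip", None, None, "permit")]
OUTSIDE_LIST = [("tcp", R1, 23, "permit"), ("icmp", R1, None, "permit"),
                ("ip", R1, None, "deny"), ("ip", None, None, "permit")]

# Constructed interface model: inbound ACL, TCP ports inspected outbound
# (fa0/0 runs "ip inspect INSIDE out" = http, fa0/1 "ip inspect OUTSIDE out" = telnet),
# and the bridged peer interface a frame is forwarded out of.
IFACES = {
    "fa0/0": {"acl": OUTSIDE_LIST, "inspect_out": {80}, "peer": "fa0/1"},  # OUTSIDE, faces R3
    "fa0/1": {"acl": INSIDE_LIST, "inspect_out": {23}, "peer": "fa0/0"},   # INSIDE, faces R1
}


def acl_permits(acl, proto, dst, dport):
    """First-match evaluation of an extended ACL; implicit deny at the end."""
    for a_proto, a_dst, a_port, action in acl:
        if a_proto not in ("ip", proto):
            continue
        if a_dst is not None and a_dst != dst:
            continue
        if a_port is not None and a_port != dport:
            continue
        return action == "permit"
    return False


@dataclass
class TransparentFirewall:
    sessions: set = field(default_factory=set)  # (src, sport, dst, dport)

    def forward(self, ingress, src, sport, dst, dport, proto="tcp"):
        """Return True if the packet is bridged, False if the firewall drops it."""
        # 1. Return traffic of an inspected session bypasses the inbound ACL.
        if (dst, dport, src, sport) in self.sessions:
            return True
        # 2. Otherwise the inbound ACL on the ingress interface decides.
        if not acl_permits(IFACES[ingress]["acl"], proto, dst, dport):
            return False
        # 3. Permitted TCP traffic on a port inspected outbound on the egress
        #    interface creates a session so the reply can come back.
        egress = IFACES[ingress]["peer"]
        if proto == "tcp" and dport in IFACES[egress]["inspect_out"]:
            self.sessions.add((src, sport, dst, dport))
        return True
```

Run the six cases from the post (R1 to R3 http and telnet, R3 to R1 telnet and http, plus the replies) through `forward()` and the replies are admitted only because a session was created on the way out.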
R1 should still be able to ping R3.
R1#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

I should be able to ping R4 from both R1 and R3:
R1#ping 10.1.24.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

But R1 should not be able to telnet to R3, due to the ACL applied inbound on R2's fa0/1.
R1:
R1#telnet 10.1.13.3
Trying 10.1.13.3 ...
% Connection timed out; remote host not responding

Since telnet is allowed from R3 to R1, I'll enable debug ip inspect l2-transparent packets on R2 and look at some of the result:
R3#telnet 10.1.13.1
Trying 10.1.13.1 ... Open

User Access Verification

Password:

The resulting debug on R2: as expected, the ACL allows the initiating traffic. The debug should also show what happens to the return traffic.
R2#debug ip inspect l2-transparent packets
INSPECT L2 firewall debugging is on
*Sep 22 04:03:55.229: L2FW*:insp_l2_fast_inspection: pak 659EA0BC, input-interface FastEthernet0/0, output-interface FastEthernet0/1
*Sep 22 04:03:55.229: L2FW*:Src 10.1.13.3 dst 10.1.13.1 protocol tcp
*Sep 22 04:03:55.229: TBAP: Check AuthProxy is configured on idb=FastEthernet0/0 path=1 linktype=38
*Sep 22 04:03:55.229: L2FW:Input ACL check SUCCESS
*Sep 22 04:03:55.229: L2FW:Output ACL is not configured or ACL is bypassed
*Sep 22 04:03:55.229: L2FW:L2 header length(initiator->responder) is 14
*Sep 22 04:03:55.229: L2FW:info_start is NULL for init->rsp
*Sep 22 04:03:55.229: L2FW*:insp_l2_fast_inspection returning INSP_L2_OK
*Sep 22 04:03:55.229: L2FW*:CCE FW l2 fast returning INSP_L2_OK
*Sep 22 04:03:55.229: TBAP: Check if AP return traffic (fast path) for output idb=FastEthernet0/1 IP->prot=6
*Sep 22 04:03:55.233: L2FW*:insp_l2_fast_inspection: pak 65BDC430, input-interface FastEthernet0/1, output-interface FastEthernet0/0
With the telnet session open, I will verify that a session is open and being inspected.
R2#show ip inspect sessions detail
Established Sessions
 Session 662947E0 (10.1.13.3:33012)=>(10.1.13.1:23) telnet SIS_OPEN
  Created 00:00:32, Last heard 00:00:29
  Bytes sent (initiator:responder) [37:74]
  In SID 10.1.13.1[23:23]=>10.1.13.3[33012:33012] on ACL OUTSIDE_LIST (11 matches)