Lab 3
Context-Based Access Control
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to implement Cisco Context-Based Access Control (CBAC).
Lab Purpose:
CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.
Lab Difficulty:
This lab has a difficulty rating of 7/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Lab 3 Configuration Tasks
Task 1:
Configure the hostnames and IP addresses on R3 and R4 as illustrated in the network diagram. Configure R4 to send R3 clocking information at a rate of 768Kbps. Ping between R3 and R4 to verify your configuration and ensure that the two routers have IP connectivity.
Task 2:
Configure Host 1 with the IP address illustrated in the diagram and a default gateway of the Ethernet0/0 interface of R3, which is 172.16.1.3.
NOTE:
If you do not have a Host in your lab, you can simply substitute Host 1 for another router with an Ethernet interface and a default static route pointing to 172.16.1.3.
Task 3:
Configure R4 with a default static route pointing to R3. Configure the username cisco with a password of cisco and privilege level of 15 on R4. Finally, configure R4 to allow Telnet and HTTP access while authenticating using the local database.
Verify that Host 1 and R4 can ping each other and have complete network connectivity.
Task 4:
Configure CBAC on R3 as follows:
- Use the name MY-CBAC for the inspection policy
- Configure CBAC to inspect ICMP traffic
- Configure CBAC to inspect TCP traffic
- Configure CBAC to inspect HTTP traffic
- Use ACL 150 for CBAC and explicitly deny all traffic
- The Ethernet0/0 interface of R3 should be considered the private/trusted interface
- The Serial0/0 interface of R3 should be considered the public/untrusted interface
Task 5:
Test your configuration as follows:
- Ping from Host 1 to R4 and verify that CBAC works as configured
- Telnet from Host 1 to R4 and verify that CBAC works as configured
Lab 3 Configuration and Verification
Task 1:
Router(config)#hostname R3
R3(config)#interface ethernet0/0
R3(config-if)#ip address 172.16.1.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial0/0
R3(config-if)#ip address 10.1.1.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#exit
R3#
Router(config)#hostname R4
R4(config)#interface serial0/0
R4(config-if)#ip address 10.1.1.4 255.255.255.0
R4(config-if)#clock rate 768000
R4(config-if)#no shut
R4(config-if)#exit
R4(config)#exit
R4#
R4#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Task 2:
Task 3:
R4(config)#ip route 0.0.0.0 0.0.0.0 serial0/0
R4(config)#username cisco privilege 15 secret cisco
R4(config)#ip http server
R4(config)#ip http authentication local
R4(config)#line vty 0 4
R4(config-line)#login local
R4(config-line)#exit
R4(config)#exit
R4#
Task 4:
R3(config)#ip inspect name MY-CBAC icmp
R3(config)#ip inspect name MY-CBAC tcp
R3(config)#ip inspect name MY-CBAC http
R3(config)#access-list 150 deny ip any any
R3(config)#int e0/0
R3(config-if)#ip inspect MY-CBAC in
R3(config-if)#ip access-group 150 out
R3(config-if)#exit
R3(config)#int s0/0
R3(config-if)#ip access-group 150 in
R3(config-if)#ip inspect MY-CBAC out
R3(config-if)#exit
R3(config)#exit
R3#
Task 5:
R3#show ip inspect sessions detail
Established Sessions
 Session 646642E0 (172.16.1.254:8)=>(10.1.1.4:0) icmp SIS_OPEN
  Created 00:00:09, Last heard 00:00:06
  ECHO request
  Bytes sent (initiator:responder) [128:128]
  Out SID 10.1.1.4[0:0]=>172.16.1.254[0:0] on ACL 150
  In SID 10.1.1.4[0:0]=>172.16.1.254[0:0] on ACL 150 (4 matches)
  Out SID 0.0.0.0[0:0]=>172.16.1.254[3:3] on ACL 150
  In SID 0.0.0.0[0:0]=>172.16.1.254[3:3] on ACL 150
  Out SID 0.0.0.0[0:0]=>172.16.1.254[11:11] on ACL 150
  In SID 0.0.0.0[0:0]=>172.16.1.254[11:11] on ACL 150
R3#show ip inspect sessions detail
Established Sessions
 Session 646642E0 (172.16.1.254:2075)=>(10.1.1.4:23) tcp SIS_OPEN
  Created 00:00:07, Last heard 00:00:04
  Bytes sent (initiator:responder) [45:82]
  Out SID 10.1.1.4[23:23]=>172.16.1.254[2075:2075] on ACL 150
  In SID 10.1.1.4[23:23]=>172.16.1.254[2075:2075] on ACL 150 (16 matches)
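The two session tables above are what you check by eye; the following script, which is an added example and not part of the lab, parses that same output and confirms that every open CBAC session was initiated from the trusted 172.16.1.0/24 side, which is the property Task 4 was meant to enforce. The sample text is constructed from the two captures shown above.

```python
import ipaddress
import re

# Constructed sample: the two "show ip inspect sessions detail" captures from
# Task 5 of this lab (ICMP ping, then Telnet, both from Host 1 to R4), joined.
SAMPLE_OUTPUT = """\
Established Sessions
 Session 646642E0 (172.16.1.254:8)=>(10.1.1.4:0) icmp SIS_OPEN
  Created 00:00:09, Last heard 00:00:06
  ECHO request
  Bytes sent (initiator:responder) [128:128]
  Out SID 10.1.1.4[0:0]=>172.16.1.254[0:0] on ACL 150
  In SID 10.1.1.4[0:0]=>172.16.1.254[0:0] on ACL 150 (4 matches)
 Session 646642E0 (172.16.1.254:2075)=>(10.1.1.4:23) tcp SIS_OPEN
  Created 00:00:07, Last heard 00:00:04
  Bytes sent (initiator:responder) [45:82]
  Out SID 10.1.1.4[23:23]=>172.16.1.254[2075:2075] on ACL 150
  In SID 10.1.1.4[23:23]=>172.16.1.254[2075:2075] on ACL 150 (16 matches)
"""

# One CBAC session header: Session <id> (initiator:port)=>(responder:port) proto state
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>\S+)"
)
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")


def parse_sessions(text):
    """Return one dict per session, with ports and byte counters as ints."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            s = m.groupdict()
            s["sport"], s["dport"] = int(s["sport"]), int(s["dport"])
            s["bytes"] = (0, 0)  # filled in when the "Bytes sent" line follows
            sessions.append(s)
            continue
        b = BYTES_RE.search(line)
        if b and sessions:
            sessions[-1]["bytes"] = (int(b.group(1)), int(b.group(2)))
    return sessions


def sessions_outside_trust(sessions, trusted_net):
    """Sessions whose initiator is NOT in the trusted network; on R3 this list
    should be empty, since CBAC only opens return paths for Host 1's connections."""
    net = ipaddress.ip_network(trusted_net)
    return [s for s in sessions if ipaddress.ip_address(s["src"]) not in net]
```

A non-empty result from sessions_outside_trust on R3 would mean inspection is being applied in the wrong direction on one of the interfaces.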
Lab 3 Configurations
R3 Configuration
R3#show run
Building configuration…
Current configuration : 1019 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
ip cef
!
ip inspect name MY-CBAC icmp
ip inspect name MY-CBAC tcp
ip inspect name MY-CBAC http
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface Ethernet0/0
 ip address 172.16.1.3 255.255.255.0
 ip access-group 150 out
 ip inspect MY-CBAC in
 full-duplex
!
interface Serial0/0
 ip address 10.1.1.3 255.255.255.0
 ip access-group 150 in
 ip inspect MY-CBAC out
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
ip http server
ip http authentication local
ip http secure-server
!
ip forward-protocol nd
!
access-list 150 deny ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login local
!
end
R4 Configuration
R4#show run
Building configuration…
Current configuration : 876 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username cisco privilege 15 secret 5 $1$5xfY$qduHuWEcucGng94cEg6q7/
!
interface Ethernet0/0
 no ip address
 full-duplex
!
interface Serial0/0
 ip address 10.1.1.4 255.255.255.0
 clock rate 768000
 no fair-queue
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
ip http server
ip http authentication local
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login local
!
end