CBT IT Certification Training

Unlimited IT Certification Courses via Streaming Video

Context-Based Access Control

Lab 3 

Context-Based Access Control

Back to book index.

Lab Objective:

The objective of this lab exercise is for you to learn and understand how implement the Cisco Context-based Access Control.

Lab Purpose:

CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.

Lab Difficulty:

This lab has a difficulty rating of 7/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.

Lab Topology:

Please use the following topology to complete this lab exercise:

Lab 3 1 

Lab 3 Configuration Tasks 

Task 1:

Configure the hostnames and IP addresses on R3 and R4 as illustrated in the network diagram. Configure R4 to send R3 clocking information at a rate of 768Kbps. Ping between R3 and R4 to verify your configuration and ensure that the two routers have IP connectivity.

Task 2:

Configure Host 1 with the IP address illustrated in the diagram and a default gateway of the Ethernet0/0 interface of R3, which is 172.16.1.3.

NOTE:

 

If you do not have a Host in your lab, you can simply substitute Host 1 for another router with an Ethernet interface and a default static route pointing to 172.16.1.3.

 

Task 3:

Configure R4 with a default static route pointing to R3. Configure the username cisco with a password of cisco and privilege level of 15 on R4. Finally, configure R4 to allow Telnet and HTTP access while authenticating using the local database.

Verify that Host 1 and R4 can ping each other and have complete network connectivity.

Task 4:

Configure CBAC on R3 as follows:

  • Use the name MY-CBAC for the inspection policy
  • Configure CBAC to inspect ICMP traffic
  • Configure CBAC to inspect TCP traffic
  • Configure CBAC to inspect HTTP traffic
  • Use ACL 150 for CBAC and explicitly deny all traffic
  • The Ethernet0/0 interface of R3 should be considered the private/trusted interface
  • The Serial0/0 interface of R3 should be considered the public/untrusted interface 

Task 5:

Test your configuration as follows:

  • Ping from Host 1 to R4 and verify that CBAC works as configured
  • Telnet from Host 1 to R4 and verify that CBAC works as configured

Lab 3 Configuration and Verification

Task 1:

Router(config)#hostname R3

R3(config)#interface ethernet0/0

R3(config-if)#ip address 172.16.1.3 255.255.255.0

R3(config-if)#no shutdown

R3(config-if)#exit

R3(config)#interface serial0/0

R3(config-if)#ip address 10.1.1.3 255.255.255.0

R3(config-if)#no shutdown

R3(config-if)#exit

R3(config)#exit

R3#

 

Router(config)#hostname R4

R4(config)#interface serial0/0

R4(config-if)#ip address 10.1.1.4 255.255.255.0

R4(config-if)#clock rate 768000

R4(config-if)#no shut

R4(config-if)#exit

R4(config)#exit

R4#

R4#ping 10.1.1.3

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Task 2:

9 2 1

 Task 3:

R4(config)#ip route 0.0.0.0 0.0.0.0 serial0/0

R4(config)#username cisco privilege 15 secret cisco

R4(config)#ip http server

R4(config)#ip http authentication local

R4(config)#line vty 0 4

R4(config-line)#login local

R4(config-line)#exit

R4(config)#exit

R4#

Task 4:

R3(config)#ip inspect name MY-CBAC icmp

R3(config)#ip inspect name MY-CBAC tcp

R3(config)#ip inspect name MY-CBAC http

R3(config)#access-list 150 deny ip any any

R3(config)#int e0/0

R3(config-if)#ip inspect MY-CBAC in

R3(config-if)#ip access-group 150 out

R3(config-if)#exit

R3(config)#int s0/0

R3(config-if)#ip access-group 150 in

R3(config-if)#ip inspect MY-CBAC out

R3(config-if)#exit

R3(config)#exit

R3#

Task 5:

Lab 3 3

R3#show ip inspect sessions detail

Established Sessions

Session 646642E0 (172.16.1.254:8)=>(10.1.1.4:0) icmp SIS_OPEN

Created 00:00:09, Last heard 00:00:06

ECHO request

Bytes sent (initiator:responder) [128:128]

Out SID 10.1.1.4[0:0]=>172.16.1.254[0:0] on ACL 150

In  SID 10.1.1.4[0:0]=>172.16.1.254[0:0] on ACL 150  (4 matches)

Out SID 0.0.0.0[0:0]=>172.16.1.254[3:3] on ACL 150

In  SID 0.0.0.0[0:0]=>172.16.1.254[3:3] on ACL 150

Out SID 0.0.0.0[0:0]=>172.16.1.254[11:11] on ACL 150

In  SID 0.0.0.0[0:0]=>172.16.1.254[11:11] on ACL 150

Lab 3 4

R3#show ip inspect sessions detail

Established Sessions

Session 646642E0 (172.16.1.254:2075)=>(10.1.1.4:23) tcp SIS_OPEN

Created 00:00:07, Last heard 00:00:04

Bytes sent (initiator:responder) [45:82]

Out SID 10.1.1.4[23:23]=>172.16.1.254[2075:2075] on ACL 150

In  SID 10.1.1.4[23:23]=>172.16.1.254[2075:2075] on ACL 150  (16 matches)

Lab 3 Configurations

R3 Configuration

R3#show run

Building configuration…

 

Current configuration : 1019 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R3

!

boot-start-marker

boot-end-marker

!

no logging console

!

no aaa new-model

!

!

ip cef

!

!

ip inspect name MY-CBAC icmp

ip inspect name MY-CBAC tcp

ip inspect name MY-CBAC http

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

!

!

!

!

interface Ethernet0/0

ip address 172.16.1.3 255.255.255.0

ip access-group 150 out

ip inspect MY-CBAC in

full-duplex

!

interface Serial0/0

ip address 10.1.1.3 255.255.255.0

ip access-group 150 in

ip inspect MY-CBAC out

!

interface Ethernet0/1

no ip address

shutdown

half-duplex

!

ip http server

ip http authentication local

ip http secure-server

!

ip forward-protocol nd

!

!

access-list 150 deny   ip any any

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

password cisco

login local

!

!

end

R4 Configuration

R4#show run

Building configuration…

 

Current configuration : 876 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R4

!

boot-start-marker

boot-end-marker

!

no logging console

!

no aaa new-model

!

!

ip cef

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

username cisco privilege 15 secret 5 $1$5xfY$qduHuWEcucGng94cEg6q7/

!

 

interface Ethernet0/0

no ip address

full-duplex

!

interface Serial0/0

ip address 10.1.1.4 255.255.255.0

clock rate 768000

no fair-queue

!

interface Ethernet0/1

no ip address

shutdown

half-duplex

!

ip http server

ip http authentication local

no ip http secure-server

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Serial0/0

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

login local

!

!

end
content-filler