CBAC Lab
• Nmap
• Port scanner
• Nmap: the beef, Zenmap: GUI frontend
• Findings before CBAC firewall
• c. What services are running and available on R1 from the perspective of PC-C? Telnet and HTTP
• d. In the Nmap scan output, refer to the TRACEROUTE information. How many hops are between PC-C and R1 and through what IP addresses? Three hops. The scan went from PC-C to the R3 Fa0/1 default gateway (192.168.3.1) to R2 S0/0/1 (10.2.2.2) and then to R1 S0/0/0 (10.1.1.1).
CBAC Lab
• In Part 2 of this lab you configured a CBAC firewall on R1 and then used Nmap again to test access from external host PC-C to R1.
• You used the AutoSecure IOS feature to enable CBAC.
• A sort of dialog mode; it automatically does things like disabling services
• Configure CBAC Firewall feature? [yes/no]: yes
CBAC Lab
• Automatically generated configuration requires fine tuning
• The AutoSecure CBAC firewall on R1 does not permit EIGRP hellos and neighbor associations to occur
• permit eigrp any any
• permit udp any any eq bootpc
CBAC Lab
• After the CBAC config, the result of the port scan
• When the R1 CBAC firewall is in place, what services are available on R1 and what is the status of R1 from the perspective of external PC-C? No services are detected. Nmap, run from PC-C, reports the status of host R1 10.1.1.1 as down.
CBAC Lab
• c. Which protocols did AutoSecure configure to be inspected as they leave the S0/0/0 interface? Cuseeme, FTP, HTTP, RCMD, Realaudio, SMTP, TFTP, UDP and TCP.
• d. To which interface is the ACL autosec_firewall_acl applied and in which direction? S0/0/0 inbound.
• e. What is the purpose of the ACL autosec_firewall_acl? It allows bootp traffic to enter the S0/0/0 interface and blocks all other non-established connections from outside R1.
CBAC Lab
Step 2: From PC-A, ping the R2 external WAN interface.
a. From PC-A, ping the R2 interface S0/0/0 at IP address 10.1.1.2.
C:\>ping 10.1.1.2
b. Were the pings successful? Why or why not? No. The ICMP protocol was not included in the autosec_inspect list, so the pings that PC-A sends are blocked from returning.
Step 3: Add ICMP to the autosec_inspect list.
R1(config)#ip inspect name autosec_inspect icmp timeout 5
Step 4: From PC-A, ping the R2 external WAN interface.
a. From PC-A, ping the R2 interface S0/0/0 at IP address 10.1.1.2.
C:\>ping 10.1.1.2
b. Were the pings successful? Why or why not? Yes, ICMP is now included in the autosec_inspect list, so the ICMP replies for ICMP requests originating from within the R1 LAN are allowed to return.
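The slides describe the CBAC configuration in pieces: the AutoSecure inspect list and its ACL, the EIGRP and bootp fine tuning, and the later addition of ICMP. As an added example (not output from the lab or from AutoSecure itself), here is how those pieces fit together in one R1 configuration fragment. Only the rule name autosec_inspect, the ACL name autosec_firewall_acl, the interface S0/0/0, the inspected protocol list and the "icmp timeout 5" line come from the lab; the other timeout values and the closing "deny ip any any" are assumptions about what AutoSecure generates.

```cisco
! Added example, not the lab's own configuration. Names, interface and the
! protocol list are from the lab; timeout values other than the ICMP one and
! the final "deny ip any any" are assumptions.
!
! Inspection rules: an outbound session for any of these protocols creates a
! temporary opening in the inbound ACL so that its return traffic can enter.
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
! Step 3 of the lab: without this line PC-A's echo requests leave R1 but the
! echo replies are dropped by the inbound ACL, so the pings fail.
ip inspect name autosec_inspect icmp timeout 5
!
! Inbound ACL on the WAN side: anything not opened by inspection is denied.
ip access-list extended autosec_firewall_acl
 ! Fine tuning from the lab: without this entry EIGRP hellos from R2 are
 ! dropped and the neighbor adjacency never forms.
 permit eigrp any any
 permit udp any any eq bootpc
 deny ip any any
!
interface Serial0/0/0
 ! Inspect traffic leaving S0/0/0; filter traffic entering it with the ACL.
 ip inspect autosec_inspect out
 ip access-group autosec_firewall_acl in
```

To confirm the behaviour the lab describes, run the ping from PC-A and then check the router: "show ip inspect sessions" lists the dynamic openings CBAC created for the outbound traffic, and "show ip access-lists autosec_firewall_acl" shows the hit counts on the permit and deny entries, which is where the dropped echo replies and EIGRP hellos show up before the fine tuning is applied.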