1 / 24

Lab 12 – Cisco Firewall

Lab 12 – Cisco Firewall . Next Labs. Lab 13 In-lab project work time TA available for help Will take attendance Status sheet with signatures due by end of lab period Lab 14 Project due Presentations. Brief overview. Cisco Firewall . Background:. Your network is 152.8.0.0/16 .

opal
Download Presentation

Lab 12 – Cisco Firewall

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lab 12 – Cisco Firewall

  2. Next Labs • Lab 13 • In-lab project work time • TA available for help • Will take attendance • Status sheet with signatures due by end of lab period • Lab 14 • Project due • Presentations

  3. Brief overview Cisco Firewall

  4. Background: • Your network is 152.8.0.0/16. • Everyone has the same IP address range • A local network • Any address that starts with 152.8 is considered local. • Anything else is “outside” • Rules specify source and destination IP addresses

  5. ACLs • Rules are for many types of interface • 2 styles for IP • Basic (in bound only from a source) • Extended (in and out bound) • We’ll concentrate on the extended IP style

  6. General format for a Cisco-like firewall configuration command (extended IP) • access-list number {permit | deny} [protocol] {any | ipaddr mask | hostipaddr} {any | ipaddr mask | hostipaddr} [operator port | established] [log] • Bold items are entered verbatim • […] items are optional • {…} must be entered • | denotes “or” • The command must be all on one line • access-list111permittcpanyhost 152.8.1.10eq 80

  7. Definitions: • access-list • All firewall configuration ACL commands start with this keyword • number • A number typically between • E.g. IP is 0-99 or 1300-1999, IPX is 100-199 or 2000-2699 • Think of it as the name of the list • Number range implies type of protocol involved • permit or deny • Whether to permit or deny this packet of information if conditions match • protocol (optional) • Type of protocol for this packet: IP, ICMP, SNMP, UDP or TCP • If omitted, then this command pertains to all network traffic regardless of protocol

  8. Definitions: • Source Address • Internet address of the sender of the packet • Can be: • any- This access command applies to packets from any source • host ipaddr- Command applies to one particular computer • IP address of the computer • Dotted decimal format (i.e. 152.8.1.2) • ipaddr mask – “sub-net” range affected • IP network address of the packet's source • Dotted-decimal format • Followed by a mask (dotted-decimal format) • When comparing the packet's source address, any address bit whose mask bit is one is ignored • 152.8.12.47 0.0.255.255 • represents all IP addresses whose first 16 bits match • Destination Address • Internet address of the network packet's destination • Specified in the same three formats as the source address

  9. Definitions: • Operator (optional) • Applies to TCP or UDP ports only • Indicates how the port number in the packet should be compared • If omitted, command applies for all ports • eqequal • ltless than • gtgreater than • neqnot equal • range a range of ports • Must specify two different port numbers • estestablished connections • Allows packets to pass through the firewall from the Internet if they are the response to a connection established from within the intranet

  10. Definitions: • Port (optional) • TCP/UDP destination port number • If omitted, command applies for all port numbers • Port number must be specified if an operator is given • Log (optional) • Whether to log this entry to the console

  11. Notes: • Commands are case insensitive • Note: all access-list commands must fit on one line • Comments can be included configuration • Comments start with an exclamation point ( ! ) • Examples: • access-list 111 permit tcp any host 152.8.1.10 eq 80 • Permits any computer on the Internet to connect to the computer whose • IP host address is 152.8.1.1 • uses the TCP protocol • port 80 • access-list 123 deny any 178.22.8.9 0.0.255.255 • This will prohibit any computer from accessing a computer on the 178.22 domain using any protocol

  12. Access-list command order is important • When a packet arrives at your firewall • it will be compared with each access-list statement in the order they appear • The first statement that applies to that packet determines if it is permitted or denied • For incoming traffic • Implicit deny everything else at the end of the access-lists • For outgoing traffic • Implicit permit everything else at the end of the access-lists

  13. Firewall • IP address format: • any • matches anything • host 152.8.1.10 • matches one IP address • 152.8.1.1 0.0.255.255 • matches a (sub)network • Note: the Cisco netmaskis backwards from what you're used to! • Called an inverse mask • 0's mean "don't care"

  14. Examples • access-list 101 deny tcpany152.8.0.0 0.0.255.255 eq 80 • Block all incoming TCP traffic to port 80 • “any” is the source address • “152.8.0.0 0.0.255.255” is the destination. • In this case, it refers to any IP address that starts with 152.8. • This blocks packets from entering your network from outside • Protects your internal or rogue Web servers

  15. Examples • access-list 101 deny tcp152.8.0.0 0.0.255.255 anyeq 80 • Block all outgoing TCP traffic to port 80 • “152.8.0.0 0.0.255.255” is the source • “any” is the destination. • block all packets from the local network to the everything on port 80 outside

  16. Examples • access-list 101 allow tcp any host 152.8.1.10 eq 80 • access-list 101 deny tcp any 152.8.0.0 0.0.255.255 eq 80 • Block all incoming port 80 traffic EXCEPT traffic to our Web server • First rule permits packets to the Web server • 152.8.1.10 • Second rule blocks packets from outside to all inside • 152.8.0.0 0.0.255.255 • A packet going to the Web server • Matches the first rule and stops being processed • Packet allowed to go to the Web server • A packet going anywhere else • Doesn't match the first rule, so it gets caught by the second rule • It is denied, or blocked

  17. Examples • We don't want employees in a certain subnet reading Reddit while at work. Block packets from 152.8.100.0/24 to www.reddit.com (72.246.25.35) access-list 101 deny tcp 152.8.100.0 0.0.0.255 host 72.246.25.35 • Note: we're only interested in IP addresses starting with 152.8.100, so the netmask is 0.0.0.255

  18. Important Note • The ACLs are for an interface • E.g for a specific Ethernet port (plug) • For extended IP rules need ACLs: • For the outward facing ports (the internet) • For the internal ones • Each rule needs source and destination addresses

  19. Final notes • The protocol for a service isn't always TCP • DNS, for example, uses UDP • You can leave out the protocol entirely to operate on all protocols. • The number after “access-list” isn't important • Can use the same number for every rule • Should use a number for the type of rule • Any incoming packets not covered by a rule are blocked by default • Any outgoing packets not covered by a rule are allowed by default

  20. Cisco Router Modes • These Cisco IOS command modes are hierarchical. • When you begin a router session, you are in user EXEC mode. • You can see a list of available commands for a particular mode by entering a question mark (?) at the prompt.

  21. General Notes • When the 850 is reset: • Get a default UID of “cisco” and PW of “cisco” • One time use only! • Must create a new user for use next time restart/login • Otherwise will need to reset the router and start all over again!

  22. Lab 12 notes • When first started or reset the Cisco 850 router does absolutely nothing • Must turn on and configure services • Enable NAT • Enable and configure DHCP • Set up ACLs (Access Control Lists) • This lab will use Minicom to configure the router through the serial port

  23. Lab 12 – Graduated from being a Pilot Lab! • Answer the questions and the items marked ** • Work in pairs • When “fresh from the box” or reset: • The router is a brick • Does nothing • Needs to be configured • Includes new ID and PW • Optional: • Turn in copy of lab with comments • Only if errors or incomplete instructions

  24. Lab 12 Deliverables • Short paper describing the lab with an introduction, body and summary • Answer the questions and the **ed items

More Related