
Aruba Advanced Technical Training

Lab 3
Firewalls and Roles
Goals
Configure destinations and services
Configure firewall rules
Configure firewall policies
Create and configure roles
Apply firewall policies to interfaces

Configure Destination and Service Aliases


Netdestination
The netdestination command allows multiple networks and ranges of networks to be
configured with easy to understand alias names assigned to them.
1. Set up a new netdestination called Internal_Network, where x equals your
table's subnet number.
CLI:

# conf t
(config) # netdestination Internal_Network
(config-dest) # network 172.16.x.0 255.255.255.0
(config-dest) # end

GUI:
a. Navigate the following menu path: Configuration > Security > Advanced > Destinations
b. Click on the Add button to begin adding a new destination
c. Name the destination Internal_Network, and click the Add button
d. In the Add Rule section, use the following settings:
   i. Rule Type = network
   ii. IP Address = 172.16.x.0
   iii. Network Mask/Range = 255.255.255.0
e. Click on the Add button to accept these rules
f. Click on the Apply button to save this netdestination
This command could be used to create netdestinations to be used with firewall
rules to allow access to certain portions of the network, but not others.

Aruba Technical Training


V 2.4-1 08/05

2. Create netdestinations for the other subnets in the class, including the network
that the server is connected to (11.2.1.0/24). Use Backbone as the name for the
network the server is connected to, and Tablex_Network as the naming
convention for each of the netdestinations.

Netservice
netservice is similar to netdestination, but allows you to create aliases for commonly
used network protocols such as HTTP, FTP, SMTP, etc.
1. Examine the pre-configured services. Then create a new service called svc-test1. This service will use TCP port 1818.
CLI:
# show running-config
# conf t
(config) # netservice svc-test1 tcp 1818
(config) # end

GUI:
a. Navigate the following menu path: Configuration > Security > Advanced > Services
b. Click on the Add button to begin adding a new service
c. In the Add Rule section, use the following settings:
   i. Service Name = svc-test1
   ii. Protocol = TCP
   iii. Starting Port = 1818
d. Click on the Apply button to save this netservice

2. Services can also exist across a range of port numbers. For example, svc-dhcp
uses UDP ports 67 and 68. Create a new service svc-test2 with a range of UDP
ports from 1900 to 1921.
3. Services can also be defined by IP protocol. For example, svc-esp is IP
protocol 50. Create a new service svc-test3 with an IP protocol number 250.


Create Firewall Policies


Firewall rules can be constructed using netdestination and netservice aliases, or they
can be created using specific addresses. Using names instead of addresses can simplify
the configuration and make it easier to understand.
1. Examine the pre-configured firewall policies. Then create a new firewall policy
called Internet_Only. This policy can be used to restrict access only to the
Internet by denying access to the internal network. You will use the
Internal_Network netdestination you created earlier to accomplish this. When
reviewing the firewall policies using the CLI, look for ip access-list session,
which is what all firewall policies begin with. Also notice that the use of
netservice names makes the policies very easy to understand.
CLI:
# show running-config
# conf t
(config)# ip access-list session Internet_Only
(config-sess-Internet_Only)# user alias Internal_Network any deny
(config-sess-Internet_Only)# user any any permit
(config-sess-Internet_Only)# end

GUI:
a. Navigate the following menu path: Configuration > Security > Policies
b. Click on the Add button to begin adding a new Firewall Policy
c. Name the policy Internet_Only, and click the Add button
d. In the Rules section, add your first rule using the following settings:
   i. Source = user
   ii. Destination = Alias
   iii. Alias = Internal_Network
   iv. Service = any
   v. Action = drop
e. Add a second rule to this policy using the following settings:
   i. Source = user
   ii. Destination = any
   iii. Service = any
   iv. Action = permit
f. The rules must be in this order since the firewall processes them sequentially
and stops processing once a match is found.
g. When the rules are properly created, click the Apply button to save this policy


2. Now insert a new line into the firewall policy you just created. The purpose of
this new rule will be to deny access to one more network. The rule needs to be at
priority/position 2, so that it is executed before the any any permit statement:
CLI:
# conf t
(config)# ip access-list session Internet_Only
(config-sess-Internet_Only)# user network 124.13.2.0 255.255.255.0 any deny position 2
(config-sess-Internet_Only)# end

GUI:
a. Navigate the following menu path: Configuration > Security > Policies
b. Next to the Internet_Only policy, click on the Edit button to begin editing
this Firewall Policy
c. In the Rules section, click on the Add button to add a new rule using the
following settings:
   i. Source = user
   ii. Destination = network
   iii. Host IP = 124.13.2.0
   iv. Mask = 255.255.255.0
   v. Service = any
   vi. Action = drop
d. After all of the settings are entered, click on the Add button to accept this new
rule, and then click on the up arrow next to the rule to move it to the 2nd
position in the list.
e. Click on Apply to save the changes to this firewall policy.

Create Roles
Once firewall policies have been defined, they need to be applied to roles. In this section,
you will create a new role and edit an existing role. As part of these tasks, you will
assign firewall policies to these roles.

1. Examine the pre-configured user-roles. Then create a role named employee and
then assign the allowall policy to the role.
CLI:
# show running-config | begin user-role
# conf t
(config)# user-role employee
(config-role)# session-acl allowall
(config-role)# end

GUI:
a. Navigate the following menu path: Configuration > Security > Roles
b. Click on the Add button to begin adding a new User Role
c. In the Role Name field, enter employee
d. In the Firewall Policies section, click on Add to add a policy to this role
e. Select the radio button next to Choose from Configured Policies and select
the policy allowall from the drop down menu. Click on the Done button to
accept this firewall policy.
f. Scroll to the bottom of the window, and click on the Apply button to save
these changes.
2. Now view the role you just created. First, view the summary of all roles:
# show rights

3. Next, view the rights for the role employee:


# show rights employee

4. There is an existing role called guest. View the rights for the role and then
modify the role to allow Internet access using the firewall policy you created
earlier.
CLI:
# show rights guest
# conf t
(config)# user-role guest
(config-role)# session-acl Internet_Only
(config-role)# end

GUI:
a. Navigate the following menu path: Configuration > Security > Roles
b. Next to the Guest role, click on the Edit button to begin editing this User
Role.
c. In the Firewall Policies section, click on Add to add a policy to this role.
d. Select the radio button next to Choose from Configured Policies and select
Internet_Only from the drop down selection box.
e. Click on the Done button to accept this policy.
f. At the bottom of the window, click on Apply to save the changes to this role.

View ACL and Firewall Activity


1. Use the following command to view firewall and ACL activity. This is an
important command to use when troubleshooting firewall problems. Note that
since you applied this policy to an unused port, you will not have any data.
CLI:

# show acl hits

GUI:
a. Navigate the following menu path: Monitoring > Switch > Firewall Hits
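As an added illustration, not part of the Aruba lab material and not ArubaOS code, the following Python model reproduces the behaviour the previous sections depend on: netdestination and netservice aliases, ip access-list session policies evaluated first-match in rule order with an implicit deny when nothing matches, the position keyword used in step 2 of Create Firewall Policies, session-acl assignment to roles, and per-rule hit counters of the kind show acl hits reports. The alias, policy and role names and the addresses come from the lab; table number x = 1, the Firewall class and its method names, and the sample destination 198.51.100.10 are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One line of an 'ip access-list session' policy; the source is always 'user' here."""
    dest: str      # 'any', a netdestination alias, or a 'network/prefix' string
    service: str   # 'any' or a netservice alias
    action: str    # 'permit' or 'deny'
    hits: int = 0  # incremented on every match, mirroring 'show acl hits'


class Firewall:
    """Constructed model of the lab's aliases, session ACLs and roles (not ArubaOS code)."""

    def __init__(self):
        self.netdestinations = {}  # alias -> list of ip_network
        self.netservices = {}      # alias -> (protocol, low_port, high_port)
        self.policies = {}         # policy name -> ordered list of Rule
        self.roles = {}            # role name -> ordered list of policy names

    def netdestination(self, name, *networks):
        self.netdestinations[name] = [ipaddress.ip_network(n, strict=False) for n in networks]

    def netservice(self, name, proto, low=None, high=None):
        # low=None models a protocol-number-only service such as svc-test3 (IP protocol 250)
        self.netservices[name] = (proto, low, high if high is not None else low)

    def add_rule(self, policy, dest, service, action, position=None):
        # position is 1-based like the CLI keyword; omitted means append at the end
        rules = self.policies.setdefault(policy, [])
        rule = Rule(dest, service, action)
        if position is None:
            rules.append(rule)
        else:
            rules.insert(position - 1, rule)

    def session_acl(self, role, policy):
        self.roles.setdefault(role, []).append(policy)

    def _dest_matches(self, rule, dst):
        if rule.dest == "any":
            return True
        if rule.dest in self.netdestinations:
            return any(dst in net for net in self.netdestinations[rule.dest])
        return dst in ipaddress.ip_network(rule.dest, strict=False)

    def _service_matches(self, rule, proto, port):
        if rule.service == "any":
            return True
        sproto, low, high = self.netservices[rule.service]
        if proto != sproto:
            return False
        return low is None or low <= port <= high

    def evaluate(self, role, dst_ip, proto="tcp", port=0):
        """First match wins: policies in the role's order, rules in policy order."""
        dst = ipaddress.ip_address(dst_ip)
        for policy in self.roles.get(role, []):
            for rule in self.policies[policy]:
                if self._dest_matches(rule, dst) and self._service_matches(rule, proto, port):
                    rule.hits += 1
                    return rule.action
        return "deny"  # nothing matched: the implicit deny at the end of the role's policies

    def acl_hits(self, policy):
        return [(r.dest, r.service, r.action, r.hits) for r in self.policies[policy]]


def build_lab_firewall(x=1):
    """Aliases, policies and roles from the lab steps, with x = table number (1 assumed)."""
    fw = Firewall()
    fw.netdestination("Internal_Network", f"172.16.{x}.0/24")
    fw.netdestination("Backbone", "11.2.1.0/24")
    fw.netservice("svc-test1", "tcp", 1818)
    fw.netservice("svc-test2", "udp", 1900, 1921)
    fw.netservice("svc-test3", "250")
    fw.add_rule("Internet_Only", "Internal_Network", "any", "deny")
    fw.add_rule("Internet_Only", "any", "any", "permit")
    fw.add_rule("allowall", "any", "any", "permit")
    fw.session_acl("employee", "allowall")
    fw.session_acl("guest", "Internet_Only")
    return fw


def demo():
    """Walk through the lab's rule-ordering point and return the decisions for inspection."""
    fw = build_lab_firewall(x=1)
    out = {}
    out["guest_to_internal"] = fw.evaluate("guest", "172.16.1.5", "tcp", 80)        # deny
    out["guest_to_124_before"] = fw.evaluate("guest", "124.13.2.7", "tcp", 80)      # permit
    # Step 2 of Create Firewall Policies: the new deny goes at position 2, ahead of
    # 'user any any permit'; otherwise the permit would match first.
    fw.add_rule("Internet_Only", "124.13.2.0/24", "any", "deny", position=2)
    out["guest_to_124_after"] = fw.evaluate("guest", "124.13.2.7", "tcp", 80)       # deny
    out["guest_to_internet"] = fw.evaluate("guest", "198.51.100.10", "tcp", 80)     # permit
    out["employee_to_internal"] = fw.evaluate("employee", "172.16.1.5", "tcp", 80)  # permit
    out["hits"] = fw.acl_hits("Internet_Only")
    # Contrast: appending the same deny without a position leaves it behind the permit.
    fw2 = build_lab_firewall(x=1)
    fw2.add_rule("Internet_Only", "124.13.2.0/24", "any", "deny")
    out["guest_to_124_appended"] = fw2.evaluate("guest", "124.13.2.7", "tcp", 80)   # permit
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the decisions and the hit counts for Internet_Only; the last entry shows the failure mode step 2 guards against, where a deny appended after user any any permit is never reached.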

Save Config
Don't forget to save all of your configuration changes by typing the command
copy running-config startup-config (or Save Configuration in the GUI). This saves
the running-config to flash (startup-config).

Exercise
Now that you have become familiar with firewalls, role derivations, and ACLs, use these
skills to create a realistic configuration for a customer. You may work together with the
entire class to solve this exercise. This is to be a pencil and paper exercise. Do not
configure these policies on the switch.
The customer is a large financial services firm that wants to deploy secure wireless
access. They have four classes of users on the network: employees, contractors, guests,
and the IT staff. Here are the important IP addresses for this customer:
Corporate network: 10.16.0.0/16
Mail server: 10.16.22.5 and 10.16.22.6
Intranet server: 10.16.22.9
DNS server: 10.16.22.11, 10.16.23.11, and 10.16.26.11
DHCP server: 10.16.22.10
Out-of-band network management subnet: 10.16.30.0/24


The company would like employees to have full access to the network, except for the out-of-band network management subnet. Employees should also have full Internet access.
Guests should have only Internet access using HTTP, POP3, SMTP, IPSEC, and PPTP,
the corporate DNS and DHCP servers and should be prevented from accessing any other
network service inside the company.
Contractors should have the same access that normal employees have, but should not be
allowed to use the Internet.
The IT staff should have full access to the entire network.
