Lab 3
Firewalls and Roles
Goals
# conf t
(config) # netdestination Internal_Network
(config-dest) # network 172.16.x.0 255.255.255.0
(config-dest) # end
GUI:
a. Navigate the following menu path: Configuration > Security > Advanced > Destinations
b. Click on the Add button to begin adding a new destination
c. Name the destination Internal_Network, and click the Add button
d. In the Add Rule section, use the following settings:
i. Rule Type = network
ii. IP Address = 172.16.x.0
iii. Network Mask/Range = 255.255.255.0
e. Click on the Add button to accept these rules
f. Click on the Apply button to save this netdestination
Netdestinations created this way can be referenced in firewall rules to allow access to
certain portions of the network but not others.
2. Create netdestinations for the other subnets in the class, including the network
that the server is connected to (11.2.1.0/24). Use Backbone as the name for the
network the server is connected to, and Tablex_Network as the naming
convention for each of the netdestinations.
Netservice
netservice is similar to netdestination, but allows you to create aliases for commonly
used network protocols such as HTTP, FTP, SMTP, etc.
1. Examine the pre-configured services. Then create a new service called svc-test1. This service will use TCP port 1818.
CLI:
# show running-config
# conf t
(config) # netservice svc-test1 tcp 1818
(config) # end
GUI:
a. Navigate the following menu path: Configuration > Security > Advanced > Services
b. Click on the Add button to begin adding a new service
c. In the Add Rule section, use the following settings:
i. Service Name = svc-test1
ii. Protocol = TCP
iii. Starting Port = 1818
d. Click on the Apply button to save this netservice
2. Services can also exist across a range of port numbers. For example, svc-dhcp
uses UDP ports 67 and 68. Create a new service svc-test2 with a range of UDP
ports from 1900 to 1921.
3. Services can also be defined by IP protocol. For example, svc-esp is IP
protocol 50. Create a new service svc-test3 with an IP protocol number 250.
GUI:
a. Navigate the following menu path: Configuration > Security > Policies
b. Click on the Add button to begin adding a new Firewall Policy
c. Name the policy Internet_Only, and click the Add button
d. In the Rules section, add your first rule using the following settings:
i. Source = user
ii. Destination = Alias
iii. Alias = Internal_Network
iv. Service = any
v. Action = drop
e. Add a second rule to this policy using the following settings:
i. Source = user
ii. Destination = any
iii. Service = any
iv. Action = permit
f. The rules must be in this order since the firewall processes them sequentially
and stops processing once a match is found.
g. When the rules are properly created, click the Apply button to save this policy
2. Now insert a new line into the firewall policy you just created. The purpose of
this new rule is to deny access to one more network. The rule needs to be at
priority/position 2, so that it is evaluated before the any/any permit statement:
CLI:
# conf t
(config)# ip access-list session Internet_Only
(config-sess-Internet_Only)# user network 124.13.2.0 255.255.255.0 any deny position 2
(config-sess-Internet_Only)# end
GUI:
a. Navigate the following menu path: Configuration > Security > Policies
b. Next to the Internet_Only policy, click on the Edit button to begin editing
this Firewall Policy
c. In the Rules section, click on the Add button to add a new rule using the
following settings:
i. Source = user
ii. Destination = network
iii. Host IP = 124.13.2.0
iv. Mask = 255.255.255.0
v. Service = any
vi. Action = drop
d. After all of the settings are entered, click on the Add button to accept this new
rule, and then click on the up arrow next to the rule to move it to the 2nd
position in the list.
e. Click on Apply to save the changes to this firewall policy.
Create Roles
Once firewall policies have been defined, they need to be applied to roles. In this section,
you will create a new role and edit an existing role. As part of these tasks, you will
assign firewall policies to these roles.
Aruba Technical Training
V 2.4-1 08/05
1. Examine the pre-configured user-roles. Then create a role named employee and
then assign the allowall policy to the role.
CLI:
# show running-config | begin user-role
# conf t
(config)# user-role employee
(config-role)# session-acl allowall
(config-role)# end
GUI:
a. Navigate the following menu path: Configuration > Security > Roles
b. Click on the Add button to begin adding a new User Role
c. In the Role Name field, enter employee
d. In the Firewall Policies section, click on Add to add a policy to this role
e. Select the radio button next to Choose from Configured Policies and select
the policy allowall from the drop down menu. Click on the Done button to
accept this firewall policy.
f. Scroll to the bottom of the window, and click on the Apply button to save
these changes.
2. Now view the role you just created. First, view the summary of all roles:
# show rights
4. There is an existing role called guest. View the rights for the role and then
modify the role to allow Internet access using the firewall policy you created
earlier.
CLI:
# show rights guest
# conf t
(config)# user-role guest
(config-role)# session-acl Internet_Only
(config-role)# end
GUI:
a. Navigate the following menu path: Configuration > Security > Roles
b. Next to the Guest role, click on the Edit button to begin editing this User
Role.
c. In the Firewall Policies section, click on Add to add a policy to this role.
d. Select the radio button next to Choose from Configured Policies and select
Internet_Only from the drop down selection box.
e. Click on the Done button to accept this policy.
f. At the bottom of the window, click on Apply to save the changes to this role.
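The following Python model is an added illustration for this write-up, not Aruba code: it ties together the netdestination and netservice aliases, the first-match rule evaluation that makes the rule order in Internet_Only matter (including the "position 2" insert), and the assignment of session ACLs to the employee and guest roles. Class and function names (Flow, SessionAcl, evaluate_acl, evaluate_role) are assumptions, the lab's 172.16.x.0 is taken as 172.16.1.0 (constructed), and the implicit deny when no policy in a role matches is stated as this model's assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of netdestination / netservice aliases, session ACLs and
# user-roles as used in this lab. Not Aruba code; names are assumptions and
# the lab's "172.16.x.0" is taken as 172.16.1.0 (constructed value).
NETDESTINATIONS = {
    "Internal_Network": [ipaddress.ip_network("172.16.1.0/24")],
    "Backbone": [ipaddress.ip_network("11.2.1.0/24")],
}

# name -> (protocol, low, high); for protocol-number services ("ip") the
# protocol number sits in the low field, as with svc-esp = IP protocol 50.
NETSERVICES = {
    "svc-test1": ("tcp", 1818, 1818),
    "svc-test2": ("udp", 1900, 1921),
    "svc-esp": ("ip", 50, 50),
}


@dataclass
class Flow:
    dst: str                        # destination IP of the user's session
    proto: str = "tcp"              # "tcp", "udp", or "ip" for raw protocols
    dport: int = 0
    ip_proto: Optional[int] = None  # only used when proto == "ip"


@dataclass
class Rule:
    dst: str       # "any", a netdestination alias, or "a.b.c.d/prefixlen"
    service: str   # "any" or a netservice alias
    action: str    # "permit" or "deny"


@dataclass
class SessionAcl:
    name: str
    rules: list = field(default_factory=list)

    def add(self, rule: Rule, position: Optional[int] = None) -> None:
        """Append, or insert at a 1-based slot like the CLI's 'position N'."""
        if position is None:
            self.rules.append(rule)
        else:
            self.rules.insert(position - 1, rule)


def dst_matches(spec: str, flow: Flow) -> bool:
    if spec == "any":
        return True
    addr = ipaddress.ip_address(flow.dst)
    nets = NETDESTINATIONS.get(spec) or [ipaddress.ip_network(spec)]
    return any(addr in net for net in nets)


def service_matches(spec: str, flow: Flow) -> bool:
    if spec == "any":
        return True
    proto, low, high = NETSERVICES[spec]
    if proto == "ip":
        return flow.proto == "ip" and flow.ip_proto == low
    return flow.proto == proto and low <= flow.dport <= high


def evaluate_acl(acl: SessionAcl, flow: Flow):
    """First matching rule wins; returns (action, 1-based position) or None."""
    for pos, rule in enumerate(acl.rules, start=1):
        if dst_matches(rule.dst, flow) and service_matches(rule.service, flow):
            return rule.action, pos
    return None


def evaluate_role(policies, flow: Flow) -> str:
    """Walk the role's policies in order. No match anywhere means deny
    (the implicit deny at the end of a role is this model's assumption)."""
    for acl in policies:
        hit = evaluate_acl(acl, flow)
        if hit:
            return hit[0]
    return "deny"


# The lab's Internet_Only policy, built in the order the lab gives it.
internet_only = SessionAcl("Internet_Only")
internet_only.add(Rule("Internal_Network", "any", "deny"))
internet_only.add(Rule("any", "any", "permit"))
# Step 2 of the policy section: the extra deny lands at position 2, ahead of permit.
internet_only.add(Rule("124.13.2.0/24", "any", "deny"), position=2)

allowall = SessionAcl("allowall", [Rule("any", "any", "permit")])
ROLES = {"employee": [allowall], "guest": [internet_only]}


def misordered_internet_only() -> SessionAcl:
    """Same rules with the permit first: the deny can never be reached."""
    acl = SessionAcl("Internet_Only_wrong")
    acl.add(Rule("any", "any", "permit"))
    acl.add(Rule("Internal_Network", "any", "deny"))
    return acl


if __name__ == "__main__":
    for role, flow in [("guest", Flow("172.16.1.5", dport=80)),
                       ("guest", Flow("124.13.2.7", "udp", 53)),
                       ("guest", Flow("11.2.1.1", dport=1818)),
                       ("employee", Flow("172.16.1.5", dport=80))]:
        print(role, flow.dst, "->", evaluate_role(ROLES[role], flow))
```

Running it shows the guest role blocked from both the internal network (rule 1) and 124.13.2.0/24 (the inserted rule 2) while still reaching the backbone via the any/any permit at position 3, and misordered_internet_only() shows that placing the permit first makes every later deny unreachable.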
GUI:
a. Navigate the following menu path: Monitoring > Switch > Firewall Hits
Save Config
Don't forget to save all of your configuration changes by typing the command
copy running-config startup-config (or Save Configuration in the GUI). This saves
the running-config to flash (startup-config).
Exercise
Now that you have become familiar with firewalls, role derivations, and ACLs, use these
skills to create a realistic configuration for a customer. You may work together with the
entire class to solve this exercise. This is to be a pencil and paper exercise. Do not
configure these policies on the switch.
The customer is a large financial services firm that wants to deploy secure wireless
access. They have four classes of users on the network: employees, contractors, guests,
and the IT staff. Here are the important IP addresses for this customer:
Corporate network: 10.16.0.0/16
Mail server: 10.16.22.5 and 10.16.22.6
Intranet server: 10.16.22.9
DNS server: 10.16.22.11, 10.16.23.11, and 10.16.26.11
DHCP server: 10.16.22.10