
Workshop #3

Configuring CBAC and Zone-Based Firewalls

14/09/2014
Members:
Katiuska Criollo, Johnny Segarra, Byron Asencio, Luis Pilay, Boris De la Torre

Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      Fa0/1          192.168.1.1   255.255.255.0    N/A              S1 Fa0/5
R1      S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      Fa0/1          192.168.3.1   255.255.255.0    N/A              S3 Fa0/5
R3      S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3   255.255.255.0    192.168.1.1      S1 Fa0/6
PC-C    NIC            192.168.3.3   255.255.255.0    192.168.3.1      S3 Fa0/18
Part 1: Basic Router Configuration
Task 1: Device configuration
1. Configure each router with the addressing plan shown and enable EIGRP
2. Verify connectivity between the devices
3. Configure encrypted passwords for the console, aux and vty lines
Task 2: Use Nmap to determine the router's vulnerabilities
1. Scan R1's open ports from PC-A
2. Verify the open ports (80 and 23)

HTTP, port 80

Telnet, port 23
3. Device configuration

R1
Current configuration : 1240 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN Site 1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/2/0
description Enlace Wan a R2
ip address 10.1.1.1 255.255.255.252
no fair-queue
clock rate 125000
!
interface Serial0/2/1
no ip address
shutdown
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 094F471A1A0A1607131C053938
login
line vty 0 4
exec-timeout 5 0
password 7 0822455D0A1613030B1B0D1739
login
!
scheduler allocate 20000 1000
!
end
R2
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$Dz73$sk0VuhKo6oNGYPQbq9gS5/
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/2/0
description R2 Serial 0
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 10.2.2.0 0.0.0.3
no auto-summary
!
ip forward-protocol nd
!
!
!
!
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 121A0C0411040D11323B253B20
login
line vty 0 4
exec-timeout 5 0
password 7 045802150C2E5A5A1009040401
login
!
scheduler allocate 20000 1000
!
end
R3
Part 2: Configuring CBAC

1. Enable AutoSecure


2. ACL modified to permit EIGRP updates

3. Verify CBAC functionality, allowing ping to R2


4. Permit Telnet connections for R1

5. Verify Telnet from PC-A to R2


6. Output of "show ip inspect all"

7. Details of the open sessions

8. Device configuration

R1
Current configuration : 3219 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$Kz15$nkPyCBVzKIq7bGGFB9k4R0
enable password 7 045802150C2E1A19514055
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 60 attempts 2 within 30
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 030752180500701E1D5D4C
archive
log config
logging enable
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description LAN Site 1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface Serial0/2/0
description Enlace Wan a R2
ip address 10.1.1.1 255.255.255.252
ip access-group autosec_firewall_acl in
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect autosec_inspect out
no fair-queue
clock rate 125000
!
interface Serial0/2/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
permit eigrp any any
permit tcp any any eq telnet
deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C Unauthorized Access Prohibited ^C
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
password 7 094F471A1A0A1607131C053938
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 5 0
password 7 0822455D0A1613030B1B0D1739
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
!
end
R2
R2#show running-config
Building configuration...

Current configuration : 1269 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$Dz73$sk0VuhKo6oNGYPQbq9gS5/
!
no aaa new-model
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
!
!
!
!
!
line con 0
exec-timeout 5 0
password 7 13061E01080307252534292026
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 121A0C0411040D11323B253B20
login
line vty 0 4
exec-timeout 5 0
password 7 045802150C2E5A5A1009040401
login
!
scheduler allocate 20000 1000
!
end
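The CBAC setup that steps 2 to 4 leave on R1 (autosec_firewall_acl opened for EIGRP and Telnet inbound, ip inspect applied outbound on Serial0/2/0) can be checked mechanically instead of by reading the config by eye. This is an added Python example, not part of the lab report: it takes the relevant lines copied from the R1 configuration above as input and returns what a reviewer would flag, such as the ACL permitting Telnet from any source; the function names are this example's own.

```python
# Added example, not from the lab report: audits the CBAC setup Part 2 leaves
# on R1. Input is the relevant lines copied from the R1 config in the report.
import re

R1_CONFIG = """\
ip inspect name autosec_inspect tcp timeout 3600
!
interface Serial0/2/0
 ip access-group autosec_firewall_acl in
 ip inspect autosec_inspect out
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 permit eigrp any any
 permit tcp any any eq telnet
 deny ip any any
!
"""

def sections(config):
    """Map each '!'-delimited block to its child lines, keyed by its first line."""
    out, cur = {}, []
    for line in config.splitlines() + ["!"]:
        if line.strip() == "!":
            if cur:
                out[cur[0]] = cur[1:]
            cur = []
        else:
            cur.append(line.strip())
    return out

def audit_cbac(config, wan_if):
    """Return the findings a reviewer would raise about CBAC on wan_if."""
    cfg = sections(config)
    iface = cfg.get("interface " + wan_if, [])
    acl_in = next((l.split()[2] for l in iface if re.match(r"ip access-group \S+ in$", l)), None)
    insp = next((l.split()[2] for l in iface if re.match(r"ip inspect \S+ out$", l)), None)
    findings = []
    if not acl_in:
        findings.append("no inbound ACL on " + wan_if)
    if not insp:
        findings.append("no outbound inspection rule on " + wan_if)
    elif ("ip inspect name %s " % insp) not in config:
        findings.append("inspection rule %s applied but never defined" % insp)
    acl = cfg.get("ip access-list extended %s" % acl_in, [])
    if acl and acl[-1] != "deny ip any any":
        findings.append("ACL %s lacks a closing deny ip any any" % acl_in)
    if any(re.match(r"permit tcp any any eq (telnet|23)$", e) for e in acl):
        findings.append("ACL %s permits inbound Telnet from any source" % acl_in)
    return findings
```

Running `audit_cbac(R1_CONFIG, "Serial0/2/0")` on the report's configuration returns only the Telnet finding, which is exactly the hole step 4 opened; restricting that entry to the management host or moving to SSH would clear it.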
Part 3: Configuring a Zone-Based Firewall (ZBF) Using CCP
Task 1: Use the CCP Firewall Wizard to configure a zone-based firewall

1. Install CCP Firewall


2. Use CCP to examine R3's configuration.

3. Verifying EIGRP routing functionality on R3


4. Verify Zone-Based Firewall functionality
