
pix advanced lab 3v3


Document information

Pages: 11
Size: 275.05 KB

Contents


Lab Exercise—Configure ACLs in the PIX Firewall

Complete the following lab exercises to practice what you have learned.

Objectives

In this lab exercise, you will complete the following tasks:

■ Disable pinging to an interface

■ Configure inbound and outbound ACLs

■ Filter malicious active code

■ Configure the PIX Firewall to work with a URL-filtering application

Visual Objective

The following figure displays the topology of the lab environment used in this exercise.

© 2001, Cisco Systems, Inc www.cisco.com CSPFA 2.0—4-32

[Figure: Lab Visual Objective. Inside network 10.0.P.0/24: PIX Firewall e1 inside .1, inside host .2. Outside network 192.168.P.0/24: PIX Firewall e0 outside .1, Internet server (web, FTP, and TFTP server) 192.168.P.2, Internet at 192.168.P.254. DMZ 172.16.1.0/24: PIX Firewall e2 dmz 172.16.1.P, bastion host (web and FTP server) .50. To adjacent pod: P1-P2, P3-P4, P7-P8, P9-P10.]

Access and Lab Setup

To do this lab exercise, you must be connected to the lab at www.labgear.net. Your instructor will provide the username and password for logging into this site. Once logged on, the lab diagram will be displayed (the picture below is for Pod #1):

To access the PIX Firewall from the main lab diagram, click on the "CONSOLE" icon associated with the PIX Firewall. A window will open to the PIX console. To access the inside or outside clients, click on the appropriate "PC Desktop" icon. For these devices you must first authenticate at the "VNC Authentication" screen before you can access the PC desktop.

Passwords

Use the following passwords for this lab:

■ Lab Gear password: Your instructor will provide it.

■ PIX password: Either no password (just press the Enter key) or cisco.

■ PC client or server: The username is administrator and there is no password (just press the Enter key).

■ VNC password: When you connect to the PCs or servers, use a password of cisco at the VNC screen.

Task 1—Disable Pinging to an Interface

Perform the following lab steps to configure an ICMP ACL to prevent pinging to your PIX Firewall interfaces:

Step 1 On your inside host, open a command window to reach the DOS prompt (Start->Run…->Enter "cmd" as the program to Open) and ping the inside interface of your PIX Firewall:

C:\>ping 10.0.P.1

Pinging 10.0.P.1 with 32 bytes of data:

Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
Reply from 10.0.P.1: bytes=32 time<10ms TTL=255

(where P = pod number)

Step 2 From your inside host, ping the outside interface. By default, pinging through the PIX Firewall to a PIX Firewall interface is not allowed:

C:\>ping 192.168.P.1

Pinging 192.168.P.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Step 3 Deny all ping requests at the inside interface:

pixP(config)# icmp deny any echo-reply inside

Step 4 View your ICMP ACL:

pixP(config)# show icmp

icmp deny any echo-reply inside

Step 5 From your inside host, ping the PIX Firewall inside interface. The ICMP ACL causes the ping to fail:

C:\>ping 10.0.P.1

Pinging 10.0.P.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Step 6 Enable pinging to your PIX Firewall's inside interface:

pixP(config)# clear icmp

Step 7 Verify that you can once again ping the inside interface of your PIX Firewall:

C:\>ping 10.0.P.1

Pinging 10.0.P.1 with 32 bytes of data:

Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
Reply from 10.0.P.1: bytes=32 time<10ms TTL=255

Step 8 From your inside host, ping the outside host. Notice that by default, ICMP is not allowed inbound. This causes the echo reply to fail:

C:\>ping 192.168.P.2

Pinging 10.0.P.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Step 9 Enable echo replies from the outside to the inside with the conduit command:

pixP(config)# conduit permit icmp any any echo-reply

Step 10 From your inside host, ping the outside server:

C:\>ping 192.168.P.2

Pinging 192.168.P.2 with 32 bytes of data:

Reply from 192.168.P.2: bytes=32 time<10ms TTL=128
Reply from 192.168.P.2: bytes=32 time<10ms TTL=128
Reply from 192.168.P.2: bytes=32 time<10ms TTL=128
Reply from 192.168.P.2: bytes=32 time<10ms TTL=128

Step 11 Save your configuration:

pixP(config)# write memory

Task 2—Configure an Outbound ACL

Configure ACLs on the PIX Firewall that will satisfy the following:

■ Allow outbound web traffic

■ Deny outbound FTP traffic from your internal network to 192.168.P.2

■ Allow all other IP traffic

Step 1 Test web access to the outside server by completing the following steps:

1 Open a web browser on the inside client PC

2 Use the web browser to access the outside server by entering:

http://192.168.P.2

(where P = pod number)

You should be able to access the outside server.

Step 2 Test FTP access to the outside server:

On your inside client, attempt to access the outside server:

Start>Run> ftp 192.168.P.2
User: administrator
Password: (no password, just hit Enter)

User administrator logged in

You should be able to access the outside server via FTP.

Step 3 Enter an access-list command to create an ACL that allows the internal network Internet access:

pixP(config)# access-list ACLOUT permit tcp any any eq www

Step 4 Enter the access-group command to create an access group that will bind the ACL to an interface:

pixP(config)# access-group ACLOUT in interface inside

Step 5 Display the access list you configured. Observe the hit count:

pixP(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300

access-list ACLOUT; 1 elements

access-list ACLOUT line 1 permit tcp any any eq www (hitcnt=0)

Step 6 Test web access to the outside server by completing the following steps:

1 Open a web browser on the inside client PC

2 Use the web browser to access the outside server by entering:

http://192.168.P.2

You should be able to access the outside server.

Step 7 Test FTP access to the outside server:

On your inside client, attempt to access the outside server:

Start>Run> ftp 192.168.P.2

ftp: connect :Connection refused

ftp>

The FTP connection should fail due to the implicit deny at the end of the ACL.

Step 8 Display your access list again and note that the hit count has incremented:

pixP(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300

access-list ACLOUT; 1 elements

access-list ACLOUT line 1 permit tcp any any eq www (hitcnt=1)

Step 9 Remove the access-group command:

pixP(config)# no access-group ACLOUT in interface inside

Step 10 Add an additional command to the ACL to deny outbound FTP access to host 192.168.P.2:

pixP(config)# access-list ACLOUT deny tcp 10.0.P.0 255.255.255.0 host 192.168.P.2 eq ftp

Step 11 Add another access-list command statement to permit all other outbound IP traffic:

pixP(config)# access-list ACLOUT permit ip any any

Step 12 Bind the ACL to an interface by creating an access group:

pixP(config)# access-group ACLOUT in interface inside

Step 13 View your access list again:

pixP(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300

access-list ACLOUT; 3 elements
access-list ACLOUT line 1 permit tcp any any eq www (hitcnt=1)
access-list ACLOUT line 2 deny tcp 10.0.P.0 255.255.255.0 host 192.168.P.2 eq ftp (hitcnt=0)
access-list ACLOUT line 3 permit ip any any (hitcnt=0)

Step 14 Save your configuration:

pixP(config)# write memory

Task 3—Test and Verify the Outbound ACL

Perform the following steps to test your outbound ACL:

Step 1 Test web access to the outside server by completing the following sub-steps:

1 Open a web browser on the inside client PC

2 Use the web browser to access the outside server by entering:

http://192.168.P.2

(where P = pod number)

You should be able to access the outside server.

Step 2 Test FTP access to the outside server:

On your inside client, attempt to access the outside server:

Start>Run> ftp 192.168.P.2

ftp: connect :Connection refused

ftp>

You should be unable to access the outside server via FTP.

Step 3 Test FTP access to the DMZ server:

On your inside client, attempt to access the DMZ server:

Start>Run> ftp 172.16.1.50
User: administrator
Password: (no password, just hit Enter)

User administrator logged in

You should be able to access the DMZ server via FTP.

Task 4—Configure an Inbound ACL

Configure ACLs on the PIX Firewall that will satisfy the following:

■ Allow inbound web traffic from the outside network to your bastion host

■ Allow inbound FTP traffic from the outside network to your bastion host

■ Allow inbound ICMP traffic to your inside host

■ Deny all other inbound traffic

Step 1 View any conduits you created in previous exercises:

pixP(config)# show conduit

conduit permit icmp any any echo-reply (hitcnt=24)


Step 2 Remove any conduits you configured in previous exercises:

pixP(config)# no conduit permit icmp any any echo-reply

Step 3 Verify that the conduits have been removed:

pixP(config)# show conduit
pixP(config)#

Step 4 Add a static mapping for your bastion host:

pixP(config)# static (dmz, outside) 192.168.P.10 172.16.1.50

Step 5 Add a static mapping for your inside client:

pixP(config)# static (inside, outside) 192.168.P.11 10.0.P.2

Step 6 Verify the statics are correct:

pixP(config)# show static

static (dmz,outside) 192.168.P.10 172.16.1.50 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.P.11 10.0.P.2 netmask 255.255.255.255 0 0

Step 7 Test outside web access to the bastion host by completing the following steps:

1 Open a web browser on the outside server PC

2 Use the web browser to access the bastion host by entering: http://192.168.P.10

You should be unable to access the IP address of the static mapped to the bastion host. This is because the static simply maps an "outside" address to a DMZ address; it does not by itself allow any traffic to flow.

Step 8 Test FTP access to the bastion host by completing the following steps:

1 On your outside server, attempt to access the bastion host:

Start>Run> ftp 192.168.P.10

You should be unable to access your bastion host via FTP.

Step 9 Test ICMP access to the inside client by completing the following steps:

1 On your outside server, attempt to ping the inside client:

Start>Run> ping 192.168.P.11

You should be unable to ping the inside client.

Step 10 Create an ACL to permit inbound web and FTP access to the bastion host.

Step 12 Bind the ACL to the outside interface:

pixP(config)# access-group ACLIN in interface outside

Step 13 Display the access list and observe the hit counts:

pixP(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list ACLOUT; 3 elements
access-list ACLOUT line 1 permit tcp any any eq www (hitcnt=2)
access-list ACLOUT line 2 deny tcp 10.0.P.0 255.255.255.0 host 192.168.P.2 eq ftp (hitcnt=3)
access-list ACLOUT line 3 permit ip any any (hitcnt=0)
access-list ACLIN; 3 elements
access-list ACLIN line 1 permit tcp any host 192.168.P.10 eq www (hitcnt=0)
access-list ACLIN line 2 permit tcp any host 192.168.P.10 eq ftp (hitcnt=0)
access-list ACLIN line 3 permit icmp any host 192.168.P.11 echo (hitcnt=0)

Step 14 Save your configuration:

pixP(config)# write memory

Task 5—Test and Verify the Inbound ACL

Perform the following steps to test your inbound ACL:

Step 1 Test web access to the bastion host by completing the following steps:

1 Open a web browser on the outside server

2 Use the web browser to access the bastion host by entering: http://192.168.P.10

(where P = pod number)

You should now be able to access the IP address of the static mapped to the bastion host.

Step 2 Test FTP access to the bastion host by completing the following steps:

1 On your outside server, attempt to access the bastion host:

Start>Run> ftp 192.168.P.10

You should now be able to access your bastion host via FTP.

Step 3 Test ICMP echo access to the inside client by completing the following steps:

1 On your outside server, attempt to access the inside client:

Start>Run> ping 192.168.P.11

You should now be able to ping your inside client.

Step 4 Display the access lists again and observe the hit counts:

pixP(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list ACLOUT; 3 elements
access-list ACLOUT line 1 permit tcp any any eq www (hitcnt=2)
access-list ACLOUT line 2 deny tcp 10.0.P.0 255.255.255.0 host 192.168.P.2 eq ftp (hitcnt=3)
access-list ACLOUT line 3 permit ip any any (hitcnt=4)
access-list ACLIN; 3 elements
access-list ACLIN line 1 permit tcp any host 192.168.P.10 eq www (hitcnt=2)
access-list ACLIN line 2 permit tcp any host 192.168.P.10 eq ftp (hitcnt=1)
access-list ACLIN line 3 permit icmp any host 192.168.P.11 echo (hitcnt=4)
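The outbound and inbound ACL behaviour exercised in Tasks 2 to 5, as an added example that is not part of the lab or Cisco's code: a Python model of first-match ACL evaluation with the implicit deny, run over this lab's ACLOUT and ACLIN lines. It assumes pod number P=1 and models only the ACL decision (not the static translation or the icmp interface command); the inbound flows are matched on the static's global address, as the ACLIN lines on the page are written.

```python
# Added example (not Cisco's code): first-match PIX ACL evaluation with the implicit
# deny, fed this lab's ACLOUT/ACLIN lines with pod P=1 assumed; hitcnt mimics 'show access-list'.
import ipaddress

def _addr(t):  # consume one address spec: 'any', 'host A' or 'A MASK'; returns (network, rest)
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT] [ICMP-TYPE]' lines in order."""
    acl = []
    for line in lines:
        t = line.split()
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = {"www": 80, "ftp": 21}[rest[1]] if rest[:1] == ["eq"] else None
        icmp = rest[0] if t[3] == "icmp" and rest else None
        acl.append({"action": t[2], "proto": t[3], "src": src, "dst": dst,
                    "port": port, "icmp": icmp, "hitcnt": 0})
    return acl

def evaluate(acl, src, dst, proto, port=None, icmp=None):
    """First matching line wins; falling off the end of the list is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if (e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"]
                and e["port"] in (None, port) and e["icmp"] in (None, icmp)):
            e["hitcnt"] += 1
            return e["action"]
    return "deny"

ACLOUT = parse_acl(["access-list ACLOUT permit tcp any any eq www",
                    "access-list ACLOUT deny tcp 10.0.1.0 255.255.255.0 host 192.168.1.2 eq ftp",
                    "access-list ACLOUT permit ip any any"])
ACLIN = parse_acl(["access-list ACLIN permit tcp any host 192.168.1.10 eq www",
                   "access-list ACLIN permit tcp any host 192.168.1.10 eq ftp",
                   "access-list ACLIN permit icmp any host 192.168.1.11 echo"])

def lab_checks():
    """Task 3 and Task 5 test flows (pod 1); inbound flows use the static's global address."""
    return {
        "inside_web_to_outside": evaluate(ACLOUT, "10.0.1.2", "192.168.1.2", "tcp", 80),
        "inside_ftp_to_outside": evaluate(ACLOUT, "10.0.1.2", "192.168.1.2", "tcp", 21),
        "inside_ftp_to_dmz": evaluate(ACLOUT, "10.0.1.2", "172.16.1.50", "tcp", 21),
        "outside_web_to_bastion": evaluate(ACLIN, "192.168.1.2", "192.168.1.10", "tcp", 80),
        "outside_ping_inside": evaluate(ACLIN, "192.168.1.2", "192.168.1.11", "icmp", icmp="echo"),
        "outside_ftp_to_inside": evaluate(ACLIN, "192.168.1.2", "192.168.1.11", "tcp", 21),
    }
```

The last flow has no matching ACLIN line and falls through to the implicit deny, which is the same reason the FTP test in Task 2 Step 7 failed before the `permit ip any any` line was added.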

Task 6—Filter Malicious Active Code

Perform the following lab steps to configure the PIX Firewall to filter ActiveX and Java. You will not be able to test this task.

Step 1 Enter the filter activex command to block ActiveX from any local host and for connections to any foreign host on port 80:

pixP(config)# filter activex 80 0 0 0 0

Step 2 Enter the filter java command to block Java applets:

pixP(config)# filter java 80 0 0 0 0

Step 3 Use the following command to display the filters currently configured:

pixP(config)# show filter

filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Step 5 Save your configuration:

pixP(config)# write memory

Task 7—Configure the PIX Firewall to Work with a URL-Filtering Server

Perform the following steps to configure the PIX Firewall to work with a URL-filtering server:

Step 1 Enter the url-server command to designate the URL-filtering server:

pixP(config)# url-server (dmz) vendor n2h2 host 172.16.1.50 timeout 5 protocol

Step 3 Enter the filter url http command to prevent outbound users from accessing WWW URLs that are designated with the filtering application:

pixP(config)# filter url http 0 0 0 0 allow

Step 4 Use the following command to display the filters currently configured:

pixP(config)# show filter url

filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

Step 5 A URL-filtering server has been set up to allow traffic to your outside server, but not to allow access to the DMZ server.

Step 6 Test web access to the outside server by completing the following steps:

1 Open a web browser on the inside client PC

2 Use the web browser to access the outside server by entering:

http://192.168.P.2

You should be able to access the outside server.

Step 7 Test web access to the DMZ server by completing the following steps:

1 Open a web browser on the inside client PC

2 Use the web browser to access the DMZ server by entering:

http://172.16.1.50

You should be unable to access the DMZ server. You should see a message in the browser window that says that you are not authorized to view the page.

Note: If you are able to connect to the DMZ server, it is probably because the page is cached in the browser. Click on the Refresh button or go to View>Refresh to reload the page.

Step 8 Save your configuration:

pixP(config)# write memory

Posted: 16/11/2014, 19:51