Lab 6
Rich Macfarlane
2.2 Details
Aim: The aim of this lab is to introduce Firewall concepts, using Cisco Static Packet Filters to
apply basic security measures to Network devices. This will lay a foundation for more
complex Firewall architectures.
2.3 Activities
1.2.1 Set up the GNS3, or Physical Router, Topology
Run the GNS3 network simulator (as administrator).
Configure GNS3 Preferences, and Images if necessary, as described in previous labs. Configure
the interfaces, and test connectivity. Once the GNS3 topology shown below is created,
configure the router (the configuration in Appendix A can be pasted into the router console as
a shortcut).
Add 2 routers and configure slots to include at least 3 Ethernet interfaces on each router, as
shown below. Add virtual switches to the topology, and cable all network devices together, as
shown below. Labels can also be added by clicking the interface names button, then double
clicking the labels and adding the IP Addresses. Add your host machine or VM to the topology, as
described previously.
The Adding VMs to GNS3 guide is available in the following document:
www.dcs.napier.ac.uk/~cs342/CSN11111/GNSAddVM.pdf
Starting Topology
Configure the router interfaces as specified in the figure above. The router starting
configurations in Appendix A can be used as a shortcut (cut and paste), or as a guide to
configuring the interfaces. Remember to enable the interfaces with the no shut command.
Run the task manager (and keep it running), and check CPU usage. Recalculate the idlepc
value for the router type, until the CPU usage decreases.
Test connectivity, from each router, to each local router interface, and to each of the other
router's interfaces, as shown below.
From R2:
From R1:
etc
Questions
Check the routing table on each router using the show ip route command. This should
To test connectivity from the four networks attached to the routers, such as the 192.168.50.0
and 192.168.60.0 networks, we can use the extended ping command. The source address can
be entered, so the packets appear to be sent from that address rather than from the router's
outgoing interface. For example, from the R2 router:
R2# ping
Protocol [ip]:
Target IP address: 192.168.2.5
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.50.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.50.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/116/192 ms
R2#
192.168.50.5 to 192.168.10.5
192.168.50.5 to 192.168.2.5
192.168.60.5 to 192.168.10.5
Network Security Access Control Rich Macfarlane 3
192.168.60.5 to 192.168.2.5
Questions
1.2.2 Basic Static Packet Filtering using Cisco Access Control Lists (ACLs)
Cisco Access Control Lists (ACLs) provide static packet filtering on Cisco network devices. ACLs are
also the basis of creating stateful packet filtering firewalls, both on routers, and on Cisco firewall
hardware appliances (PIX/ASA). Packet filtering is done at Layers 3 and 4 of the TCP/IP network
model as shown below.
[Figure: layered network model, 7. Application down to 2. Data Link (Ethernet, ATM / Network Access) and 1. Physical, with ACL packet filtering acting at Layers 3 and 4]
An Access Control List is a packet filtering ruleset, consisting of a list of packet filtering rules, which
are entered into the router Command Line Interface (CLI). Each rule consists of the Access List Id,
which can be a number or name, an Action - Permit or Deny, and the filtering rule itself.
Each rule in the ruleset is compared to the contents of the Layer 3 and Layer 4 packet header
information of each packet in the traffic being filtered.
An implicit deny all rule is automatically added to the end of the ruleset, so the ruleset has a closed
security stance by default. An explicit deny all and log rule can be added so that packets which
don't match any of the rules in the ruleset are logged.
Standard ACLs
Standard ACLs can filter traffic based on source IP address only, so they only filter at Layer 3. The
destination IP Address and (Layer 4) TCP information is ignored, so only basic filtering can be
performed.
Each rule in a Standard Named ACL offers the same options as a standard numbered ACL:
Router(config-std-nacl)# {permit | deny} {source [source-wildcard] | any}
[Figure: Router 1, with interface fa1/0 facing the Trusted, Internal Network]
The ACL will be applied inbound on the R1 f1/0 interface. Every ACL ruleset has an implicit
deny any as the last rule in the rule set, which causes all traffic that has not matched a rule
in the ACL to be blocked. For this reason, add the permit any statement to the end of the
ACL.
There are 2 steps to an ACL: 1. the ACL filtering rules are created, 2. the ACL is applied to an
interface, in either an inbound or outbound direction:
1. Create a Standard Named ACL:
On Router1 create a standard ACL using the following commands:
R1# config t
R1(config)# ip access-list standard BLOCK_50_NET
We enter standard ACL configuration mode (note the router prompt change). Add a rule to
the ACL that uses the deny action to drop any packets from the 192.168.50.0/24 source
network, and logs to the console for each matched packet.
R1(config-std-nacl)# deny 192.168.50.0 0.0.0.255 log
Add a 3rd rule to explicitly deny all other traffic (for good practice only).
R1(config-std-nacl)# deny any
The optional log parameter was used, so if the deny rule matches a packet, as well as
dropping the packet, it should log the packet information and the action taken, locally or to a
logging server.
Check the ACL was created, and applied to the interface correctly, by viewing R1's running
configuration.
Questions
Q: Did R1 console display any log information? If so what was the message logged?
In the R1 router console you should see the log of the packets being dropped, as shown below:
From Router 2, you should get something similar to the following, where the ping from the R2
router to 192.168.10.5 is successful, but a ping from the 192.168.50.0 network gets no
response as it is being blocked.
Extended ACLs
Extended ACLs filter packets based on (Layer 3) Source and Destination IP Addresses, (Layer
4) Source and Destination TCP and UDP Ports, and Protocol (IP, ICMP, TCP, UDP). The
example below allows all traffic from Bob's subnet to any destination web server, out on the
Internet (TCP Protocol & Port=80).
Command Syntax:
The extended ACL rule command allows more parameters for each rule:
Router(config-ext-nacl)# {permit | deny} protocol source-address [source-wildcard] [operator operand]
                         destination-address [destination-wildcard] [operator operand] [established]
Example:
Router(config)# ip access-list extended INBOUND_FROM_INTERNET
Router(config-ext-nacl)# remark Block Invalid Source Addresses From Internet
Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any log
Router(config-ext-nacl)# deny ip 0.0.0.0 0.255.255.255 any log
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any log
Router(config-ext-nacl)# permit ip any 146.1.1.0 0.0.0.255
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit
Router(config)#
Router(config)# interface s0
Router(config-if)# ip access-group INBOUND_FROM_INTERNET in
Figure 1: Named ACL created and applied to the boundary router's s0 interface, to filter inbound traffic (the figure shows Bob's host and the addresses 146.1.1.1 and 146.1.1.2)
Configure an Extended ACL
The following ACL is to enforce a policy that users on the 192.168.10.5 network are not
allowed access to the Servers on the 192.168.60.5 network. This requires an extended ACL as
source and destination addresses and specific services in the traffic are to be filtered.
1. Create an Extended Named ACL on Router2:
R2# config t
R2(config)# ip access-list extended BLOCK_10_60
We enter extended ACL configuration mode. Add a rule to the ACL that uses the deny action to
drop any packets from the 192.168.10.0/24 source network destined for the
192.168.60.0/24 network, and log to the console for each matched packet.
R2(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255 log
Permit all other traffic. Note: the protocol, source and destination networks have to be
specified for the extended ACL rule.
R2(config-ext-nacl)# permit ip any any
Explicit deny all other traffic (Cisco ACLs always have an implicit deny, so it is good practice to
make it explicit for clarity).
R2(config-ext-nacl)# deny ip any any
Check the ACL was created, and applied to the interface correctly, by viewing R2's running
configuration.
The interfaces and ACL ruleset should be displayed like the following:
On R2, check that no packets have matched the ACL rules yet, using the following command:
R2# show ip access-lists
Extended IP access list BLOCK_10_60
10 deny ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255 log
20 permit ip any any
30 deny ip any any
R2#
From R1, test the ACL by pinging the 192.168.60.0 network directly from the router. Then
use an extended ping from 192.168.2.5 to 192.168.60.5, and then from 192.168.10.5 to
192.168.60.5.
Q: Which ping succeeded?
In the R2 router console you should see the log of the packets being dropped, as shown below.
This is just like any firewall log, and can be configured to be written to a central logging server.
You should get something similar to the following: the ping from the router to the 192.168.60.0 network is
fine, but the extended ping from the unauthorised 192.168.10.5 network is correctly blocked.
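To make the first-match evaluation, wildcard masks and implicit deny described for both standard and extended ACLs concrete, here is an added Python simulator (example code written for this page, not part of the lab and not how IOS implements ACLs). It parses rules in the lab's own syntax and replays the lab's ping tests; port operators and the established keyword are not modelled, and the rulesets are reconstructed from the lab text (BLOCK_50_NET includes the permit any the lab asks for).

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _take_addr(toks, i):
    """Consume one address spec ('any', 'host A', 'A WILDCARD' or bare 'A') at toks[i]."""
    if toks[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(toks) and toks[i + 1][0].isdigit():  # explicit wildcard follows
        return (toks[i], toks[i + 1]), i + 2
    return (toks[i], "0.0.0.0"), i + 1  # no wildcard given: exact host, as IOS assumes

def parse_rule(line, extended):
    """Parse a permit/deny line (port operators are not modelled); remarks return None."""
    toks = line.split()
    if toks[0] == "remark":
        return None
    proto, i = (toks[1], 2) if extended else ("ip", 1)
    src, i = _take_addr(toks, i)
    dst, i = _take_addr(toks, i) if extended else (("0.0.0.0", "255.255.255.255"), i)
    return {"action": toks[0], "proto": proto, "src": src, "dst": dst,
            "log": "log" in toks[i:], "text": line}

def build_acl(lines, extended):
    return [r for r in (parse_rule(l, extended) for l in lines) if r]

def evaluate(acl, src, dst, proto="icmp"):
    """Top-down, first match wins; unmatched packets hit the implicit deny at the end."""
    for r in acl:
        if r["proto"] in ("ip", proto) and wildcard_match(src, *r["src"]) and wildcard_match(dst, *r["dst"]):
            return r["action"], r["text"]
    return "deny", "implicit deny any"

# Rulesets from the lab (reconstructed here from the lab text, not captured from a router)
BLOCK_10_60 = build_acl(["deny ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255 log",
                         "permit ip any any", "deny ip any any"], extended=True)
BLOCK_50_NET = build_acl(["deny 192.168.50.0 0.0.0.255 log", "permit any", "deny any"], False)
REMOTE_ACCESS = build_acl(["remark SysAdmin Remote Access", "permit host 192.168.2.2",
                           "deny any log"], False)

if __name__ == "__main__":  # the lab's ping tests, replayed against the rulesets
    for acl, s, d in [(BLOCK_10_60, "192.168.10.5", "192.168.60.5"), (BLOCK_10_60, "192.168.2.5", "192.168.60.5"),
                      (BLOCK_50_NET, "192.168.50.5", "192.168.10.5"), (REMOTE_ACCESS, "192.168.10.2", "192.168.2.5")]:
        print(f"{s} -> {d}: {evaluate(acl, s, d)}")
```

Dropping the permit rule from any of these rulesets (as in a freshly started ACL) makes every unlisted source fall through to the implicit deny, which is why hosts that are not named in an ACL are still blocked.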
On R2 use the following to show how many packets have matched the ACL rules, and been
dropped or passed by which rules:
[Figure: System Administrator host 192.168.2.2 reaching the router's vty 0-4 lines via s0, with Bob (192.168.10.2) and Eve attached to the other router interfaces]
Router(config)# ip access-list standard REMOTE_ACCESS
Router(config-std-nacl)# remark SysAdmin Remote Access
Router(config-std-nacl)# permit host 192.168.2.2
Router(config-std-nacl)# deny any log
From the R2 router, using its Telnet client, test the Telnet access to the R1 Telnet server:
Test the telnet access using Putty, from the host (or VM) machine on the 192.168.2.0 network.
We enter standard ACL configuration mode. Add a rule to the ACL that uses the permit action
to allow any packets from the source host 192.168.2.2, and logs to the console for each
matched packet.
R1(config-std-nacl)# remark SysAdmin Remote Access
R1(config-std-nacl)# permit 192.168.2.2 0.0.0.0 log
Check the ACL was created, and applied to the interfaces correctly, by viewing R1's running
configuration. See below:
Test the telnet access using Putty, from the host (or VM) machine on the 192.168.2.0 network.
Q: Was the Telnet connection successful?
From R2:
Q: Why do connections from other networks fail, even though they are not listed in the ACL?
Change the BLOCK_10_60 ACL to also block traffic from the 192.168.2.0 network. First copy
the ACL from the R2 router's running config and paste it into a text editor. Then remove the ACL
from the interface on R2.
R2(config)# interface f0/0
R2(config-if)# no ip access-group BLOCK_10_60 in
R2(config-if)# exit
Add a rule to the ACL to block access from the 192.168.2.0 network, and change the name of
the ACL to BLOCK_ALL_60.
Create the new rule by pasting the text from the editor into the command line:
R2# config t
R2(config)# ip access-list extended BLOCK_ALL_60
...
Test connectivity from the router to the new virtual server, as shown below.
Test that other traffic from the 192.168.10.0 and 10.1.1.0 networks cannot get to the
server.
R1
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
ip cef
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
interface FastEthernet0/0
description to the 192.168.10.0/24 network
ip address 192.168.10.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description int to the 192.168.2.0/24 network
ip address 192.168.2.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
router rip
network 0.0.0.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
control-plane
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
R2
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
log config
hidekeys
!
!
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.50.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 192.168.60.5 255.255.255.0
duplex auto
speed auto
!
router rip
network 0.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
control-plane
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
R2
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.252
ip access-group BLOCK_10_60 in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.50.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 192.168.60.5 255.255.255.0
duplex auto
speed auto
!
router rip
network 0.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip access-list extended BLOCK_10_60
deny ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255 log
permit ip any any
deny ip any any
!
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end