Lab Exercise – Configure the PIX Firewall and a Cisco Router



Lab Exercise – Introduction to configuring Access Lists via Cisco Router SDM

Objectives

In this lab exercise you will complete the following task:

• Use Cisco SDM to configure access lists for the network consisting of three PCs.

Visual Objective

[pic]

Introduction

Access lists (ACLs) permit or deny network traffic over an interface based on source IP address, destination IP address, and/or protocol/service. Access lists are configured as standard or extended. A standard access list either permits or denies passage of packets from a designated source. An extended access list allows designation of both the destination and the source, and it allows individual protocols to be permitted or denied passage. An access list is a series of commands with a common tag to bind them together. The tag is either a number or a name.

ACLs can be considered the basis of a packet filtering firewall, and in this lab we will configure a few of them to see how they work. An ACL is always applied to a chosen Ethernet interface, in a given direction; this filters the traffic that passes through that interface.

In this lab we will use a graphical (GUI) interface, the Cisco Router and Security Device Manager (SDM), to configure ACLs.

Lab Assignment – Configure ACL via Cisco Router SDM

In our lab environment we have a network of three PCs, two of which (x5zero and Metra) are located on the 201.205.84.0 network, while the third one (Joker) is located on the 192.168.1.0 network. In the present setup we have no ACL configured, and traffic can travel unrestricted between the PCs. By looking at the visual objective and at the IP addresses of the PCs on your network, you should be able to determine which is which. (See setupnotes.doc for additional info.)

Step 1: Try pinging Joker from the x5zero and Metra PCs (take screenshots and add them to the report later). Next, try to telnet from either Metra or x5zero to Joker. To do so (in case you do not know how), go to either PC, click Start, choose Run, type cmd, and then type telnet 192.168.1.3

Username: telnet

Password: metrab

Important Information: As you saw in Step 1, you can easily ping and telnet to Joker from both PCs. The goal of this lab exercise is to allow only x5zero to ping Joker, while allowing only Metra to telnet to Joker. We will achieve this by creating three ACLs. The first will allow x5zero to ping Joker, by permitting ICMP packets to pass from FE1 to FE0. The second will allow Metra to telnet to Joker, by permitting TCP telnet packets from FE1 to FE0. Finally, the third will deny any other traffic that comes from FE1 to FE0. You may wonder how the other two can work if the third ACL denies all traffic. It is pretty simple: when a packet is filtered through the ACL, the router checks the entries in the order they were created, one by one, and as soon as a match is found the checking process stops and that entry decides what happens to the packet (for the first two entries, it is allowed through). In this way, the deny-all entry only comes into play if neither of the other two entries matched beforehand.

Step 2: Before we can create the first ACL we need to start SDM. Click the SDM shortcut on the desktop of the Configurator PC. The SDM launcher will appear; type 10.10.10.1 and click the Launch button. In case you are interested what 10.10.10.1 is: it is the IP address of VLAN1, the virtual interface you connect to through the switch Ethernet ports integrated into the Cisco 1800 router we are using for our ACLs.

[pic]

When you press the Launch button, a web browser will open and you will be prompted for a login and password (both are sra221). (If IE loads, it may ask you to enter the IP address again, and you will be asked for the login/password twice.)

The SDM main window should appear. Click on the Configure tab to continue.

[pic]

Now click on the Firewall and ACL tab located on the left (1). Then click on the Edit Firewall Policy/ACL tab (2). Make sure that in the Select Direction menu you have “from FastEthernet1” and “to FastEthernet0”. Next, click on the Add tab and choose Add New.

[pic]

Step 3: The Rule Entry window will open, and now it is time to configure the first ACL, which will allow x5zero to ping Joker. Configure the ACL as shown in the picture below and press the OK button.

[pic]

Step 4: When you press OK, you will get back to the Edit Firewall Policy/ACL menu.

Once again, click on the Add tab and Add Now. We need to configure the second ACL, which will allow Metra to telnet to Joker. Configure the ACL as shown below and press the OK button.

[pic]

Step 5: When you press OK, you will get back to the Edit Firewall Policy/ACL menu.

Once again, click on the Add tab and choose Add After, but make sure that you are adding this final rule after your second rule, not after the first!

Now we need to configure the last, third ACL, which will deny all other traffic to Joker. Configure the ACL as shown below and press the OK button.

[pic]

If you configured everything correctly, this is how your Edit Firewall Policy/ACL window should look:

[pic]

Step 6: Click the Apply Changes button located at the bottom of the window, so that the configuration is saved to the router's config file.

Step 7: Finally, we need to test our ACL configuration. If you configured everything correctly, you should be able to ping Joker only from x5zero and telnet to Joker only from Metra.
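As an added illustration (not part of the original lab, which builds the rules in the SDM GUI), the following Python models the first-match evaluation described in the Important Information above: the three entries of Steps 3 to 5 applied in the FE1-to-FE0 direction, checked against the Step 7 test traffic and against the mis-ordered list that Step 5 warns about. The x5zero and Metra addresses are placeholders, since the lab gives only their network; telnet is modelled as TCP port 23.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "icmp", "tcp", or "ip" (any protocol)
    src: str                      # source host address, or "any"
    dst: str                      # destination host address, or "any"
    dport: Optional[int] = None   # TCP destination port, None = any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

JOKER = "192.168.1.3"        # given in the lab text
X5ZERO = "201.205.84.10"     # placeholder: the lab gives only the 201.205.84.0 network
METRA = "201.205.84.11"      # placeholder: the lab gives only the 201.205.84.0 network

# The three entries in the order Steps 3-5 create them (direction FE1 -> FE0).
LAB_ACL = [
    Entry("permit", "icmp", X5ZERO, JOKER),      # Step 3: x5zero may ping Joker
    Entry("permit", "tcp", METRA, JOKER, 23),    # Step 4: Metra may telnet to Joker
    Entry("deny", "ip", "any", "any"),           # Step 5: everything else is dropped
]
# Step 5's warning: the same entries, but with the deny-all placed first.
MISORDERED_ACL = [LAB_ACL[2], LAB_ACL[0], LAB_ACL[1]]

def matches(e: Entry, p: Packet) -> bool:
    """True if entry e covers packet p; "any" and None act as wildcards."""
    return ((e.proto == "ip" or e.proto == p.proto)
            and e.src in ("any", p.src)
            and e.dst in ("any", p.dst)
            and (e.dport is None or e.dport == p.dport))

def evaluate(acl, p: Packet) -> str:
    """Walk the ACL top-down; the first matching entry decides.
    IOS ends every ACL with an implicit deny, modelled by the final return."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

# Constructed test packets corresponding to the Step 7 checks.
PING_FROM_X5ZERO = Packet("icmp", X5ZERO, JOKER)
TELNET_FROM_METRA = Packet("tcp", METRA, JOKER, 23)
TELNET_FROM_X5ZERO = Packet("tcp", X5ZERO, JOKER, 23)
PING_FROM_METRA = Packet("icmp", METRA, JOKER)
```

With the deny-all entry first, both permitted flows are dropped, which is exactly the ordering mistake Step 5 tells you to avoid.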

At this point you have finished the lab.

Here is the one question you need to answer in this lab report, in addition to the usual screenshots.

Provide examples of three possible ACLs, including source/destination IP addresses and services. (You cannot use the ACLs you used in the practical part of the lab.)

Report Writing Requirements

• The report must include a cover page. Among other things, the name of each group member must be put on the cover page.

• The contribution of each group member must be summarized in the report. That is, the report should report “who did what” in a clear way.

• The report must include a series of screen shots showing how the group conducts the lab step by step. Two or more screen shots may need to be associated with one step of the lab.
