CBAC LAB


Nmap

Port scanner. Nmap: the beef, Zenmap: GUI frontend

Findings before CBAC firewall

c. What services are running and available on R1 from the perspective of PC-C? Telnet and HTTP

d. In the Nmap scan output, refer to the TRACEROUTE information. How many hops are between PC-C and R1 and through what IP addresses? Three hops. The scan went from PC-C to the R3 Fa0/1 default gateway (192.168.3.1) to R2 S0/0/1 (10.2.2.2) and then to R1 S0/0/0 (10.1.1.1).


In Part 2 of this lab you configured a CBAC firewall on R1 and then used Nmap again to test access from external host PC-C to R1.

You used the AutoSecure IOS feature to enable CBAC. AutoSecure is a sort of dialog mode that automatically does things like disabling services.

Configure CBAC Firewall feature? [yes/no]: yes


Automatically generated configuration requires fine tuning

The AutoSecure CBAC firewall on R1 does not permit EIGRP hellos and neighbor associations to occur.

permit eigrp any any
permit udp any any eq bootpc


After CBAC config: the result of the port scan

When the R1 CBAC firewall is in place, what services are available on R1 and what is the status of R1 from the perspective of external PC-C? No services are detected. Nmap, run from PC-C, reports the status of host R1 10.1.1.1 as down.


c. Which protocols did AutoSecure configure to be inspected as they leave the S0/0/0 interface? Cuseeme, FTP, HTTP, RCMD, Realaudio, SMTP, TFTP, UDP and TCP.

d. To which interface is the ACL autosec_firewall_acl applied and in which direction? S0/0/0 inbound.

e. What is the purpose of the ACL autosec_firewall_acl? It allows bootp traffic to enter the S0/0/0 interface and blocks all other non-established connections from outside R1.


Step 2: From PC-A, ping the R2 external WAN interface.

a. From PC-A, ping the R2 interface S0/0/0 at IP address 10.1.1.2.

C:\>ping 10.1.1.2

b. Were the pings successful? Why or why not? No. The ICMP protocol was not included in the autosec_inspect list, so the pings that PC-A sends are blocked from returning.

Step 3: Add ICMP to the autosec_inspect list.

R1(config)#ip inspect name autosec_inspect icmp timeout 5

Step 4: From PC-A, ping the R2 external WAN interface.

a. From PC-A, ping the R2 interface S0/0/0 at IP address 10.1.1.2.

C:\>ping 10.1.1.2

b. Were the pings successful? Why or why not? Yes, ICMP is now included in the autosec_inspect list, so the ICMP replies for ICMP requests originating from within the R1 LAN are allowed to return.
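The results of Steps 2 to 4, the post-CBAC Nmap scan and the EIGRP fine tuning can be reproduced with a simplified Python model of the S0/0/0 policy (outbound inspection plus inbound ACL). This is an added example, not part of the original lab and not IOS code; the PC-A and PC-C host addresses are assumptions, and sessions are tracked without ports for brevity.

```python
from dataclasses import dataclass, field

PC_A, PC_C = "192.168.1.3", "192.168.3.3"   # assumed host addresses (not in the slides)
R1_WAN, R2_WAN = "10.1.1.1", "10.1.1.2"     # S0/0/0 addresses from the lab
EIGRP_MCAST = "224.0.0.10"                  # destination of EIGRP hellos

@dataclass
class CbacInterface:
    inspect: set                 # protocols inspected outbound (ip inspect ... out)
    acl_in: list                 # ordered (action, proto, dst_port); port None = any
    sessions: set = field(default_factory=set)

    def outbound(self, proto, src, dst):
        # An inspected protocol leaving the interface opens a temporary return path.
        if proto in self.inspect:
            self.sessions.add((proto, dst, src))

    def inbound(self, proto, src, dst, dst_port=None):
        # Return traffic of an inspected session bypasses the inbound ACL.
        if (proto, src, dst) in self.sessions:
            return "permit"
        for action, rule_proto, rule_port in self.acl_in:
            if rule_proto in (proto, "ip") and rule_port in (None, dst_port):
                return action
        return "deny"            # implicit deny that ends every IOS ACL

def autosecure_s000():
    # Inspect list and ACL as the lab answers describe them.
    inspect = {"cuseeme", "ftp", "http", "rcmd", "realaudio", "smtp", "tftp", "udp", "tcp"}
    return CbacInterface(inspect, [("permit", "udp", 68)])   # 68 = bootpc

def ping_r2(fw):
    fw.outbound("icmp", PC_A, R2_WAN)          # echo request leaves S0/0/0
    return fw.inbound("icmp", R2_WAN, PC_A)    # echo reply arrives on S0/0/0

def walkthrough():
    fw, seen = autosecure_s000(), {}
    seen["nmap_telnet"] = fw.inbound("tcp", PC_C, R1_WAN, 23)   # unsolicited probe
    seen["ping_before"] = ping_r2(fw)
    fw.inspect.add("icmp")                     # Step 3: add ICMP to autosec_inspect
    seen["ping_after"] = ping_r2(fw)
    seen["eigrp_before"] = fw.inbound("eigrp", R2_WAN, EIGRP_MCAST)
    fw.acl_in.insert(0, ("permit", "eigrp", None))   # permit eigrp any any
    seen["eigrp_after"] = fw.inbound("eigrp", R2_WAN, EIGRP_MCAST)
    return seen

if __name__ == "__main__":
    for check, verdict in walkthrough().items():
        print(f"{check:13} {verdict}")
```

EIGRP hellos arrive unsolicited on S0/0/0, so no outbound inspection entry ever matches them; in this model, as in the lab, only the added ACL permit lets them through.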