
172 Chapter 5 Context-Based Access Control Configuration

Hands-On Labs

The labs in this chapter will have you configure CBAC on a Cisco router. You will perform the following tasks:

Lab 5.1: Configure Logging and Audit Trails

Lab 5.2: Define and Apply Inspection Rules and ACLs

Lab 5.3: Test and Verify CBAC

The labs in this chapter are based on the corporate network example you’ve used for configuring the NAS and perimeter router throughout this book. (See the graphic in the “Introduction to CBAC Configuration” section.)

Lab 5.1: Configure Logging and Audit Trails

To configure logging and audit trails, complete the following steps:

1. Log in to your router and enter global configuration mode.

2. On your router, enable logging to the console and the Syslog server:

Lab_B(config)#logging on

Lab_B(config)#logging 192.168.254.251

3. Enable the audit trail on your router:

Lab_B(config)#ip inspect audit-trail

4. Save your configuration:

Lab_B(config)#^Z (Ctrl+Z)

Lab_B#copy run start

Lab 5.2: Define and Apply Inspection Rules and ACLs

To define and apply inspection rules and ACLs, complete the following steps:

1. Log in to your router and enter global configuration mode.

2. On your router, define a CBAC rule to inspect all TCP and FTP traffic:

Lab_B(config)#ip inspect name MYRULE tcp timeout 300

Lab_B(config)#ip inspect name MYRULE ftp timeout 300

3. Define the ACLs to allow outbound ICMP traffic and CBAC traffic (FTP and WWW). Block all other inside-initiated traffic:

Lab_B(config)#access-list 101 permit icmp any any

Lab_B(config)#access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq ftp

Lab_B(config)#access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq www

Lab_B(config)#access-list 101 deny ip any any

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com


4. Define ACLs to allow inbound ICMP traffic and CBAC traffic (FTP and WWW) to the inside web server or FTP server. Block all other outside-initiated traffic:

Lab_B(config)#access-list 102 permit eigrp any any

Lab_B(config)#access-list 102 permit icmp any any

Lab_B(config)#access-list 102 permit tcp any host 172.16.1.2 eq ftp

Lab_B(config)#access-list 102 permit tcp any host 172.16.1.3 eq www

Lab_B(config)#access-list 102 deny ip any any

5. Apply the inspection rule and ACL to the inside interface:

Lab_B(config)#interface FastEthernet0/0

Lab_B(config-if)#ip inspect MYRULE in

Lab_B(config-if)#ip access-group 101 in

6. Apply the ACL to the outside interface:

Lab_B(config-if)#interface serial0

Lab_B(config-if)#ip access-group 102 in

7. Save your configuration:

Lab_B(config-if)#^Z

Lab_B#copy running-config startup-config
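As an added illustration (not from the book), the following Python model of the Lab 5.2 access lists and the MYRULE inspection rule shows why the final deny in ACL 102 does not break inside-initiated web sessions: CBAC records the outbound session and opens a matching temporary entry for the return traffic, while anything the Internet initiates must still match a static entry. The host and port values in the usage are constructed, and the model only handles contiguous wildcard masks such as 0.0.0.255.

```python
import ipaddress

def net(spec):
    """ACL address forms from the lab: 'any', 'host A', or 'A WILDCARD' (contiguous mask)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    addr, wildcard = spec.split()
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

# Entries are (action, protocol, source, destination, destination port), in book order.
ACL_101 = [  # inbound on FastEthernet0/0: what inside hosts may initiate
    ("permit", "icmp", "any", "any", None),
    ("permit", "tcp", "172.16.1.0 0.0.0.255", "any", 21),  # eq ftp
    ("permit", "tcp", "172.16.1.0 0.0.0.255", "any", 80),  # eq www
    ("deny", "ip", "any", "any", None),
]
ACL_102 = [  # inbound on serial0: what outside hosts may initiate
    ("permit", "eigrp", "any", "any", None),
    ("permit", "icmp", "any", "any", None),
    ("permit", "tcp", "any", "host 172.16.1.2", 21),
    ("permit", "tcp", "any", "host 172.16.1.3", 80),
    ("deny", "ip", "any", "any", None),
]

def acl_permits(acl, proto, src, dst, dport):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, p, s, d, port in acl:
        if p not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in net(s) or ipaddress.ip_address(dst) not in net(d):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False

class CbacRouter:
    def __init__(self, inspect_tcp=True):
        self.inspect_tcp = inspect_tcp  # False models the same ACLs with no inspection
        self.sessions = set()           # (src, sport, dst, dport) of inspected TCP flows
    def from_inside(self, proto, src, sport, dst, dport):
        ok = acl_permits(ACL_101, proto, src, dst, dport)
        if ok and proto == "tcp" and self.inspect_tcp:
            self.sessions.add((src, sport, dst, dport))  # CBAC records the session
        return ok
    def from_outside(self, proto, src, sport, dst, dport):
        # Return traffic of an inspected session uses CBAC's temporary opening in ACL 102.
        if proto == "tcp" and (dst, dport, src, sport) in self.sessions:
            return True
        return acl_permits(ACL_102, proto, src, dst, dport)
```

Running the same return packet through a CbacRouter built with inspect_tcp=False shows the behaviour the static ACLs alone would give: the reply is dropped by the final deny in ACL 102.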

Lab 5.3: Test and Verify CBAC

To test and verify CBAC on your router, take the following steps:

1. Log in to your router and enter privileged mode.

2. Check the ACLs configured on your router:

Lab_B#show access-lists

3. On your router, use the following show commands to verify CBAC operation:

Lab_B#show ip inspect name MYRULE

Lab_B#show ip inspect config

Lab_B#show ip inspect interfaces

Lab_B#show ip inspect sessions

Lab_B#show ip inspect sessions detail

Lab_B#show ip inspect all
