172 Chapter 5 Context-Based Access Control Configuration
Hands-On Labs
The labs in this chapter will have you configure CBAC on a Cisco router. You will perform the following tasks:
Lab 5.1: Configure Logging and Audit Trails
Lab 5.2: Define and Apply Inspection Rules and ACLs
Lab 5.3: Test and Verify CBAC
The labs in this chapter are based on the corporate network example you’ve used for configuring the NAS and perimeter router throughout this book. (See the graphic in the “Introduction to CBAC Configuration” section.)
Lab 5.1: Configure Logging and Audit Trails
To configure logging and audit trails, complete the following steps:
1.Log in to your router and enter global configuration mode.
2.On your router, enable logging to the console and the Syslog server:
Lab_B(config)#logging on
Lab_B(config)#logging 192.168.254.251
3.Enable the audit trail on your router:
Lab_B(config)#ip inspect audit-trail
4.Save your configuration:
Lab_B(config)#^Z (Ctrl+Z)
Lab_B#copy run start
Lab 5.2: Define and Apply Inspection Rules and ACLs
To define and apply inspection rules and ACLs, complete the following steps:
1.Log in to your router and enter global configuration mode.
2.On your router, define a CBAC rule to inspect all TCP and FTP traffic:
Lab_B(config)#ip inspect name MYRULE tcp timeout 300
Lab_B(config)#ip inspect name MYRULE ftp timeout 300
3.Define the ACLs to allow outbound ICMP traffic and CBAC traffic (FTP and WWW). Block all other inside-initiated traffic:
Lab_B(config)#access-list 101 permit icmp any any
Lab_B(config)#access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq ftp
Lab_B(config)#access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq www
Lab_B(config)#access-list 101 deny ip any any
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Hands-On Labs 173
4.Define ACLs to allow inbound ICMP traffic and CBAC traffic (FTP and WWW) to the inside web server or FTP server. Block all other outside-initiated traffic:
Lab_B(config)#access-list 102 permit eigrp any any
Lab_B(config)#access-list 102 permit icmp any any
Lab_B(config)#access-list 102 permit tcp any host 172.16.1.2 eq ftp
Lab_B(config)#access-list 102 permit tcp any host 172.16.1.3 eq www
Lab_B(config)#access-list 102 deny ip any any
5.Apply the inspection rule and ACL to the inside interface:
Lab_B(config)#interface FastEthernet0/0
Lab_B(config-if)#ip inspect MYRULE in
Lab_B(config-if)#ip access-group 101 in
6.Apply the ACL to the outside interface:
Lab_B(config-if)#interface serial0
Lab_B(config-if)#ip access-group 102 in
7.Save your configuration:
Lab_B(config-if)#^Z
Lab_B#copy running-config startup-config
Lab 5.3: Test and Verify CBAC
To test and verify CBAC on your router, take the following steps:
1.Log in to your router and enter privileged mode.
2.Check the ACLs configured on your router:
Lab_B#show access-lists
3.On your router, use the following show commands to verify CBAC operation:
Lab_B#show ip inspect name MYRULE
Lab_B#show ip inspect config
Lab_B#show ip inspect interfaces
Lab_B#show ip inspect sessions
Lab_B#show ip inspect sessions detail
Lab_B#show ip inspect all
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |