


Activity Objective:
  • Configure the security appliance to allow users on the inside interface to access the bastion host.
  • Establish a connection from the inside host to the backbone router.
First, assign PAT and allow Internet access through the RBB router:
- Enable the NAT configuration requirement:
PIX(config)# nat-control
- Assign one pool of NIC-registered IP addresses for use by outbound connections (a single address, as here, makes the PIX use PAT on that interface):
PIX(config)# global (outside) 1 10.10.10.4 netmask 255.255.255.0
- Configure the security appliance to allow inside hosts to use NAT for outbound access:
PIX(config)# nat (inside) 1 192.168.3.0 255.255.255.0
- Assign a default route.
PIX(config)# route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

Task 1: Configure the Security Appliance to Allow Users on the Inside Interface to Access the Bastion Host.

Assign one pool of IP addresses for inside hosts going to the public DMZ (only one address is needed here; with a single address the PIX firewall automatically uses PAT). The NAT ID 1 matches the nat (inside) 1 statement above, so the same inside network is translated on the DMZ interface as well. With nat-control enabled, no inside-to-DMZ traffic passes until this global exists.
PIX(config)#global (dmz) 1 192.168.4.4 netmask 255.255.255.0

Testing succeeded: the inside host can now reach the bastion host.
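The steps above assembled into one configuration, as an added example that is not the lab's own config. The hostname, interface names, security levels, interface addresses and the addresses behind the insidehost and bastionhost names are assumptions; the nat-control, nat, global and route lines are the ones the lab uses.

```cisco
! Added example: complete PIX 6.x configuration for the NAT/PAT part of the lab.
! Everything marked "assumed" is not in the lab notes.
hostname pixfirewall
names
! assumed addresses behind the host names seen in the show output
name 192.168.3.2 insidehost
name 192.168.4.2 bastionhost
! assumed interface layout: default security levels for inside/outside,
! a mid-level DMZ so inside > dmz > outside
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
! assumed interface addresses on the lab subnets
ip address outside 10.10.10.2 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.4.1 255.255.255.0
!
! With nat-control on, a packet arriving on a higher-security interface is
! dropped unless a translation exists for it, so the inside network needs a
! global pool on EVERY lower-security interface it is supposed to reach.
nat-control
nat (inside) 1 192.168.3.0 255.255.255.0
! NAT ID 1 ties the nat statement to one global pool per egress interface.
! A single address (no range) makes the PIX use PAT on that interface.
global (outside) 1 10.10.10.4 netmask 255.255.255.0
global (dmz) 1 192.168.4.4 netmask 255.255.255.0
!
! Default route toward the RBB backbone router
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
```

To check it, telnet from the inside host to 10.10.10.1 and ssh to the bastion host, then run show xlate: the inside host should appear behind 10.10.10.4 for the outside connection and behind 192.168.4.4 for the DMZ one. If the DMZ connection is missing and syslog reports no translation group found, the global (dmz) 1 line is absent or its NAT ID does not match the nat (inside) statement.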




Task 2: Establish a Telnet Connection to the Backbone Router
NOTE: By default the PIX firewall does not allow PING to the OUTSIDE and DMZ interfaces.

Telnet from the inside user host to the backbone router (10.10.10.1).



Observe the translation table:
show xlate
clear xlate
show arp
show conn

Observe the local host table:
show local-host insidehost (insidehost is a name that has been assigned to an IP address with the name command, so it appears in place of the address in the output)

pixfirewall# show xlate
19 in use, 22 most used
PAT Global 10.10.10.4(1200) Local insidehost(22352)
PAT Global 10.10.10.4(1199) Local insidehost(22350)
PAT Global 10.10.10.4(1198) Local insidehost(22348)
PAT Global 10.10.10.4(1197) Local insidehost(22346)
PAT Global 10.10.10.4(1196) Local insidehost(22344)
PAT Global 10.10.10.4(1195) Local insidehost(22343)
PAT Global 10.10.10.4(1194) Local insidehost(22341)
PAT Global 10.10.10.4(1193) Local insidehost(22339)
PAT Global 10.10.10.4(1192) Local insidehost(22337)
PAT Global 10.10.10.4(1191) Local insidehost(22335)
PAT Global 10.10.10.4(1190) Local insidehost(22333)
PAT Global 10.10.10.4(1189) Local insidehost(22331)
PAT Global 10.10.10.4(1188) Local insidehost(22329)
PAT Global 10.10.10.4(1187) Local insidehost(22328)
PAT Global 10.10.10.4(1186) Local insidehost(22326)
PAT Global 10.10.10.4(1185) Local insidehost(22324)

pixfirewall# show local-host insidehost
Interface dmz: 1 active, 1 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: ,
TCP flow count/limit = 7/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Xlate:
PAT Global 10.10.10.4(1209) Local insidehost(22373)
PAT Global 10.10.10.4(1208) Local insidehost(22370)
PAT Global 10.10.10.4(1207) Local insidehost(22368)
PAT Global 10.10.10.4(1206) Local insidehost(22365)
PAT Global 10.10.10.4(1205) Local insidehost(22362)
PAT Global 10.10.10.4(1204) Local insidehost(22360)
PAT Global 10.10.10.4(1203) Local insidehost(22358)
PAT Global 10.10.10.4(1202) Local insidehost(22357)
PAT Global 10.10.10.4(1201) Local insidehost(22354)
PAT Global 10.10.10.4(1200) Local insidehost(22352)
PAT Global 10.10.10.4(1199) Local insidehost(22350)
PAT Global 10.10.10.4(1198) Local insidehost(22348)
PAT Global 10.10.10.4(1197) Local insidehost(22346)
PAT Global 10.10.10.4(1167) Local insidehost(22278)
PAT Global 192.168.4.4(1026) Local insidehost(22185)
Conn:
TCP out 9.17.136.12:1533 in insidehost:22373 idle 0:00:03 bytes 0 flags saA
TCP out 9.190.234.111:1352 in insidehost:22370 idle 0:00:11 bytes 0 flags saA
TCP out 9.190.234.111:1352 in insidehost:22368 idle 0:00:15 bytes 0 flags saA
TCP out 9.190.234.111:1352 in insidehost:22365 idle 0:00:19 bytes 0 flags saA
TCP out 9.190.234.111:1352 in insidehost:22362 idle 0:00:23 bytes 0 flags saA
TCP out 10.10.10.1:23 in insidehost:22278 idle 0:03:13 bytes 178 flags UIO
TCP out bastionhost:22 in insidehost:22185 idle 0:06:29 bytes 7247 flags UIO
Interface outside: 3 active, 8 maximum active, 0 denied

Summary:
1. ACL essentials:
+ Remember security levels (ASA rules): traffic from a higher to a lower security level is outbound, lower to higher is inbound.
+ An interface ACL permits or denies the initial inbound packet on that interface; return traffic of an established connection is allowed by the connection table.
+ If there is no ACL on an interface, outbound packets are permitted by default and inbound packets are denied.

+ From higher to lower security level: use an ACL only to restrict outbound packets. The ACL source address is the actual, untranslated address of the host or network.
+ From lower to higher security level: an ACL is required to enable inbound traffic, and it further restricts which inbound protocols are allowed.
+ In that inbound ACL the destination address is the translated (global) IP address, because ACLs are always processed before the PIX does any translation. (This is PIX 6.x/7.x behaviour; on ASA 8.3 and later the ACL uses the real address.)
2. Basic configuration.
3. Generating syslogs.
4. Turbo ACL's
5. ACL scenarios.
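The two address rules from the summary as an added configuration example, not part of the lab, layered on the NAT configuration above. The bastion host's real address 192.168.4.2, its outside static 10.10.10.5 and the ACL names are assumptions; 10.10.10.1, 10.10.10.4, 192.168.4.4 and 192.168.3.0/24 are from the lab.

```cisco
! Added example: ACL addressing on PIX 6.x (assumed values marked).
!
! Lower to higher (outside -> dmz). Inbound is denied until an ACL permits it.
! Because the ACL is checked before translation, its destination is the
! translated global address 10.10.10.5 (assumed static), not the real
! 192.168.4.2 (assumed). On ASA 8.3+ you would write the real address instead.
static (dmz,outside) 10.10.10.5 192.168.4.2 netmask 255.255.255.255
access-list outside_in permit tcp any host 10.10.10.5 eq 22
access-group outside_in in interface outside
!
! Higher to lower (inside -> outside/dmz). Everything is permitted by default;
! an ACL here can only restrict, and its source is the real, untranslated
! inside network, never the 10.10.10.4 / 192.168.4.4 PAT addresses.
! Allow telnet only to the backbone router and ssh only to the bastion host
! (reached at its real DMZ address, since only the source is translated on
! the inside->dmz path); leave the rest of outbound traffic as it was.
access-list inside_out permit tcp 192.168.3.0 255.255.255.0 host 10.10.10.1 eq 23
access-list inside_out deny tcp 192.168.3.0 255.255.255.0 any eq 23
access-list inside_out permit tcp 192.168.3.0 255.255.255.0 host 192.168.4.2 eq 22
access-list inside_out deny tcp 192.168.3.0 255.255.255.0 any eq 22
access-list inside_out permit ip 192.168.3.0 255.255.255.0 any
access-group inside_out in interface inside
```

A quick way to tell the two rules apart when an ACL "does not match": if the rule is on the lower-security interface and you wrote the real address, or on the higher-security interface and you wrote the global address, the hit counters in show access-list stay at zero while the connection is silently dropped or unexpectedly allowed by the default behaviour.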
