FSU CIS 5930 - Assignment
Introduction to Firewalls using Cisco ACLs

The goal of this lab is to implement a hardware firewall solution using the access control lists on a Cisco 2500 series router. You will need to turn in a hard copy of your running-config file FOR EACH SCENARIO for this assignment.

NOTE: The scenarios will require some router configurations that were presented in the Cisco IOS presentation, so please download it and review it if you have any questions. Google is still your friend! While not required, it helps if you draw a topology diagram for the assignment scenarios so you can visualize the network.

Preparing the Router

The two most popular methods that network engineers use to connect to a Cisco router are via the Console Port and via Telnet.

1. Connecting locally via the Console Port requires an RJ-45 rollover cable and an RJ-45 to DB9 serial adapter. Due to the lack of availability of rollover cables from the Systems Group, we cannot use this method of connection.
2. Connecting remotely via Telnet requires that the router be set up to receive Telnet connections, as it does not do so out of the box. There will be one rollover cable that we will use to set up each router to receive Telnet connections. To set up the Cisco router to receive connections you must:
   a. Connect the RJ-45 end of the rollover cable to the CONSOLE port on the Cisco router and connect the DB9 end to the serial port on your Windows machine.
   b. Plug the AUI into eth0 and assign an IP address to eth0. You may now bring up the interface.
      i. The command ip address 10.0.0.1 255.255.255.0, entered in interface-configuration mode, assigns the IP address 10.0.0.1 with a 255.255.255.0 subnet mask to the interface.
      ii. The command no shutdown, entered in interface-configuration mode, brings up the interface.
   c. Assign a password to vty lines 0 through 4 and require password verification at login (choose your own password). This activates Telnet on the router.
   d. Assign eth0 of your Windows machine an IP address on the same subnet as eth0 of the Cisco router. Make sure that the default gateway of the Windows machine is the IP address of eth0 on the Cisco router.
   e. Plug one end of the crossover CAT5e cable into the AUI and plug the other end into your Windows machine's eth0.
   f. Test your Telnet connection.

If Telnet is insecure, why does Cisco still support Telnet as its default remote console protocol? Describe a network topology that would secure the Telnet session as much as possible if one had to Telnet to the router from within the LAN. What about if one had to Telnet to the router from over a WAN? What about if one had to Telnet to the router from over the Internet?

Basic Cisco Router Setup and Lockdown

Now you will be setting up the remaining router parameters and locking down the Cisco router (this is to get you used to the IOS interface).

1. Make the router's hostname your team name.
2. Set the console password to one of your choosing.
3. Set the enable password to one of your choosing.
4. Set the enable secret password to one of your choosing.
5. Prevent logon from line aux 0.
6. Save the running-config to the startup-config, restart the router and make sure your router does all that it should.

Cisco ACL Examples

Recall from lecture that for IP there are two forms of access lists, standard and extended. Since extended ACLs are far more versatile, you will only have to write extended ACLs. Because the format of an extended ACL entry differs by protocol, here are some examples. (Recall that you must be in Global Configuration mode to write the ACLs, and that a list has no effect until you apply it to a specific interface.)

To create an ACL numbered 101 that denies Telnet traffic originating from network 192.168.10.0 and destined for network 192.168.11.0:

access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 eq telnet

To create an ACL numbered 102 that permits SSH traffic originating from the single host 192.168.10.11 and destined for network 192.168.11.0:

access-list 102 permit tcp host 192.168.10.11 192.168.11.0 0.0.0.255 eq 22

Notice that in both examples only the destination port is specified. While you could also match on the source port, a client can choose any source port it likes, so an ACL keyed on the source port could be circumvented. Specifying a source port range of 0-65535 would be the same as omitting the source port altogether, since every source port would match; either way the router effectively enforces only the destination port.

REMEMBER THAT AT ANY TIME WHEN BUILDING ACCESS LISTS YOU MAY TYPE ? AND THE IOS WILL TELL YOU WHICH OPTIONS YOU MAY USE AT THAT LOCATION.

IMPORTANT NOTE!!! DO NOT SKIP OVER THIS!!! REMEMBER THAT YOU WILL BE WORKING VIA A TELNET SESSION OVER ETHERNET 0. IF YOU CHANGE THE IP ADDRESS OF E0, YOU MUST CHANGE THE IP ADDRESS OF YOUR WINDOWS MACHINE SO IT REMAINS ON THE SAME SUBNET AS E0!!! An ACL applied to E0 that does not permit your own Telnet session will lock you out just as surely.

Assignment Scenarios

1. You are setting up a router in Miami that will be connected via a leased line (T-1) on serial 0 to a router in New York. Both New York and Miami have only a single LAN (yours is connected via eth1). The Miami router is the DCE and the New York router is the DTE. The IP configuration is as follows:
   a. New York S0 is 172.16.1.1 255.255.255.252; Miami S0 is 172.16.1.2 255.255.255.252.
   b. New York LAN is 172.16.2.0 255.255.255.0; Miami LAN is 172.16.3.0 255.255.255.0.
   c. Network traffic should be controlled as follows:
      i. Permit ICMP traffic from New York and Miami.
      ii. Deny all Telnet traffic.
      iii. Permit SSH traffic to your Unix server located at 172.16.3.20.
      iv. Permit file sharing traffic to the Windows servers located at 172.16.3.21, 172.16.3.22, 172.16.2.20, and 172.16.2.21.
      v. Permit Remote Desktop traffic to the Windows 2003 servers located at 172.16.2.20, 172.16.2.21, 172.16.3.21, and 172.16.3.22.
2. Write the set of firewall rules for each of the routers, in order to implement the specified policies (notice that this is almost identical to the previous lab's scenario):
   Visibility Rules:
   - The machine named "Net monitor" should be visible to no machine, except to a single administrative machine in the general Intranet, on TCP port 8080
   - The machine labeled "www server" is the
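To make the entry syntax from the ACL examples and the evaluation order concrete, here is an added worked example (my own code, not part of the assignment and not Cisco software): a small Python evaluator for the extended ACL syntax used above, run against a candidate list for the Miami router in Scenario 1, applied inbound on Serial 0. It shows how the wildcard mask is compared bit-wise, that the first matching entry wins, that every list ends with an implicit deny, and why a client that changes its source port is still caught by a destination-port rule. The port numbers for file sharing (445) and Remote Desktop (3389), the sample host addresses and the packets are assumptions of this example; the assignment names the services, not the ports.

```python
"""Evaluate Cisco extended ACL lines against sample packets (added example)."""
import ipaddress

# A few IOS port keywords the parser understands; numeric ports work too.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "smtp": 25, "domain": 53}


def _addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'.
    Returns (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip, want=want: int(ip) == want), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    # Wildcard (inverse) mask: a 1 bit means "don't care". OR the mask into
    # both sides so only the bits the mask leaves as 0 are compared.
    return (lambda ip, b=base, w=wild: (int(ip) | w) == (b | w)), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq PORT' clause. Returns (matcher, remaining)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        p = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return (lambda port, p=p: port == p), tokens[2:]
    return (lambda port: True), tokens


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACL entry: " + line)
    src, rest = _addr(tok[4:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    if rest:
        raise ValueError("unsupported trailing options: " + " ".join(rest))
    return {"list": int(tok[1]), "action": tok[2], "proto": tok[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def evaluate(acl, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (ace["src"](pkt["src"]) and ace["dst"](pkt["dst"])):
            continue
        if pkt["proto"] in ("tcp", "udp") and not (
                ace["sport"](pkt["sport"]) and ace["dport"](pkt["dport"])):
            continue
        return ace["action"]
    return "deny"


# Scenario 1, Miami router, list 101 applied inbound on Serial 0. Ports 445
# (file sharing) and 3389 (Remote Desktop) are this example's assumptions.
MIAMI_S0_IN = [
    "access-list 101 permit icmp 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255",
    "access-list 101 deny tcp any any eq telnet",
    "access-list 101 permit tcp 172.16.2.0 0.0.0.255 host 172.16.3.20 eq 22",
    "access-list 101 permit tcp 172.16.2.0 0.0.0.255 host 172.16.3.21 eq 445",
    "access-list 101 permit tcp 172.16.2.0 0.0.0.255 host 172.16.3.22 eq 445",
    "access-list 101 permit tcp 172.16.2.0 0.0.0.255 host 172.16.3.21 eq 3389",
    "access-list 101 permit tcp 172.16.2.0 0.0.0.255 host 172.16.3.22 eq 3389",
]


def packet(proto, src, dst, sport=0, dport=0):
    return {"proto": proto, "src": ipaddress.IPv4Address(src),
            "dst": ipaddress.IPv4Address(dst), "sport": sport, "dport": dport}


# Constructed sample traffic arriving from the New York side.
SAMPLE_PACKETS = {
    "ping_from_ny": packet("icmp", "172.16.2.10", "172.16.3.5"),
    "telnet_to_unix": packet("tcp", "172.16.2.10", "172.16.3.20", 40000, 23),
    "ssh_to_unix": packet("tcp", "172.16.2.10", "172.16.3.20", 40000, 22),
    # Source port set to 22 by the client: destination port is still 23.
    "telnet_from_sport_22": packet("tcp", "172.16.2.10", "172.16.3.20", 22, 23),
    "rdp_to_win": packet("tcp", "172.16.2.10", "172.16.3.21", 40000, 3389),
    "smb_to_win": packet("tcp", "172.16.2.10", "172.16.3.22", 40000, 445),
    # No entry matches a workstation or an outside source: implicit deny.
    "smb_to_workstation": packet("tcp", "172.16.2.10", "172.16.3.5", 40000, 445),
    "ping_from_outside": packet("icmp", "10.0.0.1", "172.16.3.5"),
}


def check_policy(lines=MIAMI_S0_IN, packets=SAMPLE_PACKETS):
    """Return {packet name: 'permit' | 'deny'} for the given list and traffic."""
    acl = [parse_ace(line) for line in lines]
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:22s} {verdict}")
```

Each string in MIAMI_S0_IN is a line you would type in global configuration mode; on the router the list does nothing until it is bound to the interface with ip access-group 101 in under interface Serial 0, which this evaluator cannot simulate. The implicit deny is why only the listed servers are reachable: the "deny telnet" entry is required by the assignment but would be enforced by the end of the list anyway. Swap in the New York router's list and its own sample packets (or the Scenario 2 rules) to check those policies the same way before you commit them to a router you are reaching over Telnet.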