
Sunday, 26 May 2013

Time-based ACLs

Time-based ACLs are access lists that permit or deny traffic depending on the time of day and the day of the week. They are built from an extended access list (named or numbered) combined with a time range: first a time range is created that defines the hours and days, named after its purpose; that time range is then referenced on an entry of the extended access list, which makes it a time-based ACL; finally the ACL is applied to an interface like any other ACL. This gives the network administrator considerable flexibility over what is permitted or denied at any time of day.

One caveat before relying on it: the time range is evaluated against the router's own clock, so the policy is only as trustworthy as that clock. Synchronise the router to a trusted NTP source (authenticated where possible) and confirm the current state with show clock and show time-range before trusting the result.

e.g. Imagine the requirement that users may reach a web server with IP 1.1.1.1 on R1 during work hours only. The users sit behind R2 and R3; we simulate them with the loopbacks of R2 and R3. Outside working hours the users must not reach the web server, but all other traffic is allowed.

 ===========================================================
R1
==
conf t
int fast0/0
ip add 192.168.12.1 255.255.255.0
ip ospf 1 area 0
no shut
exit
int loopback0
ip add 1.1.1.1 255.255.255.255
ip ospf 1 area 0
exit
===========================================================
R2
==
conf t
int fast0/0
ip add 192.168.12.2 255.255.255.0
ip ospf 1 area 0
no shut
exit
int fast0/1
ip add 192.168.23.2 255.255.255.0
ip ospf 1 area 0
no shut
exit
int loopback0
ip add 2.2.2.2 255.255.255.255
ip ospf 1 area 0
exit
============================================================
R3
==
conf t
int fast0/0
ip add 192.168.23.3 255.255.255.0
ip ospf 1 area 0
no shut
exit
int loopback0
ip add 3.3.3.3 255.255.255.255
ip ospf 1 area 0
exit

To simulate a web server on R1 we enable the IOS HTTP server:

R1(config)#ip http server

Let us verify that R1 accepts web requests (for example with telnet 1.1.1.1 80 from R3).

We first create our time range.
R2(config)#time-range WORK_HOURS
R2(config-time-range)#periodic weekdays 09:00 to 16:59
R2(config-time-range)#exi


We now create a named extended access list and tie its first entry to the time range. Order matters: the time-bound permit comes first; when the range is inactive that entry is skipped, the next entry denies web traffic to 1.1.1.1, and everything else is permitted.

R2(config)#ip access-list extended DENY_WEB
R2(config-ext-nacl)#permit tcp any host 1.1.1.1 eq www time-range WORK_HOURS
R2(config-ext-nacl)#deny tcp any host 1.1.1.1 eq www
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exi

We now apply the access list on the interface. It has to be applied where it sees the users' requests towards 1.1.1.1: on R2 that is outbound on fast0/0 (towards R1) or inbound on fast0/1 (from R3). Applied inbound on fast0/0 it would only see R1's replies, whose destination is not 1.1.1.1, and nothing would be filtered.

R2(config)#int fast0/0
R2(config-if)#ip access-group DENY_WEB out
R2(config-if)#

We set the clock on R2 outside the time range (with clock set) and try to reach the web server.

When R2's clock is outside the time range, the user behind R2 (here R3's loopback) cannot reach the web server. The test has to be run from R3 rather than from R2 itself: traffic the router generates is not checked by ACLs on its own interfaces.

Let us set the clock on R2 within the time range and see what happens.

From this we can see that when the time range is active the web server is reachable. show time-range WORK_HOURS on R2 reports whether the range is currently active, which is the quickest check when a time-based ACL does not behave as expected.
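To make the evaluation order concrete, here is an added Python model of how the DENY_WEB list above is evaluated against a clock value; it is illustrative code written for this page, not IOS code and not from the original post. It assumes that an entry whose time range is inactive is skipped (the next entry is tried) and models periodic weekdays 09:00 to 16:59 as active through 16:59:59, Monday to Friday. The test traffic is constructed.

```python
"""Model of how IOS evaluates a time-based ACL (added illustration, not IOS code).

Assumptions: an entry whose time range is inactive is skipped and the next entry
is tried; 'periodic weekdays 09:00 to 16:59' is active from 09:00:00 through
16:59:59 on Monday to Friday.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

WEEKDAYS = frozenset({0, 1, 2, 3, 4})      # datetime.weekday(): Monday=0 .. Friday=4


@dataclass(frozen=True)
class TimeRange:
    name: str
    days: frozenset
    start: time
    end: time                              # inclusive to the minute (16:59 covers 16:59:xx)

    def active(self, now: datetime) -> bool:
        hhmm = now.time().replace(second=0, microsecond=0)
        return now.weekday() in self.days and self.start <= hhmm <= self.end


@dataclass(frozen=True)
class Packet:
    proto: str                             # 'tcp', 'udp', 'icmp'
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; 'ip' and 'any' are wildcards as in IOS syntax."""
    action: str                            # 'permit' or 'deny'
    proto: str                             # 'ip' matches every protocol
    dst: str                               # 'any' or a host address
    dport: Optional[int] = None            # 'eq www' -> 80
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: Packet, now: datetime) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        # an entry bound to an inactive time range does not match at all
        if self.time_range is not None and not self.time_range.active(now):
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet, now: datetime) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(pkt, now):
            return ace.action
    return "deny"


def decision_at(acl: List[Ace], pkt: Packet, when: str) -> str:
    """Evaluate at an ISO-8601 clock value such as '2013-05-27T10:30'."""
    return evaluate(acl, pkt, datetime.fromisoformat(when))


# time-range WORK_HOURS / periodic weekdays 09:00 to 16:59
WORK_HOURS = TimeRange("WORK_HOURS", WEEKDAYS, time(9, 0), time(16, 59))

# ip access-list extended DENY_WEB, entry for entry
DENY_WEB = [
    Ace("permit", "tcp", "1.1.1.1", 80, WORK_HOURS),
    Ace("deny", "tcp", "1.1.1.1", 80),
    Ace("permit", "ip", "any"),
]

# Constructed test traffic: R3's loopback talking to the web server on R1
WEB_REQUEST = Packet("tcp", "3.3.3.3", "1.1.1.1", 80)
PING = Packet("icmp", "3.3.3.3", "1.1.1.1")

if __name__ == "__main__":
    # Monday 10:30, Monday 17:00 and Sunday 10:30 (26 May 2013 was a Sunday)
    for when in ("2013-05-27T10:30", "2013-05-27T17:00", "2013-05-26T10:30"):
        print(when, "web:", decision_at(DENY_WEB, WEB_REQUEST, when),
              "icmp:", decision_at(DENY_WEB, PING, when))
```

Feeding it a Monday-morning and a Sunday clock value flips the same web request from permit to deny while ICMP stays permitted, which is the behaviour the two clock set tests above demonstrate.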

Thursday, 23 May 2013

Context-Based Access Control (CBAC)

The Context-Based Access Control (CBAC) feature of the Cisco IOS Firewall Feature Set inspects the traffic passing through the router. Like a plain firewall policy, CBAC uses access lists to decide what is let in and what is let out, but on top of the ACL it applies ip inspect rules: the inspection engine watches the sessions the protected side initiates and opens temporary holes in the inbound ACL for their return traffic, checking along the way that the protocol behaves as expected before it reaches the systems behind the firewall.

Similar to reflexive ACLs, CBAC dynamically modifies access lists to allow specific incoming flows after first inspecting and recording flows initiated from the protected internal network. Whereas reflexive ACLs act solely on L3-L4 header fields, however, CBAC inspects all the way up to the application layer and tracks each flow per protocol (its context). The drawback of CBAC is the amount of configuration it needs once there are multiple interfaces; that problem is addressed by the Zone-Based Firewall, which we will also discuss.



In this network we are running OSPF on all routers and there is full reachability between them.

Let us verify that R3 has a complete routing table and can reach R1's loopback.


Let us say we now want to allow all traffic from the internal network (the 192.168.23.0/24 side, where R3 sits) to the external network, but deny all traffic in the opposite direction unless it is return traffic for a session the internal network initiated. Our solution is CBAC. Let us configure it on R2's F0/0, the external interface.

R2(config)#ip access-list extended BLOCK_ALL
R2(config-ext-nacl)#permit ospf any any
R2(config-ext-nacl)#deny ip any any
R2(config-ext-nacl)#exi
R2(config)#int fastEthernet 0/0
R2(config-if)#ip access-group BLOCK_ALL in
R2(config-if)#
Since we are running OSPF we must permit OSPF explicitly, otherwise the adjacency on this link drops. With this configuration the internal network can send traffic to the external network, but the replies are blocked by BLOCK_ALL. To fix that we bring in CBAC: the inspection rule is defined globally and then applied outbound on the same interface, so that it sees the sessions leaving towards the external network.

R2(config)#ip inspect name ICMP icmp
R2(config)#int fastEthernet 0/0
R2(config-if)#ip inspect ICMP out

Let us test.


From the show command above (show ip inspect sessions) it is seen that the trusted host 192.168.23.3 has opened an ICMP session to 1.1.1.1. CBAC tracks the session until it is closed or the configured idle timeout expires, and only during that window does the matching return traffic get through BLOCK_ALL.

An audit trail can also be enabled so that CBAC generates a syslog message at the start and end of each session.

R2(config)#ip inspect audit-trail
R2(config)#
May 22 12:14:15.367: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.23.3:8) -- responder (1.1.1.1:0)

Let us now try the same ping from R2 itself and see what happens at its end.

It fails, because traffic originating from the router itself is not, by default, covered by the inspection rule applied to the external interface: the reply arrives on F0/0 with no session to match and BLOCK_ALL drops it. To fix this we can either append the router-traffic keyword to the inspection rule or use local policy routing.

R2(config)#ip inspect name ICMP icmp router-traffic

Now R2 can ping R1. The alternative is a local policy route-map:

R2(config)#ip access-list extended ALLOW_LOCAL
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exi
R2(config)#route-map LOCALTRAFFIC permit 10
R2(config-route-map)#match ip address ALLOW_LOCAL
R2(config-route-map)#set interface loopback 0
R2(config-route-map)#exi
R2(config)#ip local policy route-map LOCALTRAFFIC

With this configuration, locally generated traffic is policy-routed to Loopback0, re-enters the forwarding path and leaves through F0/0 as if it were transit traffic, so it hits the outbound inspection rule and a CBAC session entry is created for it. In a lab a permit ip any any match is fine; in production, match only the traffic that actually needs inspection, since this route-map applies to everything the router itself sources.
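The following Python model (added here, not part of the original post and not IOS code) walks through what the inspection engine does with the lab's BLOCK_ALL list and ICMP inspection rule: the outbound packet creates a session entry, the matching reply is let in, an unsolicited probe and a reply arriving after the idle timeout are dropped, and router-originated traffic is only covered once router-traffic is set. The session key, the 10-second idle timeout, the timestamps and the audit-trail strings are constructed for the example.

```python
"""Model of CBAC stateful inspection on R2's external interface (added illustration,
not IOS code). Outbound packets matching 'ip inspect ICMP out' create session entries;
the inbound BLOCK_ALL list permits OSPF, return traffic for a live session, and nothing
else. Timestamps are constructed seconds; the idle timeout value is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str      # 'icmp', 'tcp', 'udp', 'ospf'
    src: str
    dst: str
    ident: int = 0  # ICMP identifier (or, simplified, a TCP/UDP source port)


SessionKey = Tuple[str, str, str, int]


class CbacRouter:
    def __init__(self, idle_timeout: float = 10.0, router_traffic: bool = False):
        self.idle_timeout = idle_timeout
        self.router_traffic = router_traffic   # 'ip inspect name ICMP icmp router-traffic'
        self.sessions: Dict[SessionKey, float] = {}   # (proto, initiator, responder, id) -> last seen
        self.audit: List[str] = []                     # what 'ip inspect audit-trail' would log

    @staticmethod
    def _key(flow: Flow) -> SessionKey:
        return (flow.proto, flow.src, flow.dst, flow.ident)

    def _expire(self, now: float) -> None:
        for key, last_seen in list(self.sessions.items()):
            if now - last_seen > self.idle_timeout:
                del self.sessions[key]
                self.audit.append(f"SESS_AUDIT_TRAIL_STOP {key[0]} {key[1]} -> {key[2]} (idle)")

    def outbound(self, flow: Flow, now: float, from_router: bool = False) -> str:
        """Packet leaving via F0/0, where 'ip inspect ICMP out' is applied."""
        self._expire(now)
        if from_router and not self.router_traffic:
            # locally generated traffic bypasses the inspection rule unless router-traffic is set
            return "forwarded, not inspected"
        key = self._key(flow)
        if key not in self.sessions:
            self.audit.append(f"SESS_AUDIT_TRAIL_START {flow.proto} initiator ({flow.src}) -- responder ({flow.dst})")
        self.sessions[key] = now
        return "forwarded, inspected"

    def inbound(self, flow: Flow, now: float) -> str:
        """Packet arriving on F0/0, where BLOCK_ALL is applied inbound."""
        self._expire(now)
        if flow.proto == "ospf":
            return "permit (BLOCK_ALL: permit ospf any any)"
        # a reply belongs to a session whose initiator is this packet's destination
        key = (flow.proto, flow.dst, flow.src, flow.ident)
        if key in self.sessions:
            self.sessions[key] = now       # refresh the idle timer
            return "permit (CBAC session)"
        return "deny (BLOCK_ALL: deny ip any any)"


def demo() -> dict:
    """Walk through the lab's cases and return the verdicts."""
    r2 = CbacRouter(idle_timeout=10.0)
    results = {}
    # 1. R3 (trusted) pings R1: echo request out, echo reply back in
    r2.outbound(Flow("icmp", "192.168.23.3", "1.1.1.1", ident=8), now=0.0)
    results["reply_to_r3"] = r2.inbound(Flow("icmp", "1.1.1.1", "192.168.23.3", ident=8), now=0.2)
    # 2. unsolicited probe from the outside
    results["unsolicited"] = r2.inbound(Flow("icmp", "1.1.1.1", "192.168.23.3", ident=99), now=0.3)
    # 3. reply arriving after the session has idled out
    results["late_reply"] = r2.inbound(Flow("icmp", "1.1.1.1", "192.168.23.3", ident=8), now=30.0)
    # 4. R2 itself pings R1: not inspected, so the reply is dropped...
    r2.outbound(Flow("icmp", "192.168.12.2", "1.1.1.1", ident=5), now=40.0, from_router=True)
    results["reply_to_r2"] = r2.inbound(Flow("icmp", "1.1.1.1", "192.168.12.2", ident=5), now=40.2)
    # ...until the rule carries 'router-traffic'
    r2_fixed = CbacRouter(idle_timeout=10.0, router_traffic=True)
    r2_fixed.outbound(Flow("icmp", "192.168.12.2", "1.1.1.1", ident=5), now=0.0, from_router=True)
    results["reply_to_r2_fixed"] = r2_fixed.inbound(Flow("icmp", "1.1.1.1", "192.168.12.2", ident=5), now=0.2)
    # 5. OSPF hello from R1 is allowed by the explicit ACL entry
    results["ospf_hello"] = r2.inbound(Flow("ospf", "192.168.12.1", "224.0.0.5"), now=41.0)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

The idle-timeout case is the one worth remembering operationally: a long-lived flow that goes quiet for longer than the inspect timeout loses its opening, and the next inbound packet is dropped by the static ACL exactly as if it had never been inspected.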

DHCP Server Configuration

As explained in RFC 2131, Dynamic Host Configuration Protocol, DHCP provides configuration parameters to Internet hosts. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a DHCP Server to a host and a mechanism for allocating network addresses to hosts. DHCP is built on a client/server model, where designated DHCP Server hosts allocate network addresses and deliver configuration parameters to dynamically configured hosts. By default, Cisco routers running Cisco IOS software include DHCP server and relay agent software.

DHCP supports three mechanisms for IP address allocation:

Automatic allocation—DHCP assigns a permanent IP address to a client.

Dynamic allocation—DHCP assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address).

Manual allocation—The network administrator assigns an IP address to a client and DHCP is used simply to convey the assigned address to the client. 

We are going to configure R1 to provide an IP address, default gateway, DNS server address and other parameters.

Let us verify that at the moment the DHCP client has no host-specific configuration parameters:

 

Let us now configure the router as a DHCP server. The pool needs a network statement, which defines the subnet addresses are leased from; 192.168.1.0/24 follows from the gateway address and the excluded range.

R1(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10
R1(config)#ip dhcp pool MYLAN
R1(dhcp-config)#network 192.168.1.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.1.1
R1(dhcp-config)#dns-server 192.168.1.2

Since the router (192.168.1.1) and the DNS server (192.168.1.2) have static addresses inside this pool, those addresses have to be kept out of it. We excluded a larger range (.1 to .10) to leave room for future static hosts. Strictly speaking the exclusion is not mandatory, because the IOS DHCP server pings a candidate address before offering it and records an answer as a conflict (show ip dhcp conflict), but that check only protects hosts that are powered on and answering, so exclude known static addresses explicitly.

Let us now configure the PC as a DHCP client.

Let us verify that the PC is indeed getting its IP address and the other parameters from the DHCP server.

Let us ping the gateway from the PC.
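As an added illustration (not IOS code and not from the original post), the following Python model of the MYLAN pool shows how excluded addresses, the conflict probe and existing leases decide which address a client is offered. The /24 network is the one implied above; the probe callback and the client identifiers are constructed assumptions for the example.

```python
"""Model of the IOS DHCP pool in this lab (added illustration, not IOS code): addresses
are handed out from the 'network' statement's range, skipping excluded addresses and
addresses that answer the server's conflict probe. The probe result is supplied by a
constructed callback here; the real server pings the candidate before offering it.
"""
import ipaddress
from typing import Callable, Dict, Optional

Probe = Callable[[str], bool]   # returns True if some host already answers at that address


class DhcpPool:
    def __init__(self, name, network, default_router, dns_servers, excluded, probe: Probe):
        self.name = name
        self.net = ipaddress.ip_network(network)          # network 192.168.1.0 255.255.255.0
        self.default_router = default_router               # default-router 192.168.1.1
        self.dns_servers = list(dns_servers)               # dns-server 192.168.1.2
        self.probe = probe
        self.excluded = set()
        for low, high in excluded:                         # ip dhcp excluded-address low high
            lo, hi = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
            self.excluded.update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
        self.leases: Dict[str, ipaddress.IPv4Address] = {}  # client-id (MAC) -> address
        self.conflicts = set()                               # what 'show ip dhcp conflict' lists

    def offer(self, client_id: str) -> Optional[dict]:
        """DISCOVER -> OFFER: reuse the client's lease, else the lowest free, non-excluded address."""
        if client_id in self.leases:
            return self._params(self.leases[client_id])
        for addr in self.net.hosts():                      # hosts() skips network and broadcast
            if addr in self.excluded or addr in self.conflicts or addr in self.leases.values():
                continue
            if self.probe(str(addr)):
                self.conflicts.add(addr)                   # someone answered: never offer this one
                continue
            self.leases[client_id] = addr
            return self._params(addr)
        return None                                        # pool exhausted

    def release(self, client_id: str) -> None:
        self.leases.pop(client_id, None)

    def _params(self, addr) -> dict:
        return {"address": str(addr), "mask": str(self.net.netmask),
                "default_router": self.default_router, "dns": self.dns_servers}


def lab_pool(probe: Probe = lambda addr: False) -> DhcpPool:
    """The MYLAN pool from the page; the /24 follows from the gateway and excluded range."""
    return DhcpPool("MYLAN", "192.168.1.0/24", "192.168.1.1", ["192.168.1.2"],
                    excluded=[("192.168.1.1", "192.168.1.10")], probe=probe)


if __name__ == "__main__":
    # constructed: a statically addressed printer squats on .11 without being excluded
    pool = lab_pool(probe=lambda addr: addr == "192.168.1.11")
    print(pool.offer("00:11:22:33:44:55"))    # gets .12; .11 is recorded as a conflict
    print(sorted(str(c) for c in pool.conflicts))
```

Running the squatting-printer case shows both halves of the point made above: the probe saves the client from a duplicate address, but only because the printer was switched on to answer the ping.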

 
 


Wednesday, 22 May 2013

Redistribution between different routing domains



R1
==
conf t
int fast 0/0
ip add 192.168.12.1 255.255.255.0
no shut
exit
int fast 0/1
ip add 192.168.13.1 255.255.255.0
no shut
exit
int loopback 0
ip add 1.1.1.1 255.255.255.255
exit
int loopback 1
ip add 11.11.11.11 255.255.255.255
exit
router rip
version 2
no auto-summary
network 192.168.12.0
network 1.1.1.1
exit
router eigrp 1
no auto-summary
network 192.168.13.1 0.0.0.0
network 11.11.11.11 0.0.0.0
exit
===============================================
R2
==
conf t
int fast 0/0
ip add 192.168.12.2 255.255.255.0
no shut
exit
int fast 0/1
ip add 192.168.23.2 255.255.255.0
no shut
exit
int loopback 0
ip add 2.2.2.2 255.255.255.255
exit
int loopback 1
ip add 22.22.22.22 255.255.255.255
exit
router rip
version 2
no auto-summary
network 192.168.12.0
network 2.2.2.2
exit
router ospf 1
network 192.168.23.2 0.0.0.0 area 0
network 22.22.22.22 0.0.0.0 area 0
exit
===================================================
R3
==
conf t
int fast 0/0
ip add 192.168.13.3 255.255.255.0
no shut
exit
int fast 0/1
ip add 192.168.23.3 255.255.255.0
no shut
exit
int loopback 0
ip add 3.3.3.3 255.255.255.255
exit
int loopback 1
ip add 33.33.33.33 255.255.255.255
exit
router eigrp 1
no auto-summary
network 192.168.13.3 0.0.0.0
network 33.33.33.33 0.0.0.0
exit
router ospf 1
network 192.168.23.3 0.0.0.0 area 0
network 3.3.3.3 0.0.0.0 area 0
exit
====================================================
Let us redistribute RIP into EIGRP at R1 and then EIGRP into OSPF at R3. First let us view the routing table of R2. R2 reaches R1's loopback through the RIP domain, which is the direct path. After the redistribution R2 also learns R1's loopback from the OSPF domain as an external (E2) route, and since OSPF (AD 110) is preferred over RIP (AD 120), R2 installs the OSPF path via R3: a suboptimal two-hop path instead of the direct link.

R2#sh ip route | be Gateway
Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 192.168.12.1, 00:00:08, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/11] via 192.168.23.3, 00:31:20, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
C    192.168.23.0/24 is directly connected, FastEthernet0/1

After Redistribution

R2#sh ip route | be Gateway
Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/32 is subnetted, 1 subnets
O E2    1.1.1.1 [110/20] via 192.168.23.3, 00:00:49, FastEthernet0/1
O E2 192.168.13.0/24 [110/20] via 192.168.23.3, 00:00:49, FastEthernet0/1
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     33.0.0.0/32 is subnetted, 1 subnets
O E2    33.33.33.33 [110/20] via 192.168.23.3, 00:00:49, FastEthernet0/1
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/11] via 192.168.23.3, 00:47:35, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
C    192.168.23.0/24 is directly connected, FastEthernet0/1
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 192.168.23.3, 00:00:49, FastEthernet0/1
There are several ways to solve this suboptimal routing. A distribute-list can filter 1.1.1.1 out of R2's OSPF routes; a prefix-list or route-map can do the same (an OSPF area filter-list would not help here, since it only filters type-3 summary LSAs at an ABR and 1.1.1.1 arrives as a type-5 external). The most effective method is administrative distance: make the AD of that one OSPF route on R2 worse than RIP's. Unlike filtering, this keeps the OSPF route available as a backup, so redundancy is preserved.

R2(config)#ip access-list standard NET_1
R2(config-std-nacl)#deny 1.1.1.1
R2(config-std-nacl)#permit any
R2(config-std-nacl)#exit
R2(config)#router ospf 1
R2(config-router)#distribute-list NET_1 in
Let us verify
R2(config-router)#do sh ip route | be Gateway
Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 192.168.12.1, 00:00:16, FastEthernet0/0
O E2 192.168.13.0/24 [110/20] via 192.168.23.3, 00:04:54, FastEthernet0/1
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     33.0.0.0/32 is subnetted, 1 subnets
O E2    33.33.33.33 [110/20] via 192.168.23.3, 00:04:54, FastEthernet0/1
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/11] via 192.168.23.3, 00:04:54, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
C    192.168.23.0/24 is directly connected, FastEthernet0/1
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 192.168.23.3, 00:04:54, FastEthernet0/1

It now selects the optimal path, but there is no redundancy: if the RIP path fails, the filtered OSPF route cannot take over.

Let us use a prefix-list to do the same:

R2(config)#ip prefix-list NET_1 seq 5 deny 1.1.1.1/32
R2(config)# ip prefix-list NET_1 seq 10 permit 0.0.0.0/0 le 32
R2(config)#router ospf 1
R2(config-router)#distribute-list prefix NET_1 in
R2(config-router)#
Let us verify:
R2(config-router)#do sh ip rou | be Gateway
Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 192.168.12.1, 00:00:13, FastEthernet0/0
O E2 192.168.13.0/24 [110/20] via 192.168.23.3, 00:01:26, FastEthernet0/1
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     33.0.0.0/32 is subnetted, 1 subnets
O E2    33.33.33.33 [110/20] via 192.168.23.3, 00:01:26, FastEthernet0/1
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/11] via 192.168.23.3, 00:01:26, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
C    192.168.23.0/24 is directly connected, FastEthernet0/1
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 192.168.23.3, 00:01:26, FastEthernet0/1

Let us use a route-map to do the same thing. The standard ACL denies 1.1.1.1 and permits everything else; in a route-map permit clause that means 1.1.1.1 never matches, falls off the end of the route-map and is dropped, while every other route matches and is kept.

R2(config)#ip access-list standard NET_1
R2(config-std-nacl)#deny 1.1.1.1
R2(config-std-nacl)#permit any
R2(config-std-nacl)#exit
R2(config)#route-map NET_1 permit 10
R2(config-route-map)#match ip address NET_1
R2(config-route-map)#exit
R2(config)#router ospf 1
R2(config-router)#distribute-list route-map NET_1 in

Let us verify:
R2(config-router)#do sh ip rou | be Gateway
Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 192.168.12.1, 00:00:03, FastEthernet0/0
O E2 192.168.13.0/24 [110/20] via 192.168.23.3, 00:01:43, FastEthernet0/1
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     33.0.0.0/32 is subnetted, 1 subnets
O E2    33.33.33.33 [110/20] via 192.168.23.3, 00:01:43, FastEthernet0/1
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/11] via 192.168.23.3, 00:01:43, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
C    192.168.23.0/24 is directly connected, FastEthernet0/1
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 192.168.23.3, 00:01:43, FastEthernet0/1

Another method that preserves redundancy is to summarise 1.1.1.1 at the ASBR (R3) before it is advertised to R2. R2 then learns 1.1.0.0/16 via OSPF and the more specific 1.1.1.1/32 via RIP from R1; the longest match wins, so the direct RIP path is used, and the OSPF summary remains as a fallback.

R3(config)#router ospf 1
R3(config-router)#summary-address 1.1.0.0 255.255.0.0
R3(config-router)#
Let us verify:

R2#sh ip route | be Gateway
Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
R       1.1.1.1/32 [120/1] via 192.168.12.1, 00:00:14, FastEthernet0/0
O E2    1.1.0.0/16 [110/20] via 192.168.23.3, 00:03:19, FastEthernet0/1
O E2 192.168.13.0/24 [110/20] via 192.168.23.3, 00:07:53, FastEthernet0/1
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     33.0.0.0/32 is subnetted, 1 subnets
O E2    33.33.33.33 [110/20] via 192.168.23.3, 00:07:53, FastEthernet0/1
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/11] via 192.168.23.3, 00:07:53, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
C    192.168.23.0/24 is directly connected, FastEthernet0/1
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 192.168.23.3, 00:07:53, FastEthernet0/1

Another effective method is administrative distance. The AD of the route 1.1.1.1 learned via OSPF can be raised above RIP's AD of 120; let us raise it to 150. The distance command needs the source of the route, which for OSPF is the router ID of the advertising router; we get it from show ip ospf database.
R2#sh ip ospf database

            OSPF Router with ID (22.22.22.22) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
22.22.22.22     22.22.22.22     1349        0x80000002 0x009571 2
33.33.33.33     33.33.33.33     1350        0x80000002 0x0040B9 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.23.3    33.33.33.33     1350        0x80000001 0x00A6AE

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
1.1.1.1         33.33.33.33     1392        0x80000001 0x00D740 0
2.2.2.2         33.33.33.33     1392        0x80000001 0x00A96A 0
11.11.11.11     33.33.33.33     1392        0x80000001 0x000AE5 0
33.33.33.33     33.33.33.33     1395        0x80000001 0x001285 0
192.168.12.0    33.33.33.33     505         0x80000001 0x00CFD6 0
192.168.13.0    33.33.33.33     1395        0x80000001 0x00C4E0 0

The advertising router is 33.33.33.33 (R3's OSPF router ID).
R2(config)#router ospf 1
R2(config-router)#distance 150 33.33.33.33 0.0.0.0
R2(config-router)#

Let us verify:


R2(config-router)#do sh ip rou | be Gateway
Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 192.168.12.1, 00:00:11, FastEthernet0/0
O E2 192.168.13.0/24 [150/20] via 192.168.23.3, 00:02:35, FastEthernet0/1
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     33.0.0.0/32 is subnetted, 1 subnets
O E2    33.33.33.33 [150/20] via 192.168.23.3, 00:02:35, FastEthernet0/1
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [150/11] via 192.168.23.3, 00:02:35, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
C    192.168.23.0/24 is directly connected, FastEthernet0/1
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [150/20] via 192.168.23.3, 00:02:35, FastEthernet0/1

However, this changes every OSPF route learned from 33.33.33.33 (R3) to an AD of 150, including 3.3.3.3 and 33.33.33.33. To change only the route to 1.1.1.1 we add a standard access list that matches it as the last argument of the distance command.

R2(config)#access-list 1 permit 1.1.1.1
R2(config)#router ospf 1
R2(config-router)#distance 150 33.33.33.33 0.0.0.0 1

Lets verify:
R2(config-router)#do sh ip route | be Gateway
Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 192.168.12.1, 00:00:01, FastEthernet0/0
O E2 192.168.13.0/24 [110/20] via 192.168.23.3, 00:02:40, FastEthernet0/1
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     33.0.0.0/32 is subnetted, 1 subnets
O E2    33.33.33.33 [110/20] via 192.168.23.3, 00:02:40, FastEthernet0/1
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/11] via 192.168.23.3, 00:02:40, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.22 is directly connected, Loopback1
C    192.168.23.0/24 is directly connected, FastEthernet0/1
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 192.168.23.3, 00:02:40, FastEthernet0/1

With this solution only the OSPF route for 1.1.1.1 has an AD of 150; the others keep their default AD of 110. R2 again prefers the RIP path, and if that path fails the OSPF route at AD 150 is installed in its place.
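To show why the AD fix keeps redundancy while the filters do not, here is an added Python model (written for this page, not IOS code and not the original author's) of R2's route selection for 1.1.1.1 under the default, the distribute-list and the per-route distance command, with the RIP path up and then down. The candidate routes are taken from the outputs above; the metric tie-break and the exact-match source comparison (the lab's 0.0.0.0 wildcard) are simplifying assumptions.

```python
"""Model of RIB path selection on R2 (added illustration, not IOS code): the lowest
administrative distance wins for a prefix, and 'distance <weight> <source> <wildcard> [acl]'
raises the AD of selected OSPF routes. Compared with an inbound distribute-list, which
removes the candidate altogether. Source lookups use an exact router-id match, which is
what the lab's 0.0.0.0 wildcard means.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    protocol: str
    next_hop: str
    metric: int
    adv_router: Optional[str] = None        # OSPF: ADV Router from 'show ip ospf database'


@dataclass(frozen=True)
class DistanceRule:
    protocol: str
    weight: int
    source: str                             # router-id the LSA came from
    acl: Optional[frozenset] = None         # prefixes permitted by the standard ACL; None = all


def admin_distance(c: Candidate, rules: Iterable[DistanceRule]) -> int:
    """First matching distance rule wins, otherwise the protocol default."""
    for r in rules:
        if r.protocol == c.protocol and r.source == c.adv_router and (r.acl is None or c.prefix in r.acl):
            return r.weight
    return DEFAULT_AD[c.protocol]


def distribute_list_in(cands: Iterable[Candidate], protocol: str, denied: frozenset) -> List[Candidate]:
    """'distribute-list ... in' under a process: its denied prefixes never reach the RIB."""
    return [c for c in cands if not (c.protocol == protocol and c.prefix in denied)]


def build_rib(cands: Iterable[Candidate], rules: Iterable[DistanceRule] = ()) -> Dict[str, Candidate]:
    """One best route per prefix: lowest AD, then lowest metric."""
    best: Dict[str, Candidate] = {}
    for c in cands:
        cur = best.get(c.prefix)
        if cur is None or (admin_distance(c, rules), c.metric) < (admin_distance(cur, rules), cur.metric):
            best[c.prefix] = c
    return best


# Candidates R2 holds after redistribution, from the routing tables shown above
RIP_1111 = Candidate("1.1.1.1/32", "rip", "192.168.12.1", 1)
OSPF_1111 = Candidate("1.1.1.1/32", "ospf", "192.168.23.3", 20, adv_router="33.33.33.33")
OSPF_3333 = Candidate("3.3.3.3/32", "ospf", "192.168.23.3", 11, adv_router="33.33.33.33")
CANDIDATES = [RIP_1111, OSPF_1111, OSPF_3333]

# distance 150 33.33.33.33 0.0.0.0            (every route R3 advertises)
RULE_ALL = DistanceRule("ospf", 150, "33.33.33.33")
# access-list 1 permit 1.1.1.1 / distance 150 33.33.33.33 0.0.0.0 1
RULE_ACL = DistanceRule("ospf", 150, "33.33.33.33", acl=frozenset({"1.1.1.1/32"}))


def compare(rip_link_up: bool = True) -> Dict[str, Optional[str]]:
    """Which protocol serves 1.1.1.1 under each fix, with the R1-R2 RIP path up or down."""
    cands = CANDIDATES if rip_link_up else [c for c in CANDIDATES if c.protocol != "rip"]
    out = {
        "default": build_rib(cands).get("1.1.1.1/32"),
        "distribute_list": build_rib(distribute_list_in(cands, "ospf", frozenset({"1.1.1.1/32"}))).get("1.1.1.1/32"),
        "distance_acl": build_rib(cands, [RULE_ACL]).get("1.1.1.1/32"),
    }
    return {k: (v.protocol if v else None) for k, v in out.items()}


if __name__ == "__main__":
    print("RIP up  :", compare(True))
    print("RIP down:", compare(False))
```

With the RIP path down the distribute-list variant has no route for 1.1.1.1 at all, while the distance variant falls back to the OSPF route at AD 150; that difference is the redundancy argument made above, and the RULE_ALL case shows why the ACL argument is needed to keep 3.3.3.3 at its default AD.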