Lab Setup
- Make the connections as per the topology diagram above.
- Use the IP addressing chart below to assign IP addresses to the routers.
- All three routers are configured with RIPv2 and can ping each other.
IP Addressing Schema
Router | Interface | IP Address
------ | --------- | -------------
R1 | S0/0 | 100.1.12.1/24
R1 | Loop0 | 1.1.1.1/24
R2 | S0/0 | 100.1.12.2/24
R2 | S0/1 | 100.1.23.2/24
R2 | Loop0 | 2.2.2.2/24
R3 | S0/0 | 100.1.23.3/24
R3 | Loop0 | 3.3.3.3/24
Lab Objectives
- Configure R2 so that only the following traffic passes through the S0/1 (outside network) interface:
- SMTP traffic that originates from the inside networks.
- Only Java applets from network 1.1.1.0/24 may be downloaded. Enable audit-trail logging and real-time alerts for this inspection.
- NetMeeting (H.323) traffic that originates from the inside networks.
- RIPv2 routing updates and ICMP must continue to work in both directions.
R2 Configuration
R2(config)#access-list 1 permit 1.1.1.0 0.0.0.255
R2(config)#access-list 100 permit icmp any any
R2(config)#access-list 100 permit udp any any eq rip
R2(config)#ip inspect name FIREWALL http java-list 1 alert on audit-trail on
R2(config)#ip inspect name FIREWALL smtp
R2(config)#ip inspect name FIREWALL h323
(Note: H.323 is the protocol used by Microsoft NetMeeting and Intel Video Phone.)
R2(config)#int s0/1
R2(config-if)#ip inspect FIREWALL out
R2(config-if)#ip access-group 100 in
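To make the interaction between access-list 100 and the inspect rule concrete, here is a small Python model added to this write-up. It is not Cisco code and does not talk to a router: it mimics a static inbound ACL plus the temporary openings CBAC creates for sessions it inspected on the way out. The port numbers, packet fields, session-table layout and every address used in demo() are simplifying assumptions constructed for the demo, not IOS internals.

```python
"""Toy model of how the R2 configuration above filters traffic on S0/1.

Added example, not Cisco IOS code. It mimics the interaction between the
static inbound ACL 100 and the outbound CBAC inspect rule FIREWALL so the
reader can see why return traffic for inspected protocols gets back in
while unsolicited inbound connections do not. Packet fields, the session
table and the port numbers are simplified assumptions; the addresses used
in demo() are constructed.
"""
from dataclasses import dataclass

# Protocols named in the inspect rule FIREWALL and the transport/port the
# model matches them on (assumed well-known ports; 1720 is H.225 call setup).
INSPECTED = {"smtp": ("tcp", 25), "http": ("tcp", 80), "h323": ("tcp", 1720)}
RIP_PORT = 520


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False  # first packet of a TCP connection


class R2Serial01:
    """Per-interface state for S0/1: the static ACL plus CBAC's dynamic openings."""

    def __init__(self):
        # (inside ip, inside port, outside ip, outside port) of inspected sessions
        self.sessions = set()

    @staticmethod
    def acl_100_in(p):
        """access-list 100: permit icmp any any / permit udp any any eq rip / implicit deny."""
        if p.proto == "icmp":
            return True
        if p.proto == "udp" and p.dport == RIP_PORT:
            return True
        return False

    def outbound(self, p):
        """Traffic leaving S0/1: 'ip inspect FIREWALL out' records inspected sessions."""
        for name, (proto, port) in INSPECTED.items():
            if p.proto == proto and p.dport == port and p.syn:
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
                return f"sent, {name} session recorded"
        return "sent, not inspected"

    def inbound(self, p):
        """Traffic entering S0/1: CBAC's temporary openings are consulted before ACL 100."""
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permitted (return traffic of inspected session)"
        if self.acl_100_in(p):
            return "permitted (ACL 100)"
        return "dropped (implicit deny of ACL 100)"


def demo():
    """Run constructed packets through the model and return the verdicts in order."""
    r2 = R2Serial01()
    return [
        # 1. inside mail relay opens SMTP to an outside server: inspected on the way out
        r2.outbound(Packet("tcp", "1.1.1.10", "3.3.3.25", 40000, 25, syn=True)),
        # 2. the SYN/ACK coming back matches the recorded session
        r2.inbound(Packet("tcp", "3.3.3.25", "1.1.1.10", 25, 40000)),
        # 3. an outside host connecting to an inside SMTP server hits the implicit deny
        r2.inbound(Packet("tcp", "3.3.3.40", "1.1.1.10", 41000, 25, syn=True)),
        # 4. Telnet is not in the inspect rule, so its return traffic is not let back in
        r2.outbound(Packet("tcp", "1.1.1.10", "3.3.3.40", 40001, 23, syn=True)),
        r2.inbound(Packet("tcp", "3.3.3.40", "1.1.1.10", 23, 40001)),
        # 5. RIPv2 updates from R3 and ICMP are allowed by the static entries
        r2.inbound(Packet("udp", "100.1.23.3", "224.0.0.9", 520, 520)),
        r2.inbound(Packet("icmp", "3.3.3.3", "2.2.2.2")),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Case 4 is the one that bites in practice: anything the inside users need that is not named in the inspect rule (Telnet, SSH, DNS) will have its replies dropped by access-list 100, so either add those protocols to FIREWALL or add a generic tcp/udp inspection entry.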
Key Points to Remember
- The access list referenced by java-list must be a standard access list. It is matched against the address of the web server the applet is downloaded from: applets from sites it permits are allowed, all others are blocked.
- If the access list named in java-list does not exist, Java applets from all addresses are blocked.
- The IOS Firewall does not detect or block encapsulated Java applets, such as applets wrapped in .zip or .jar archives.
- The IOS Firewall does not detect or block applets loaded via FTP, Gopher, or HTTP on a non-standard port (a non-standard port can be added to HTTP inspection with the ip port-map command).
- Access-list 100 ends with an implicit deny, so everything else arriving on S0/1 is dropped unless CBAC has opened a temporary entry for it. Only protocols named in the inspect rule get such entries; a protocol not listed there (Telnet from the inside, for example) would lose its return traffic.
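The key points above are easier to reason about with a model of the check in front of you. The following Python is an added example, not IOS code. It assumes, following Cisco's description of CBAC Java blocking, that the firewall recognises an applet by the Java class-file magic number 0xCAFEBABE at the start of an HTTP response body, that it only looks at HTTP on the standard port, and that the java-list standard ACL (here access-list 1 permit 1.1.1.0/24) is evaluated against the address of the web server. The response bodies and server addresses in demo() are constructed for the demo; FTP and Gopher are not modelled because the model only ever sees HTTP responses, which is exactly why applets fetched that way are missed.

```python
"""Toy model of the Java-applet check described in the key points above.

Added Python example, not IOS code. Assumptions: the firewall identifies an
applet by the class-file magic number 0xCAFEBABE at the start of an HTTP
response body, only HTTP on the standard port is inspected, and the
java-list standard ACL is matched against the web server's address.
Response bodies and addresses in demo() are constructed.
"""
import ipaddress

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # first four bytes of every .class file
ZIP_MAGIC = b"PK\x03\x04"                # first four bytes of a .zip/.jar archive
HTTP_STD_PORT = 80

# access-list 1 permit 1.1.1.0 0.0.0.255 (an implicit deny follows)
JAVA_LIST_1 = [("permit", ipaddress.ip_network("1.1.1.0/24"))]


def java_list_permits(server_ip, acl):
    """Evaluate a standard ACL against the applet's source (web server) address.

    acl=None models a java-list number that does not exist on the router:
    every applet is then blocked, as the key points state.
    """
    if acl is None:
        return False
    ip = ipaddress.ip_address(server_ip)
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def inspect_http_response(server_ip, server_port, body, acl=JAVA_LIST_1):
    """Decide what happens to one HTTP response heading back to an inside client.

    Returns (verdict, reason); verdict is "pass" or "block".
    """
    if server_port != HTTP_STD_PORT:
        return ("pass", "not inspected: HTTP on a non-standard port")
    if body.startswith(ZIP_MAGIC):
        return ("pass", "not detected: applet encapsulated in a zip/jar archive")
    if not body.startswith(JAVA_CLASS_MAGIC):
        return ("pass", "no applet in response")
    if java_list_permits(server_ip, acl):
        return ("pass", "applet permitted by java-list")
    return ("block", "applet denied by java-list")


def demo():
    """Constructed responses covering the allowed case and each documented blind spot."""
    class_file = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16  # minimal .class header
    jar_file = ZIP_MAGIC + b"\x14\x00" + class_file                      # same applet wrapped in a jar
    html = b"<html><body>hello</body></html>"
    return [
        inspect_http_response("1.1.1.10", 80, class_file),            # friendly site: allowed
        inspect_http_response("3.3.3.80", 80, class_file),            # any other site: blocked
        inspect_http_response("3.3.3.80", 80, jar_file),              # wrapped applet slips through
        inspect_http_response("3.3.3.80", 8080, class_file),          # non-standard port not inspected
        inspect_http_response("3.3.3.80", 80, html),                  # ordinary page
        inspect_http_response("1.1.1.10", 80, class_file, acl=None),  # java-list ACL missing: all blocked
    ]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:5} {reason}")
```

Cases 3 and 4 are the practical lesson: a magic-number check on one port is trivially bypassed by an archive or a different port, so treat java-list as a policy convenience for cooperative clients rather than a control an attacker cannot route around.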
Verification
R2#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name FIREWALL
    http java-list 1 alert is on audit-trail is on timeout 3600
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    h323 alert is on audit-trail is off timeout 3600
Interface Configuration
 Interface Serial0/1
  Inbound inspection rule is not set
  Outgoing inspection rule is FIREWALL
    http java-list 1 alert is on audit-trail is on timeout 3600
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    h323 alert is on audit-trail is off timeout 3600
  Inbound access list is 100
  Outgoing access list is not set

R2#show ip inspect statistics
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
TCP reassembly statistics
  received 0 packets out-of-order; dropped 0
  peak memory usage 0 KB; current usage: 0 KB
  peak queue length 0

The per-protocol "audit-trail is on" for http overrides the global "Session audit trail is disabled" shown at the top, which is why the Java inspection will log while smtp and h323 will not. The session counters are all zero because no inspected traffic has crossed S0/1 yet; generate SMTP or HTTP traffic from the inside and run show ip inspect sessions to see the dynamic openings CBAC creates.