
pix advanced lab 3v3


DOCUMENT INFORMATION

Basic information

Format
Pages: 11
Size: 275,05 KB

Contents

Lab Exercise—Configure ACLs in the PIX Firewall

Complete the following lab exercises to practice what you have learned.

Objectives

In this lab exercise, you will complete the following tasks:
■ Disable pinging to an interface.
■ Configure inbound and outbound ACLs.
■ Filter malicious active code.
■ Configure the PIX Firewall to work with a URL-filtering application.

Visual Objective

The following figure displays the topology of the lab environment used in this exercise.

[Figure: Lab Visual Objective (CSPFA 2.0—4-32). Inside host 10.0.P.2 on 10.0.P.0/24, attached to the PIX Firewall e1 inside interface (.1); e0 outside interface 192.168.P.1 on 192.168.P.0/24, with the Internet server (web, FTP, and TFTP server) at 192.168.P.2 and 192.168.P.254 leading to the adjacent pod (P1-P2, P3-P4, P5-P6, P7-P8, P9-P10); e2 dmz interface 172.16.1.P on 172.16.1.0/24, with the bastion host (web and FTP server) at 172.16.1.50.]

Access and Lab Setup

To do this lab exercise, you must be connected to the lab at www.labgear.net. Your instructor will provide the username and password for logging into this site. Once logged on, the lab diagram will be displayed (the picture below is for Pod #1):

Copyright © 2003, Cisco Systems, Inc. PIX Advanced Road Show Lab 3-1

To access the PIX Firewall from the main lab diagram, click on the “CONSOLE” icon associated with the PIX Firewall. A window will open to the PIX console. To access the inside or outside clients, click on the appropriate “PC Desktop” icon. For these devices you must first authenticate at the “VNC Authentication” screen before you can access the PC desktop.

Passwords

Use the following passwords for this lab:
■ Lab Gear password: Your instructor will provide it.
■ PIX password: Either no password (just press the Enter key) or cisco.
■ PC client or server: The username is administrator and there is no password (just press the Enter key).
■ VNC password: When you connect to the PCs or servers, use a password of cisco at the VNC screen.

Task 1—Disable Pinging to an Interface

Perform the following lab steps to configure an ICMP ACL to prevent pinging to your PIX Firewall interfaces:

Step 1 On your inside host, open a command window to reach the DOS prompt (Start->Run...->enter “cmd” as the program to open) and ping the inside interface of your PIX Firewall:

    C:\>ping 10.0.P.1
    Pinging 10.0.P.1 with 32 bytes of data:
    Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
    Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
    Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
    Reply from 10.0.P.1: bytes=32 time<10ms TTL=255

(where P = pod number)

Step 2 From your inside host, ping the outside interface. By default, pinging through the PIX Firewall to a PIX Firewall interface is not allowed:

    C:\>ping 192.168.P.1
    Pinging 192.168.P.2 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

Step 3 Deny all ping requests at the inside interface:

    pixP(config)# icmp deny any echo-reply inside

Step 4 View your ICMP ACL:

    pixP(config)# show icmp
    icmp deny any echo-reply inside

Step 5 From your inside host, ping the PIX Firewall inside interface. The ICMP ACL causes the ping to fail:

    C:\>ping 10.0.P.1
    Pinging 10.0.P.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

Step 6 Enable pinging to your PIX Firewall’s inside interface:

    pixP(config)# clear icmp

Step 7 Verify that you can once again ping the inside interface of your PIX Firewall:

    C:\>ping 10.0.P.1
    Pinging 10.0.P.1 with 32 bytes of data:
    Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
    Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
    Reply from 10.0.P.1: bytes=32 time<10ms TTL=255
    Reply from 10.0.P.1: bytes=32 time<10ms TTL=255

Step 8 From your inside host, ping the outside host. Notice that by default, ICMP is not allowed inbound. This causes the echo reply to fail.

    C:\>ping 192.168.P.2
    Pinging 10.0.P.2 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

Step 9 Enable echo replies from the outside to the inside with the conduit command.

    pixP(config)# conduit permit icmp any any echo-reply

Step 10 From your inside host, ping the outside server:

    C:\>ping 192.168.P.2
    Pinging 192.168.P.2 with 32 bytes of data:
    Reply from 192.168.P.2: bytes=32 time<10ms TTL=128
    Reply from 192.168.P.2: bytes=32 time<10ms TTL=128
    Reply from 192.168.P.2: bytes=32 time<10ms TTL=128
    Reply from 192.168.P.2: bytes=32 time<10ms TTL=128

Step 11 Save your configuration.

    pixP(config)# write memory

Task 2—Configure an Outbound ACL

Configure ACLs on the PIX Firewall that will satisfy the following:
■ Allow outbound web traffic
■ Deny outbound FTP traffic from your internal network to 192.168.P.2
■ Allow all other IP traffic

Step 1 Test web access to the outside server by completing the following steps:
1. Open a web browser on the inside client PC.
2. Use the web browser to access the outside server by entering: http://192.168.P.2 (where P = pod number)
You should be able to access the outside server.

Step 2 Test FTP access to the outside server. On your inside client, attempt to access the outside server:

    Start>Run> ftp 192.168.P.2
    User: administrator
    Password: (no password, just hit Enter)
    User administrator logged in.

You should be able to access the outside server via FTP.

Step 3 Enter an access-list command to create an ACL that allows the internal network Internet access:

    pixP(config)# access-list ACLOUT permit tcp any any eq www

Step 4 Enter the access-group command to create an access group that will bind the ACL to an interface:

    pixP(config)# access-group ACLOUT in interface inside

Step 5 Display the access list you configured. Observe the hit count.

    pixP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    alert-interval 300
    access-list ACLOUT; 1 elements
    access-list ACLOUT line 1 permit tcp any any eq www (hitcnt=0)

Step 6 Test web access to the outside server by completing the following steps:
1. Open a web browser on the inside client PC.
2. Use the web browser to access the outside server by entering: http://192.168.P.2
You should be able to access the outside server.

Step 7 Test FTP access to the outside server. On your inside client, attempt to access the outside server:

    Start>Run> ftp 192.168.P.2
    ftp: connect :Connection refused
    ftp>

The FTP connection should fail due to the implicit deny.

Step 8 Display your access list again and note that the hit count has incremented.

    pixP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    alert-interval 300
    access-list ACLOUT; 1 elements
    access-list ACLOUT line 1 permit tcp any any eq www (hitcnt=1)

Step 9 Remove the access-group command:

    pixP(config)# no access-group ACLOUT in interface inside

Step 10 Add an additional command to the ACL to deny outbound FTP access to host 192.168.P.2:

    pixP(config)# access-list ACLOUT deny tcp 10.0.P.0 255.255.255.0 host 192.168.P.2 eq ftp

Step 11 Add another access-list command statement to permit all other outbound IP traffic.

    pixP(config)# access-list ACLOUT permit ip any any

Step 12 Bind the ACL to an interface by creating an access group:

    pixP(config)# access-group ACLOUT in interface inside

Step 13 View your access list again:

    pixP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    alert-interval 300
    access-list ACLOUT; 3 elements
    access-list ACLOUT line 1 permit tcp any any eq www (hitcnt=1)
    access-list ACLOUT line 2 deny tcp 10.0.P.0 255.255.255.0 host 192.168.P.2 eq ftp (hitcnt=0)
    access-list ACLOUT line 3 permit ip any any (hitcnt=0)

Step 14 Save your configuration.

    pixP(config)# write memory

Task 3—Test and Verify the Outbound ACL

Perform the following steps to test your outbound ACL:

Step 1 Test web access to the outside server by completing the following sub-steps:
1. Open a web browser on the inside client PC.
2. Use the web browser to access the outside server by entering: http://192.168.P.2 (where P = pod number)
You should be able to access the outside server.

Step 2 Test FTP access to the outside server. On your inside client, attempt to access the outside server:

    Start>Run> ftp 192.168.P.2
    ftp: connect :Connection refused
    ftp>

You should be unable to access the outside server via FTP.

Step 3 Test FTP access to the DMZ server. On your inside client, attempt to access the DMZ server:

    Start>Run> ftp 172.16.1.50
    User: administrator
    Password: (no password, just hit Enter)
    User administrator logged in.

You should be able to access the DMZ server via FTP.

Task 4—Configure an Inbound ACL

Configure ACLs on the PIX Firewall that will satisfy the following:
■ Allow inbound web traffic from the outside network to your bastion host
■ Allow inbound FTP traffic from the outside network to your bastion host
■ Allow inbound ICMP traffic to your inside host
■ Deny all other inbound traffic

Step 1 View any conduits you created in previous exercises:

    pixP(config)# show conduit
    conduit permit icmp any any echo-reply (hitcnt=24)

Step 2 Remove any conduits you configured in previous exercises:

    pixP(config)# no conduit permit icmp any any echo-reply

Step 3 Verify that the conduits have been removed:

    pixP(config)# show conduit
    pixP(config)#

Step 4 Add a static mapping for your bastion host:

    pixP(config)# static (dmz, outside) 192.168.P.10 172.16.1.50

Step 5 Add a static mapping for your inside client:

    pixP(config)# static (inside, outside) 192.168.P.11 10.0.P.2

Step 6 Verify the statics are correct:

    pixP(config)# show static
    static (dmz,outside) 192.168.P.10 172.16.1.50 netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.P.11 10.0.P.2 netmask 255.255.255.255 0 0

Step 7 Test outside web access to the bastion host by completing the following steps:
1. Open a web browser on the outside server PC.
2. Use the web browser to access the bastion host by entering: http://192.168.P.10
You should be unable to access the IP address of the static mapped to the bastion host. This is because the static simply maps an outside address to a DMZ address; it does not by itself allow any traffic to flow.

Step 8 Test FTP access to the bastion host by completing the following steps:
1. On your outside server, attempt to access the bastion host:

    Start>Run> ftp 192.168.P.10

You should be unable to access your bastion host via FTP.

Step 9 Test ICMP access to the inside client by completing the following steps:
1. On your outside server, attempt to ping the inside client:

    Start>Run> ping 192.168.P.11

You should be unable to ping the inside client.

Step 10 Create an ACL to permit inbound web and FTP access to the bastion host.

    pixP(config)# access-list ACLIN permit tcp any host 192.168.P.10 eq www
    pixP(config)# access-list ACLIN permit tcp any host 192.168.P.10 eq ftp

Step 11 Add commands to permit inbound ICMP echo traffic to the inside client. All other traffic from the Internet will be denied by the implicit deny.

    pixP(config)# access-list ACLIN permit icmp any host 192.168.P.11 echo

Step 12 Bind the ACL to the outside interface.

    pixP(config)# access-group ACLIN in interface outside

Step 13 Display the access list and observe the hit counts.

    pixP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    alert-interval 300
    access-list ACLOUT; 3 elements
    access-list ACLOUT line 1 permit tcp any any eq www (hitcnt=2)
    access-list ACLOUT line 2 deny tcp 10.0.P.0 255.255.255.0 host 192.168.P.2 eq ftp (hitcnt=3)
    access-list ACLOUT line 3 permit ip any any (hitcnt=0)
    access-list ACLIN; 3 elements
    access-list ACLIN line 1 permit tcp any host 192.168.P.10 eq www (hitcnt=0)
    access-list ACLIN line 2 permit tcp any host 192.168.P.10 eq ftp (hitcnt=0)
    access-list ACLIN line 3 permit icmp any host 192.168.P.11 echo (hitcnt=0)

Step 14 Save your configuration.

    pixP(config)# write memory

Task 5—Test and Verify the Inbound ACL

Perform the following steps to test your inbound ACL:

Step 1 Test web access to the bastion host by completing the following steps:
1. Open a web browser on the outside server.
2. Use the web browser to access the bastion host by entering: http://192.168.P.10 (where P = pod number)
You should now be able to access the IP address of the static mapped to the bastion host.

Step 2 Test FTP access to the bastion host by completing the following steps:
1. On your outside server, attempt to access the bastion host:

    Start>Run> ftp 192.168.P.10

You should now be able to access your bastion host via FTP.

Step 3 Test ICMP echo access to the inside client by completing the following steps:
1. On your outside server, attempt to access the inside client:

    Start>Run> ping 192.168.P.11

You should now be able to ping your inside client.

Step 4 Display the access lists again and observe the hit counts.

    pixP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    alert-interval 300
    access-list ACLOUT; 3 elements
    access-list ACLOUT line 1 permit tcp any any eq www (hitcnt=2)
    access-list ACLOUT line 2 deny tcp 10.0.P.0 255.255.255.0 host 192.168.P.2 eq ftp (hitcnt=3)
    access-list ACLOUT line 3 permit ip any any (hitcnt=4)
    access-list ACLIN; 3 elements
    access-list ACLIN line 1 permit tcp any host 192.168.P.10 eq www (hitcnt=2)
    access-list ACLIN line 2 permit tcp any host 192.168.P.10 eq ftp (hitcnt=1)
    access-list ACLIN line 3 permit icmp any host 192.168.P.11 echo (hitcnt=4)

Task 6—Filter Malicious Active Code

Perform the following lab steps to filter ActiveX and Java. You will not be able to test this task.

Step 1 Enter the filter activex command to block ActiveX from any local host and for connections to any foreign host on port 80:

    pixP(config)# filter activex 80 0 0 0 0

Step 2 Enter the filter java command to block Java applets:

    pixP(config)# filter java 80 0 0 0 0

Step 3 Use the following command to display the filters currently configured:

    pixP(config)# show filter
    filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Step 5 Save your configuration.

    pixP(config)# write memory

Task 7—Configure the PIX Firewall to Work with a URL-Filtering Server

Perform the following steps to configure the PIX Firewall to work with a URL-filtering server:

Step 1 Enter the url-server command to designate the URL-filtering server:

    pixP(config)# url-server (dmz) vendor n2h2 host 172.16.1.50 timeout 5 protocol TCP

(where P = pod number)

Step 2 Show the designated url-server by entering the following command:

    pixP(config)# show url-server
    url-server (dmz) vendor n2h2 host 172.16.1.50 port 4005 timeout 5 protocol TCP

Step 3 Enter the filter url http command to prevent outbound users from accessing WWW URLs that are designated with the filtering application:

    pixP(config)# filter url http 0 0 0 0 allow

Step 4 Use the following command to display the filters currently configured:

    pixP(config)# show filter url
    filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    filter url http [...]

[...] it is probably because the page is cached in the browser. Click on the Refresh button or go to View>Refresh to reload the page.

Step 8 Save your configuration:

    pixP(config)# write memory
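As an added example (not part of the Cisco lab), a small Python model of the first-match ACL evaluation behind Tasks 2 to 5: it parses the lab's ACLOUT and ACLIN lines (pod number P=1 substituted, a constructed sample), replays the flows the lab tests and keeps per-line hit counts like show access-list. It makes the two points the lab demonstrates visible: an outbound FTP flow to 192.168.1.2 is stopped at line 2 and never reaches permit ip any any, and an inbound flow no ACLIN line names (a constructed telnet attempt) falls through to the implicit deny.

```python
import ipaddress
SERVICES = {"www": 80, "ftp": 21, "echo": 8}  # TCP dst ports; ICMP echo is type 8
def _addr(tok):
    # 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' -> (network, remaining tokens)
    if tok[0] == "any": return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host": return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(tok[0] + "/" + tok[1]), tok[2:]
def parse_ace(line):
    # 'access-list NAME permit|deny PROTO SRC DST [eq SVC | ICMPTYPE]' -> dict
    t = line.split()
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    port = None                       # None = any port / any ICMP type
    if rest:                          # 'eq www' for TCP, bare 'echo' for ICMP
        svc = rest[1] if rest[0] == "eq" else rest[0]
        port = SERVICES[svc] if svc in SERVICES else int(svc)
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst,
            "port": port, "hitcnt": 0}

class Acl:
    # First-match evaluation ending in the implicit deny of every PIX ACL.
    def __init__(self, lines):
        self.entries = [parse_ace(l) for l in lines]
    def check(self, proto, src, dst, port=None):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.entries:
            if (ace["proto"] in ("ip", proto) and s in ace["src"]
                    and d in ace["dst"] and ace["port"] in (None, port)):
                ace["hitcnt"] += 1    # the counter 'show access-list' reports
                return ace["action"]
        return "deny"                 # no line matched: implicit deny
    def hitcounts(self):
        return [a["hitcnt"] for a in self.entries]
# The lab's two ACLs with pod number P=1 substituted (constructed sample input).
ACLOUT = Acl(["access-list ACLOUT permit tcp any any eq www",
              "access-list ACLOUT deny tcp 10.0.1.0 255.255.255.0 host 192.168.1.2 eq ftp",
              "access-list ACLOUT permit ip any any"])
ACLIN = Acl(["access-list ACLIN permit tcp any host 192.168.1.10 eq www",
             "access-list ACLIN permit tcp any host 192.168.1.10 eq ftp",
             "access-list ACLIN permit icmp any host 192.168.1.11 echo"])

def lab_results():
    # Replay the flows tested in Tasks 3 and 5, plus one service no line permits.
    return {"out_web": ACLOUT.check("tcp", "10.0.1.2", "192.168.1.2", 80),
            "out_ftp": ACLOUT.check("tcp", "10.0.1.2", "192.168.1.2", 21),
            "out_ftp_dmz": ACLOUT.check("tcp", "10.0.1.2", "172.16.1.50", 21),
            "in_web": ACLIN.check("tcp", "192.168.1.2", "192.168.1.10", 80),
            "in_ftp": ACLIN.check("tcp", "192.168.1.2", "192.168.1.10", 21),
            "in_echo": ACLIN.check("icmp", "192.168.1.2", "192.168.1.11", 8),
            "in_telnet": ACLIN.check("tcp", "192.168.1.2", "192.168.1.10", 23)}
```

Real PIX evaluation also involves the statics and conduits the lab configures; this model covers only the access-list lines themselves.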

Posted: 16/11/2014, 19:51
