Lab Exercise—Configure and Test Advanced Protocol Handling and IDS on the Cisco PIX Firewall

Objectives

In this lab exercise you will complete the following tasks:

- Display the fixup protocol configurations.
- Change the fixup protocol configurations.
- Test the FTP fixup protocol inbound and outbound.
- Set the fixup protocols to default.
- Configure the use of Cisco IDS information and attack signatures and send Cisco IDS Syslog output to a Syslog server.

Visual Objective

The following figure displays the topology of the lab environment used in this exercise.

[Figure: Lab Visual Objective (CSPFA 2.0 slide 4-32, © 2001, Cisco Systems, Inc., www.cisco.com). Inside host (.2) on 10.0.P.0/24 behind the PIX e1 inside interface (.1); Internet server (web, FTP, and TFTP server, 192.168.P.2) on 192.168.P.0/24 behind the PIX e0 outside interface (.1), with 192.168.P.254 leading to the adjacent pod; bastion host (web and FTP server) on 172.16.1.0/24 behind the PIX e2 dmz interface (172.16.1.P). Pods are paired P1-P2, P3-P4, P5-P6, P7-P8, P9-P10.]

Copyright 2003, Cisco Systems, Inc. PIX Advanced Road Show Lab 4-1

Access and Lab Setup

To do this lab exercise, you must be connected to the lab at www.labgear.net. Your instructor will provide the username and password for logging into this site. Once logged on, the lab diagram will be displayed (the picture below is for Pod #1):

To access the PIX Firewall from the main lab diagram, click on the “CONSOLE” icon associated with the PIX Firewall. A window will open to the PIX console. To access the inside or outside clients, click on the appropriate “PC Desktop” icon. For these devices you must first authenticate at the “VNC Authentication” screen before you can access the PC desktop.

Passwords

Use the following passwords for this lab:

- Lab Gear password: Your instructor will provide it.
- PIX password: Either no password (just press the Enter key) or cisco.
- PC client or server: The username is administrator and there is no password (just press the Enter key).
- VNC password: When you connect to the PCs or servers, use a password of cisco at the VNC screen.

Task 1—Display the Fixup Protocol Configurations

Perform the following step and enter the command as directed to see the current configurations of your PIX Firewall:

Step 1  List the fixup protocols that are running on your PIX Firewall:

    pixP(config)# show fixup protocol

In the spaces provided, write the ports assigned to all the fixup protocols:

    ftp        __________
    h323 h225  __________
    h323 ras   __________
    http       __________
    ils        __________
    rsh        __________
    rtsp       __________
    sip        __________
    sip udp    __________
    skinny     __________
    smtp       __________
    sqlnet     __________

Task 2—Change the Fixup Protocol Configurations

If you are using standard services on non-standard ports (like web traffic on port 8080), you can configure the PIX to inspect those ports instead. Perform the following steps and enter the commands as directed to change some of the current configurations of your PIX Firewall:

Step 1  Disable the fixup protocols shown below:

    pixP(config)# no fixup protocol http 80
    pixP(config)# no fixup protocol smtp 25
    pixP(config)# no fixup protocol h323 1720
    pixP(config)# no fixup protocol sqlnet 1521

Step 2  Define a port for RTSP connections:

    pixP(config)# fixup protocol rtsp 554

Step 3  Define a range of ports for SQL*Net connections:

    pixP(config)# fixup protocol sqlnet 66-76

Step 4  Verify the fixup protocol settings using the show fixup protocol command, and then fill in the blanks below using the output from this command:

    pixP(config)# show fixup protocol

    ftp        __________
    h323 h225  __________
    h323 ras   __________
    http       __________
    ils        __________
    rsh        __________
    rtsp       __________
    sip        __________
    sip udp    __________
    skinny     __________
    smtp       __________
    sqlnet     __________
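As an added example, not part of the Cisco lab itself: a Python check that parses show fixup protocol output and reports which inspections have been disabled or moved off the factory-default ports listed in Task 4 of this lab. The "after Task 2" output below is constructed from the commands in Task 2, not captured from a PIX.

```python
import re
# Factory-default fixup lines, as listed in Task 4 of this lab.
DEFAULT_FIXUPS = """\
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
"""
# Constructed sample of "show fixup protocol" after the Task 2 changes (http, smtp, h323 h225 and sqlnet 1521 removed; sqlnet 66-76 added).
MODIFIED_FIXUPS = """\
fixup protocol ftp 21
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol sqlnet 66-76
"""
# Protocol names may be two words (h323 h225, sip udp); ports are a number or a low-high range.
LINE_RE = re.compile(r"^fixup protocol (?P<proto>[a-z][a-z0-9]*(?: [a-z][a-z0-9]*)?) (?P<ports>\d+(?:-\d+)?)$")

def parse_fixups(text):
    """Map each inspected protocol to its set of (low, high) port ranges."""
    fixups = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            lo, _, hi = m.group("ports").partition("-")
            fixups.setdefault(m.group("proto"), set()).add((int(lo), int(hi or lo)))
    return fixups

def audit_fixups(running_text, defaults_text=DEFAULT_FIXUPS):
    """Return (proto, status, default_ports, running_ports) for each deviation from the defaults."""
    running, defaults = parse_fixups(running_text), parse_fixups(defaults_text)
    findings = []
    for proto, ports in sorted(defaults.items()):
        if proto not in running:
            findings.append((proto, "disabled", ports, set()))
        elif running[proto] != ports:
            findings.append((proto, "changed", ports, running[proto]))
    return findings
```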
Task 3—Test the Outbound FTP Fixup Protocol

Perform the following steps and enter the commands as directed to test the outbound FTP fixup protocol:

Step 1  Enable console logging at the debugging level:

    pixP(config)# logging console debugging
    pixP(config)# show log
    Syslog logging: enabled
        Facility: 20
        Timestamp logging: disabled
        Standby logging: disabled
        Console logging: level debugging, 3 messages logged
        Monitor logging: disabled
        Buffer logging: level alerts, 86 messages logged
        Trap logging: level debugging, 1336725 messages logged
            Logging to inside 10.0.P.2
        History logging: disabled
        Device ID: disabled

Step 2  Earlier, you added an access list that does not allow FTP traffic outbound. For this lab, we must remove it. Remove the access-group command:

    pixP(config)# no access-group ACLOUT in interface inside

Step 3  FTP to the outside server from your inside client using the Windows FTP client:

    Start>Run> ftp 192.168.P.2
    User (192.168.P.2:(none)): administrator
    Password: (no password)

Step 4  Do a directory listing at the FTP prompt:

    ftp> dir

A number of messages should appear on the PIX console and on the Syslog server. Try to pick out the messages that look like those shown below. These messages (TCP ports 21 and 20) concern the FTP commands you just ran: the first is the control connection, and the second is the data connection from server port 20, which the FTP fixup permits because it inspects the control channel and opens the port the client requested:

    302013: Built outbound TCP connection 25 for outside:192.168.P.2/21 (192.168.P.2/21) to inside:10.0.P.2/1238 (192.168.P.11/1238)
    302013: Built outbound TCP connection 26 for outside:192.168.P.2/20 (192.168.P.2/20) to inside:10.0.P.2/1239 (192.168.P.11/1239)

Step 5  Quit your FTP session:

    ftp> quit

Step 6  Turn off fixup protocol FTP on your PIX Firewall:

    pixP(config)# no fixup protocol ftp

Step 7  Again, FTP to the outside server from the inside client:

    Start>Run> ftp 192.168.P.2
    User (192.168.P.2:(none)): administrator
    Password: (no password)

Q 1)  Were you able to log into the server? Why or why not?

A)  Yes. Outbound connections are allowed, and only the command channel is set up at this point.

Step 8  Do a directory listing at the FTP prompt:

    ftp> dir

Q 2)  Were you able to see a file listing? Why or why not?

B)  No. A dir command causes the FTP server to open a data connection back to the client. Without the FTP fixup, the PIX Firewall does not allow this data connection from the outside:

    302013: Built outbound TCP connection 29 for outside:192.168.P.2/21 (192.168.P.2/21) to inside:10.0.P.2/1242 (192.168.P.11/1242)
    106023: Deny tcp src outside:192.168.P.2/20 dst inside:192.168.P.11/20 by access-group "ACLIN"

Step 9  Quit your FTP session:

    ftp> quit

Note  If the FTP client is hung, just close the DOS window.

Step 10  Turn off console logging on the PIX Firewall:

    pixP(config)# no logging console

Step 11  Save your configuration:

    pixP(config)# write memory

Task 4—Set the Fixup Protocols to Default

Perform the following steps and enter the commands as directed to set all fixups back to the factory defaults:

Step 1  Set all fixup protocols to the factory defaults:

    pixP(config)# clear fixup

Step 2  Verify the fixup protocol settings:

    pixP(config)# show fixup protocol
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521

Task 5—Configure the Use of IDS Info Signatures and Send Cisco IDS Syslog Output to a Syslog Server

Complete the following steps to configure the use of Cisco IDS Info signatures and to send Cisco IDS Syslog output to a Syslog server:

Step 1  Check that the Syslog server on the inside client is still running and accepting messages (all PIX commands you enter should be getting logged to the Syslog server).
Refer back to PIX Advanced Lab 2, Configure Syslog Output to a Syslog Host or Server from the PIX Firewall, if you need a refresher.

Step 2  Verify that you can ping the inside client from the outside server (where P = pod number):

    C:\> ping 192.168.P.11
    Pinging 192.168.P.1 with 32 bytes of data:
    Reply from 192.168.P.11: bytes=32 time<10ms TTL=128
    Reply from 192.168.P.11: bytes=32 time<10ms TTL=128
    Reply from 192.168.P.11: bytes=32 time<10ms TTL=128
    Reply from 192.168.P.11: bytes=32 time<10ms TTL=128

Step 3  Specify an info policy (INFOPOLICY) on your PIX Firewall:

    pixP(config)# ip audit name INFOPOLICY info action alarm reset

Step 4  Apply the info policy to the outside interface:

    pixP(config)# ip audit interface outside INFOPOLICY

Step 5  Verify that the info policy exists and is applied:

    pix1(config)# sho ip audit interface
    ip audit interface outside INFOPOLICY
    pix1(config)# show ip audit info
    ip audit info action alarm
    pix1(config)# show ip audit name
    ip audit name INFOPOLICY info action alarm reset
    pix1(config)#

Step 6  Return to your Windows command line on the outside server and attempt to ping your inside client. The ping should fail. This is because of the reset keyword on the end of the ip audit command: instead of only raising an alarm, the PIX also drops the packets that match the info signature. Be careful with using reset on this command.

    C:\> ping 192.168.P.11
    Pinging 192.168.P.11 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

Go to the Syslog server and view the Syslog messages sent by the PIX Firewall. The log should be similar to the following:
    400014: IDS:2004 ICMP echo request from 192.168.P.2 to 192.168.P.11 on interface outside
    400014: IDS:2004 ICMP echo request from 192.168.P.2 to 192.168.P.11 on interface outside
    400014: IDS:2004 ICMP echo request from 192.168.P.2 to 192.168.P.11 on interface outside
    400014: IDS:2004 ICMP echo request from 192.168.P.2 to 192.168.P.11 on interface outside

Step 8  Remove the info policy from the outside interface:

    pixP(config)# no ip audit interface outside INFOPOLICY

Step 9  Remove the audit policy INFOPOLICY:

    pixP(config)# no ip audit name INFOPOLICY

Step 10  Verify that the info policy has been removed from the outside interface, the default informational actions have been restored, and the ip audit name has been removed:

    pixP(config)# show ip audit interface
    (<- no output from command)
    pixP(config)# show ip audit info
    ip audit info action alarm
    pixP(config)# show ip audit name

Task 6—Configure the Use of IDS Attack Signatures and Send Cisco IDS Syslog Output to a Syslog Server

Complete the following steps to configure the use of IDS Attack signatures and send IDS Syslog output to a Syslog server:

Step 1  From your outside client command line, ping your inside client with an ICMP packet size of 10,000 bytes (where P = pod number). Large ICMP packets are used in some Denial of Service (DoS) attacks.

    C:\> ping -l 10000 192.168.P.11
    Pinging 192.168.P.11 with 10000 bytes of data:
    Reply from 192.168.P.11: bytes=10000 time<10ms TTL=128
    Reply from 192.168.P.11: bytes=10000 time<10ms TTL=128
    Reply from 192.168.P.11: bytes=10000 time<10ms TTL=128
    Reply from 192.168.P.11: bytes=10000 time<10ms TTL=128

Step 2  Specify an attack policy:

    pixP(config)# ip audit name ATTACKPOLICY attack action alarm reset

Step 3  Apply the attack policy to the outside interface:

    pixP(config)# ip audit interface outside ATTACKPOLICY
Step 4  From your outside client command line, once again ping your inside client with an ICMP packet size of 10,000 bytes. Note that the large packets no longer pass through the PIX Firewall:

    C:\> ping -l 10000 192.168.P.11
    Pinging 192.168.P.11 with 10000 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

Step 5  Go to the Syslog server on the inside client and examine the Syslog messages sent by the PIX Firewall. The log should be similar to the following:

    400025: IDS:2154 ICMP ping of death from 192.168.P.2 to 192.168.P.11 on interface outside
    400023: IDS:2150 ICMP fragment from 192.168.P.2 to 192.168.P.11 on interface outside
    400023: IDS:2150 ICMP fragment from 192.168.P.2 to 192.168.P.11 on interface outside
    400023: IDS:2150 ICMP fragment from 192.168.P.2 to 192.168.P.11 on interface outside
    400023: IDS:2150 ICMP fragment from 192.168.P.2 to 192.168.P.11 on interface outside
    400023: IDS:2150 ICMP fragment from 192.168.P.2 to 192.168.P.11 on interface outside
    400023: IDS:2150 ICMP fragment from 192.168.P.2 to 192.168.P.11 on interface outside
    400025: IDS:2154 ICMP ping of death from 192.168.P.2 to 192.168.P.11 on interface outside

Step 6  Remove the attack policy from the outside interface:

    pixP(config)# no ip audit interface outside ATTACKPOLICY

Step 7  Remove the audit policy:

    pixP(config)# no ip audit name ATTACKPOLICY

Step 8  Verify that the attack policy has been removed from the outside interface, the default attack actions have been restored, and the ip audit name has been removed:

    pixP(config)# show ip audit interface
    pixP(config)# show ip audit attack
    ip audit attack action alarm
    pixP(config)# show ip audit name

Step 9  Save your configuration:

    pixP(config)# write memory

This completes this lab.
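As an added example, not part of the Cisco lab: a Python parser for the PIX syslog formats shown in Tasks 3, 5 and 6 (message IDs 106023 and the 4000xx IDS messages) that counts IDS signature hits per source address and flags denied inbound FTP data-channel connections, the symptom seen in Task 3 once the ftp fixup is turned off. The log lines are constructed with pod P = 1 and were not captured from a device.

```python
import re
from collections import Counter

# Constructed sample lines in the formats shown in Tasks 3, 5 and 6 of this lab
# (pod P = 1 substituted). Not captured from a real PIX.
SAMPLE_LOG = """\
302013: Built outbound TCP connection 25 for outside:192.168.1.2/21 (192.168.1.2/21) to inside:10.0.1.2/1238 (192.168.1.11/1238)
302013: Built outbound TCP connection 26 for outside:192.168.1.2/20 (192.168.1.2/20) to inside:10.0.1.2/1239 (192.168.1.11/1239)
106023: Deny tcp src outside:192.168.1.2/20 dst inside:192.168.1.11/20 by access-group "ACLIN"
400014: IDS:2004 ICMP echo request from 192.168.1.2 to 192.168.1.11 on interface outside
400025: IDS:2154 ICMP ping of death from 192.168.1.2 to 192.168.1.11 on interface outside
400023: IDS:2150 ICMP fragment from 192.168.1.2 to 192.168.1.11 on interface outside
400023: IDS:2150 ICMP fragment from 192.168.1.2 to 192.168.1.11 on interface outside
"""

# 4000xx IDS messages: "<msgid>: IDS:<signature> <description> from <src> to <dst> on interface <iface>"
IDS_RE = re.compile(r"^(?P<msgid>4000\d\d): IDS:(?P<sig>\d+) (?P<desc>.+?) from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<iface>\w+)$")
# 106023 access-group denies: "Deny <proto> src <iface>:<ip>/<port> dst <iface>:<ip>/<port> by access-group "<acl>""
DENY_RE = re.compile(r'^106023: Deny (?P<proto>\w+) src (?P<siface>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) dst (?P<diface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"$')

def parse_line(line):
    """Classify one PIX syslog line into a dict; formats not handled here (e.g. 302013) return None."""
    m = IDS_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"], rec["sig"] = "ids", int(rec["sig"])
        return rec
    m = DENY_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "deny"
        return rec
    return None

def summarize(log_text):
    """Count IDS hits per (signature, source) and list denied FTP data-channel (server port 20) connections."""
    ids_hits = Counter()
    ftp_data_denies = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "ids":
            ids_hits[(rec["sig"], rec["src"])] += 1
        elif rec["proto"] == "tcp" and rec["sport"] == "20":
            # An FTP server connecting back from port 20 (active-mode data channel) and being
            # denied by the inbound ACL is what Task 3 shows when the ftp fixup is disabled.
            ftp_data_denies.append((rec["src"], rec["dst"], rec["acl"]))
    return ids_hits, ftp_data_denies
```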