09-29-2021 06:43 PM
For a router, IF one interface is connected to a trusted zone and one is connected to an untrusted zone, how would I apply an ACL 110 inbound on an appropriate interface to deny all IP traffic, an ACL 120 to permit TCP port 443 traffic and permit any ICMP traffic and configure an inspection that inspects appropriate packets?
Is this right?
access-list 110 deny ip any any
access-list 120 permit tcp any eq 443 any
access-list 120 permit icmp any any echo
hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect
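Added example, not from the thread: a small Python evaluator for the kind of numbered extended ACL lines shown above. It illustrates why `permit tcp any eq 443 any` matches traffic whose source port is 443 rather than traffic sent to port 443, and why `permit icmp any any echo` covers only echo requests. The Packet class, rule tuples and sample packets are constructed for this illustration and are not IOS code.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0       # TCP/UDP source port
    dport: int = 0       # TCP/UDP destination port
    icmp_type: str = ""  # ICMP message type name, e.g. "echo" or "echo-reply"

def _parse_side(tokens, i):
    """Parse one address spec (only 'any', as in the question) plus optional 'eq <port>'."""
    assert tokens[i] == "any", "toy parser: only 'any' addresses are supported"
    i += 1
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    return None, i

def parse_acl(lines):
    """Parse 'access-list N action proto src [eq p] dst [eq p] [icmp-type]' lines."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        sport, i = _parse_side(t, 4)
        dport, i = _parse_side(t, i)
        icmp_type = t[i] if i < len(t) else None
        rules.append((t[2], t[3], sport, dport, icmp_type))
    return rules

def evaluate(rules, pkt):
    """Top-down, first match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for action, proto, sport, dport, icmp_type in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if sport is not None and str(pkt.sport) != sport:
            continue
        if dport is not None and str(pkt.dport) != dport:
            continue
        if icmp_type is not None and pkt.icmp_type != icmp_type:
            continue
        return action
    return "deny"

# ACL 120 as written in the question, beside the form matching the lab wording
# ("permit tcp port 443 traffic and also permit any icmp traffic").
ASKED = ["access-list 120 permit tcp any eq 443 any",   # matches SOURCE port 443
         "access-list 120 permit icmp any any echo"]    # echo requests only
INTENDED = ["access-list 120 permit tcp any any eq 443",  # DESTINATION port 443
            "access-list 120 permit icmp any any"]        # every ICMP type
HTTPS_REQUEST = Packet("tcp", sport=50123, dport=443)   # constructed client request
ECHO_REPLY = Packet("icmp", icmp_type="echo-reply")     # constructed ping reply
```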
09-30-2021 12:34 AM
Hello,
are you talking about a zone based firewall? If so, you don't use access lists and zones together on the same interface.
09-30-2021 01:15 AM
It's a Cisco Packet Tracer lab exercise I'm stuck on. The ACL needs to be configured on Milton. Its fa0/0 interface is connected to a trusted zone and its s0/0/0 interface is connected to an untrusted zone. ACL 110 is already configured, it just needs to be applied, and ACL 120 is already applied to an interface.
I'm just confirming if this is right:
What's missing? What needs correction? Is the placement wrong?
Can you confirm?
09-30-2021 02:12 AM
Hello,
can you send the zipped project (.pkt) file ?
09-30-2021 02:34 AM - edited 09-30-2021 02:35 AM
Hello
@sanjayh23 wrote:
its s0/0/0 interface is connected to an untrusted zone. ACL 110 is already configured, it just needs to be applied and ACL 120 is already applied to an interface.
By default, in Cisco ASA any interface that has a lower security-level CANNOT ping a higher security-level interface.
Example
inside interface = 100
outside = 0
So any device connected to that untrusted interface will have a low level security value if not zero as such it won’t be able to initiate any communication to the FW
09-30-2021 03:27 AM
Hello,
deny ip any any applied to any interface will block any and all traffic through that interface. As stated, it is difficult to figure out what you are running into, as we don't know what your configs look like (ZBF or not). If you cannot post the project file, at the very least post the full running configs of both routers (sh run)...
09-30-2021 05:08 AM - edited 09-30-2021 05:11 AM
Milton
Island
09-30-2021 05:26 AM
Hello,
post the zipped project (.pkt) file. Your output is difficult to interpret (e.g. you are running RIP on one router but not the other, the other router has no routing at all, and I see access lists that are not applied anywhere, or applied but do not exist)...
You can ZIP the .pkt file and just post it here...
09-30-2021 07:31 AM - edited 10-12-2021 01:29 AM
09-30-2021 10:50 AM
Hello,
sorry for the confusion, but the 'class-map inspection_default' command is an ASA command, you are trying to configure this on a router ?
Do you have the full project specs/requirements ?
09-30-2021 11:37 AM
In this part of the classic firewall network, the Milton fa0/0 connects to a trusted zone.
The Milton s0/0/0 connects to an untrusted zone.
A. On Milton, apply ACL 110 inbound on an appropriate interface to deny all ip traffic (ACL 110 is already configured, just apply it)
B. On Milton, configure an ACL 120 to permit tcp port 443 traffic and also permit any icmp traffic. (ACL 120 is already applied to an interface)
C. On Milton, configure an inspection called TEST_FW that inspects appropriate packets
D. Apply this inspection called TEST_FW inbound on the Milton fa0/0
E. Enable audit messages to provide a record of network access through the firewall.
F. Enable time stamped logging of inspection packets to the local Milton server at 10.1.100.254
G. Check that the time stamped logging occurs for inspection audit.
09-30-2021 10:28 PM
Well?
10-01-2021 01:46 PM
Hello,
a classical CBAC config would look like this, I am not really sure what they are looking for (ACL 110 does not really fit in, the inspect must be outbound):
Current configuration : 1097 bytes
!
version 12.4
service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Hamburg31_test
!
ip cef
no ipv6 cef
!
--> ip inspect audit-trail
--> ip inspect name TEST_FW icmp audit-trail on timeout 10
--> ip inspect name TEST_FW tcp audit-trail on timeout 3600
spanning-tree mode pvst
!
interface Loopback0
ip address 10.1.102.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.100.1 255.255.255.0
--> ip access-group 120 in
--> ip inspect TEST_FW out
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.1.101.1 255.255.255.252
!
interface Serial0/0/1
no ip address
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.101.2
!
ip flow-export version 9
!
--> access-list 120 deny tcp any any eq 443
--> access-list 120 deny icmp any any
!
--> logging 10.1.100.254
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
10-01-2021 07:39 PM - edited 10-01-2021 07:41 PM
Thank you
10-02-2021 02:55 PM
Hello,
here are the IPv6 tunnel configs:
Hamburg3#sh run
Building configuration...
Current configuration : 1385 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Hamburg3
!
logging userinfo
!
ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
ip domain-name gss.com
!
spanning-tree mode pvst
!
interface Tunnel1
no ip address
mtu 1476
ipv6 address 2001:172:16:1::1/64
ipv6 eigrp 2
tunnel source FastEthernet0/0
tunnel destination 142.1.1.2
tunnel mode ipv6ip
!
interface FastEthernet0/0
ip address 142.1.1.1 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.1.1.1 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
ipv6 address 2001:192:1:1::1/64
ipv6 eigrp 2
!
interface Serial0/0/0
ip address 10.1.101.2 255.255.255.252
clock rate 2000000
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
!
router rip
network 142.1.0.0
network 192.1.1.0
!
ipv6 router eigrp 2
no shutdown
!
ip classless
!
ip flow-export version 9
!
ip access-list extended sl_def_acl
deny tcp any any eq telnet
deny tcp any any eq www
deny tcp any any eq 22
permit tcp any any eq 22
!
no cdp run
!
banner motd ^C
Hamburg router
^C
!
line con 0
!
line aux 0
!
line vty 0 1
login local
line vty 2 4
login
!
end
Munich3#sh run
Building configuration...
Current configuration : 1320 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Munich3
!
ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
spanning-tree mode pvst
!
interface Tunnel1
no ip address
mtu 1476
ipv6 address 2001:172:16:1::2/54
ipv6 eigrp 2
tunnel source FastEthernet0/0
tunnel destination 142.1.1.1
tunnel mode ipv6ip
!
!
interface FastEthernet0/0
ip address 142.1.1.2 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
ipv6 address 2001:10:1:1::1/64
ipv6 eigrp 2
ipv6 rip 1 enable
!
interface Serial0/0/0
ip address 179.1.1.1 255.255.255.252
ipv6 address 2001:179:1:1::1/64
ipv6 rip 1 enable
clock rate 2000000
!
interface Serial0/0/1
ip address 210.1.1.1 255.255.255.252
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
!
router rip
network 142.1.0.0
network 179.1.0.0
!
ipv6 router eigrp 2
no shutdown
!
ipv6 router rip 1
!
ip classless
!
ip flow-export version 9
!
no cdp run
!
banner motd ^C
Munich router
^C
!
line con 0
!
line aux 0
!
line vty 0 4
password cisco
no login
line vty 5
password cisco
no login
!
end