Lab 7

Adding stateless firewall functions to Cisco IOS and JunOS routers.

In this lab we will be implementing stateless firewall functions on our routers.

Step one will be to trade back workstation ws1. The switch port eth1 should be made an access port for YOUR VLAN XX1, which carries your net1 (10.XX.1.0/25). Make sure ws1 gets your network address via DHCP.

The protections we want to implement are:


	1. Allow SSH (tcp destined to port 22) from 
		10.0.0.0/8
		131.94.132.8/32 (ocelot.aul.fiu.edu)
	   into your entire network (10.XX.0.0/16). 
	   Disallow all other SSH (tcp destined to port 22) to YOUR network.
	   Allow all other traffic inbound to your network.
	   These will be implemented on the border routers.
	   This will apply to traffic that goes through the router. 
           There is already a firewall rule applied to traffic that
	   tries to talk to the router (we put that in in lab2).



	2. Net 3 (10.XX.2.0/24) is our server network, which has our web server on it.
	   Allow connections destined to tcp ports 80 and 443 from any source to 10.XX.2.0/24.
	   Allow DNS server responces (source port tcp/udp port 53) from any source to 10.XX.2.0/24. 
	   Allow ICMP from any source to 10.XX.2.0/24.
	   Allow any data from hosts on your network (10.XX.0.0/16) to 10.XX.2.0/24.
	   Disallow all other traffic destined to Net3.
	   

Part one will be done via firewall rules on the BR and on R2.

Part two should be done via firewall rules on R3.
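As an added illustration (not part of the lab handout or of any router configuration), the following Python model evaluates the Net 3 policy from part two as an ordered, first-match entry list with an implicit deny at the end, which is how an IOS extended ACL or a Junos firewall filter processes a packet. The group number XX=5, the server address and the sample packets are constructed; the last sample shows the limitation of matching DNS replies by source port alone in a stateless filter.

```python
import ipaddress
from dataclasses import dataclass

XX = 5  # constructed group number; the lab uses 10.XX.0.0/16
SITE = ipaddress.ip_network(f"10.{XX}.0.0/16")  # whole group network
NET3 = ipaddress.ip_network(f"10.{XX}.2.0/24")  # server network (Net 3)
SRV = f"10.{XX}.2.10"                           # constructed web server address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0  # 0 means "not applicable" (ICMP)
    dport: int = 0


def _in(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


# Ordered entries mirroring part two of the lab. As in an IOS ACL or a Junos
# filter, evaluation stops at the first match; anything else hits the implicit deny.
NET3_RULES = [
    ("web",       lambda p: p.proto == "tcp" and p.dport in (80, 443)),
    ("dns-reply", lambda p: p.proto in ("tcp", "udp") and p.sport == 53),
    ("icmp",      lambda p: p.proto == "icmp"),
    ("internal",  lambda p: _in(p.src, SITE)),
]


def filter_net3(p: Packet) -> tuple[str, str]:
    """Decision for a packet entering Net 3: (action, entry that decided it)."""
    if not _in(p.dst, NET3):
        return ("permit", "not-net3")  # the filter only governs Net 3-bound traffic
    for name, match in NET3_RULES:
        if match(p):
            return ("permit", name)
    return ("deny", "implicit-deny")


# Constructed sample traffic arriving at R3 for Net 3.
SAMPLES = {
    "https-from-internet": Packet("198.51.100.4", SRV, "tcp", 51000, 443),
    "dns-reply":           Packet("10.0.0.53", SRV, "udp", 53, 40123),
    "ssh-from-internet":   Packet("203.0.113.7", SRV, "tcp", 51001, 22),
    "ssh-from-net1":       Packet(f"10.{XX}.1.20", SRV, "tcp", 51002, 22),
    "ping-from-internet":  Packet("203.0.113.7", SRV, "icmp"),
    # Stateless limitation: any packet with source port 53 satisfies the
    # dns-reply entry whatever its destination port. Only a stateful filter
    # can tie a reply to an earlier query from inside Net 3.
    "stateless-gap":       Packet("203.0.113.7", SRV, "tcp", 53, 22),
}


def evaluate_all() -> dict[str, tuple[str, str]]:
    return {name: filter_net3(p) for name, p in SAMPLES.items()}
```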

Grading will be as follows:

Proper function: Group grade (20 points)

The "firewall" stanzas of the BR, as well as the interface stanzas needed to implement them, and the full config files of R2 and R3. (3 points)

Answers to the questions below: 27 points (9 points each)

Question1:
Design a "firewall filter" which will be applied on br fxp0 outbound and will implement BCP38: only allow traffic out of your network if it has a source address within your network's /16 or your neighbor's /16. You should also allow out traffic that is sourced from the br fxp0 IP address itself. Also show the ip access-list statements you would apply outbound on R2 eth1/2 (the other "border interface") to do the same thing. Also allow your R2 eth1/2's actual address out too, if the R2 eth1/2 address is not part of your /16. Show this as the output of a show statement, not the input commands you would use. (9 points)

Question2:
Show the ip access-list extended statements you would use on R2 and on R3 if you wanted to prevent your workstations (on net1 or net2) from sending mail (connecting to TCP destination port 25) to any host in the world except 131.94.130.107. All other IP traffic is OK. Also show which interface(s) the ACL would be applied to, and in which direction. Show this as the output of a show statement, not the input commands you would use. For this you can assume NO other preexisting firewall rules on R2/R3. (9 points)

Question3:
Extend the ACLs from question two to only allow outbound TCP to ports 80/443 and outbound UDP to port 53 from nets 1/2. Also allow all ICMP. Deny all other traffic. (9 points)