CCNP(ISCW) Lab – CBAC Configure

ISCW introduction:

Exam Number/Code: 642-825

Exam Name: ISCW – Implementing Secure Converged Wide Area Networks

The Implementing Secure Converged Wide Area Networks (ISCW 642-825) is a qualifying exam for the Cisco Certified Network Professional CCNP®. The ISCW 642-825 exam will certify that the successful candidate has important knowledge and skills necessary to secure and expand the reach of an enterprise network to teleworkers and remote sites with focus on securing remote access and VPN client configuration. The exam covers topics on Cisco hierarchical network model as it pertains to the WAN, teleworker configuration and access, frame mode MPLS, site-to-site IPSEC VPN, Cisco EZVPN, strategies used to mitigate network attacks, Cisco device hardening and IOS firewall features.

LAB: CBAC Configure.

Environment: three routers connected in a chain over their serial ports; the addresses are as shown in the figure.
Requirements: configure CBAC on R2 for access control, so that only R1 may telnet to R3 and ping R3, while R3 is not allowed to access R1.

(Figure: topology map)

Step 1: interface connectivity configuration
R1(config)# int s0
R1(config-if)# ip add 10.1.1.1 255.255.255.0
R1(config-if)# clock rate 64000
R1(config-if)# no shutdown
R1(config)# ip route 20.1.1.0 255.255.255.0 10.1.1.2 // static route so that R1 can reach R3

R2 is directly connected to both networks, so it needs no routing configuration.
R2(config)# int s1
R2(config-if)# ip address 10.1.1.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# int s0
R2(config-if)# ip add 20.1.1.1 255.255.255.0
R2(config-if)# clock rate 64000
R2(config-if)# no shutdown

R3(config)# int s1
R3(config-if)# ip add 20.1.1.2 255.255.255.0
R3(config-if)# clock rate 64000
R3(config-if)# no sh
R3(config)# ip route 10.1.1.0 255.255.255.0 20.1.1.1 // static route so that R3 can reach R1

Step 2: testing connectivity
R1# ping 20.1.1.2 // R3 interface address
!!!!!

R3# ping 10.1.1.1 // R1 interface address
!!!!!

Step 3: configure R3 as a telnet server and set the privilege password
R3(config)# username cisco password cisco // set the username and password
R3(config)# enable secret cisco // privilege password; without it a remote session cannot enter privileged mode
R3(config)# line vty 0 4
R3(config-line)# login local // remote login authenticates against the local database

Step 4: test the telnet configuration
R1# telnet 20.1.1.2 // telnet to R3; the connection is established
Trying 20.1.1.2 … Open

User Access Verification

Username: cisco // enter the username and password set earlier
Password:
R3> en
Password:
R3#

Step 5: CBAC and access control settings
R2(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255 any // allow all traffic from the inside network
R2(config)# access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
// allow the returning ping replies
R2(config)# access-list 101 deny ip any any // deny all other traffic
R2(config)# ip inspect name cbac_telnet tcp // define the CBAC inspection rule for TCP and UDP
R2(config)# ip inspect name cbac_telnet udp
R2(config)# int s1
R2(config-if)# ip access-group 100 in // apply the inside access list inbound; CBAC is not yet applied
R2(config)# int s0
R2(config-if)# ip access-group 101 in // apply the outside access list inbound

Step 6: test without CBAC applied, and view the access lists on R2
R1# telnet 20.1.1.2 // the remote connection fails
Trying 20.1.1.2 …
% Connection timed out; remote host not responding

R2# show ip access-lists // display the access lists on R2
Extended IP access list 100
permit ip 10.1.1.0 0.0.0.255 any (30 matches)
Extended IP access list 101

permit icmp any 10.1.1.0 0.0.0.255 echo-reply (5 matches)
deny ip any any // no dynamic entry has been added

Step 7: apply CBAC to the interface
R2(config)# int s1
R2(config-if)# ip inspect cbac_telnet in // apply the CBAC inspection rule

Step 8: telnet test from R1, then view the access-list entries on R2
R1# telnet 20.1.1.2
Trying 20.1.1.2 … Open // connection successful

User Access Verification

Username: cisco
Password:
R3> en
Password:
R3#

R2# show ip access-lists // view the access-list entries
Extended IP access list 100
permit ip 10.1.1.0 0.0.0.255 any (65 matches)
Extended IP access list 101
permit tcp host 20.1.1.2 eq telnet host 10.1.1.1 eq 11005 (27 matches)
// a dynamic entry has been created for the session; the CBAC experiment succeeded
permit icmp any 10.1.1.0 0.0.0.255 echo-reply (5 matches)
deny ip any any
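To make the behaviour seen in steps 5 to 8 concrete, here is an added Python model of R2's two ACLs and the cbac_telnet inspection rule (example code, not IOS and not part of the lab). It assumes the inbound ACL on Serial1 is evaluated before inspection, that CBAC places its dynamic entries ahead of ACL 101's static lines, and that R1's telnet client uses the ephemeral port 11005 shown in the show ip access-lists output; the packets are constructed 5-tuples using the lab's addresses.

```python
# Added example (not IOS code, not from the lab): a Python model of R2's ACLs and
# CBAC rule; packets are constructed 5-tuples with the lab's addresses and port 11005.
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.1.1.0/24")
R1, R3, TELNET, EPHEMERAL = "10.1.1.1", "20.1.1.2", 23, 11005

def pkt(proto, src, sport, dst, dport, icmp_type=None):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "type": icmp_type}

class R2:
    def __init__(self, inspect_enabled):
        self.inspect_enabled = inspect_enabled
        self.dynamic = set()  # entries CBAC inserts ahead of ACL 101's static lines

    def acl100(self, p):  # access-list 100 permit ip 10.1.1.0 0.0.0.255 any
        return ip_address(p["src"]) in INSIDE_NET

    def acl101(self, p):  # dynamic entries first, then the two static lines
        if (p["proto"], p["src"], p["sport"], p["dst"], p["dport"]) in self.dynamic:
            return True
        if p["proto"] == "icmp" and p["type"] == "echo-reply" \
                and ip_address(p["dst"]) in INSIDE_NET:
            return True  # permit icmp any 10.1.1.0 0.0.0.255 echo-reply
        return False     # deny ip any any

    def from_inside(self, p):  # Serial1 inbound: ACL 100, then ip inspect
        if not self.acl100(p):
            return "dropped"
        if self.inspect_enabled and p["proto"] in ("tcp", "udp"):
            # CBAC tracks the session and opens the reverse 5-tuple on ACL 101
            self.dynamic.add((p["proto"], p["dst"], p["dport"], p["src"], p["sport"]))
        return "forwarded"

    def from_outside(self, p):  # Serial0 inbound: ACL 101 only
        return "forwarded" if self.acl101(p) else "dropped"

def r1_telnet_r3(inspect_enabled):  # (SYN result, SYN/ACK result) for R1 -> R3
    r2 = R2(inspect_enabled)
    syn = r2.from_inside(pkt("tcp", R1, EPHEMERAL, R3, TELNET))
    return syn, r2.from_outside(pkt("tcp", R3, TELNET, R1, EPHEMERAL))

def r3_telnet_r1(inspect_enabled):  # R3-initiated telnet never gets a dynamic entry
    return R2(inspect_enabled).from_outside(pkt("tcp", R3, EPHEMERAL, R1, TELNET))

def r1_ping_r3(inspect_enabled):  # ICMP is not inspected; the static echo-reply line suffices
    r2 = R2(inspect_enabled)
    req = r2.from_inside(pkt("icmp", R1, 0, R3, 0, "echo-request"))
    return req, r2.from_outside(pkt("icmp", R3, 0, R1, 0, "echo-reply"))
```

Without inspection the SYN leaves but the SYN/ACK is dropped by ACL 101 (the timeout in step 6); with inspection the reverse entry lets it through (step 8), while a telnet started by R3 is still denied.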

Step 9: display the current configuration
R1# show run
hostname R1
!
interface Serial0
ip address 10.1.1.1 255.255.255.0
clockrate 64000
!
ip route 20.1.1.0 255.255.255.0 10.1.1.2
!
end

R2# show run
hostname R2
!
ip inspect name cbac_telnet tcp
ip inspect name cbac_telnet udp
!
interface Serial0
ip address 20.1.1.1 255.255.255.0
ip access-group 101 in
!
interface Serial1
ip address 10.1.1.2 255.255.255.0
ip access-group 100 in
ip inspect cbac_telnet in
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
access-list 101 deny ip any any
!
end

R3# show run
hostname R3
!
enable secret 5 $1$61vK$zLV502ahdm0EMkg/rhcHW1
!
username cisco password 0 cisco
!
interface Serial1
ip address 20.1.1.2 255.255.255.0
clockrate 64000
!
ip route 10.1.1.0 255.255.255.0 20.1.1.1
!
line vty 0 4
login local
!
end
