{"id":644,"date":"2010-04-05T09:18:37","date_gmt":"2010-04-05T08:18:37","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=644"},"modified":"2010-04-11T09:30:17","modified_gmt":"2010-04-11T08:30:17","slug":"quick-practice-lab-configure-cbac","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=644","title":{"rendered":"Quick Practice Lab: Configure CBAC"},"content":{"rendered":"<p>This quick lab demonstrates how CBAC (Context-Based Access Control, the classic IOS stateful inspection firewall) is configured and applied to interfaces.<\/p>\n<p><!--more--><\/p>\n<p>&#8220;Gateway&#8221; has two interfaces: FastEthernet0\/0 (10.10.11.2\/24) faces the Internal network and FastEthernet0\/1 (10.20.1.2\/24) faces the External network. The outside interface is configured with an inbound ACL, cbac_acl, that denies all traffic, so nothing from External can start a connection into the network. To allow internal machines to ping and telnet to the external network, the inspection rule &#8220;testcbac&#8221; is applied inbound on the inside interface with &#8220;ip inspect&#8221; entries for telnet, tcp, and icmp. CBAC inspects each session that enters FastEthernet0\/0 from Internal, records it in its session table, and inserts a temporary permit entry for the matching return traffic ahead of the deny in cbac_acl. That entry is removed when the session closes or goes idle for longer than the per-protocol timeout (3600 seconds for telnet and tcp, 10 seconds for icmp, as reported by &#8220;show ip inspect all&#8221; below). Telnet (port 23) is handled by the application-specific telnet entry; the generic tcp entry covers all other TCP sessions.<\/p>\n<p><strong>Testing CBAC:<\/strong><\/p>\n<ol>\n<li>Ping 10.10.11.1 from External. The ping should fail: the echo request arrives inbound on FastEthernet0\/1, where cbac_acl denies it, and no inspected session exists that would have opened the return path.<\/li>\n<li>Ping 10.20.1.1 from Internal. The ping should succeed: the echo request is inspected on FastEthernet0\/0 and CBAC opens a temporary entry in cbac_acl for the matching echo reply.<\/li>\n<li>Telnet to 10.20.1.1 from Internal. 
The telnet should succeed for the same reason. While the session is open, &#8220;show ip inspect sessions&#8221; lists it and &#8220;show ip access-lists cbac_acl&#8221; shows the dynamic permit entry above the configured deny ip any any; a connection attempt from External to 10.10.11.1 is still denied, because the opening matches only the return half of the inspected session.<\/li>\n<\/ol>\n<p><a rel=\"attachment wp-att-645\" href=\"http:\/\/darenmatthews.com\/blog\/?attachment_id=645\"><img loading=\"lazy\" class=\"alignnone size-full wp-image-645\" title=\"CBAC - Practice Lab\" src=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/CBAC-Practice-Lab.JPG\" alt=\"CBAC - Practice Lab\" width=\"654\" height=\"364\" srcset=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/CBAC-Practice-Lab.JPG 654w, http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/CBAC-Practice-Lab-300x166.jpg 300w\" sizes=\"(max-width: 654px) 100vw, 654px\" \/><\/a><\/p>\n<p>Configuration on &#8220;Gateway&#8221;:<\/p>\n<blockquote><p>hostname Gateway<br \/>\n!<br \/>\nusername cisco password 0 cisco<br \/>\n!<br \/>\nip ssh version 1<br \/>\n!<br \/>\nip inspect audit-trail<br \/>\nip inspect name testcbac telnet<br \/>\nip inspect name testcbac tcp<br \/>\nip inspect name testcbac icmp<br \/>\n!<br \/>\ninterface FastEthernet0\/0<br \/>\nip address 10.10.11.2 255.255.255.0<br \/>\nip inspect testcbac in<br \/>\nduplex auto<br \/>\nspeed auto<br \/>\n!<br \/>\ninterface FastEthernet0\/1<br \/>\nip address 10.20.1.2 255.255.255.0<br \/>\nip access-group cbac_acl in<br \/>\nduplex auto<br \/>\nspeed auto<br \/>\n!<br \/>\ninterface Vlan1<br \/>\nno ip address<br \/>\nshutdown<br \/>\n!<br \/>\nip classless<br \/>\nip route 10.10.11.0 255.255.255.0 10.10.11.1<br \/>\nip route 20.20.1.0 255.255.255.0 20.20.1.1<br \/>\n!<br \/>\nip access-list extended cbac_acl<br \/>\ndeny ip any any<br \/>\n!<br \/>\nline con 0<br \/>\nline vty 0 4<br \/>\npassword cisco<br \/>\nlogin<br \/>\n!<br \/>\nend<\/p><\/blockquote>\n<p>Two notes on this configuration. The static routes are not needed for the lab, since both networks are directly connected to Gateway, and the 20.20.1.0 route (probably a typo for 10.20.1.0) points at a next hop Gateway has no route to. The management settings (&#8220;ip ssh version 1&#8221;, the plaintext &#8220;username cisco password 0 cisco&#8221;, and vty lines reachable by telnet with the password &#8220;cisco&#8221;) are lab conveniences only and should not be carried into a production configuration. Also, icmp inspection is only available on IOS images that support it; on an older image the echo reply would have to be permitted explicitly in cbac_acl for test 2 to pass.<\/p>\n<p>Success Criteria:<\/p>\n<p>The three tests behave as described above, and &#8220;show ip inspect all&#8221; confirms that testcbac is bound inbound on FastEthernet0\/0 with the per-protocol timeouts. cbac_acl does not appear in this output because it is applied on FastEthernet0\/1, which carries no inspection rule:<\/p>\n<blockquote><p>Gateway#sh ip inspect all<br \/>\nSession audit trail is enabled<br \/>\nSession alert is enabled<br \/>\none-minute (sampling period) thresholds are [unlimited : unlimited] connections<br \/>\nmax-incomplete sessions 
thresholds are [unlimited : unlimited]<br \/>\nmax-incomplete tcp connections per host is unlimited. Block-time 0 minute.<br \/>\ntcp synwait-time is 30 sec -- tcp finwait-time is 5 sec<br \/>\ntcp idle-time is 3600 sec -- udp idle-time is 30 sec<br \/>\ntcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes<br \/>\ndns-timeout is 5 sec<br \/>\nInspection Rule Configuration<br \/>\nInspection name testcbac<br \/>\ntelnet alert is on audit-trail is on timeout 3600<br \/>\ntcp alert is on audit-trail is on timeout 3600<br \/>\nicmp alert is on audit-trail is on timeout 10<\/p>\n<p>Interface Configuration<br \/>\nInterface FastEthernet0\/0<br \/>\nInbound inspection rule is testcbac<br \/>\ntelnet alert is on audit-trail is on timeout 3600<br \/>\ntcp alert is on audit-trail is on timeout 3600<br \/>\nicmp alert is on audit-trail is on timeout 10<br \/>\nOutgoing inspection rule is not set<br \/>\nInbound access list is not set<br \/>\nOutgoing access list is not set<\/p>\n<p>Gateway#<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>This quick lab demonstrates how CBAC is configured and applied to 
interfaces.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83,13],"tags":[24],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/644"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=644"}],"version-history":[{"count":11,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/644\/revisions"}],"predecessor-version":[{"id":676,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/644\/revisions\/676"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=644"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
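The three lab tests in the post above exercise one mechanism: the deny-all ACL on FastEthernet0/1 blocks everything from External, and inspection inbound on FastEthernet0/0 opens the return path only for sessions that Internal hosts started, for as long as the per-protocol idle timeout allows. The Python below is an added example, not code from the original post or from Cisco: a small model of that behaviour with a session table keyed the way CBAC matches return traffic, the timeouts from the show ip inspect all output, and an audit trail in the spirit of ip inspect audit-trail. It runs the three tests from the post and goes beyond them with the checks the text implies: an unsolicited echo from External is dropped even while an Internal ping session is open, a late echo reply is dropped once the 10-second icmp opening has expired, and an External telnet attempt to the Internal host stays denied while the Internal telnet session is open. Host addresses come from the lab topology; ports, ICMP identifiers and clock values are constructed, and the matching rules follow the post's description rather than IOS source code.

```python
from dataclasses import dataclass

# Lab interfaces, as in the post's configuration.
INSIDE = 'FastEthernet0/0'    # 10.10.11.2/24, Internal side: "ip inspect testcbac in"
OUTSIDE = 'FastEthernet0/1'   # 10.20.1.2/24, External side: "ip access-group cbac_acl in"
INTERNAL_HOST = '10.10.11.1'  # hosts from the lab topology
EXTERNAL_HOST = '10.20.1.1'

# Idle timeouts reported by "show ip inspect all" on Gateway (seconds).
INSPECT_TIMEOUT = {'telnet': 3600, 'tcp': 3600, 'icmp': 10}


@dataclass(frozen=True)
class Packet:
    proto: str           # 'tcp' or 'icmp'
    src: str
    dst: str
    sport: int = 0       # tcp source port
    dport: int = 0       # tcp destination port
    icmp_type: str = ''  # 'echo' or 'echo-reply'
    ident: int = 0       # icmp identifier, shared by request and reply


def session_key(pkt):
    """Key under which CBAC records a session inspected on the inside."""
    if pkt.proto == 'icmp':
        return ('icmp', pkt.src, pkt.dst, pkt.ident)
    return ('tcp', pkt.src, pkt.sport, pkt.dst, pkt.dport)


def return_key(pkt):
    """Session a packet arriving on the outside would be the reply to
    (the temporary opening CBAC adds ahead of the deny in cbac_acl)."""
    if pkt.proto == 'icmp':
        return ('icmp', pkt.dst, pkt.src, pkt.ident)
    return ('tcp', pkt.dst, pkt.dport, pkt.src, pkt.sport)


def inspect_name(pkt):
    """Which 'ip inspect name testcbac ...' entry handles the session:
    telnet gets application inspection, other TCP the generic tcp entry."""
    if pkt.proto == 'tcp':
        return 'telnet' if pkt.dport == 23 else 'tcp'
    return 'icmp'


class CbacGateway:
    """Deny-all inbound ACL on OUTSIDE plus CBAC inspection inbound on INSIDE."""

    def __init__(self):
        self.sessions = {}     # session key -> (inspect name, expiry time)
        self.audit_trail = []  # events in the spirit of "ip inspect audit-trail"

    def _expire(self, now):
        for key in [k for k, (_, exp) in self.sessions.items() if exp <= now]:
            self.audit_trail.append(f'close {key}')
            del self.sessions[key]

    def receive(self, iface, pkt, now):
        """Return 'forward' or 'drop' for a packet arriving inbound on iface."""
        self._expire(now)
        if iface == INSIDE:
            # No ACL on the inside interface; the inspection rule records the
            # session (refreshing its timer) so that the replies can come back.
            name, key = inspect_name(pkt), session_key(pkt)
            if key not in self.sessions:
                self.audit_trail.append(f'start {name} {key}')
            self.sessions[key] = (name, now + INSPECT_TIMEOUT[name])
            return 'forward'
        # Outside interface: the temporary openings are checked first; the
        # static part of cbac_acl is only "deny ip any any". For icmp, only
        # replies are admitted, never a new echo request from outside.
        key = return_key(pkt)
        if key in self.sessions and (pkt.proto != 'icmp' or pkt.icmp_type == 'echo-reply'):
            name, _ = self.sessions[key]
            self.sessions[key] = (name, now + INSPECT_TIMEOUT[name])
            return 'forward'
        return 'drop'


def run_lab_tests():
    """The post's three tests plus the checks they imply; clock values are constructed."""
    gw, r = CbacGateway(), {}
    ext_echo = Packet('icmp', EXTERNAL_HOST, INTERNAL_HOST, icmp_type='echo', ident=7)
    ext_reply = Packet('icmp', EXTERNAL_HOST, INTERNAL_HOST, icmp_type='echo-reply', ident=7)
    # 1. Ping 10.10.11.1 from External: cbac_acl denies it, no session exists.
    r['external_ping'] = gw.receive(OUTSIDE, ext_echo, now=0)
    # 2. Ping 10.20.1.1 from Internal: request inspected, reply admitted.
    gw.receive(INSIDE, Packet('icmp', INTERNAL_HOST, EXTERNAL_HOST, icmp_type='echo', ident=7), now=10)
    r['internal_ping_reply'] = gw.receive(OUTSIDE, ext_reply, now=11)
    r['external_echo_during_session'] = gw.receive(OUTSIDE, ext_echo, now=12)  # still denied
    r['reply_after_icmp_timeout'] = gw.receive(OUTSIDE, ext_reply, now=30)     # opening expired
    # 3. Telnet to 10.20.1.1 from Internal: SYN inspected, SYN/ACK admitted.
    gw.receive(INSIDE, Packet('tcp', INTERNAL_HOST, EXTERNAL_HOST, sport=40000, dport=23), now=100)
    r['internal_telnet_reply'] = gw.receive(
        OUTSIDE, Packet('tcp', EXTERNAL_HOST, INTERNAL_HOST, sport=23, dport=40000), now=101)
    # An External host opening telnet to the Internal host is still denied.
    r['external_telnet'] = gw.receive(
        OUTSIDE, Packet('tcp', EXTERNAL_HOST, INTERNAL_HOST, sport=5000, dport=23), now=102)
    r['sessions_open'] = len(gw.sessions)
    r['audit_trail'] = list(gw.audit_trail)
    return r
```

Calling run_lab_tests() returns a dict of verdicts: the only 'forward' entries are the replies to the Internal ping and telnet, everything arriving on the outside interface that is not the return half of an inspected, unexpired session is 'drop', and the audit trail shows the icmp session opening and closing while the telnet session stays open.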