This shows you the differences between two versions of the page.
sred:laborator_1._acl [2020/10/22 19:18] horia.stoenescu [Exercises using ACLs] |
sred:laborator_1._acl [2022/10/14 23:55] (current) horia.stoenescu [Setup] |
||
---|---|---|---|
Line 2: | Line 2: | ||
==== Setup ==== | ==== Setup ==== | ||
- | The topology consists of one Cisco router model 7200 with one networking card module [[https://www.cisco.com/c/en/us/td/docs/interfaces_modules/port_adapters/install_upgrade/ethernet/pa-4e_10baset_install_config/pa_4e/3493over.html|PA-4E]] and two Ubuntu machines which serves as client (L2) and server (L1). | ||
- | Eve-ng virtual machine should be already started for you with both binary image for Cisco router and iso for Ubuntu already added (for more, see the path ///opt/unetlab/addons/dynamips//). | + | === Story === |
+ | In an imaginary scenario, our company is at the beginning and has few money to invest in infrastructure. We have a HQ with 1 Linux machine serving as the web server and 2 branches represented with 1 client per each one. The routing between them is done using a Cisco router and minimum filtering provided by ACLs. | ||
+ | |||
+ | === Local host prerequisites === | ||
+ | If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]] to access the Linux/Firewall machines and [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|putty]] for Cisco routers/switches. | ||
+ | You can also check this client side pack from Eve-ng for [[https://www.eve-ng.net/index.php/download/#DL-WIN|Windows]] and [[https://www.eve-ng.net/index.php/download/#DL-OSX|MacOS]]. | ||
+ | |||
+ | For Linux OS, you can use Remmina or Remote Desktop Viewer (both should be already installed). Check this link also: [[https://remmina.org/how-to-install-remmina/|Remmina install]]. | ||
+ | |||
+ | === Lab infra === | ||
+ | After starting the nodes, in order to access the machine you need | ||
+ | |||
+ | The topology consists of one Cisco router model 7200 (with image name **c7200-adventerprisek9-mz.124-11.T1.image** - see this [[http://31.22.89.2/cisco-ios/7200/|link]] for other 7200 images) with one networking card module [[https://www.cisco.com/c/en/us/td/docs/interfaces_modules/port_adapters/install_upgrade/ethernet/pa-4e_10baset_install_config/pa_4e/3493over.html|PA-4E]] and 3 Ubuntu machines which serves as server and clients (client1 and client2). | ||
+ | |||
+ | To simulate this, we are using an eve-ng virtual machine that should be already started for you with both binary image for Cisco router and iso for Ubuntu already added (for more, see the path ///opt/unetlab/addons/dynamips//). | ||
+ | |||
+ | <note> | ||
+ | For Cisco router node we are using idle value: 0x6149f77c (as this is the one has the highest count value). This way, we make sure that dynamips process is not in high cpu load. | ||
+ | </note> | ||
You have to do the following: | You have to do the following: | ||
- | - add IPs for network between the server and the network equipment (use range 10.10.10.0/24) | + | - add IPs for network between the server and the network equipment (use range 1.1.1.0/24) |
- | - add IPs for network between the client and the network equipment (use range 10.20.20.0/24) | + | - add IPs for network between the clients and the network equipment (use ranges 2.2.2.0/24 and 3.3.3.0/24) |
First IP is allocated for router and the second one for Linux machine | First IP is allocated for router and the second one for Linux machine | ||
- add routes to make sure the endpoints can ping each other | - add routes to make sure the endpoints can ping each other | ||
- | ==== Exercises using ACLs ==== | + | <note tip> |
+ | In case you want reminders for syntax, you might find the following links useful: [[https://ocw.cs.pub.ro/courses/sred/setup_lab#cisco_routers|Cisco]] and [[https://ocw.cs.pub.ro/courses/sred/setup_lab#linux_machines_ubuntuvm_kalivm_and_internetvm|Linux]] | ||
+ | </note> | ||
+ | |||
+ | **Topology**: | ||
+ | |||
+ | {{:sred:lab1_topology.png?800|}} | ||
+ | |||
+ | <note> | ||
+ | Credentials webui eve-ng: user: **admin**; password: **eve** | ||
+ | |||
+ | Credentials ubuntu machines: user: **eve**; password: **eve** | ||
+ | |||
+ | No enable password is set for router! | ||
+ | </note> | ||
+ | |||
+ | ==== Tutorial exercises using ACLs ==== | ||
1. **Standard ACL - basic filtering**: | 1. **Standard ACL - basic filtering**: | ||
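Review bot: the sentence "After starting the nodes, in order to access the machine you need" under === Lab infra === is cut off; finish it (for example by pointing to the VNC/putty step from === Local host prerequisites === and to the credentials note further down) or drop it, otherwise the page ships with a dangling instruction. Grammar in the same region: the === Story === paragraph should read "has little money to invest" and "two branches with one client each", and "3 Ubuntu machines which serves as server and clients" should be "which serve". One sentence is also worth adding next to the new address plan: 1.1.1.0/24, 2.2.2.0/24 and 3.3.3.0/24 are globally routable prefixes (1.1.1.1 is a well-known public DNS resolver), which is fine on an isolated eve-ng topology but should be stated so the plan is not copied onto a real network; the 10.10.10.0/24 and 10.20.20.0/24 ranges removed here were RFC 1918 space.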
Line 263: | Line 296: | ||
permit icmp host 1.1.1.2 host 2.2.2.2 (29 matches) (time left 247) | permit icmp host 1.1.1.2 host 2.2.2.2 (29 matches) (time left 247) | ||
</code> | </code> | ||
- | |||
- | |||
- | **Exercise**: do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new ACL name. Send the GET request and check quickly the entries in the dynamic acl as it will last for few secs (due to finished session client-server). | ||
<note> | <note> | ||
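Review bot: "RACL" is used in the moved copy of this exercise (it reappears under the new ==== Exercises ==== heading at the end of this diff, with "dynamic acl" changed to "RACL") without being defined anywhere in the visible tutorial text; write "reflexive ACL (RACL)" once where reflexive ACLs are introduced so the exercise wording is defined before use.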
Line 302: | Line 332: | ||
10 permit icmp host 2.2.2.2 any time-range PERIODIC (active) reflect ICMP_OUT_CLIENT # see the active between () | 10 permit icmp host 2.2.2.2 any time-range PERIODIC (active) reflect ICMP_OUT_CLIENT # see the active between () | ||
| | ||
- | # apply again ONLY_CLIENT1 to in and ICMP_OUT_CLIENT to out on e1/1 | + | # apply again ONLY_CLIENT1 to in and TO_CLIENT_LAN (that is evaluating ICMP_OUT_CLIENT) to out on e1/1 |
</code> | </code> | ||
Line 318: | Line 348: | ||
</code> | </code> | ||
- | **Exercise**: add another time-range (router time should be out of it - like 'outside working hours'), remove entry 10 and create a new one for ping to 1.1.1.2. Keep in mind the match number (7 above) before removing the old entry. | + | <note> |
- | Send again icmp-requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely. | + | If the current time is out of range, then the acl entry is marked as **inactive**: |
+ | <code> | ||
+ | cisco_7200(config-if)#do sh ip access ONLY_CLIENT1 | ||
+ | Extended IP access list ONLY_CLIENT1 | ||
+ | 10 permit icmp host 2.2.2.2 any time-range PERIODIC (inactive) reflect ICMP_OUT_CLIENT (15 matches) | ||
+ | |||
+ | # see the time | ||
+ | Router(config-if)#do sh clock | ||
+ | *00:00:24.148 UTC Tue Oct 5 2021 | ||
+ | Router(config-if)# | ||
+ | Router(config-if)#do sh time-range PERIODIC | ||
+ | time-range entry: PERIODIC (inactive) | ||
+ | periodic weekdays 13:00 to 23:59 | ||
+ | used in: IP ACL entry | ||
+ | </code> | ||
+ | </note> | ||
b. using **lock-and-key**: | b. using **lock-and-key**: | ||
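Review bot: the leading asterisk in `*00:00:24.148 UTC Tue Oct 5 2021` means IOS considers its clock non-authoritative (never set with `clock set` or synchronised by NTP), and that matters for exactly this note: a time-range is evaluated against whatever the router clock says, so a router that boots at an arbitrary time will flip PERIODIC between active and inactive with no relation to real working hours. Add a line telling students to check `show clock` (as done here) and set the clock before testing time-based ACLs, and point out that the asterisk is the sign to look for. Also the prompts inside this one output block mix two hostnames (`cisco_7200(config-if)#` and `Router(config-if)#`); capture both commands in the same session or rename one so the transcript is consistent.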
Line 364: | Line 409: | ||
From 2.2.2.1 icmp_seq=3 Packet filtered | From 2.2.2.1 icmp_seq=3 Packet filtered | ||
[...] | [...] | ||
+ | root@client1:~# telnet 2.2.2.1 | ||
+ | Trying 2.2.2.1... | ||
+ | Connected to 2.2.2.1. | ||
+ | Escape character is '^]'. | ||
+ | |||
+ | User Access Verification | ||
+ | |||
+ | Username: student | ||
+ | Password: Connection closed by foreign host. | ||
+ | root@client1:~# ping -c 3 1.1.1.2 | ||
+ | PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data. | ||
+ | 64 bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=19.2 ms | ||
+ | 64 bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=16.0 ms | ||
+ | 64 bytes from 1.1.1.2: icmp_seq=3 ttl=63 time=13.1 ms | ||
+ | [...] | ||
+ | |||
+ | # on router | ||
+ | Extended IP access list HOST_ONLY | ||
+ | 10 Dynamic HOST_ICMP permit icmp any any | ||
+ | permit icmp host 2.2.2.2 any (3 matches) (time left 40) | ||
+ | 15 permit tcp any any eq telnet (93 matches) | ||
+ | 20 deny ip any any (12 matches) | ||
+ | # see how the denies before auth to router | ||
+ | |||
+ | # also, the return traffic is let now as user is auth | ||
+ | Extended IP access list TO_LOCAL_LAN | ||
+ | 10 Dynamic HOST_ICMP_IN permit icmp any any | ||
+ | permit icmp any host 2.2.2.2 (3 matches) (time left 39) | ||
</code> | </code> | ||
+ | ==== Exercises ==== | ||
+ | |||
+ | 1. **Reflexive ACLs** [5p]: | ||
+ | |||
+ | Do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new RACL name. Send the GET request and check quickly the entries in the dynamic ACL as it will last for few secs (due to finished session client-server). | ||
+ | |||
+ | You can add a new entry in ONLY_CLIENT1 extended acl or create 2 new ones for inbound and outbound directions. | ||
+ | |||
+ | 2. **Temporary access control** [5p]: | ||
+ | |||
+ | Add another time-range (router time should be out of it - like 'outside working hours'). | ||
+ | |||
+ | Send some icmp echo requests from client1 to server and check again the RACL ICMP_OUT_CLIENT - it should contain an entry that expires in 300 seconds (default value) or less with a number of matches (we have for example, 7 above). | ||
+ | |||
+ | Remove entry 10 from ONLY_CLIENT1 and create a new one for 'outside working hours' time-range, ping to 1.1.1.2 with the same RACL ICMP_OUT_CLIENT. | ||
+ | |||
+ | Send again icmp echo requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely. |
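Review bot: `15 permit tcp any any eq telnet` in HOST_ONLY admits Telnet from any source to any destination through the router, while lock-and-key only needs the client to reach the router's own vty; the transcript shows 2.2.2.1 as that address, so `permit tcp any host 2.2.2.1 eq telnet` is the tighter form and keeps the pre-authentication opening limited to the router itself. In the same transcript, `Password: Connection closed by foreign host.` will read as a failure to students; add one sentence saying the router closes the session right after a successful login and that the proof of success is the dynamic entry `permit icmp host 2.2.2.2 any (3 matches) (time left 40)` and the ping that follows. The annotation `# see how the denies before auth to router` is not a sentence; suggest `# the 12 matches on line 20 are the denies from before authentication`. In the new Exercises section, item 2 "ping to 1.1.1.2 with the same RACL ICMP_OUT_CLIENT" is ambiguous; from the last paragraph the intent is that the new entry still reflects into ICMP_OUT_CLIENT, so say "add a new permit icmp entry for the 'outside working hours' time-range that still uses reflect ICMP_OUT_CLIENT". Item 1 should also say why the HTTP entry is short-lived: reflexive entries for TCP are torn down once the session closes, unlike the ICMP entry that only ages out.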