Notes: CCNAS_ PTA_CBAC

嚯嚯嚯www 69 2022-08-26

I. Lab environment

Lab topology (figure not reproduced)

Addressing plan (figure not reproduced)

Lab objectives

· Verify connectivity among devices before firewall configuration.
· Configure an IOS firewall with CBAC on router R3.
· Verify CBAC functionality using ping, Telnet, and HTTP.

II. Configuration steps

1. Configure a named IP ACL on R3 to block all traffic originating from the outside network.
Apply the ACL to interface Serial 0/0/1.

R3(config)#ip access-list extended OUT-IN
R3(config-ext-nacl)#deny ip any any
R3(config-ext-nacl)#exit
R3(config)#interface serial 0/0/1
R3(config-if)#ip access-group OUT-IN in

2. Create an inspection rule to inspect ICMP, Telnet, and HTTP traffic.

R3(config)#ip inspect name IN-OUT-IN icmp
R3(config)#ip inspect name IN-OUT-IN telnet
R3(config)#ip inspect name IN-OUT-IN http

3. Use the ip inspect audit-trail command to turn on CBAC audit messages, which provide a record of network access through the firewall, including illegitimate access attempts.
Enable logging to the syslog server, 192.168.1.3, with the logging command.
Apply the inspection rule to egress traffic on interface S0/0/1.

R3(config)#ip inspect audit-trail
R3(config)#service timestamps debug datetime msec
R3(config)#logging host 192.168.1.3
R3(config)#interface serial 0/0/1
R3(config-if)#ip inspect IN-OUT-IN out

III. Verification

1. Verify that the ACL OUT-IN is configured and applied on R3.
Pinging the PC from the Server shows destination unreachable. (figure not reproduced)

2. Verify the CBAC configuration.
The PC can ping the SERVER and access it over HTTP normally, and R3's log messages are recorded in the syslog on the SERVER. (figure not reproduced)

3. View the inspect sessions, i.e. the sessions currently open under CBAC:

R3#show ip inspect sessions
Established Sessions
 Session 225141432 (192.168.3.3:8)=>(192.168.1.3:43) icmp SIS_OPEN
 Session 225147552 (192.168.3.3:1027)=>(192.168.1.3:23) telnet SIS_OPENING
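To make the mechanism behind the three configuration steps and this session table concrete, here is a toy model of what R3 does once OUT-IN and IN-OUT-IN are in place. It is an added example written for these notes, not Cisco IOS code and not part of the Packet Tracer activity: a packet arriving on S0/0/1 is dropped by the ACL unless it is the return traffic of a session that an inspected outbound icmp, telnet or http packet created earlier, and idle sessions expire after the timeouts in the running-config below (10 s icmp, 3600 s telnet/http). The host addresses, ports and timestamps in the traffic list are constructed, and the audit messages are modelled on the IOS %FW-6-SESS_AUDIT_TRAIL wording, which is an assumption.

```python
"""Toy model of CBAC stateful inspection as configured on R3 in this lab.

Added illustration for these notes, not Cisco IOS code.  R3 sits between the
inside LAN (192.168.3.0/24 on Fa0/1) and the outside (Serial0/0/1, toward the
server 192.168.1.3).  ACL OUT-IN denies every packet arriving on S0/0/1; the
inspect rule IN-OUT-IN on S0/0/1 egress records icmp/telnet/http sessions and
opens a temporary return path for each one.
"""
from dataclasses import dataclass

# Idle timeouts in seconds, from "ip inspect name IN-OUT-IN ... timeout N" in the running-config.
INSPECT_TIMEOUTS = {"icmp": 10, "telnet": 3600, "http": 3600}
# How the inspect rule recognises telnet and http in outbound TCP traffic.
TCP_PORT_TO_APP = {23: "telnet", 80: "http"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int        # for ICMP: the type field (8 = echo request, 0 = echo reply)
    dst: str
    dport: int
    proto: str        # "tcp" or "icmp"
    direction: str    # "out" = leaving via S0/0/1, "in" = arriving on S0/0/1
    ts: float         # seconds since the start of the scenario


class CbacFirewall:
    def __init__(self):
        # (inside host, inside port, outside host, outside port, app) -> expiry time
        self.sessions = {}
        # Messages that "ip inspect audit-trail" would send to syslog.
        # Wording modelled on IOS %FW-6-SESS_AUDIT_TRAIL messages (an assumption).
        self.audit_trail = []

    def _app(self, pkt):
        """Name of the inspected application for an outbound packet, or None."""
        if pkt.proto == "icmp":
            return "icmp"
        return TCP_PORT_TO_APP.get(pkt.dport)

    def _expire(self, now):
        """Drop sessions idle past their timeout, logging the stop as audit-trail would."""
        for key, expiry in list(self.sessions.items()):
            if now >= expiry:
                del self.sessions[key]
                self.audit_trail.append(
                    f"%FW-6-SESS_AUDIT_TRAIL: Stop {key[4]} session: initiator "
                    f"({key[0]}:{key[1]}) -- responder ({key[2]}:{key[3]})")

    def handle(self, pkt):
        """Apply OUT-IN (inbound ACL) and IN-OUT-IN (outbound inspection); return the verdict."""
        self._expire(pkt.ts)
        if pkt.direction == "out":
            app = self._app(pkt)
            if app is not None:                        # inspected: create or refresh a session
                key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, app)
                if key not in self.sessions:
                    self.audit_trail.append(
                        f"%FW-6-SESS_AUDIT_TRAIL_START: Start {app} session: initiator "
                        f"({pkt.src}:{pkt.sport}) -- responder ({pkt.dst}:{pkt.dport})")
                self.sessions[key] = pkt.ts + INSPECT_TIMEOUTS[app]
            return "permit"                            # no ACL on the egress side of S0/0/1
        # Inbound on S0/0/1: only return traffic of a live inspected session gets through.
        for key in list(self.sessions):
            in_host, in_port, out_host, out_port, app = key
            if pkt.src != out_host or pkt.dst != in_host:
                continue
            if app == "icmp" or (pkt.sport == out_port and pkt.dport == in_port):
                self.sessions[key] = pkt.ts + INSPECT_TIMEOUTS[app]   # traffic refreshes the timer
                return "permit (dynamic CBAC entry)"
        return "deny (ACL OUT-IN)"

    def show_sessions(self):
        """Lines in the spirit of 'show ip inspect sessions'."""
        return [f" Session ({k[0]}:{k[1]})=>({k[2]}:{k[3]}) {k[4]} SIS_OPEN"
                for k in self.sessions]


def run_lab_scenario():
    """Constructed traffic mirroring the verification steps; returns (verdicts, firewall)."""
    fw = CbacFirewall()
    pc, server = "192.168.3.3", "192.168.1.3"
    flows = [
        ("server pings PC (unsolicited)",   Packet(server, 8, pc, 0, "icmp", "in", 0.0)),
        ("PC pings server",                 Packet(pc, 8, server, 0, "icmp", "out", 1.0)),
        ("echo reply back to PC",           Packet(server, 0, pc, 0, "icmp", "in", 1.1)),
        ("late echo reply after timeout",   Packet(server, 0, pc, 0, "icmp", "in", 15.0)),
        ("PC opens telnet to server",       Packet(pc, 1027, server, 23, "tcp", "out", 20.0)),
        ("telnet reply to PC",              Packet(server, 23, pc, 1027, "tcp", "in", 20.1)),
        ("telnet reply to wrong port",      Packet(server, 23, pc, 1028, "tcp", "in", 20.2)),
        ("PC opens ssh to server",          Packet(pc, 1030, server, 22, "tcp", "out", 21.0)),
        ("ssh reply to PC (not inspected)", Packet(server, 22, pc, 1030, "tcp", "in", 21.1)),
    ]
    return {label: fw.handle(pkt) for label, pkt in flows}, fw


if __name__ == "__main__":
    verdicts, fw = run_lab_scenario()
    for label, verdict in verdicts.items():
        print(f"{label:34} -> {verdict}")
    print("\n".join(["Established Sessions"] + fw.show_sessions()))
    print("\n".join(fw.audit_trail))
```

Running the file prints the verdict for each constructed packet, the remaining session table and the audit messages. The telling cases are the server's unsolicited ping (denied by OUT-IN), the PC's own echo reply (permitted by the dynamic entry), the echo reply that arrives after the 10 s icmp timeout (denied again), and the SSH reply, which is denied because ssh is not in the inspect rule even though the PC's outbound connection was allowed to leave.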

Complete lab configuration

R3 running-config
Building configuration...

Current configuration : 1183 bytes
!
version 12.4
no service timestamps log datetime msec
service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
ip inspect audit-trail
ip inspect name IN-OUT-IN icmp timeout 10
ip inspect name IN-OUT-IN telnet timeout 3600
ip inspect name IN-OUT-IN http timeout 3600
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
ip access-group OUT-IN in
ip inspect IN-OUT-IN out
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.2.2
!
ip flow-export version 9
!
!
ip access-list extended OUT-IN
deny ip any any
!
!
!
!
!
logging trap debugging
logging 192.168.1.3
line con 0
password ciscoconpa55
login
!
line aux 0
!
line vty 0 4
password ciscovtypa55
login
!
!
ntp update-calendar
!
end