Case Study Configuration

Now that I have defined the policies for this network, I can explain the configuration for the three routers. I start with a basic configuration on each router and then explain, proposal by proposal, the rest of the configuration.

Basic Configuration

Before I begin with the configuration of the security features on the three routers, I first show you the base configuration of the routers. Example 21-1 shows RouterA's configuration.

Example 21-1. RouterA's Initial Configuration

Router(config)# hostname RouterA

RouterA(config)# interface ethernet0/0

RouterA(config-if)# description Internet Connection

RouterA(config-if)# ip address 192.1.1.1 255.255.255.0

RouterA(config-if)# exit

RouterA(config)# interface ethernet0/1

RouterA(config-if)# description WebSense Filtering Server

RouterA(config-if)# ip address 172.16.6.1 255.255.255.0

RouterA(config-if)# exit

RouterA(config)# interface fastethernet1/0

RouterA(config-if)# description DMZ Segment

RouterA(config-if)# ip address 172.16.1.1 255.255.255.0

RouterA(config-if)# exit

RouterA(config)# interface fastethernet1/1

RouterA(config-if)# description Internal Network

RouterA(config-if)# ip address 172.16.2.1 255.255.255.0

RouterA(config-if)# exit


NOTE

The DDR configuration for RouterA is not shown here, but it is necessary for a backup connection between RouterA and RouterC. Routing information is added in the "Routing" section, discussed later in this chapter.


Example 21-2 shows RouterB's configuration.

Example 21-2. RouterB's Initial Configuration

Router(config)# hostname RouterB

RouterB(config)# interface fastethernet0/0

RouterB(config-if)# description Server Farm

RouterB(config-if)# ip address 172.16.3.254 255.255.255.0

RouterB(config-if)# exit

RouterB(config)# interface fastethernet0/1

RouterB(config-if)# description To the Perimeter Router

RouterB(config-if)# ip address 172.16.2.254 255.255.255.0

RouterB(config-if)# exit

RouterB(config)# interface fastethernet1/0

RouterB(config-if)# description Accounting Users

RouterB(config-if)# ip address 172.16.5.254 255.255.255.0

RouterB(config-if)# exit

RouterB(config)# interface fastethernet1/1

RouterB(config-if)# description General Users

RouterB(config-if)# ip address 172.16.4.254 255.255.255.0

RouterB(config-if)# exit


Example 21-3 shows RouterC's configuration.

Example 21-3. RouterC's Initial Configuration

Router(config)# hostname RouterC

RouterC(config)# interface ethernet0

RouterC(config-if)# description Internet Connection

RouterC(config-if)# ip address 200.1.1.1 255.255.255.0

RouterC(config-if)# exit

RouterC(config)# interface fastethernet0

RouterC(config-if)# description Internal Segment

RouterC(config-if)# ip address 172.16.100.1 255.255.255.0

RouterC(config-if)# exit


Unnecessary Services and SSH

Example 21-4 displays the configuration done on RouterA to disable all unnecessary services and to enable SSH. Note that, for the most part, the same configuration has been applied to RouterB and RouterC.

Example 21-4. Disabling Services on RouterA

RouterA(config)# no cdp run                                       (1)

RouterA(config)# no service tcp-small-servers

RouterA(config)# no service udp-small-servers

RouterA(config)# no ip finger

RouterA(config)# no ip identd

RouterA(config)# no service finger

RouterA(config)# no ip source-route

RouterA(config)# no ftp-server enable

RouterA(config)# no ip http server

RouterA(config)# no ip http secure-server

RouterA(config)# no snmp-server community public RO

RouterA(config)# no snmp-server community private RW

RouterA(config)# no snmp-server enable traps

RouterA(config)# no snmp-server system-shutdown

RouterA(config)# no snmp-server trap-auth

RouterA(config)# no snmp-server

RouterA(config)# no ip domain-lookup

RouterA(config)# no ip bootp server

RouterA(config)# no service dhcp

RouterA(config)# no service pad

RouterA(config)# no boot network

RouterA(config)# no service config

RouterA(config)# banner motd $                                    (2)

THIS QuizWare COMPUTING SYSTEM IS FOR AUTHORIZED

OFFICIAL USE ONLY. Unauthorized use or use for other than official

THE DEAL GROUP, INC. business is a violation of State and Federal LAW



Individuals using this computing system are subject to having all

of their activities on this system monitored and recorded without

further notice. Auditing of users may include keystroke monitoring.

Any individual who uses this system expressly consents to such

monitoring and is advised that information about their use of the

system may be provided to State and Federal law enforcement or

other authorities if evidence of criminal or other unauthorized

activity is found.

$

RouterA(config)# interface ethernet0/0                            (3)

RouterA(config-if)# no ip directed-broadcast

RouterA(config-if)# no ip unreachable

RouterA(config-if)# no ip redirect

RouterA(config-if)# no ip mask-reply

RouterA(config-if)# exit

RouterA(config)# interface ethernet0/1

RouterA(config-if)# no ip directed-broadcast

RouterA(config-if)# no ip unreachable

RouterA(config-if)# no ip redirect

RouterA(config-if)# no ip mask-reply

RouterA(config-if)# exit

RouterA(config)# interface fastethernet1/0

RouterA(config-if)# no ip directed-broadcast

RouterA(config-if)# no ip unreachable

RouterA(config-if)# no ip redirect

RouterA(config-if)# no ip mask-reply

RouterA(config-if)# exit

RouterA(config)# interface fastethernet1/1

RouterA(config-if)# no ip directed-broadcast

RouterA(config-if)# no ip unreachable

RouterA(config-if)# no ip redirect

RouterA(config-if)# no ip mask-reply

RouterA(config-if)# exit

RouterA(config)# service tcp-keepalives-in                        (4)

RouterA(config)# service tcp-keepalives-out

RouterA(config)# ip domain-name quizware.com                      (5)

RouterA(config)# crypto key generate rsa

RouterA(config)# access-list 1 permit 172.16.4.12 0.0.0.3         (6)

RouterA(config)# access-list 1 deny any

RouterA(config)# line vty 0 4                                     (7)

RouterA(config-line)# login

RouterA(config-line)# access-class 1 in

RouterA(config-line)# transport input ssh

RouterA(config-line)# transport output ssh


The following is a brief explanation of Example 21-4, with reference to the numbering on the right side:

  1. The first part of this configuration disables all unnecessary services, such as TCP and UDP small servers, finger, source routing, SNMP, and others.

  2. This part of the configuration assigns a login banner to the router, explaining the valid usage of the router.

  3. This section disables unnecessary services on the router's interfaces: directed broadcasts, ICMP unreachables and redirects, and ICMP mask replies. Typically, this is necessary only on the perimeter router's external interface, but doing it on the other interfaces as well gives you a more secure router, especially if attacks are launched from inside your network. Note that proxy ARP is not disabled on any of the router's interfaces, because devices on the other interfaces might need to send traffic to the remote-access VPN users, and Internet users need to reach the internal devices represented, statically and dynamically, by global addresses.

  4. With these two commands, the router monitors TCP connections to and from itself, such as SSH sessions, by generating keepalives. The advantage is that, if an SSH connection is aborted abnormally, the keepalive function detects this and immediately removes the dead connection, freeing up the router's VTY line.

  5. These two commands (as well as the hostname command from the last section) allow SSH access by generating the public and private keys used for encryption.

  6. This standard numbered ACL restricts access to the VTYs to the management stations (172.16.4.12 through 172.16.4.15). Notice that this ACL is activated in the line vty configuration below.

  7. This configuration applies to the VTYs. The management ACL is activated, and only SSH access is allowed in or out of the router through the VTYs.

The configuration for RouterB and RouterC is basically the same as that for RouterA.

TIP

If your router is running a Cisco IOS that supports the AutoSecure feature, discussed in Chapter 4, "Disabling Unnecessary Services," I recommend using this feature instead of manually disabling unnecessary services. In particular, the manual approach requires you to disable many things, and you might forget to disable an item or two.


AAA

Next up is the configuration of AAA to secure access to the three routers. A Cisco Secure ACS server (172.16.3.7), located on the server farm segment, is used to centralize AAA functions. All user accounts are defined there, but a back door is set up for console access, just in case there is a reachability problem to the AAA server.

Example 21-5 shows the AAA configuration for RouterA.

Example 21-5. Setting up AAA on RouterA

RouterA(config)# aaa new-model                                    (1)

RouterA(config)# tacacs-server host 172.16.3.7 single-connection

  key AAA_QuizWare

RouterA(config)# username backdoor secret QuizWareAccess          (2)

RouterA(config)# aaa authentication login console_access          (3)

  group tacacs+ local

RouterA(config)# aaa authentication login default

  group tacacs+

RouterA(config)# aaa authentication enable default                (4)

  group tacacs+ local

RouterA(config)# aaa authentication username-prompt "Password:"   (5)

RouterA(config)# aaa authentication password-prompt "Password:"

RouterA(config)# aaa authentication fail-message ##

Invalid authentication, please reenter

#_

RouterA(config)# aaa authentication attempts login 1              (6)

RouterA(config)# line console 0                                   (7)

RouterA(config-line)# login authentication console_access


The following is an explanation of RouterA's configuration in Example 21-5, with reference to the numbering on the right side:

  1. AAA is enabled, and the TACACS+ protocol and server are specified.

  2. A back-door account is set up, in case the AAA server is not reachable.

  3. The first aaa authentication login command specifies two authentication methods. TACACS+ and the local username database are associated with the console_access list name. This then is referenced on the console line. The second aaa authentication login command specifies the default method of authentication for lines that do not specify a specific method, such as the VTYs or auxiliary lines.

  4. The aaa authentication enable command specifies authentication for privileged EXEC access.

  5. The first two commands set both the username and the password prompt to Password:, which is used to trick someone not familiar with the router's login process. The third command specifies the fail message that should be displayed upon an authentication failure. Notice that it's blank because I don't want a hacker to know that I'm using the username and password description trick.

  6. The number of authentication login attempts is set to 1. If a user cannot authenticate on the first try, the connection is disabled and that user must re-establish the connection to try again.

  7. The console line is associated with the aaa authentication login command with the name console_access, which allows both the TACACS+ and the local username database authentication methods.
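The two method lists above behave differently when the ACS server is down, which is exactly the case the back-door account exists for. The following Python model is an added example (not part of the chapter's configuration and not Cisco code) that applies the IOS method-list rule: the router moves to the next method only when a method returns an error (server unreachable), never when the server answers and rejects the credentials. The ACS account name, its password and the server's reachability flag are constructed for the example; the back-door username and secret are the ones from Example 21-5.

```python
"""AAA login method-list fallback, modelled on Example 21-5's two lists:
  console_access -> group tacacs+ local
  default        -> group tacacs+
Added example; the accounts and server state below are constructed."""
from enum import Enum
from typing import Callable, Dict, List


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # method consulted, credentials rejected
    ERROR = "error"  # method could not be consulted (no server answered)


Method = Callable[[str, str], Result]


def tacacs_group(reachable: bool, accounts: Dict[str, str]) -> Method:
    """Models 'group tacacs+': ERROR if no server answers, else PASS/FAIL."""
    def check(username: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if accounts.get(username) == password else Result.FAIL
    return check


def local_db(accounts: Dict[str, str]) -> Method:
    """Models 'local': the router's own username/secret entries; it never ERRORs."""
    def check(username: str, password: str) -> Result:
        return Result.PASS if accounts.get(username) == password else Result.FAIL
    return check


def run_method_list(methods: List[Method], username: str, password: str) -> Result:
    """IOS steps to the next method only on ERROR; a FAIL ends the attempt."""
    for method in methods:
        result = method(username, password)
        if result is Result.ERROR:
            continue
        return result
    return Result.ERROR   # every method errored: the login is refused


def login_outcomes(tacacs_reachable: bool, username: str, password: str) -> Dict[str, Result]:
    """Outcome of one login on the console line and on a VTY for the given server state."""
    acs_accounts = {"netadmin": "Acs-Pw-Example"}      # constructed ACS user
    local_accounts = {"backdoor": "QuizWareAccess"}    # username backdoor secret ... (Example 21-5)
    tacacs = tacacs_group(tacacs_reachable, acs_accounts)
    local = local_db(local_accounts)
    console_access = [tacacs, local]   # login authentication console_access
    default = [tacacs]                 # VTYs fall under the default list
    return {
        "console": run_method_list(console_access, username, password),
        "vty": run_method_list(default, username, password),
    }


if __name__ == "__main__":
    for reachable in (True, False):
        print("ACS reachable" if reachable else "ACS unreachable")
        print("  netadmin:", login_outcomes(reachable, "netadmin", "Acs-Pw-Example"))
        print("  backdoor:", login_outcomes(reachable, "backdoor", "QuizWareAccess"))
```

Two outcomes are worth noting. With the ACS server reachable, the back-door account is rejected on both lines: TACACS+ answers FAIL, so the local database is never consulted. With the server unreachable, the back door works on the console, whereas a VTY login returns ERROR because the default list has no second method, which is why console_access carries the local fallback.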

The configuration for RouterB and RouterC is the same as that for RouterA. However, there is one issue with the branch-office router. When RouterC contacts the AAA server, its source address is E0, the public interface, and the destination is the AAA server, which has a private address. You can solve this problem in two ways.

The first (and less preferable) solution is to set up a NAT translation on RouterA for the AAA server, giving the AAA server a public address. The main problem with this solution is that you need to open a small hole in RouterA's ACL on its public interface, and all TACACS+ traffic is sent across the Internet in the clear. Of course, TACACS+ encrypts the payload of the packet, but someone sniffing on the wire will know about the TACACS+ connection and might try to use this information to break into your network.

The second (and more preferable) solution is to use a VPN. However, there is still a problem: the source address of the TACACS+ packets is E0 (the public interface), and this address cannot be protected by the VPN because it is the termination point of the VPN connection. To get around this problem, you can set up a generic routing encapsulation (GRE) tunnel between RouterC and either RouterA or RouterB. With the GRE tunnel in place, the source of the TACACS+ transmissions is the tunnel interface, whose traffic can then be protected by the VPN.

In this example, I assume that the GRE tunnel is between RouterC and RouterA, where all traffic at the branch office will use the GRE tunnel. Example 21-6 shows RouterC's configuration.

Example 21-6. Setting up a GRE Tunnel on RouterC

RouterC(config)# interface tunnel0

RouterC(config-if)# ip address 172.16.99.2 255.255.255.0

RouterC(config-if)# tunnel source Ethernet0

RouterC(config-if)# tunnel destination 192.1.1.1

RouterC(config-if)# exit


The GRE tunnel is necessary to protect the AAA traffic between RouterC and the corporate site. I also have decided to use the GRE connection for all traffic between these two sites, which simplifies the VPN setup.

NOTE

The GRE tunnel is also necessary to have the branch office's Internet-bound traffic sent to the corporate site first and then out to the Internet. If that were not required, a better solution would be to have RouterC source the TACACS+ transmissions from FastEthernet0 with the ip tacacs source-interface (or ip radius source-interface) command and then make sure that this IP address is included in the IPSec crypto ACL so that the traffic is protected.


Example 21-7 shows RouterA's configuration (the perimeter router).

Example 21-7. Setting up a GRE Tunnel on RouterA

RouterA(config)# interface tunnel0

RouterA(config-if)# ip address 172.16.99.1 255.255.255.0

RouterA(config-if)# tunnel source Ethernet0/0

RouterA(config-if)# tunnel destination 200.1.1.1


Routing will be set up in the "Routing" section later in the chapter. I show you how to protect this traffic with a VPN in the "Site-to-Site VPN" section.

NOTE

For a small number of users, I probably would not use an AAA server. However, some features, such as authentication proxy, require it. In this example, you might want to add authentication proxy to authenticate remote-access VPN users, so you would need an AAA server. However, this topic is not covered in this case study.

In this example, you need to set up the Cisco Secure ACS server, including the three routers, as network devices; create a group for the network administrators; and then create your administrator accounts. When you are done, make sure that you test connectivity between the routers and the AAA server, especially for accounting. Use the debug commands discussed in Chapter 5, "Authentication, Authorization, and Accounting," to help troubleshoot any connectivity problems.


Access Control Lists

This section discusses the ACLs that you will use to filter traffic. I start with the most complex configuration: RouterA. With the perimeter router, I primarily am concerned about the kind of traffic coming into it from the Internet. Example 21-8 shows a sample configuration of this ACL.

Example 21-8. Setting up an ACL on RouterA to Filter Internet Traffic

RouterA(config)# ip access-list extended ingress-filter

RouterA(config-ext-nacl)# remark Unassigned IANA addresses

RouterA(config-ext-nacl)# deny ip 1.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 2.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 5.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 7.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 23.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 27.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 31.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 36.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 37.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 39.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 41.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 42.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 49.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 50.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 58.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 59.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 60.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 70.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 71.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 72.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 73.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 74.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 75.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 76.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 77.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 78.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 79.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 83.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 84.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 85.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 86.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 87.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 88.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 89.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 90.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 91.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 92.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 93.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 94.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 95.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 96.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 97.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 98.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 99.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 100.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 101.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 102.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 103.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 104.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 105.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 106.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 107.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 108.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 109.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 110.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 111.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 112.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 113.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 114.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 115.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 116.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 117.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 118.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 119.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 120.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 121.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 122.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 123.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 124.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 125.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 126.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 197.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 201.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# remark RFC 1918 private addresses

RouterA(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any

RouterA(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any

RouterA(config-ext-nacl)# remark Other bogons

RouterA(config-ext-nacl)# deny ip 224.0.0.0 15.255.255.255 any

RouterA(config-ext-nacl)# deny ip 240.0.0.0 15.255.255.255 any

RouterA(config-ext-nacl)# deny ip 0.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any

RouterA(config-ext-nacl)# deny ip 192.0.2.0 0.0.0.255 any

RouterA(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any

RouterA(config-ext-nacl)# remark Allow IPSec access for

  site-to-site connections

RouterA(config-ext-nacl)# permit udp any host 192.1.1.1 eq isakmp

RouterA(config-ext-nacl)# permit esp any host 192.1.1.1

RouterA(config-ext-nacl)# permit udp any host 192.1.1.1 eq 4500

RouterA(config-ext-nacl)# permit gre host 200.1.1.1 host 192.1.1.1

RouterA(config-ext-nacl)# remark Allow access to DMZ servers

RouterA(config-ext-nacl)# permit tcp any host 192.1.1.2 eq 25

RouterA(config-ext-nacl)# permit udp any host 192.1.1.3 eq 53

RouterA(config-ext-nacl)# permit tcp any host 192.1.1.4 eq 80

RouterA(config-ext-nacl)# remark Deny all other traffic

RouterA(config-ext-nacl)# deny ip any any

RouterA(config-ext-nacl)# exit

RouterA(config)# interface ethernet0/0

RouterA(config-if)# ip access-group ingress-filter in


As you can see from Example 21-8, this is very similar to Example 7-22, shown previously in Chapter 7, "Basic Access Lists." The main difference here is that IPSec access is allowed (discussed later in the "Site-to-Site VPN" and "Remote-Access VPNs" sections), as is access to the specific services on the servers in the DMZ segment. One thing that I want to point out about this configuration is that the ACL needs to allow NAT-T traffic (UDP 4500) for remote-access users who connect to the perimeter router through an address-translation device. The GRE tunnel between RouterA and RouterC also needs to be permitted, even though this traffic is encrypted, because the ACL is processed twice: before and after the traffic is decrypted. The next section discusses the use of CBAC to allow returning traffic through this router to internal devices.
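The order of the entries and the wildcard masks are what make this ACL work, and both are easy to get wrong. The following Python model is an added example (not the chapter's configuration and not Cisco code) that implements IOS wildcard-mask matching and top-down first-match evaluation with the implicit deny at the end, then runs constructed sample packets through a subset of Example 21-8's ingress-filter and through access-list 1 from Example 21-4. It goes slightly beyond the text by showing why a spoofed RFC 1918 source is dropped before the DMZ permit entries are ever reached. The sample source addresses (198.51.100.0/24, 203.0.113.0/24) are documentation space chosen for the example.

```python
"""Cisco-style ACL evaluation: wildcard masks, first match wins, implicit deny.
Added example; the packets below are constructed, the ACL entries are a subset
of Example 21-8 and Example 21-4 in the same order as the chapter."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'.
    172.16.4.12 0.0.0.3 therefore covers 172.16.4.12 through 172.16.4.15."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "esp", "gre", "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 for protocols without ports


@dataclass(frozen=True)
class Entry:
    action: str         # "permit" or "deny"
    proto: str          # protocol keyword, or "ip" for any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # None: no "eq", any destination port matches

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        return self.dport is None or self.dport == p.dport


ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")   # the "any" keyword


def host(addr: str) -> Tuple[str, str]:
    """The "host" keyword: a wildcard of all zeros."""
    return (addr, "0.0.0.0")


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# Subset of ingress-filter (Example 21-8): bogon denies first, then the permits.
INGRESS_FILTER: List[Entry] = [
    Entry("deny", "ip", "10.0.0.0", "0.255.255.255", *ANY),
    Entry("deny", "ip", "172.16.0.0", "0.15.255.255", *ANY),
    Entry("deny", "ip", "192.168.0.0", "0.0.255.255", *ANY),
    Entry("deny", "ip", "224.0.0.0", "15.255.255.255", *ANY),
    Entry("permit", "udp", *ANY, *host("192.1.1.1"), 500),     # isakmp
    Entry("permit", "esp", *ANY, *host("192.1.1.1")),
    Entry("permit", "udp", *ANY, *host("192.1.1.1"), 4500),    # NAT-T
    Entry("permit", "gre", *host("200.1.1.1"), *host("192.1.1.1")),
    Entry("permit", "tcp", *ANY, *host("192.1.1.2"), 25),
    Entry("permit", "udp", *ANY, *host("192.1.1.3"), 53),
    Entry("permit", "tcp", *ANY, *host("192.1.1.4"), 80),
]

# access-list 1 (Example 21-4): a standard ACL matches on source only.
ACCESS_LIST_1: List[Entry] = [
    Entry("permit", "ip", "172.16.4.12", "0.0.0.3", *ANY),
    Entry("deny", "ip", *ANY, *ANY),
]


def check_ingress(proto: str, src: str, dst: str, dport: int = 0) -> str:
    return evaluate(INGRESS_FILTER, Packet(proto, src, dst, dport))


def vty_allowed(src: str) -> bool:
    """access-class 1 in: may this source open an SSH session to the router?"""
    return evaluate(ACCESS_LIST_1, Packet("tcp", src, "172.16.2.1", 22)) == "permit"


if __name__ == "__main__":
    print(check_ingress("tcp", "198.51.100.7", "192.1.1.2", 25))   # permit: SMTP to the DMZ
    print(check_ingress("tcp", "198.51.100.7", "192.1.1.2", 80))   # deny: implicit deny
    print(check_ingress("tcp", "172.16.2.5", "192.1.1.2", 25))     # deny: spoofed RFC 1918 source
    print(check_ingress("gre", "203.0.113.9", "192.1.1.1"))        # deny: GRE only from RouterC
    print(vty_allowed("172.16.4.15"), vty_allowed("172.16.4.16"))  # True False
```

The spoofed-source case is the reason the bogon and RFC 1918 denies sit at the top of the list: the same SMTP packet is permitted from a public source and denied from 172.16.2.5, purely because the deny entry is evaluated first.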

I also have added one additional ACL to restrict access from internal users to the DMZ segment, as displayed in Example 21-9.

Example 21-9. Restricting Traffic to the DMZ Segment on RouterA

RouterA(config)# ip access-list extended DMZ-filter

RouterA(config-ext-nacl)# remark Allow access to DMZ servers

RouterA(config-ext-nacl)# permit tcp any host 172.16.1.2 eq 25

RouterA(config-ext-nacl)# permit udp any host 172.16.1.3 eq 53

RouterA(config-ext-nacl)# permit tcp any host 172.16.1.4 eq 80

RouterA(config-ext-nacl)# remark Deny all other traffic

RouterA(config-ext-nacl)# deny ip any any

RouterA(config-ext-nacl)# exit

RouterA(config)# interface FastEthernet1/0

RouterA(config-if)# ip access-group DMZ-filter out


This ACL applies to any traffic exiting the DMZ interface, including internal and Internet traffic, even though these same statements already are included in the public interface's ingress filter. This ACL is necessary to restrict any type of traffic from exiting this interface. Also notice that I am using the local addresses in the filter because this is what is assigned on the devices on the DMZ.

The configuration of RouterB is shorter, but its policy implementation is much different. Example 21-10 shows RouterB's configuration.

Example 21-10. Configuring RouterB's Filtering Policies

RouterB(config)# ip access-list extended server-farm-filter

RouterB(config-ext-nacl)# remark Restrict access to the email server

RouterB(config-ext-nacl)# permit tcp 172.16.0.0 0.0.255.255

  host 172.16.3.1 eq 25

RouterB(config-ext-nacl)# remark Restrict access to the DNS server

RouterB(config-ext-nacl)# permit udp 172.16.0.0 0.0.255.255

  host 172.16.3.2 eq 53

RouterB(config-ext-nacl)# remark Restrict access to the application

  server

RouterB(config-ext-nacl)# permit tcp 172.16.0.0 0.0.255.255

  host 172.16.3.3 eq 443

RouterB(config-ext-nacl)# remark Deny access to the database server

RouterB(config-ext-nacl)# deny ip any host 172.16.3.4

RouterB(config-ext-nacl)# remark Protect the accounting server

RouterB(config-ext-nacl)# permit tcp 172.16.5.0 0.0.0.255

  host 172.16.3.5 eq 2501

RouterB(config-ext-nacl)# permit tcp 172.16.253.0 0.0.0.255

  host 172.16.3.5 eq 2501

RouterB(config-ext-nacl)# deny ip any host 172.16.3.5

RouterB(config-ext-nacl)# remark Protect the SCP server service

RouterB(config-ext-nacl)# permit tcp host 172.16.3.254

  host 172.16.3.6 eq 22

RouterB(config-ext-nacl)# permit tcp host 172.16.2.1

  host 172.16.3.6 eq 22

RouterB(config-ext-nacl)# permit tcp host 172.16.99.2

  host 172.16.3.6 eq 22

RouterB(config-ext-nacl)# remark Protect the syslog server service

RouterB(config-ext-nacl)# permit udp host 172.16.3.254

  host 172.16.3.6 eq 514

RouterB(config-ext-nacl)# permit udp host 172.16.2.1

  host 172.16.3.6 eq 514

RouterB(config-ext-nacl)# permit udp host 172.16.99.2

  host 172.16.3.6 eq 514

RouterB(config-ext-nacl)# remark Protect the NTP server service

RouterB(config-ext-nacl)# permit udp any host 172.16.3.6 eq 123

RouterB(config-ext-nacl)# remark Deny all other traffic to the

  Syslog/SCP/NTP server

RouterB(config-ext-nacl)# deny ip any host 172.16.3.6

RouterB(config-ext-nacl)# exit

RouterB(config)# interface FastEthernet0/0

RouterB(config-if)# ip access-group server-farm-filter out

RouterB(config-if)# exit

RouterB(config)# ip access-list extended user-filter

RouterB(config-ext-nacl)# remark Restrict access to the accounting

  segment, but allow everything else

RouterB(config-ext-nacl)# deny ip any 172.16.5.0 0.0.0.255

RouterB(config-ext-nacl)# permit ip any any

RouterB(config-ext-nacl)# exit

RouterB(config)# interface FastEthernet1/1

RouterB(config-if)# ip access-group user-filter in

RouterB(config-if)# exit

RouterB(config)# ip access-list extended other-filter

RouterB(config-ext-nacl)# remark Deny all traffic--CBAC will allow

  returning traffic

RouterB(config-ext-nacl)# permit tcp host 172.16.1.2

  host 172.16.3.1 eq 25

RouterB(config-ext-nacl)# permit ip host 172.16.99.2

  172.16.3.6 0.0.0.254

RouterB(config-ext-nacl)# permit ip host 172.16.2.1

  172.16.3.6 0.0.0.254

RouterB(config-ext-nacl)# permit ip 172.16.99.0 0.0.0.255

  172.16.3.0 0.0.0.255

RouterB(config-ext-nacl)# permit ip 172.16.100.0 0.0.0.255

  172.16.3.0 0.0.0.255

RouterB(config-ext-nacl)# permit ip 172.16.252.0 0.0.0.255

  172.16.3.0 0.0.0.255

RouterB(config-ext-nacl)# permit ip 172.16.253.0 0.0.0.255

  172.16.3.0 0.0.0.255

RouterB(config-ext-nacl)# permit ip 172.16.254.0 0.0.0.255

  172.16.3.0 0.0.0.255

RouterB(config-ext-nacl)# deny ip any any

RouterB(config-ext-nacl)# exit

RouterB(config)# interface FastEthernet0/1

RouterB(config-if)# ip access-group other-filter in

RouterB(config-if)# exit


This configuration has three ACLs. The server-farm-filter ACL filters traffic as it exits the server-farm interface, destined to the servers. One interesting item to point out is the syslog and SCP section for RouterC. Notice that the source address is the GRE tunnel interface of RouterC. To ensure that RouterC uses the tunnel interface, RouterC's configuration in Example 21-11 contains the necessary static route. As I mentioned in the AAA section, this is necessary to protect RouterC's traffic with the site-to-site VPN.

The user-filter ACL is used to ensure that traffic from the user segment is blocked from the accounting segment. The other-filter ACL, by default, blocks all traffic coming from the perimeter router except for e-mail traffic from the e-mail server, remote access and the site-to-site VPN traffic (which is allowed to the server-farm segment), and management traffic from RouterA and RouterC. CBAC permits returning traffic, originally sent from the internal devices, as shown in the next section.

Of the three routers, RouterC's configuration is the simplest. Example 21-11 shows RouterC's configuration.

Example 21-11. Configuring RouterC's Filter

RouterC(config)# ip route 172.16.3.6 255.255.255.255 tunnel0

RouterC(config)# ip access-list extended ingress-filter

RouterC(config-ext-nacl)# remark Allow Site-to-Site IPSec access

RouterC(config-ext-nacl)# permit udp host 192.1.1.1 host 200.1.1.1 eq 500

RouterC(config-ext-nacl)# permit esp host 192.1.1.1 host 200.1.1.1

RouterC(config-ext-nacl)# permit gre host 192.1.1.1 host 200.1.1.1

RouterC(config-ext-nacl)# remark Deny all other traffic

RouterC(config-ext-nacl)# deny ip any any

RouterC(config-ext-nacl)# exit

RouterC(config)# interface Ethernet0

RouterC(config-if)# ip access-group ingress-filter in


As I mentioned previously, the static route is used to allow management traffic from RouterC to be protected by the site-to-site VPN connection through the GRE tunnel to RouterA. The ACL allows only IPSec (and the GRE tunnel) traffic between RouterA and RouterC; all other traffic is denied. Remember that all of the branch office's traffic must use the site-to-site VPN connection to the corporate office; therefore, the ACL allows only IPSec traffic. Also, the GRE tunnel is required so that RouterA can perform address translation on the branch office's traffic as it comes out of the GRE tunnel and before it is sent out to the Internet.

CBAC and Web Filtering

The Cisco IOS Firewall feature set is installed on RouterA and RouterB. With RouterC, this is not necessary because all of the branch-office traffic is sent through the IPSec tunnel to RouterA. RouterC needs only a Cisco IOS that includes IPSec.

As you recall, CBAC was discussed in Chapter 9, "Context-Based Access Control." This section covers only the stateful filtering configuration of CBAC, as well as filtering with Websense. Other CBAC commands are discussed later. I start with RouterA's CBAC configuration, as displayed in Example 21-12.

Example 21-12. Configuring CBAC on RouterA

RouterA(config)# ip access-list extended ICMP-filter              (1)

RouterA(config-ext-nacl)# remark Allow management ICMP, deny others

RouterA(config-ext-nacl)# permit icmp 172.16.4.12 0.0.0.3 any

RouterA(config-ext-nacl)# deny icmp any any

RouterA(config-ext-nacl)# permit ip any any

RouterA(config)# ip inspect name CBAC-A1 smtp                     (2)

RouterA(config)# ip inspect name CBAC-A1 ftp

RouterA(config)# ip inspect name CBAC-A1 tcp

RouterA(config)# ip inspect name CBAC-A1 udp

RouterA(config)# ip inspect name CBAC-A1 icmp

RouterA(config)# ip inspect name CBAC-A1 http urlfilter           (3)

RouterA(config)# ip inspect tcp synwait-time 15                   (4)

RouterA(config)# ip inspect tcp idle-time 300

RouterA(config)# ip inspect udp idle-time 20

RouterA(config)# ip urlfilter server vendor Websense 172.16.6.2   (5)

RouterA(config)# ip urlfilter cache 7000

RouterA(config)# ip urlfilter max-request 1500

RouterA(config)# ip urlfilter max-resp-pack 350

RouterA(config)# ip urlfilter alert

RouterA(config)# interface Ethernet0/0                            (6)

RouterA(config-if)# ip access-group ICMP-filter out

RouterA(config-if)# ip inspect CBAC-A1 out

RouterA(config-if)# exit

RouterA(config)# ip inspect name CBAC-A2 smtp                     (7)

RouterA(config)# ip inspect name CBAC-A2 ftp

RouterA(config)# ip inspect name CBAC-A2 tcp

RouterA(config)# interface FastEthernet1/0

RouterA(config-if)# ip inspect CBAC-A2 in


The following is an explanation of the configuration in Example 21-12, with reference to the numbering on the right:

  1. In this example, an ACL is configured to restrict outbound traffic. Basically, only the management devices are allowed to send out ICMP traffic. However, all other types of traffic are permitted.

  2. A CBAC inspection rule called CBAC-A1 is created, which inspects SMTP, FTP, HTTP, TCP, UDP, and ICMP traffic as it exits the public interface (the only traffic denied outbound is ICMP traffic from nonmanagement devices).

  3. This CBAC inspection rule allows for URL filtering of HTTP traffic by the Websense server.

  4. Some of the timeout parameters are changed for inspection. The longest that CBAC will wait for TCP sessions to be established is 15 seconds. The idle timeout for TCP and UDP sessions also is changed to 300 seconds and 20 seconds, respectively.

  5. This is the Websense configuration. The ip urlfilter cache statement increases the default URL cache size from 5000 to 7000 entries. The ip urlfilter max-request statement increases the maximum number of pending requests from 1000 to 1500; this controls how many URL lookup requests the Cisco IOS holds while waiting for responses from the Websense server. The ip urlfilter max-resp-pak statement increases the maximum number of responses from the public web server that the router buffers from 200 to 350 packets.

  6. Both the outbound ICMP filter and the CBAC-A1 inspection rule are applied to the public interface in the outbound direction, so traffic is filtered and inspected as it leaves the router.

  7. This second inspection rule, applied inbound on the DMZ interface, inspects connections that the DMZ servers initiate so that the returning traffic is allowed back to those servers.

Example 21-13 shows the internal router's CBAC configuration.

Example 21-13. Configuring CBAC on RouterB

RouterB(config)# ip inspect name CBAC-B smtp

RouterB(config)# ip inspect name CBAC-B ftp

RouterB(config)# ip inspect name CBAC-B http

RouterB(config)# ip inspect name CBAC-B tcp

RouterB(config)# ip inspect name CBAC-B udp

RouterB(config)# ip inspect name CBAC-B icmp

RouterB(config)# ip inspect tcp synwait-time 15

RouterB(config)# ip inspect tcp idle-time 180

RouterB(config)# ip inspect udp idle-time 20

RouterB(config)# interface FastEthernet0/1

RouterB(config-if)# ip inspect CBAC-B out


The inspection rule for CBAC on RouterB is CBAC-B. This is basically the same CBAC configuration as used on RouterA, with the exception of the ICMP filter and Websense. In this example, anyone can use ICMP traffic within the internal network, but RouterA allows only management users to use ICMP to access the Internet.

NOTE

If you are concerned about cost, you might want to implement reflexive ACLs on the internal router instead of using CBAC. However, remember that CBAC provides application inspection, such as inspection of e-mail commands, whereas reflexive ACLs cannot (session layer only). With the perimeter router, you must use CBAC because this company needs to have Websense inspect URLs.


Address Translation

As you can see from this case study, the network is using a private Class B network: 172.16.0.0. Therefore, address translation is needed to allow internal devices to access the Internet. Two types of address translation are required: static, for the public DMZ servers; and dynamic, for the users. In this network, RouterA performs address translation. Example 21-14 shows the necessary address-translation configuration for RouterA.

Example 21-14. Setting up Address Translation on RouterA

RouterA(config)# ip nat inside source static 172.16.1.2 192.1.1.2 (1)

RouterA(config)# ip nat inside source static 172.16.1.3 192.1.1.3

RouterA(config)# ip nat inside source static 172.16.1.4 192.1.1.4

RouterA(config)# ip nat inside source list dynamic-pat-addresses  (2)

  pool dynamic-pat-pool overload

RouterA(config)# ip access-list extended dynamic-pat-addresses    (3)

RouterA(config-ext-nacl)# deny ip 172.16.0.0 0.0.255.255

  172.16.0.0 0.0.255.255

RouterA(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 any

RouterA(config-ext-nacl)# exit

RouterA(config)# ip nat pool dynamic-pat-pool 192.1.1.250         (4)

  192.1.1.253 netmask 255.255.255.0

RouterA(config)# interface fastethernet1/0                        (5)

RouterA(config-if)# ip nat inside

RouterA(config-if)# exit

RouterA(config)# interface fastethernet1/1

RouterA(config-if)# ip nat inside

RouterA(config-if)# exit

RouterA(config)# interface ethernet0/1

RouterA(config-if)# ip nat inside

RouterA(config-if)# exit

RouterA(config)# interface tunnel0

RouterA(config-if)# ip nat inside

RouterA(config-if)# exit

RouterA(config)# interface ethernet0/0

RouterA(config-if)# ip nat outside


The following is an explanation of the code listing in Example 21-14, with reference to the numbering on the right side:

  1. These three static NAT commands perform address translation for the three DMZ servers.

  2. The ip nat inside source list command defines dynamic PAT.

  3. The ip nat inside source list command references this ACL to define when dynamic PAT should be performed. In this example, PAT is performed for all addresses except for connections between company devices (172.16.0.0/16). This exemption is necessary for access from the corporate site to the remote-access VPN devices, as well as for access to the two networks (172.16.99.0/24 and 172.16.100.0/24) at the branch office.

  4. The ip nat pool command defines the global addresses used by PAT for address translation.

  5. Interface ethernet0/0 is defined as "outside" for NAT, and the other three interfaces (ethernet0/1, fastethernet1/0, and fastethernet1/1), as well as the GRE tunnel, are designated as "inside." The Websense server connection is included because this company bought a subscription from Websense for automatic updates, which this server polls for on a weekly basis, so address translation is necessary. You also can use a static translation, if you want.

The previous configuration has one problem as it relates to VPN connections. The configuration specifies when to disable address translation for dynamic PAT; however, there are three static NAT configurations, and these are performed before the crypto map is applied. Therefore, the global IP addresses are used when sent to devices at the end of the VPN connections. In this situation, I want all internal devices to use their private addresses when communicating with each other. As an example, assume that the public web server (172.16.1.4 to 192.1.1.4) needs to send traffic to a remote-access user, such as 172.16.252.1. In this situation, the perimeter router changes the source address of the web server from 172.16.1.4 to 192.1.1.4 because the static NAT translation command specifies this translation.

To get around this problem, you can set up a configuration trick. As you recall from Chapter 12, "Address Translation Issues," address translation is enabled with the interface commands ip nat inside and ip nat outside. When traffic comes into an inside interface and immediately exits an outside interface, the address-translation policies that you have defined take effect. This trick requires you to introduce a third interface into the configuration: a loopback interface. I use a simple example to explain how this works. Assume that the public web server sends traffic to 172.16.252.1. The perimeter router receives the traffic on an interface designated as inside for NAT (interface fa1/0). Policy routing states that this traffic is forwarded to the loopback interface, which has no NAT configuration, so NAT is not performed. The router then determines that, from the loopback interface, the traffic must use the VPN connection on the public interface to reach the remote-access user. In this example, the loopback interface lacks any NAT configuration, and the external interface is designated as outside for NAT. Because the loopback interface is not designated as inside, no static address translation is performed.

Example 21-15 shows the configuration that you need to add to RouterA to implement this address-translation policy.

Example 21-15. Bypassing NAT on RouterA When Sending Traffic to Remote-Access Users

RouterA(config)# ip access-list extended no-static-NAT            (1)

RouterA(config-ext-nacl)# remark From the email server to the VPN devices

RouterA(config-ext-nacl)# permit ip host 172.16.1.2 172.16.252.0 0.0.0.255

RouterA(config-ext-nacl)# permit ip host 172.16.1.2 172.16.253.0 0.0.0.255

RouterA(config-ext-nacl)# permit ip host 172.16.1.2 172.16.254.0 0.0.0.255

RouterA(config-ext-nacl)# remark From the DNS server to the VPN devices

RouterA(config-ext-nacl)# permit ip host 172.16.1.3 172.16.252.0 0.0.0.255

RouterA(config-ext-nacl)# permit ip host 172.16.1.3 172.16.253.0 0.0.0.255

RouterA(config-ext-nacl)# permit ip host 172.16.1.3 172.16.254.0 0.0.0.255

RouterA(config-ext-nacl)# remark From the web server to the VPN devices

RouterA(config-ext-nacl)# permit ip host 172.16.1.4 172.16.252.0 0.0.0.255

RouterA(config-ext-nacl)# permit ip host 172.16.1.4 172.16.253.0 0.0.0.255

RouterA(config-ext-nacl)# permit ip host 172.16.1.4 172.16.254.0 0.0.0.255

RouterA(config-ext-nacl)# exit

RouterA(config)# interface loopback0                              (2)

RouterA(config-if)# ip address 172.16.98.1 255.255.255.0

RouterA(config-if)# exit

RouterA(config)# route-map no-NAT permit 10                       (3)

RouterA(config-route-map)# match ip address no-static-NAT

RouterA(config-route-map)# set interface loopback0

RouterA(config-route-map)# exit

RouterA(config)# route-map no-NAT permit 20

RouterA(config-route-map)# exit

RouterA(config)# interface fastethernet1/0                        (4)

RouterA(config-if)# ip policy route-map no-NAT


The following is an explanation of the configuration in Example 21-15, with reference to the numbering on the right side:

  1. This ACL defines matches for traffic from any of the DMZ servers to any of the company's VPN devices' remote-access internal addresses. Note that I did not include the branch office, even though it is also using a VPN connection to reach the corporate site. Because the GRE tunnel on interface tunnel0 is defined as inside for NAT, NAT translation does not take place between the corporate site and the branch office.

  2. A loopback interface is created for the temporary hop between the DMZ servers and the VPN devices.

  3. The route map specifies the ACL in Step 1, which causes the Cisco IOS to forward traffic from the DMZ servers to the loopback interface before being forwarded to the VPN devices. If there is no match in the ACL, the DMZ traffic is routed normally.

  4. The route map is activated on the DMZ interface.

NOTE

The configuration in Example 21-15 is necessary only if you have static address-translation commands and you want to disable the translation on a connection-by-connection basis, as with VPNs. In addition, steering packets through policy routing like this causes every packet that matches the route map to be process-switched, which is far more CPU intensive than the other switching methods supported by the router. Take care to list only the exact packets that need this function, and do this only if absolutely necessary.
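Both the NAT-bypass decision just described and the ICMP-filter ACL of Example 21-12 hinge on how IOS wildcard masks and first-match ACL evaluation behave. The following Python model is an added example, not code from the book or from Cisco IOS: it implements wildcard matching and extended-ACL semantics, then applies RouterA's ACLs, static NAT entries and the inside tunnel0 exemption to report the source address a packet carries when it leaves the router. The processing order (policy route to loopback0, then inside-to-inside exemption, then static NAT, then dynamic PAT), the use of the pool's first address as the PAT address, and the parameterised destination wildcard are my assumptions.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    """Extended ACL as (action, src, src_wc, dst, dst_wc) tuples; first match wins,
    with the implicit deny at the end, as on IOS."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False

# ACL dynamic-pat-addresses from Example 21-14: no PAT between company devices.
DYNAMIC_PAT = [("deny", "172.16.0.0", "0.0.255.255", "172.16.0.0", "0.0.255.255"),
               ("permit", "172.16.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255")]
PAT_ADDRESS = "192.1.1.250"          # first address of dynamic-pat-pool (assumption)
STATIC_NAT = {"172.16.1.2": "192.1.1.2", "172.16.1.3": "192.1.1.3",
              "172.16.1.4": "192.1.1.4"}
# Branch networks reached through tunnel0, which is itself an inside interface.
TUNNEL0_NETS = [ipaddress.ip_network(n) for n in ("172.16.99.0/24", "172.16.100.0/24")]

def no_static_nat_acl(dst_wildcard):
    """ACL no-static-NAT from Example 21-15 (DMZ servers to the remote-access pools).
    The destination wildcard is a parameter so a too-wide mask can be compared."""
    return [("permit", f"172.16.1.{h}", "0.0.0.0", f"172.16.{n}.0", dst_wildcard)
            for h in (2, 3, 4) for n in (252, 253, 254)]

def egress_source(src, dst, bypass_acl):
    """Source address a packet carries when it leaves RouterA (assumed order:
    policy route to loopback0, inside-to-inside exemption, static NAT, dynamic PAT)."""
    if acl_permits(bypass_acl, src, dst):
        return src                       # route-map no-NAT: via loopback0, untouched
    if any(ipaddress.ip_address(dst) in net for net in TUNNEL0_NETS):
        return src                       # exits tunnel0 (inside): no translation
    if src in STATIC_NAT:
        return STATIC_NAT[src]           # static entries apply before the crypto map
    if acl_permits(DYNAMIC_PAT, src, dst):
        return PAT_ADDRESS               # dynamic PAT toward the Internet
    return src                           # intra-company traffic: left alone
```

Calling egress_source with an empty bypass ACL reproduces the problem the text describes (the web server reaches a remote-access user as 192.1.1.4), and no_static_nat_acl("0.255.255.255") shows that an over-wide wildcard would also policy-route DMZ traffic bound for the server farm through loopback0.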


Routing

This section covers the routing and routing protection configuration used on these routers. First, because this network is small, static routes are used for connectivity. Example 21-16 shows RouterA's static route configuration.

Example 21-16. Setting up Routing on RouterA

RouterA(config)# ip route 0.0.0.0 0.0.0.0 192.1.1.254

RouterA(config)# ip route 172.16.3.0 255.255.255.0 172.16.2.254

RouterA(config)#