Report - Chapter 6: Firewall


REPORT CHAPTER 6

Firewall

NETWORKS AND SERVICES LABORATORY

9 June 2015

Víctor Rojo 173742
Esteban Martín 165916
Daniel Pons 163276


6.3 Adaptive Security Device Manager (ASDM)

With the default configuration of the firewall, does the ping command succeed? Why?

The pings between the two internal computers work because Cisco ASA firewalls assign the
internal interface a security level of 100. This means the interface is 100% trusted: a PC
on the internal network can communicate with the PCs on the same network and reach an
outside network, but connections initiated from outside networks are not allowed.

6.4 Default Configuration of the ASA 5505

Observe and explain the different aspects that can be configured using the icons on the
left hand side of the screen.

The icons on the left hand side of the screen allow you to configure:
o The interfaces that are connected to the firewall.
o The security policy, with which we can impose different security parameters (for
  example, on connections).
o NAT configurations, which allow connections with elements outside the private
  network.
o VPN configuration, which allows configuring a secure channel for our connections.
o CSD Manager,
o Routing configuration, which allows configuring the static routes in the networks.
o Global objects,
o Properties, where we observe different parameters of our network.

What is the default configuration of Ethernet 0/0 (outside)?

The default configuration is:
o Enabled: Yes
o Security level: 0
o IP Address: (DHCP)
o VLAN: VLAN 2
o Management Only: No
o MTU: 1500

Explain in a few sentences the default configuration of the firewall and explain why you
think it is configured this way.

The default configuration of the firewall allows connections within the internal network but
does not permit connections with external networks, because the security policy does not
allow them. It is configured this way because the firewall assumes that outside networks are
dangerous, and you decide which networks are considered trusted.

After changing our outside interface to 204.69.103.1, can you ping from the outside PC to an
inside PC? Why?

We cannot ping because the security policy does not allow connections from outside networks.

What is the difference compared to the previous case? Include the screenshot of the
Syslog and/or firewall configuration.

In the previous case we could ping because the ping was between internal PCs, and the
firewall allows that connection. In this case, however, the connection is with an external PC,
and the firewall does not allow it. These constraints are due to the security levels that the
firewall imposes on local network access.

6.5 Firewall

What other protocols/programs are allowed from the Device Access menu?

From the Device Access menu the following protocols/programs are allowed:

- AAA Access:
  AAA is an architectural framework for configuring a set of three independent security
  functions: Authentication, Authorization and Accounting.

- HTTPS/ASDM:
  HTTPS is a communication protocol for secure communication over computer networks. In
  this section we need to enable the HTTPS server and allow HTTPS connections to the
  security appliance.

- Secure Shell:
  SSH is a network protocol for initiating text-based shell sessions on remote machines in a
  secure way. This allows a user to run commands on a machine's command prompt
  without being physically present near the machine.

- Telnet:
  The Telnet protocol enables you to set up TCP/IP connections to a host. Telnet allows a
  user at one site to establish a TCP connection to a login server at another site. Telnet
  can accept either an IP address or a domain name as the remote device address.

- Virtual Access:
  A virtual interface that is created, configured dynamically, used, and then
  freed when no longer needed.

Explain the information that the previous commands provide.

#show interface:
This command shows us the different interfaces and VLANs that are available in the firewall
and specifies some characteristics such as bandwidth, MAC address, IP address, MTU, packets
and other traffic statistics.

#show traffic:
We can see a summary of the traffic on the interfaces and VLANs, specifying the packets and
bytes received and transmitted.

Discuss the security implications of connecting to the console using Telnet.

Telnet does not encrypt any data sent over the connection, so anyone who has access to a
router, switch or hub located on the network path between the two hosts where Telnet is
being used can intercept the packets passing by and obtain the login and password. For
these reasons nowadays we use Secure Shell (SSH), which provides much of the functionality
of Telnet with the addition of strong encryption.

6.6 The Hosts/Networks Table

Add two internal computers by selecting Add > Network Objects. The network mask is
255.255.255.255. Also add a corresponding object for the external computer.


6.7 Access Rules

The last rule is any to any deny. Why?

With the last rule we discard all the connections we have not configured. The rules are
examined sequentially, so if the last rule is reached it means that none of the rules before
it allowed the access.

Is it possible to access the FTP server from the internal computers?

From the internal computers it is allowed to connect to the server in the outside network. It
is possible because the internal computers can connect to networks with a lower security
level. The inside security level is 100, so the internal PCs have access to external networks.

Include in your report the configuration of the firewall.

In this capture we show that internal PC 2 does not have access to an outside FTP connection.


Report the screenshot of the Syslog showing you successfully configured the firewall.

6.8 Translation Rules

How does this configuration affect outgoing traffic?

By default, the firewall has a Dynamic NAT rule. From any network, it allows the connection
between inside and outside while keeping the original address of the request. So, this
configuration does not affect the outgoing traffic because it will cross the two interfaces.

What is the IP address used after the packets traverse the firewall?

With this default configuration, the IP address will be the same after traversing the firewall.


6.9 Monitoring

Include in your report a brief summary of your observations.

We have assigned the lowest log level for each operation, so it will supervise all the
events.
Keeping the proper configuration of the firewall allowing FTP traffic, we started a
transfer while we were monitoring the packet flow. This is the result.

With a single transfer, CPU usage was not significant.


6.10 Case Study

Explain the changes that we have made and the tests performed to verify the correctness of
the configuration.

Now the roles are different. We must install the FTP server on a computer behind the
firewall (inside), listening for incoming requests and allowing them from the outside.

It could be a domestic situation: we could have a service in our private network at home
listening for incoming requests (FTP server, testing web server, game). Our typical
procedure is mapping the port to a specific address in our ISP router. When we do that, we
are configuring the NAT rules without realizing it.

To perform it on the ASA 5505 we must add some ACL rules to allow this incoming traffic and,
following the restrictions, allow ping (ICMP) from inside to external devices but not the
other way around.

In the outside section we have added a rule allowing ICMP traffic from the internal
network to the outside network. So, if we place it at the top, followed by an any-network-
to-any-network rule denying IP traffic, we drop the rest of the requests.

Now it is time to configure our NAT rules. The case requires that the FTP server listens
on 192.168.1.2 but it must be reachable at 204.69.103.4 from outside. So our NAT must
collect the request and check the source and the destination. If such a rule exists, the
firewall has to translate the destination address to our internal computer waiting for FTP
connections. This is a one-to-one address translation.

Before that, we have added a new object: ConFTP with the IP 204.69.103.2/32

New static NAT rule:

ACLs allowing the FTP outside traffic to this new object (204.69.103.4):

Finally, our successful FTP connection:

From inside we obtain a successful ping to the external device.

Now, trying a ping from 204.69.103.2 to 192.168.1.2:

The firewall is dropping the packets by applying the ACLs.
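As an added example that is not part of the lab report, the following Python model shows how the ASA decides whether a new connection is allowed, combining the three mechanisms discussed above: the interface security levels from 6.3 and 6.4, the sequential first-match access rules ending in the any-to-any deny from 6.7, and the static one-to-one NAT from the case study. The interface names, levels and addresses are those used in the report; the rule set and its tuple format are this example's own assumptions and not ASA syntax, and return traffic of already established connections (which the ASA permits statefully) is not modelled.

```python
from ipaddress import ip_address, ip_network

# Interface security levels from the report: inside is fully trusted, outside is not.
SECURITY_LEVEL = {"inside": 100, "outside": 0}

# Static one-to-one NAT from 6.10: mapped (outside) address -> real inside host.
STATIC_NAT = {"204.69.103.4": "192.168.1.2"}

# Access rules per ingress interface, checked top-down; the first match wins.
# Rule tuple: (action, protocol, source net, destination net, destination port).
# Assumed rule set for the case study, written in this example's own format.
ACL = {
    "outside": [
        ("permit", "tcp", "0.0.0.0/0", "192.168.1.2/32", 21),  # FTP to the server
        ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),        # any-to-any deny
    ],
}

def untranslate(dst_ip, static_nat=STATIC_NAT):
    """Undo the static NAT so the rules see the real (inside) destination."""
    return static_nat.get(dst_ip, dst_ip)

def acl_lookup(rules, proto, src_ip, dst_ip, dst_port):
    """Sequential first-match evaluation; None means no rule matched."""
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto not in ("ip", proto):
            continue
        if ip_address(src_ip) not in ip_network(rsrc):
            continue
        if ip_address(dst_ip) not in ip_network(rdst):
            continue
        if rport is not None and rport != dst_port:
            continue
        return action
    return None

def allowed(ingress, egress, proto, src_ip, dst_ip, dst_port=None,
            acl=ACL, static_nat=STATIC_NAT):
    """Decide whether a NEW connection may pass; returns (verdict, real destination)."""
    real_dst = untranslate(dst_ip, static_nat)
    rules = acl.get(ingress, [])
    verdict = acl_lookup(rules, proto, src_ip, real_dst, dst_port)
    if verdict is not None:
        return verdict == "permit", real_dst
    if rules:  # an access list is bound: unmatched traffic hits its implicit deny (6.7)
        return False, real_dst
    # No access list: traffic may only start from a higher security level (6.3, 6.4).
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress], real_dst
```

With these tables, a TCP request from 204.69.103.2 to 204.69.103.4 port 21 is untranslated to 192.168.1.2 and permitted, while an ICMP request from the same host to 192.168.1.2 falls through to the final deny, matching the two screenshots in the case study.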
