tooniinaa Wed 20.3.2013 12:18

Folks, I'd like an explanation. The topology is shown in the picture. The routers have a standard configuration (ip add, eigrp), and everything worked (pings went through, every router had a routing table with all the subnets). On R1 I created a CBAC firewall with auto secure.

r1:

Current configuration : 3008 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$Z0kJ$3mNXMP.WyM9LbIIRcv6Lm.
enable password 7 13061E010803557878
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip bootp server
no ip domain lookup
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip inspect name autosec_inspect telnet timeout 10
ip inspect name autosec_inspect icmp timeout 10
no ip ips deny-action ips-interface
login block-for 60 attempts 2 within 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username tonina password 7 14141B180F0B7B7977
archive
 log config
  logging enable
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 ip access-group autosec_firewall_acl in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip proxy-arp
 ip inspect autosec_inspect out
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip classless
!
!
no ip http server
no ip http secure-server
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 permit tcp any any eq telnet
 permit eigrp any any
 deny   ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^CUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.^C
alias exec c copy run start
!
line con 0
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 login authentication local_auth
 transport input telnet
!
end

On switch 1 there is a PC from which ping and telnet reach all parts of the network.

Can someone explain to me why neither ping nor telnet gets through from R1 to R2?

As I understand it, the firewall affects traffic passing through the router, and in this case I have ping and telnet generated by R1, which means the firewall shouldn't apply to them, but neither ping nor telnet gets through. I don't see where the problem is or what exactly is restricting this communication?

Thanks

xxxmitar Fri 22.3.2013 14:03

Your CBAC is in the out direction, which means router-originated traffic is not subject to inspection. However, the trick is that precisely because of that (when you use CBAC in the out direction) no dynamic entry is created for the return traffic in the access list (autosec_firewall_acl) that you have in the inbound direction on the interface toward R2, and your router then drops the packet.
You can check whether the access list is blocking the return traffic as follows:
ip access-list extended autosec_firewall_acl
change the last line to:
deny ip any any log
Initiate traffic and then you'll see in the log whether that access list really is blocking the return traffic.
Solution to the problem:
Since you're initiating the traffic from R1 to R2, the lines that match the return traffic from R2 to R1 for ping and telnet are:
permit tcp any eq telnet any
permit icmp any any echo-reply
The other way is to include router-originated traffic in CBAC:
ip inspect name autosec_inspect icmp router-traffic
ip inspect name autosec_inspect tcp router-traffic
Cheers
PS this is a quick, rough take, maybe I didn't study everything properly, I'm swamped at work. Let me know whether you solved the problem and I'll get back when I find the time.
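The mechanism in the reply above, as an added example that is not part of either post: a small Python model of R1's Fa0/0 with an inbound static ACL (mirroring autosec_firewall_acl) and a CBAC "out" policy that installs dynamic return-traffic entries only for inspected flows. It is a simplified simulation, not Cisco IOS code or its real inspection engine. The R1 and network addresses come from the posted config; R2's address (10.1.1.2), the PC's address (192.168.1.10) and the ephemeral port are assumptions. It shows why the PC's sessions through R1 work while R1-originated ping and telnet fail, what a `deny ip any any log` line would report, and that either of the two proposed fixes makes the return traffic pass.

```python
"""Toy model of CBAC 'out' inspection plus an inbound ACL (constructed example)."""
from dataclasses import dataclass, field

R1_WAN = "10.1.1.1"   # R1 Fa0/0, facing R2 (from the posted config)
R2 = "10.1.1.2"       # assumed address of R2 on the 10.1.1.0/30 link
PC = "192.168.1.10"   # assumed host behind R1 Fa0/1


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp" or "eigrp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = "" # "echo" / "echo-reply" for ICMP


def flow_key(p):
    """Identity of a flow on the wire (ICMP is keyed on endpoints only)."""
    if p.proto == "icmp":
        return (p.proto, p.src, p.dst)
    return (p.proto, p.src, p.dst, p.sport, p.dport)


def reverse_key(p):
    """Key of the return flow CBAC would install for an outbound packet."""
    if p.proto == "icmp":
        return (p.proto, p.dst, p.src)
    return (p.proto, p.dst, p.src, p.dport, p.sport)


def autosec_acl():
    """Static permits of autosec_firewall_acl; everything else hits deny ip any any."""
    return [
        lambda p: p.proto == "udp" and p.dport == 68,   # permit udp any any eq bootpc
        lambda p: p.proto == "tcp" and p.dport == 23,   # permit tcp any any eq telnet
        lambda p: p.proto == "eigrp",                   # permit eigrp any any
    ]


def return_traffic_permits():
    """The two lines the reply proposes for R1-originated telnet and ping."""
    return [
        lambda p: p.proto == "tcp" and p.sport == 23,                 # permit tcp any eq telnet any
        lambda p: p.proto == "icmp" and p.icmp_type == "echo-reply",  # permit icmp any any echo-reply
    ]


@dataclass
class Router:
    inbound_acl: list
    inspect_router_traffic: bool = False            # the 'router-traffic' keyword
    sessions: set = field(default_factory=set)      # dynamic CBAC return entries
    denied_log: list = field(default_factory=list)  # what 'deny ip any any log' would show

    def send_out(self, pkt, originated_by_router):
        """Outbound on Fa0/0: CBAC 'out' inspects transit traffic only, unless
        router-traffic is set, so router-originated packets create no entry."""
        if originated_by_router and not self.inspect_router_traffic:
            return
        if pkt.proto in ("tcp", "udp", "icmp"):
            self.sessions.add(reverse_key(pkt))

    def receive_in(self, pkt):
        """Inbound on Fa0/0: dynamic entry first, then the static ACL."""
        if flow_key(pkt) in self.sessions:
            return True
        if any(rule(pkt) for rule in self.inbound_acl):
            return True
        self.denied_log.append(f"denied {pkt.proto} {pkt.src} -> {pkt.dst}")
        return False


def try_ping(router, src, originated_by_router):
    router.send_out(Packet("icmp", src, R2, icmp_type="echo"), originated_by_router)
    return router.receive_in(Packet("icmp", R2, src, icmp_type="echo-reply"))


def try_telnet(router, src, originated_by_router):
    router.send_out(Packet("tcp", src, R2, sport=40000, dport=23), originated_by_router)
    return router.receive_in(Packet("tcp", R2, src, sport=23, dport=40000))


def run_scenarios():
    """Return {scenario: (ping_ok, telnet_ok)} plus the count of logged denies."""
    results = {}
    r = Router(autosec_acl())
    results["pc_via_r1"] = (try_ping(r, PC, False), try_telnet(r, PC, False))
    results["r1_originated"] = (try_ping(r, R1_WAN, True), try_telnet(r, R1_WAN, True))
    results["denied_entries"] = len(r.denied_log)

    fixed_acl = Router(autosec_acl() + return_traffic_permits())
    results["fix_acl"] = (try_ping(fixed_acl, R1_WAN, True), try_telnet(fixed_acl, R1_WAN, True))

    fixed_inspect = Router(autosec_acl(), inspect_router_traffic=True)
    results["fix_router_traffic"] = (try_ping(fixed_inspect, R1_WAN, True),
                                     try_telnet(fixed_inspect, R1_WAN, True))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Of the two fixes, the `router-traffic` keyword keeps the inbound ACL tight (only replies to sessions R1 actually opened are admitted), whereas the static `permit tcp any eq telnet any` line admits any inbound TCP segment with source port 23 regardless of session state, so the ACL variant is the weaker of the two on a real edge.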