Firewall Access Control Lists
Lab Overview. This introduce you to a hardware firewall
and the basic commands that are required to establish access control
lists. The lab is broken down into four sections. The first
section will list the resources that are required to complete this lab,
ask preliminary questions, and describe the lab in detail. The
second section lists the technical details that you will use to complete
the lab. The third section covers establishing a Telnet and FTP
session. The final section covers the format the lab report should
be in. This lab is used in
IS2820/TELECOM2813 Security Management.
PIX 501 Firewall (PIX 1)
3 Windows 2000 PC (PC1,
2 WS 2940 Workgroup
switches (SW1, SW3)
Cables and patch cords
1. What is the difference between Network Address Translation (NAT) and
Port Address Translation (PAT)?
2. To test your configuration you might want to use the ping command,
however this command relies on ICMP protocol based messages. Unless you
allow these messages to go through the firewall you cannot use ping to
a. How does a PIX firewall handle ICMP messages by default?
b. How do you allow ICMP messages to go through the firewall?
If you enable ping during the testing/debugging phase of your
configuration process make sure that you take out any configuration
changes that allowed ping (ICMP) traffic to go through the firewall
before turning in your results.
Tutorial Objective. The network structure for this lab is shown in figure 1. All computers
shown have the IP addresses displayed in the figure and are configured
as FTP1 and Telnet servers.
You must restrict the traffic between the Company X’s private (inside)
network and the public (outside) network according to the following
1. Permit FTP access from the public network to PC1 in the private
network, no private IP addresses should be exposed in the process.
2. Telnet access
from the public network to PC1 is not to be allowed
3. FTP and Telnet from the public network to PC2 is not to be allowed
4. FTP and Telnet access from the private network PCs to the public
network PCs is allowed.
5. The true IP addresses of the computers on the private network should
not be seen in the public network.
6. Use the address pools that are mentioned in section IV
Compliance criteria for Part A.
1. Users from the public network should be able to FTP to PC1 but not to
PC2. Users FTP to PC1 without directly using one of Company X’s private
2. Traffic from the private network that goes into the public network
must not reveal the private network’s IP addresses.
3. Telnet access from the public network to PCs in the private network
should not work
4. Telnet and FTP access from the private network PCs to the public
network’s PCs works.
1. Modify the configuration of Part A to deny FTP and Telnet access from
private network PCs to the public network
2. FTP service is not started automatically when you log in. You’ll have
to activate it by following the procedures mentioned later in this
Compliance criteria for Part B.
1. Satisfy compliance criteria 1, 2 and 3 of part A
2. Telnet and FTP access from the private network PCs to the public
network’s PCs does not work.