Firewall Access Control Lists

Lab Overview.  This lab introduces you to a hardware firewall and the basic commands required to establish access control lists.  The lab is broken down into four sections.  The first section lists the resources required to complete this lab, asks preliminary questions, and describes the lab in detail.  The second section lists the technical details that you will use to complete the lab.  The third section covers establishing a Telnet and FTP session.  The final section covers the format the lab report should be in.  This lab is used in IS2820/TELECOM2813 Security Management.

Resources. 

  • PIX 501 Firewall (PIX 1)
  • 3 Windows 2000 PC (PC1, PC2, PC3)
  • 2 WS 2940 Workgroup switches (SW1, SW3)
  • Cables and patch cords

Preliminary Questions. 

1.  What is the difference between Network Address Translation (NAT) and Port Address Translation (PAT)?

2.  To test your configuration you might want to use the ping command; however, this command relies on ICMP messages. Unless you allow these messages through the firewall, you cannot use ping to test reachability.

a. How does a PIX firewall handle ICMP messages by default?
b. How do you allow ICMP messages to go through the firewall?

If you enable ping during the testing/debugging phase of your configuration process, make sure that you remove any configuration changes that allowed ping (ICMP) traffic through the firewall before turning in your results.

Tutorial Objective.  The network structure for this lab is shown in figure 1. All computers shown have the IP addresses displayed in the figure and are configured as FTP and Telnet servers.


Figure 1

You must restrict the traffic between the Company X’s private (inside) network and the public (outside) network according to the following requirements:

Part A. 

1.  Permit FTP access from the public network to PC1 in the private network; no private IP addresses should be exposed in the process.

2.  Telnet access from the public network to PC1 is not to be allowed.

3.  FTP and Telnet access from the public network to PC2 are not to be allowed.

4.  FTP and Telnet access from the private network PCs to the public network PCs is allowed.

5.  The true IP addresses of the computers on the private network should not be seen in the public network.

6.  Use the address pools that are mentioned in section IV.

Compliance criteria for Part A.

1.  Users from the public network should be able to FTP to PC1 but not to PC2. Users FTP to PC1 without directly using one of Company X’s private IP addresses.

2.  Traffic from the private network that goes into the public network must not reveal the private network’s IP addresses.

3.  Telnet access from the public network to PCs in the private network should not work.

4.  Telnet and FTP access from the private network PCs to the public network’s PCs works.

Part B. 

1.  Modify the configuration of Part A to deny FTP and Telnet access from private network PCs to the public network.

2.  FTP service is not started automatically when you log in. You'll have to activate it by following the procedures mentioned later in this document.

Compliance criteria for Part B. 

1.  Satisfy compliance criteria 1, 2 and 3 of Part A.

2.  Telnet and FTP access from the private network PCs to the public network’s PCs does not work.
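As an added illustration (not part of the lab handout), the PIX 6.x configuration fragment below shows one way the Part A requirements map onto PIX NAT, static and access-list commands, followed by the Part B change. All addresses, the netmask and the address pool are placeholders in angle brackets because figure 1 and section IV are not reproduced here; the `!` lines are annotations for the reader, not commands to type.

```text
! Added example, not the lab's own configuration. <...> values come from figure 1 / section IV.
! --- Part A ---
! Requirements 4 and 5: every inside host leaving for the public network is translated
! to an address from the public pool, so no private address is ever seen outside.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 <POOL_START>-<POOL_END> netmask <OUTSIDE_MASK>
! Fall back to PAT on the outside interface address once the pool is exhausted.
global (outside) 1 interface
! Requirement 1: a one-to-one static translation for PC1; the public side only sees <PC1_PUBLIC>.
static (inside,outside) <PC1_PUBLIC> <PC1_PRIVATE> netmask 255.255.255.255 0 0
! Only the FTP control port (tcp/21) is opened to PC1's public address.
access-list outside_in permit tcp any host <PC1_PUBLIC> eq ftp
! Requirements 2 and 3: Telnet to PC1 and anything to PC2 are not listed,
! so they hit the implicit deny at the end of the access list.
access-group outside_in in interface outside
! FTP inspection is on by default on PIX 6.x; it opens the data connection
! for the permitted control session. Listed here so it is not removed by accident.
fixup protocol ftp 21
! --- Part B (modification of Part A) ---
! Deny FTP and Telnet from inside hosts; the final permit keeps everything else working.
access-list inside_out deny tcp any any eq ftp
access-list inside_out deny tcp any any eq telnet
access-list inside_out permit ip any any
access-group inside_out in interface inside
```

Because ICMP is not passed by default, verify with real FTP and Telnet attempts and then read `show access-list` (per-entry hit counts) and `show xlate` (active translations) rather than relying on ping.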