Annex A: Validation Lab
A reference SAFE implementation exists to validate the functionality described in this document. This annex details the configurations of the specific devices within each module in addition to the overall guidelines for general device configuration. The following are configuration snapshots from the live devices in the lab. The authors do not recommend applying these configurations directly to a production network.
Overall Guidelines
The configurations presented here correspond in part to the “SAFE Axioms” section presented earlier in this document.
Routers
Here are the basic configuration options present on nearly all routers in the SAFE lab:
! turn off unnecessary services ! no ip domain-lookup no cdp run no ip http server no ip source-route no service finger no ip bootp server no service udp-small-s no service tcp-small-s ! !turn on logging and snmp ! service timestamp log datetime localtime logging 192.168.253.56 logging 192.168.253.51 snmp-server community Txo~QbW3XM ro 98 ! !set passwords and access restrictions ! service password-encryption enable secret %Z<)|z9~zq no enable password|z no access-list 99 access-list 99 permit 192.168.253.0 0.0.0.255 access-list 99 deny any log no access-list 98 access-list 98 permit host 192.168.253.51 access-list 98 deny any log line vty 0 4 access-class 99 in login password 0 X)[^j+#T98 exec-timeout 2 0 line con 0 login password 0 X)[^j+#T98 exec-timeout 2 0 line aux 0 transport input none password 0 X)[^j+#T98 no exec exit banner motd # This is a private system operated for and by Cisco VSEC BU. Authorization from Cisco VSEC management is required to use this system. Use by unauthorized persons is prohibited. # ! !Turn on NTP ! clock timezone PST -8 clock summer-time PST recurring ntp authenticate ntp authentication-key 1 md5 -UN&/6[oh6 ntp trusted-key 1 ntp access-group peer 96 ntp server 192.168.254.57 key 1 access-l 96 permit host 192.168.254.57 access-l 96 deny any log ! !Turn on AAA ! aaa new-model aaa authentication login default tacacs+ aaa authentication login no_tacacs line aaa authorization exec tacacs+ aaa authorization network tacacs+ aaa accounting network start-stop tacacs+ aaa accounting exec start-stop tacacs+ tacacs-server host 192.168.253.54 single tacacs-server key SJj)j~t]6- line con 0 login authentication no_tacacs
The following configuration snapshot defines the Open Shortest Path First (OSPF) authentication and filtering parameters for all OSPF routers within the network. Note the MD5 authentication and the distribute lists ensuring that the OOB network is not advertised.
interface Vlan13 ip address 10.1.13.3 255.255.255.0 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 024D105641521F0A7E ip ospf priority 3 ! router ospf 1 area 0 authentication message-digest network 10.1.0.0 0.0.255.255 area 0 distribute-list 1 out distribute-list 1 in ! access-list 1 deny 192.168.0.0 0.0.255.255 access-list 1 permit any
The following configuration snapshot defines the access control present on all of the OOB interfaces throughout the network. Keep in mind that this is in addition to the private VLANs that block access between managed host IP addresses.
interface FastEthernet1/0 ip address 192.168.254.15 255.255.255.0 ip access-group 101 in ip access-group 102 out no cdp enable ! access-list 101 permit icmp any any access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.254.15 established access-list 101 permit udp 192.168.253.0 0.0.0.255 host 192.168.254.15 gt 1023 access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.254.15 eq telnet access-list 101 permit udp host 192.168.253.51 host 192.168.254.15 eq snmp access-list 101 permit udp host 192.168.253.53 host 192.168.254.15 eq tftp access-list 101 permit udp host 192.168.254.57 host 192.168.254.15 eq ntp access-list 101 deny ip any any log access-list 102 deny ip any any log
Switches
Here is the base security configuration present on nearly all Cat OS switches in the SAFE lab. IOS switches use a configuration nearly identical to the router configuration.
! !Turn on NTP ! set timezone PST -8 set summertime PST set summertime recurring set ntp authentication enable set ntp key 1 trusted md5 -UN&/6[oh6 set ntp server 192.168.254.57 key 1 set ntp client enable ! ! turn off un-needed services ! set cdp disable set ip http server disable ! !turn on logging and snmp ! set logging server 192.168.253.56 set logging server 192.168.253.51 set logging timestamp enable set snmp community read-only Txo~QbW3XM set ip permit enable snmp set ip permit 192.168.253.51 snmp ! !Turn on AAA ! set tacacs server 192.168.253.54 primary set tacacs key SJj)j~t]6- set authentication login tacacs enable telnet set authentication login local disable telnet set authorization exec enable tacacs+ deny telnet set accounting exec enable start-stop tacacs+ set accounting connect enable start-stop tacacs+ ! !set passwords and access restrictions ! set banner motd <c> This is a private system operated for and by Cisco VSEC BU. Authorization from Cisco VSEC management is required to use this system. Use by unauthorized persons is prohibited. <c> !console password is set by 'set password' !enter old password followed by new password !console password = X)[^j+#T98 ! !enable password is set by 'set enable' !enter old password followed by new password !enable password = %Z<)|z9~zq ! !the following password configuration only works the first time ! set password X)[^j+#T98 X)[^j+#T98 set enable cisco %Z<)|z9~zq %Z<)|z9~zq ! !the above password configuration only works the first time ! set logout 2 set ip permit enable telnet set ip permit 192.168.253.0 255.255.255.0 telnet
Hosts
Hosts were patched with the latest fixes. HIDS was applied, as well. The HIDS application used in the lab is ClickNet's Entercept application. More information is available at www.clicknet.com.
Management Module
Refer to Figure A-5 for a detail of the management module.
Products Used
The products used are as follows:
Cisco Catalyst 3500XL Layer 2 switches (all switching)
Cisco 3640 IOS Router with Firewall Feature Set (eIOS-21)
Cisco 2511 IOS Router (terminal servers)
Cisco Secure Intrusion Detection System (CSIDS) sensor
RSA SecureID OTP Server
Cisco Secure Access Control Server
Works 2000
Cisco Secure Policy Manager
netForensics syslog analysis tool
ClickNet Entercept HIDS
EIOS-21
The following configuration sets the default IOS firewall parameters:
ip inspect audit-trail ip inspect max-incomplete low 150 ip inspect max-incomplete high 250 ip inspect one-minute low 100 ip inspect one-minute high 200 ip inspect udp idle-time 20 ip inspect dns-timeout 3 ip inspect tcp idle-time 1800 ip inspect tcp finwait-time 3 ip inspect tcp synwait-time 15 ip inspect tcp max-incomplete host 40 block-time 0 ip inspect name mgmt_fw tcp timeout 300 ip inspect name mgmt_fw udp ip inspect name mgmt_fw tftp ip inspect name mgmt_fw http ip inspect name mgmt_fw fragment maximum 256 timeout 1 ip audit notify log ip audit po max-events 100
The following configuration sets up the encrypted in-band network management:
crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key A%Xr)7,_) address 172.16.224.24 crypto isakmp key A%Xr)7,_) address 172.16.224.23 ! crypto ipsec transform-set vpn_module_mgmt esp-3des esp-sha-hmac ! crypto map mgmt1 100 ipsec-isakmp set peer 172.16.224.24 set transform-set vpn_module_mgmt match address 111 crypto map mgmt1 200 ipsec-isakmp set peer 172.16.224.23 set transform-set vpn_module_mgmt match address 110 access-list 110 permit ip 192.168.253.0 0.0.0.255 host 172.16.224.23 access-list 110 permit udp 192.168.254.0 0.0.0.255 host 172.16.224.23 access-list 111 permit ip 192.168.253.0 0.0.0.255 host 172.16.224.24 access-list 111 permit udp 192.168.254.0 0.0.0.255 host 172.16.224.24
The following configuration defines inbound access control from the managed host network. Port 45000 is for CSIDS and port 5000 is for ClickNet's HIDS.
access-list 114 permit icmp 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
echo-reply
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.56 eq syslog
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.51 eq syslog
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.50 eq 45000
access-list 114 permit tcp 192.168.254.0 0.0.0.255 host 192.168.253.50 eq 5000
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.53 eq tftp
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.254.57 eq ntp
access-list 114 permit tcp 192.168.254.0 0.0.0.255 host 192.168.253.54 eq tacacs
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.54 eq 1645
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.52 eq syslog
access-list 114 deny ip any any log
The following configuration defines inbound access control from the management host network:
access-list 113 permit icmp 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 113 permit icmp 192.168.253.0 0.0.0.255 host 192.168.253.57
access-list 113 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.57 eq telnet
access-list 113 permit tcp 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255 eq
telnet
access-list 113 permit tcp 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255 eq 443
access-list 113 permit tcp 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255 eq 22
access-list 113 permit udp host 192.168.253.50 192.168.254.0 0.0.0.255 eq 45000
access-list 113 permit tcp host 192.168.253.50 192.168.254.0 0.0.0.255 eq 5000
access-list 113 permit udp host 192.168.253.51 192.168.254.0 0.0.0.255 eq snmp
access-list 113 permit udp host 192.168.253.53 gt 1023 host 192.168.253.57 gt
1023
access-list 113 permit udp 192.168.253.0 0.0.0.255 host 192.168.254.57 eq ntp
access-list 113 permit tcp host 192.168.253.54 eq tacacs host 192.168.253.57 gt
1023
access-list 113 permit icmp 192.168.253.0 0.0.0.255 host 172.16.224.23
access-list 113 permit icmp 192.168.253.0 0.0.0.255 host 172.16.224.24
access-list 113 permit tcp 192.168.253.0 0.0.0.255 host 172.16.224.23 eq telnet
access-list 113 permit tcp 192.168.253.0 0.0.0.255 host 172.16.224.24 eq telnet
access-list 113 permit udp host 192.168.253.51 host 172.16.224.23 eq snmp
access-list 113 permit udp host 192.168.253.51 host 172.16.224.24 eq snmp
access-list 113 deny ip any any log
The following configuration defines inbound access control from the production network. This access allows only encrypted traffic, because that is the only communication allowed into the management module from the production network. The first four lines define access for the encrypted traffic. After decryption, traffic must again pass through the access list to be allowed into the management module.
access-list 112 permit esp host 172.16.224.23 host 10.1.20.57 access-list 112 permit esp host 172.16.224.24 host 10.1.20.57 access-list 112 permit udp host 172.16.224.24 host 10.1.20.57 eq isakmp access-list 112 permit udp host 172.16.224.23 host 10.1.20.57 eq isakmp access-list 112 permit udp host 172.16.224.24 host 192.168.253.56 eq syslog access-list 112 permit udp host 172.16.224.23 host 192.168.253.56 eq syslog access-list 112 permit udp host 172.16.224.24 host 192.168.253.51 eq syslog access-list 112 permit udp host 172.16.224.23 host 192.168.253.51 eq syslog access-list 112 permit udp host 172.16.224.24 host 192.168.253.53 eq tftp access-list 112 permit udp host 172.16.224.23 host 192.168.253.53 eq tftp access-list 112 permit udp host 172.16.224.24 host 192.168.253.57 eq ntp access-list 112 permit udp host 172.16.224.23 host 192.168.253.57 eq ntp access-list 112 permit tcp host 172.16.224.24 host 192.168.253.54 eq tacacs access-list 112 permit tcp host 172.16.224.23 host 192.168.253.54 eq tacacs access-list 112 permit icmp host 172.16.224.24 192.168.253.0 0.0.0.255 echo-reply access-list 112 permit icmp host 172.16.224.23 192.168.253.0 0.0.0.255 echo-reply access-list 112 deny ip any any log
Core Module
Refer to Figure A-7 for a detail of the core module.
Products Used
Cisco Catalyst 6500 Layer 3 switches are used.
Building Distribution Module
Refer to Figure A-8 for a detail of the building distribution module.
Products Used
Cisco Catalyst 6500 Layer 3 switches are used.
EL3SW-5
The following configuration snapshot defines the Layer 3 access control between subnets in this module. VLAN 5 defines the marketing subnet, VLAN 6 defines the R&D subnet, VLAN 7 defines the marketing IP phones, and VLAN 8 defines the R&D IP phones.
interface Vlan5 ip address 10.1.5.5 255.255.255.0 ip access-group 105 in ! interface Vlan6 ip address 10.1.6.5 255.255.255.0 ip access-group 106 in ! interface Vlan7 ip address 10.1.7.5 255.255.255.0 ip access-group 107 in ! interface Vlan8 ip address 10.1.8.5 255.255.255.0 ip access-group 108 in ! access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.6.0 0.0.0.255 access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.7.0 0.0.0.255 access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.8.0 0.0.0.255 access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.16.0 0.0.0.255 access-list 105 permit ip 10.1.5.0 0.0.0.255 any access-list 105 deny ip any any log access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.5.0 0.0.0.255 access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.7.0 0.0.0.255 access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.8.0 0.0.0.255 access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.15.0 0.0.0.255 access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.16.0 0.0.0.255 access-list 106 permit ip 10.1.6.0 0.0.0.255 any access-list 106 deny ip any any log access-list 107 permit ip 10.1.7.0 0.0.0.255 10.1.8.0 0.0.0.255 access-list 107 permit ip 10.1.7.0 0.0.0.255 10.1.16.0 0.0.0.255 access-list 107 permit ip 10.1.7.0 0.0.0.255 host 10.1.11.50 access-list 107 deny ip any any log access-list 108 permit ip 10.1.8.0 0.0.0.255 10.1.7.0 0.0.0.255 access-list 108 permit ip 10.1.8.0 0.0.0.255 10.1.16.0 0.0.0.255 access-list 108 permit ip 10.1.8.0 0.0.0.255 host 10.1.11.50 access-list 108 deny ip any any log
Building Access Module
Refer to Figure A-10 for a detail of the building access module.
Products Used
The following products are used:
Cisco Catalyst 4003 Layer 2 switches
Cisco IP Phone
EL2SW-11 and 12
The following configuration snapshot shows some of the VLAN settings on the Layer 2 switches in this module. Notice that unneeded ports are disabled and set to a nonroutable VLAN. Also, trunking is turned off on all ports except those connecting to IP phones that use trunking for VLAN separation between phone and workstation.
set vlan 5 2/5,2/17 set vlan 6 2/6,2/18 set vlan 99 2/34 set vlan 999 2/1-3,2/7-16,2/19-33 set port disable 2/7-33 set trunk 2/1-34 off set trunk 2/4 on dot1q 1,5-8
Server Module
Refer to Figure A-12 for a detail of the server module.
Products Used
The following products are used:
Cisco Catalyst 6500 Layer 3 switches
Cisco Catalyst 6500 Intrusion Detection Blade
Cisco Call Manager
ClickNet Entercept HIDS
EL3SW-1 and 2
The following configuration sets the private VLAN mappings for several of the ports within the same VLAN. This configuration prevents the internal e-mail server from communicating with the corporate server.
! CAT OS Config ! #private vlans set pvlan 11 437 set pvlan 11 437 3/3-4,3/14 set pvlan mapping 11 437 15/1 ! ! MSFC Config ! interface Vlan11 ip address 10.1.11.1 255.255.255.0 ip access-group 111 in no ip redirects
The following configuration sets the interface filtering on several of the interfaces in this module. This includes RFC 2827 filtering.
interface Vlan11 ip address 10.1.11.1 255.255.255.0 ip access-group 111 in ! interface Vlan15 ip address 10.1.15.1 255.255.255.0 ip access-group 115 in ! interface Vlan16 ip address 10.1.16.1 255.255.255.0 ip access-group 116 in ip access-group 126 out ! access-list 111 permit ip 10.1.11.0 0.0.0.255 any access-list 111 deny ip any any log access-list 115 permit ip 10.1.15.0 0.0.0.255 any access-list 115 deny ip any any log access-list 116 permit ip 10.1.16.0 0.0.0.255 10.1.7.0 0.0.0.255 access-list 116 permit ip 10.1.16.0 0.0.0.255 10.1.8.0 0.0.0.255 access-list 116 permit ip 10.1.16.0 0.0.0.255 10.1.11.0 0.0.0.255 access-list 116 deny ip any any log access-list 126 permit ip 10.1.7.0 0.0.0.255 10.1.16.0 0.0.0.255 access-list 126 permit ip 10.1.8.0 0.0.0.255 10.1.16.0 0.0.0.255 access-list 126 permit ip 10.1.11.0 0.0.0.255 10.1.16.0 0.0.0.255
The following configuration sets up the capture port for the Cat 6000 IDS module:
#module 4 : 2-port Intrusion Detection System set module name 4 set module enable 4 set vlan 1 4/1 set vlan 99 4/2 set port name 4/1 Sniff-4 set port name 4/2 CandC-4 set trunk 4/1 nonegotiate dot1q 1-1005,1025-4094 set security acl capture-ports 4/1
Edge Distribution Module
Refer to Figure A-14 for a detail of the edge distribution module.
Products Used
Cisco Catalyst 6500 Layer 3 switches are used.
Corporate Internet Module
Refer to Figure A-19 for a detail of the corporate Internet module.
Products Used
The following products are used:
Cisco Secure PIX Firewall
Cisco Secure IDS Sensor
Catalyst 3500 Layer 2 switches
Cisco 7100 IOS router
ClickNet Entercept HIDS
Websense URL filtering server
EPIX-31 and 33
This configuration snapshot details the access control in place on the PIX Firewall. The name of the access list denotes the location in which the inbound ACL is placed. The name in is inbound, out is outbound, pss is the public services segment (DMZ), url is the content filtering segment, and mgmt is the OOB interface.
access-list out deny ip any 192.168.254.0 255.255.255.0 access-list out deny ip any 192.168.253.0 255.255.255.0 access-list out permit icmp any any echo-reply access-list out permit tcp any host 172.16.225.52 eq www access-list out permit tcp any host 172.16.225.52 eq ftp access-list out permit tcp any host 172.16.225.50 eq smtp access-list out permit udp any host 172.16.225.51 eq domain access-list out permit esp host 172.16.224.23 host 172.16.224.57 access-list out permit esp host 172.16.224.24 host 172.16.224.57 access-list out permit udp host 172.16.224.23 host 172.16.224.57 eq isakmp access-list out permit udp host 172.16.224.24 host 172.16.224.57 eq isakmp access-list in deny ip any 192.168.254.0 255.255.255.0 access-list in deny ip any 192.168.253.0 255.255.255.0 access-list in permit icmp any any echo access-list in permit udp host 10.1.11.50 host 172.16.225.51 eq domain access-list in permit tcp 10.0.0.0 255.0.0.0 host 172.16.225.52 eq www access-list in permit tcp 10.0.0.0 255.0.0.0 host 10.1.103.50 eq 15871 access-list in permit tcp host 10.1.11.51 host 172.16.225.50 eq smtp access-list in permit tcp host 10.1.11.51 host 172.16.225.50 eq 20389 access-list in permit tcp 10.0.0.0 255.0.0.0 host 172.16.225.52 eq ftp access-list in deny ip any 172.16.225.0 255.255.255.0 access-list in permit ip 10.0.0.0 255.0.0.0 any access-list in permit esp host 10.1.20.57 host 172.16.224.23 access-list in permit esp host 10.1.20.57 host 172.16.224.24 access-list in permit udp host 10.1.20.57 host 172.16.224.23 eq isakmp access-list in permit udp host 10.1.20.57 host 172.16.224.24 eq isakmp access-list pss deny ip any 192.168.254.0 255.255.255.0 access-list pss deny ip any 192.168.253.0 255.255.255.0 access-list pss permit tcp host 172.16.225.50 host 10.1.11.51 eq 20025 access-list pss permit tcp host 172.16.225.50 host 10.1.11.51 eq 20389 access-list pss deny ip 172.16.225.0 255.255.255.0 10.0.0.0 255.0.0.0 access-list pss permit tcp host 172.16.225.50 any eq smtp access-list pss permit udp host 172.16.225.51 any eq domain access-list url permit udp host 10.1.103.50 host 172.16.225.51 eq domain access-list url permit ip any any access-list mgmt permit icmp 192.168.253.0 255.255.255.0 any
EIOS-23 and 24
This configuration snapshot details the Hot Standby Router Protocol (HSRP) commands on many routers that use HSRP for high availability.
interface FastEthernet0/0 ip address 172.16.226.23 255.255.255.0 standby 2 timers 5 15 standby 2 priority 110 preempt delay 2 standby 2 authentication k&>9NG@6 standby 2 ip 172.16.226.100 standby 2 track ATM4/0 50
The following sets up the encrypted in-band network management link to the management module:
crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key A%Xr)7,_) address 172.16.224.57 ! crypto ipsec transform-set vpn_module_mgmt esp-3des esp-sha-hmac ! crypto map mgmt1 100 ipsec-isakmp set peer 172.16.224.57 set transform-set vpn_module_mgmt match address 103 access-list 103 permit ip host 172.16.224.23 192.168.253.0 0.0.0.255 access-list 103 permit udp host 172.16.224.23 192.168.254.0 0.0.0.255
The following ACL sits inbound from the enterprise network:
access-list 112 permit udp host 172.16.224.57 host 172.16.224.23 eq isakmp access-list 112 permit esp host 172.16.224.57 host 172.16.224.23 access-list 112 permit tcp 192.168.253.0 0.0.0.255 host 172.16.224.23 established access-list 112 permit udp 192.168.253.0 0.0.0.255 host 172.16.224.23 gt 1023 access-list 112 permit tcp 192.168.253.0 0.0.0.255 host 172.16.224.23 eq telnet access-list 112 permit udp host 192.168.253.51 host 172.16.224.23 eq snmp access-list 112 permit udp host 192.168.254.57 host 172.16.224.23 eq ntp access-list 112 permit icmp any any access-list 112 deny ip any host 172.16.224.23 log access-list 112 deny ip any host 172.16.226.23 log access-list 112 deny ip any host 172.16.145.23 log access-list 112 permit ip 172.16.224.0 0.0.0.255 any access-list 112 permit ip 172.16.225.0 0.0.0.255 any
The following ACL sits inbound from the ISP. Note that RFC 1918 filtering is not complete because these addresses are used as production addresses in the lab. Actual networks should implement full RFC 1918 filtering.
access-list 150 deny ip 10.0.0.0 0.255.255.255 any access-list 150 deny ip 192.168.0.0 0.0.255.255 any access-list 150 deny ip 172.16.224.0 0.0.7.255 any access-list 150 permit ip any 172.16.224.0 0.0.7.255 access-list 150 permit ip any 172.16.145.0 0.0.0.255 access-list 150 permit esp any 172.16.226.0 0.0.0.255 fragments access-list 150 deny ip any any fragments access-list 150 deny ip any any log
The following filtering exists outbound to the remote-access and VPN module. Note that only IKE and ESP are permitted:
access-list 160 permit esp any host 172.16.226.27 access-list 160 permit esp any host 172.16.226.28 access-list 160 permit esp any host 172.16.226.48 access-list 160 permit udp any host 172.16.226.27 eq isakmp access-list 160 permit udp any host 172.16.226.28 eq isakmp access-list 160 permit udp any host 172.16.226.48 eq isakmp access-list 160 deny ip any any log
Catalyst 3500XL Private VLANs
This configuration snapshot details the configuration for private VLANs on the public services segment:
VPN and Remote-Access Module
Refer to Figure A-22 for a detail of the VPN and remote-access module.
Products Used
The following products are used:
Cisco Secure PIX Firewall
Cisco Secure IDS Sensor
Catalyst 3500 Layer 2 switches
Cisco 7100 IOS router
Cisco VPN 3060 Concentrator
Cisco IOS Access Server
ClickNet Entercept HIDS
Websense URL Filtering Server
EPIX-32 and 34
This configuration snapshot details the access control in place on the PIX Firewall. The name of the access list denotes the location in which the inbound ACL is placed. The name in is inbound, out is the site-to-site VPN, dun is the Public Switched Telephone Network (PSTN) dial-up, ra is the remote-access VPN, and mgmt is the OOB interface.
access-list in deny ip any 192.168.253.0 255.255.255.0
access-list in deny ip any 192.168.254.0 255.255.255.0
access-list in permit icmp any any
access-list in permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq smtp
access-list in permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq pop3
access-list in permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq www
access-list in permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq ftp
access-list in permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq netbios-ns
access-list in permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq netbios-dgm
access-list in permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq domain
access-list out deny ip any 192.168.253.0 255.255.255.0
access-list out deny ip any 192.168.254.0 255.255.255.0
access-list out permit icmp any any
access-list out permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq smtp
access-list out permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq pop3
access-list out permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq www
access-list out permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq ftp
access-list out permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq netbios-ns
access-list out permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq netbios-dgm
access-list out permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq domain
access-list out permit tcp 10.0.0.0 255.0.0.0 172.16.255.0 255.255.255.0 eq www
access-list out permit tcp 10.0.0.0 255.0.0.0 172.16.255.0 255.255.255.0 eq ftp
access-list ra deny ip any 192.168.253.0 255.255.255.0
access-list ra deny ip any 192.168.254.0 255.255.255.0
access-list ra permit icmp any any
access-list ra permit tcp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq smtp
access-list ra permit tcp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq pop3
access-list ra permit tcp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq www
access-list ra permit tcp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq ftp
access-list ra permit udp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq
netbios-ns
access-list ra permit udp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq
netbios-dgm
access-list ra permit udp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq domain
access-list ra deny ip 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list ra permit tcp 10.1.198.0 255.255.254.0 172.16.225.0 255.255.255.0
eq www
access-list ra permit tcp 10.1.198.0 255.255.254.0 172.16.225.0 255.255.255.0
eq ftp
access-list ra deny ip 10.1.198.0 255.255.254.0 172.16.224.0 255.255.248.0
access-list ra permit ip 10.1.198.0 255.255.254.0 any
access-list dun deny ip any 192.168.253.0 255.255.255.0
access-list dun deny ip any 192.168.254.0 255.255.255.0
access-list dun permit icmp any any
access-list dun permit tcp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq smtp
access-list dun permit tcp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq pop3
access-list dun permit tcp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq www
access-list dun permit tcp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq ftp
access-list dun permit udp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq
netbios-ns
access-list dun permit udp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq
netbios-dgm
access-list dun permit udp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq domain
access-list dun deny ip 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list dun permit tcp 10.1.196.0 255.255.255.0 172.16.225.0 255.255.255.0
eq www
access-list dun permit tcp 10.1.196.0 255.255.255.0 172.16.225.0 255.255.255.0
eq ftp
access-list dun deny ip 10.1.196.0 255.255.254.0 172.16.224.0 255.255.248.0
access-list dun permit ip 10.1.196.0 255.255.254.0 any
access-list mgmt permit icmp 192.168.253.0 255.255.255.0 any
This configuration snapshot details the static NAT translations required to allow VPN traffic to pass back out the corporate internet module to the internet in the clear:
static (inside,ravpn) 128.0.0.0 128.0.0.0 netmask 128.0.0.0 0 0 static (inside,ravpn) 64.0.0.0 64.0.0.0 netmask 192.0.0.0 0 0 static (inside,ravpn) 32.0.0.0 32.0.0.0 netmask 224.0.0.0 0 0 static (inside,ravpn) 16.0.0.0 16.0.0.0 netmask 240.0.0.0 0 0 static (inside,ravpn) 8.0.0.0 8.0.0.0 netmask 248.0.0.0 0 0 static (inside,ravpn) 4.0.0.0 4.0.0.0 netmask 252.0.0.0 0 0 static (inside,ravpn) 2.0.0.0 2.0.0.0 netmask 254.0.0.0 0 0 static (inside,ravpn) 1.0.0.0 1.0.0.0 netmask 255.0.0.0 0 0
EIOS-27 and 28
This configuration snapshot details the crypto configuration for the site-to-site VPN:
! ! Basic Crypto Information ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key 7Q!r$y$+xE address 172.16.132.2 crypto isakmp key 52TH^m&^qu address 172.16.131.2 ! ! crypto ipsec transform-set smbranch esp-3des esp-sha-hmac mode transport ! crypto map secure1 100 ipsec-isakmp set peer 172.16.132.2 set transform-set smbranch match address 105 crypto map secure1 300 ipsec-isakmp set peer 172.16.131.2 set transform-set smbranch match address 107 ! ! ! GRE Tunnel Information ! interface Tunnel0 ip address 10.1.249.27 255.255.255.0 tunnel source 172.16.226.27 tunnel destination 172.16.132.2 crypto map secure1 ! interface Tunnel1 ip address 10.1.247.27 255.255.255.0 tunnel source 172.16.226.27 tunnel destination 172.16.131.2 crypto map secure1 ! ! ! EIGRP Routing to keep links up ! router eigrp 1 redistribute static passive-interface FastEthernet0/1 passive-interface FastEthernet4/0 network 10.0.0.0 distribute-list 2 out distribute-list 2 in ! ! Crypto ACLs ! access-list 105 permit gre host 172.16.226.27 host 172.16.132.2 access-list 107 permit gre host 172.16.226.27 host 172.16.131.2 ! ! Inbound ACLs from Internet ! access-list 110 permit udp 172.16.0.0 0.0.255.255 host 172.16.226.27 eq isakmp access-list 110 permit esp 172.16.0.0 0.0.255.255 host 172.16.226.27 access-list 110 permit gre 172.16.0.0 0.0.255.255 host 172.16.226.27 access-list 110 deny ip any any log
WAN Module
Refer to Figure A-24 for a detail of the VPN and remote-access module.
Products Used
A Cisco 3640 IOS Router is the product used.
EIOS-61
The following configuration details the access control on the routers in the WAN module:
! ! Inbound from the WAN ! access-list 110 deny ip any 192.168.253.0 0.0.0.255 log access-list 110 deny ip any 192.168.254.0 0.0.0.255 log access-list 110 permit ospf any any access-list 110 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 access-list 110 permit ip 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255 access-list 110 permit ip 10.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255 access-list 110 permit ip 10.2.0.0 0.0.255.255 172.16.224.0 0.0.7.255 access-list 110 deny ip any any log ! ! Inbound from the Campus ! access-list 111 deny ip any 192.168.253.0 0.0.0.255 log access-list 111 deny ip any 192.168.254.0 0.0.0.255 log access-list 111 permit ospf any any access-list 111 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 access-list 111 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255 access-list 111 permit ip 10.4.0.0 0.0.255.255 10.2.0.0 0.0.255.255 access-list 111 permit ip 172.16.224.0 0.0.7.255 10.2.0.0 0.0.255.255 access-list 111 deny ip any any log