1: | Configure the router so that it reports to the syslog server. |
A1: | Syslog reporting is configured as follows:
FW(config)#logging 10.1.1.100
|
2: | Apply the Cisco IOS Firewall to the inside and outside interfaces using the name "FIREWALL" and only allow inspection for TCP, UDP, FTP, and SMTP services. Enable the logging of session information. |
A2: | The correct configuration of the Cisco IOS Firewall is as follows:
FW(config)#ip inspect audit-trail
FW(config)#ip inspect name FIREWALL tcp
FW(config)#ip inspect name FIREWALL udp
FW(config)#ip inspect name FIREWALL ftp
FW(config)#ip inspect name FIREWALL smtp
FW(config)#interface e0/0
FW(config-if)#ip inspect FIREWALL in
FW(config)#interface s0/0
FW(config-if)#ip inspect FIREWALL in
|
3: | Allow only legitimate traffic from the inside network and, at the same time, prevent IP address spoofing. |
A3: | The correct configuration is as follows:
FW(config)#access-list 111 permit ip 10.1.1.0 0.0.0.255 any
FW(config)#access-list 111 deny ip any any
FW(config)#interface e0/0
FW(config-if)#ip access-group 111 in
|
4: | Deny all outbound traffic from the inside network. (Remember that the inspection list creates openings in the ACL.) |
A4: | The correct configuration is as follows:
FW(config)#access-list 112 deny ip any any
FW(config)#interface e0/0
FW(config-if)#ip access-group 112 out
|
5: | Allow only legitimate traffic from the DMZ segment and, at the same time, prevent IP address spoofing. |
A5: | The correct configuration is as follows:
FW(config)#access-list 121 permit ip 10.1.2.0 0.0.0.255 any
FW(config)#access-list 121 deny ip any any
FW(config)#interface e0/1
FW(config-if)#ip access-group 121 in
|
6: | Block all traffic onto the DMZ except for the services offered by the public server. |
A6: | The correct configuration is as follows (each entry needs the permit keyword; the implicit deny at the end of the list blocks everything else):
FW(config)#access-list 122 permit tcp any host 10.1.2.10 eq www
FW(config)#access-list 122 permit tcp any host 10.1.2.10 eq ftp
FW(config)#access-list 122 permit udp any host 10.1.2.10 eq domain
FW(config)#access-list 122 permit tcp any host 10.1.2.10 eq smtp
FW(config)#interface e0/1
FW(config-if)#ip access-group 122 out
|
7: | Apply RFC 1918 filtering to the outside interface. |
A7: | The correct configuration is as follows:
FW(config)#access-list 131 deny ip 10.0.0.0 0.255.255.255 any
FW(config)#access-list 131 permit ip 172.31.254.0 0.0.0.3 any
FW(config)#access-list 131 deny ip 172.16.0.0 0.15.255.255 any
FW(config)#access-list 131 deny ip 192.168.0.0 0.0.0.255 any
FW(config)#access-list 131 permit ip any any
FW(config)#interface s0/0
FW(config-if)#ip access-group 131 in
|