Saturday, July 25, 2015

Configuring CBAC and Zone-Based Firewall

I've implemented and troubleshoot the IOS firewall (CBAC) on Cisco 800 series routers when I was working at an ISP company a few years ago. This technology is suitable for the Small Office Home Office (SOHO) who wanted network security but don't have the IT budget. It's always been a challenge to configure and troubleshoot an IOS firewall since routing and security configurations are on the same device.

I've read some rants from network and security admins (that includes me) that they don't like configuring a firewall on a Cisco IOS router. They would rather spend on a dedicated firewall or a Unified Threat Management (UTM) appliance. Below is the IOS firewall lab I did which includes the legacy CBAC and the new Zone-Based Firewall (ZBF) approach.


R1(config)#no ip domain-lookup
R1(config)#interface fastethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
*May 31 00:05:12.119: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#interface serial 0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*May 31 00:05:35.291: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*May 31 00:05:36.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R1(config-if)#clock rate 64000


R2(config)#no ip domain-lookup
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#do ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*May 31 00:06:35.435: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*May 31 00:06:36.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#clock rate 64000


R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*May 31 00:09:59.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown


R1(config)#router eigrp 101
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#network 10.1.1.0 0.0.0.3
R1(config-router)#no auto-summary


R2(config)#router eigrp 101
R2(config-router)#network 10.1.1.0 0.0.0.3
*May 31 00:12:33.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is up: new adjacency
R2(config-router)#network 10.2.2.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#
*May 31 00:12:46.223: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is resync: summary configured


R3(config)#router eigrp 101
R3(config-router)#network 192.168.3.0 0.0.0.255
R3(config-router)#network 10.2.2.0 0.0.0.3
*May 31 00:14:39.403: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is up: new adjacenc
R3(config-router)#no auto-summary
R3(config-router)#
*May 31 00:14:44.471: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is resync: summary configured


R1#ping 192.168.3.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/55/56 ms


R1(config)#security passwords min-length 10
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login


R2(config)#line console 0
R2(config-line)#password ciscoconpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#logging synchronous
R2(config-line)#line aux 0
R2(config-line)#password ciscoauxpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#line vty 0 4
R2(config-line)#password ciscovtypass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login


R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#line aux 0
R3(config-line)#password ciscoauxpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login


R1(config)#ip http server
R1(config)#service password-encryption
R1(config)#do show run
Building configuration...

Current configuration : 1367 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
/line
filtering...
line con 0
 exec-timeout 5 0
 password 7 094F471A1A0A141D051C053938   
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 0822455D0A1604020A1B0D1739   
 login
line vty 0 4
 exec-timeout 5 0
 password 7 121A0C0411041A10333B253B20  
 login
!
scheduler allocate 20000 1000
end


R2(config)#service password-encryption


R3(config)#service password-encryption








R2#ping 10.1.1.1   // PING R1 SERIAL INTERFACE

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms

R2#ping 192.168.1.3    // PING TO PC-A

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms


R1#show run
Building configuration...

Current configuration : 1367 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 no fair-queue
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 5 0
 password 7 094F471A1A0A141D051C053938
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 0822455D0A1604020A1B0D1739
 login
line vty 0 4
 exec-timeout 5 0
 password 7 121A0C0411041A10333B253B20
 login
!
scheduler allocate 20000 1000
end


R1#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
FastEthernet0/1            192.168.1.1     YES manual up                    up 
Serial0/0/0                10.1.1.1        YES manual up                    up 
Serial0/0/1                unassigned      YES unset  administratively down down
Serial0/1/0                unassigned      YES unset  administratively down down
Serial0/1/1                unassigned      YES unset  administratively down down
Enter the interface name that is facing the internet: serial0/0/0

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
$ Unauthorized Access Prohibited $
Enable secret is either not configured or
 is the same as enable password
Enter the new enable secret: <cisco12345>
Confirm the enable secret : <cisco12345>
Enter the new enable password: <cisco67890>
Confirm the enable password: <cisco67890>

Configuration of local user database
Enter the username: admin
Enter the password: <cisco12345>
Confirm the password: <cisco12345>
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 60

Maximum Login failures with the device: 2

Maximum time period for crossing the failed login attempts: 30

Configure SSH server? [yes]: no

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling unicast rpf on all interfaces connected
to internet

Configure CBAC Firewall feature? [yes/no]: yes    // AUTO SECURE GENERATES CBAC; CCP GENERATES ZBF

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C Unauthorized Access Prohibited ^C
security authentication failure rate 10 log
enable secret 5 $1$NVLg$tnPQZvEIENzUemrBZK6xh1
enable password 7 14141B180F0B7C7C7C7163
username admin password 7 104D000A061843595F507F
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
line tty 1
 login authentication local_auth
 exec-timeout 15 0
login block-for 60 attempts 2 within 30
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial0/0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial0/1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial0/1/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
access-list 100 permit udp any any eq bootpc
interface Serial0/0/0
 ip verify unicast source reachable-via rx allow-default 100   
ip inspect audit-trail   
ip inspect dns-timeout 7   
ip inspect tcp idle-time 14400   
ip inspect udp idle-time 1800   
ip inspect name autosec_inspect cuseeme timeout 3600  
ip inspect name autosec_inspect ftp timeout 3600  
ip inspect name autosec_inspect http timeout 3600  
ip inspect name autosec_inspect rcmd timeout 3600  
ip inspect name autosec_inspect realaudio timeout 3600  
ip inspect name autosec_inspect smtp timeout 3600  
ip inspect name autosec_inspect tftp timeout 30  
ip inspect name autosec_inspect udp timeout 15  
ip inspect name autosec_inspect tcp timeout 3600  
ip access-list extended autosec_firewall_acl   
 permit udp any any eq bootpc   
 deny ip any any   
interface Serial0/0/0
 ip inspect autosec_inspect out  
 ip access-group autosec_firewall_acl in  
!
end


Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config

R1#
000042: *May 31 00:56:02.159 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device   


R1#show run
Building configuration...

Current configuration : 3412 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 10
logging message-counter syslog
logging buffered 4096
logging console critical
enable secret 5 $1$NVLg$tnPQZvEIENzUemrBZK6xh1
enable password 7 14141B180F0B7C7C7C7163
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip inspect audit-trail    // CBAC DOES STATEFUL PACKET INSPECTION; ALLOW RETURN TRAFFIC INITIATED FROM INSIDE HOST
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600  
login block-for 60 attempts 2 within 30
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username admin password 7 104D000A061843595F507F
archive
 log config
  logging enable
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip access-group autosec_firewall_acl in  
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect autosec_inspect out   
 snmp trap ip verify drop-rate
 no fair-queue
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 clock rate 2000000
!
interface Serial0/1/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 clock rate 2000000
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended autosec_firewall_acl  
 permit udp any any eq bootpc
 deny   ip any any   
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run

!
!
!
!
!
!
!
control-plane
!
!
banner motd ^C Unauthorized Access Prohibited ^C
!
line con 0
 exec-timeout 5 0
 password 7 094F471A1A0A141D051C053938
 logging synchronous
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 password 7 0822455D0A1604020A1B0D1739
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 5 0
 password 7 121A0C0411041A10333B253B20
 login authentication local_auth
 transport input telnet
!
scheduler allocate 20000 1000
end


R1#show access-list autosec_firewall_acl    // AUTOSECURE CBAC FIREWALL BLOCKED EIGRP TRAFFIC BY DEFAULT
Extended IP access list autosec_firewall_acl
    10 permit udp any any eq bootpc
    20 deny ip any any (61 matches)   

R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#15 permit ?
  <0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  ospf          OSPF routing protocol
  pcp           Payload Compression Protocol
  pim           Protocol Independent Multicast
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol

R1(config-ext-nacl)#15 permit eigrp any any
R1(config-ext-nacl)#do show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
    10 permit udp any any eq bootpc
    15 permit eigrp any any (10 matches)   
    20 deny ip any any (102 matches)

R1#
000043: *May 31 00:56:14.275 UTC: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.2 (Serial0/0/0) is down: holding time expired
000044: *May 31 01:00:01.675 UTC: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.2 (Serial0/0/0) is up: new adjacency
000045: *May 31 01:05:17.379 UTC: %SYS-5-CONFIG_I: Configured from console by console


R1(config)#ip inspect ?
  L2-transparent  Transparent Mode commands
  WAAS            Firewall and Cisco WAE interoperability configuration
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and
                  bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  log             Inspect packet logging
  max-incomplete  Specify maximum number of incomplete connections before
                  clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  redundancy      Redundancy settings for firewall sessions
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  <cr>

R1(config)#ip inspect name ?
  WORD  Name of inspection defined (16 characters max)

R1(config)#ip inspect name autosec_inspect ?
  802-11-iapp       IEEE 802.11 WLANs WG IAPP
  ace-svr           ACE Server/Propagation
  appfw             Application Firewall
  appleqtc          Apple QuickTime
  bgp               Border Gateway Protocol
  biff              Bliff mail notification
  bittorrent        bittorrent
  bootpc            Bootstrap Protocol Client
  bootps            Bootstrap Protocol Server
  cddbp             CD Database Protocol
  cifs              CIFS
  cisco-fna         Cisco FNATIVE
  cisco-net-mgmt    cisco-net-mgmt
  cisco-svcs        cisco license/perf/GDP/X.25/ident svcs
  cisco-sys         Cisco SYSMAINT
  cisco-tdp         Cisco TDP
  cisco-tna         Cisco TNATIVE
  citrix            Citrix IMA/ADMIN/RTMP
  citriximaclient   Citrix IMA Client
  clp               Cisco Line Protocol
  creativepartnr    Creative Partnr
  creativeserver    Creative Server
  cuseeme           CUSeeMe Protocol
  daytime           Daytime (RFC 867)
  dbase             dBASE Unix
  dbcontrol_agent   Oracle dbControl Agent po
  ddns-v3           Dynamic DNS Version 3
  dhcp-failover     DHCP Failover
  directconnect     Direct Connect Version 2.0
  discard           Discard port
  dns               Domain Name Server
  dnsix             DNSIX Securit Attribute Token Map
  echo              Echo port
  edonkey           eDonkey
  entrust-svc-hdlr  Entrust KM/Admin Service Handler
  entrust-svcs      Entrust sps/aaas/aams
  esmtp             Extended SMTP
  exec              Remote Process Execution
  fasttrack         FastTrack Traffic - KaZaA, Morpheus, Gro
  fcip-port         FCIP
  finger            Finger
  fragment          IP fragment inspection
  ftp               File Transfer Protocol
  ftps              FTP over TLS/SSL
  gdoi              GDOI
  giop              Oracle GIOP/SSL
  gnutella          Gnutella Version2 Traffic - BearShare, S
  gopher            Gopher
  gtpv0             GPRS Tunneling Protocol Version 0
  gtpv1             GPRS Tunneling Protocol Version 1
  h323              H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  h323-annexe       H.323 Protocol AnnexE (e.g, MS NetMeetin
  h323-nxg          H.323 Protocol AnnexG
  hp-alarm-mgr      HP Performance data alarm manager
  hp-collector      HP Performance data collector
  hp-managed-node   HP Performance data managed node
  hsrp              Hot Standby Router Protocol
  http              HTTP Protocol
  https             Secure Hypertext Transfer Protocol
  ica               ica (Citrix)
  icabrowser        icabrowser (Citrix)
  icmp              ICMP Protocol
  ident             Authentication Service
  igmpv3lite        IGMP over UDP for SSM
  imap              IMAP Protocol
  imap3             Interactive Mail Access Protocol 3
  imaps             IMAP over TLS/SSL
  ipass             IPASS
  ipsec-msft        Microsoft IPsec NAT-T
  ipx               IPX
  irc               Internet Relay Chat Protocol
  irc-serv          IRC-SERV
  ircs              IRC over TLS/SSL
  ircu              IRCU
  isakmp            ISAKMP
  iscsi             iSCSI
  iscsi-target      iSCSI port
  kazaa2            Kazaa Version 2
  kerberos          Kerberos
  kermit            kermit
  l2tp              L2TP/L2F
  ldap              Lightweight Directory Access Protocol
  ldap-admin        LDAP admin server port
  ldaps             LDAP over TLS/SSL
  login             Remote login
  lotusmtap         Lotus Mail Tracking Agent Protocol
  lotusnote         Lotus Note
  microsoft-ds      Microsoft-DS
  ms-cluster-net    MS Cluster Net
  ms-dotnetster     Microsoft .NETster Port
  ms-sna            Microsoft SNA Server/Base
  ms-sql            Microsoft SQL
  ms-sql-m          Microsoft SQL Monitor
  msexch-routing    Microsoft Exchange Routing
  mysql             MySQL
  n2h2server        N2H2 Filter Service Port
  ncp               NCP (Novell)
  net8-cman         Oracle Net8 Cman/Admin
  netbios-dgm       NETBIOS Datagram Service
  netbios-ns        NETBIOS Name Service
  netbios-ssn       NETBIOS Session Service
  netshow           Microsoft NetShow Protocol
  netstat           Variant of systat
  nfs               Network File System
  nntp              Network News Transport Protocol
  ntp               Network Time Protocol
  oem-agent         OEM Agent (Oracle)
  oracle            Oracle
  oracle-em-vp      Oracle EM/VP
  oraclenames       Oracle Names
  orasrv            Oracle SQL*Net v1/v2
  parameter         Specify inspection parameters
  pcanywheredata    pcANYWHEREdata
  pcanywherestat    pcANYWHEREstat
  pop3              POP3 Protocol
  pop3s             POP3 over TLS/SSL
  pptp              PPTP
  pwdgen            Password  Generator Protocol
  qmtp              Quick Mail Transfer Protocol
  r-winsock         remote-winsock
  radius            RADIUS & Accounting
  rcmd              R commands (r-exec, r-login, r-sh)
  rdb-dbs-disp      Oracle RDB
  realaudio         Real Audio Protocol
  realsecure        ISS Real Secure Console Service Port
  router            Local Routing Process
  rpc               Remote Prodedure Call Protocol
  rsvd              RSVD
  rsvp-encap        RSVP ENCAPSULATION-1/2
  rsvp_tunnel       RSVP Tunnel
  rtc-pm-port       Oracle RTC-PM port
  rtelnet           Remote Telnet Service
  rtsp              Real Time Streaming Protocol
  send              SEND
  shell             Remote command
  sip               SIP Protocol
  sip-tls           SIP-TLS
  skinny            Skinny Client Control Protocol
  sms               SMS RCINFO/XFER/CHAT
  smtp              Simple Mail Transfer Protocol
  snmp              Simple Network Management Protocol
  snmptrap          SNMP Trap
  socks             Socks
  sqlnet            SQL Net Protocol
  sqlserv           SQL Services
  sqlsrv            SQL Service
  ssh               SSH Remote Login Protocol
  sshell            SSLshell
  ssp               State Sync Protocol
  streamworks       StreamWorks Protocol
  stun              cisco STUN
  syslog            SysLog Service
  syslog-conn       Reliable Syslog Service
  tacacs            Login Host Protocol (TACACS)
  tacacs-ds         TACACS-Database Service
  tarantella        Tarantella
  tcp               Transmission Control Protocol
  telnet            Telnet
  telnets           Telnet over TLS/SSL
  tftp              TFTP Protocol
  time              Time
  timed             Time server
  tr-rsrb           cisco RSRB
  ttc               Oracle TTC/SSL
  udp               User Datagram Protocol
  uucp              UUCPD/UUCP-RLOGIN
  vdolive           VDOLive Protocol
  vqp               VQP
  webster           Network Disctionary
  who               Who's service
  winmx             WinMx file-sharing application
  wins              Microsoft WINS
  x11               X Window System
  xdmcp             XDM Control Protocol


C:\Users\PC-A>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
                                      
C:\Users\PC-A>ping 192.168.1.1    // PING R1 LAN GATEWAY

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=2ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\John Lloyd>ping 10.1.1.2   // PING R2 SERIAL0/0/0 INTERFACE; NO ICMP INSPECT CONFIGURED ON CBAC IOS FIREWALL

Pinging 10.1.1.2 with 32 bytes of data:
Reply from 192.168.1.3: Destination host unreachable.
Reply from 192.168.1.3: Destination host unreachable.
Reply from 192.168.1.3: Destination host unreachable.
Reply from 192.168.1.3: Destination host unreachable.

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


R1(config)#ip inspect name autosec_inspect icmp timeout 5    // DIDN'T WORK INITIALLY; HAD TO REMOVE AND RE-APPLY CBAC ON INTERFFACE SERIAL0/0/0


C:\Users\John Lloyd>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=19ms TTL=254
Reply from 10.1.1.2: bytes=32 time=18ms TTL=254
Reply from 10.1.1.2: bytes=32 time=18ms TTL=254
Reply from 10.1.1.2: bytes=32 time=18ms TTL=254

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 19ms, Average = 18ms


R1#show ip inspect sessions detail
Established Sessions
 Session 65EC96E8 (192.168.1.3:8)=>(10.1.1.2:0) icmp SIS_OPEN   
  Created 00:00:30, Last heard 00:00:00
   ECHO request
  Bytes sent (initiator:responder) [928:928]
  In  SID 10.1.1.2[0:0]=>192.168.1.3[0:0] on ACL autosec_firewall_acl  (29 matches)  
  In  SID 0.0.0.0[0:0]=>192.168.1.3[3:3] on ACL autosec_firewall_acl
  In  SID 0.0.0.0[0:0]=>192.168.1.3[11:11] on ACL autosec_firewall_acl

R1#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 7 sec
Inspection Rule Configuration
 Inspection name autosec_inspect
    cuseeme alert is on audit-trail is on timeout 3600
    ftp alert is on audit-trail is on timeout 3600
    http alert is on audit-trail is on timeout 3600
    rcmd alert is on audit-trail is on timeout 3600
    realaudio alert is on audit-trail is on timeout 3600
    smtp max-data 20000000 alert is on audit-trail is on timeout 3600
    tftp alert is on audit-trail is on timeout 30
    udp alert is on audit-trail is on timeout 15
    tcp alert is on audit-trail is on timeout 3600
    icmp alert is on audit-trail is on timeout 5

Interface Configuration
 Interface Serial0/0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is autosec_inspect
    cuseeme alert is on audit-trail is on timeout 3600
    ftp alert is on audit-trail is on timeout 3600
    http alert is on audit-trail is on timeout 3600
    rcmd alert is on audit-trail is on timeout 3600
    realaudio alert is on audit-trail is on timeout 3600
    smtp max-data 20000000 alert is on audit-trail is on timeout 3600
    tftp alert is on audit-trail is on timeout 30
    udp alert is on audit-trail is on timeout 15
    tcp alert is on audit-trail is on timeout 3600
    icmp alert is on audit-trail is on timeout 5
  Inbound access list is autosec_firewall_acl
  Outgoing access list is not set

Established Sessions
 Session 65EC96E8 (192.168.1.3:8)=>(10.1.1.2:0) icmp SIS_OPEN  


R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
    10 permit udp any any eq bootpc
    15 permit eigrp any any (588 matches)
    20 deny ip any any (136 matches)  


R2#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection timed out; remote host not responding


R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
    10 permit udp any any eq bootpc
    15 permit eigrp any any (603 matches)
    20 deny ip any any (140 matches)  


R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#18 permit tcp any any eq 23


R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
 Unauthorized Access Prohibited

User Access Verification

Username: admin
Password: <cisco12345>

R1>enable
Password: <cisco12345>
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
    10 permit udp any any eq bootpc
    15 permit eigrp any any (668 matches)
    18 permit tcp any any eq telnet (135 matches)   
    20 deny ip any any (150 matches)


C:\Users\John Lloyd>telnet 10.1.1.2

User Access Verification

Password:
R2>

R1#show ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 7 sec
Inspection Rule Configuration
 Inspection name autosec_inspect
    cuseeme alert is on audit-trail is on timeout 3600
    ftp alert is on audit-trail is on timeout 3600
    http alert is on audit-trail is on timeout 3600
    rcmd alert is on audit-trail is on timeout 3600
    realaudio alert is on audit-trail is on timeout 3600
    smtp max-data 20000000 alert is on audit-trail is on timeout 3600
    tftp alert is on audit-trail is on timeout 30
    udp alert is on audit-trail is on timeout 15
    tcp alert is on audit-trail is on timeout 3600
    icmp alert is on audit-trail is on timeout 5

Interface Configuration
 Interface Serial0/0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is autosec_inspect
    cuseeme alert is on audit-trail is on timeout 3600
    ftp alert is on audit-trail is on timeout 3600
    http alert is on audit-trail is on timeout 3600
    rcmd alert is on audit-trail is on timeout 3600
    realaudio alert is on audit-trail is on timeout 3600
    smtp max-data 20000000 alert is on audit-trail is on timeout 3600
    tftp alert is on audit-trail is on timeout 30
    udp alert is on audit-trail is on timeout 15
    tcp alert is on audit-trail is on timeout 3600
    icmp alert is on audit-trail is on timeout 5
  Inbound access list is autosec_firewall_acl
  Outgoing access list is not set

Established Sessions
 Session 65EC96E8 (192.168.1.3:7985)=>(10.1.1.2:23) tcp SIS_OPEN  

R1#show ip inspect sessions detail
Established Sessions
 Session 65EC96E8 (192.168.1.3:8062)=>(10.1.1.2:23) tcp SIS_OPEN  
  Created 00:00:19, Last heard 00:00:15
  Bytes sent (initiator:responder) [45:65]
  In  SID 10.1.1.2[23:23]=>192.168.1.3[8062:8062] on ACL autosec_firewall_acl  (16 matches)


R2#ping 10.2.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R2#ping 192.168.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms


R3#show run
Building configuration...

Current configuration : 1181 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
!
router eigrp 101
 network 10.2.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 5 0
 password 7 0822455D0A1606181C1B0D1739
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 00071A1507540A1317314D5D1A
 login
line vty 0 4
 exec-timeout 5 0
 password 7 094F471A1A0A0106121C053938
 login
!
scheduler allocate 20000 1000
end


R3(config)#enable secret cisco12345
R3(config)#ip http server    // ENABLE WEB SERVER
R3(config)#username admin privilege 15 secret cisco12345
R3(config)#ip http authentication local   // CCP TO USE LOCAL ROUTER DATABASE















class-map type inspect match-all ccp-invalid-src
 match access-group 100

policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log

access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any


class-map type inspect match-any SDM_EIGRP
 match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
 match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
 match class-map SDM_EIGRP_TRAFFIC

policy-map type inspect ccp-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default
  drop

ip access-list extended SDM_EIGRP
 remark CCP_ACL Category=1
 permit eigrp any any


R3#show run
Building configuration...

Current configuration : 4383 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$ypyC$Vgw4aKTh9ldDPDP4hm3gv.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 secret 5 $1$iPbz$1Jkudbr.B0fC6vShWsrWU0
archive
 log config
  hidekeys
!
!
!
!
!
!
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_EIGRP
 match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
 match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
 match class-map SDM_EIGRP_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 zone-member security in-zone
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 description $FW_OUTSIDE$
 ip address 10.2.2.1 255.255.255.252
 zone-member security out-zone
!
router eigrp 101
 network 10.2.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
!
ip access-list extended SDM_EIGRP
 remark CCP_ACL Category=1
 permit eigrp any any
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 5 0
 password 7 0822455D0A1606181C1B0D1739
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 00071A1507540A1317314D5D1A
 login
line vty 0 4
 exec-timeout 5 0
 password 7 094F471A1A0A0106121C053938
 login
!
scheduler allocate 20000 1000
end


R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 2 subnets
C       10.2.2.0 is directly connected, Serial0/0/1
D       10.1.1.0 [90/2681856] via 10.2.2.2, 00:40:27, Serial0/0/1
D    192.168.1.0/24 [90/2684416] via 10.2.2.2, 00:39:36, Serial0/0/1
C    192.168.3.0/24 is directly connected, FastEthernet0/1


C:\Users\PC-C>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 192.168.3.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.1

C:\Users\John Lloyd>ping 10.2.2.2

Pinging 10.2.2.2 with 32 bytes of data:
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254

Ping statistics for 10.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 18ms, Average = 18ms


R2#ping 192.168.3.3     // ZBF POLICY ALLOW PING FROM R3 TO ANY IP

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp

class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access

policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply


R2#telnet 10.2.2.1    // TELNET TRAFFIC UNDER DEFAULT CLASS FROM OUTSIDE TO R3 IS DROPED
Trying 10.2.2.1 ...
% Connection timed out; remote host not responding


policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default   
  drop   

policy-map type inspect ccp-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default   
  drop    

zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect


C:\Users\PC-C>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 192.168.3.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.1

C:\Users\John Lloyd>telnet 10.2.2.2

User Access Verification

Password: <ciscovtypass>
R2>


R3#show policy-map ?
  WORD           policy-map name
  apn            Show APN related policy information
  control-plane  Show Control Plane policy
  interface      Show Qos Policy Interface
  session        Show session Qos Policy
  type           type of the policy-map
  |              Output modifiers
  <cr>

R3#show policy-map type ?
  NAT              NAT Policymap
  access-control   access-control specific policy-map
  control          Control policy-maps
  inspect          Firewall Policy-map
  logging          Control-plane packet logging
  port-filter      Control-plane tcp/udp port filtering
  queue-threshold  Control-plane protocol queue limiting

R3#show policy-map type inspect ?
  WORD                 Policy-map name
  condition-debugging  Condition Debugging Settings
  h323                 H323
  http                 HTTP
  im                   IM
  imap                 IMAP
  p2p                  P2P
  pop3                 POP3
  sip                  SIP
  smtp                 SMTP
  sunrpc               RPC
  urlfilter            URLF
  zone-pair            Security zone-pair
  |                    Output modifiers
  <cr>

R3#show policy-map type inspect zone-pair ?
  WORD       Security zone-pair name
  sessions   Inspect sessions information
  urlfilter  URLFiltering information
  |          Output modifiers
  <cr>

R3#show policy-map type inspect zone-pair sessions

policy exists on zp ccp-zp-self-out
 Zone-pair: ccp-zp-self-out

  Service-policy inspect : ccp-permit-icmpreply

    Class-map: ccp-icmp-access (match-all)
      Match: class-map match-any ccp-cls-icmp-access
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Pass
        427 packets, 17080 bytes

policy exists on zp ccp-zp-in-out
 Zone-pair: ccp-zp-in-out

  Service-policy inspect : ccp-inspect

    Class-map: ccp-invalid-src (match-all)
      Match: access-group 100
      Drop
        0 packets, 0 bytes

    Class-map: ccp-protocol-http (match-all)
      Match: protocol http

   Inspect

    Class-map: ccp-insp-traffic (match-all)
      Match: class-map match-any ccp-cls-insp-traffic
        Match: protocol cuseeme
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol dns
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ftp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol https
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imap
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol pop3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol netshow
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol shell
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol realmedia
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol rtsp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol smtp extended
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol sql-net
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol streamworks
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol tftp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol vdolive
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol tcp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol udp
          0 packets, 0 bytes
          30 second rate 0 bps

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 65B74A00 (192.168.3.3:3724)=>(10.2.2.2:23) tacacs:tcp SIS_OPEN  
          Created 00:01:09, Last heard 00:01:05
          Bytes sent (initiator:responder) [45:65]


    Class-map: ccp-sip-inspect (match-any)
      Match: protocol sip
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

    Class-map: ccp-h323-inspect (match-any)
      Match: protocol h323
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

    Class-map: ccp-h323annexe-inspect (match-any)
      Match: protocol h323-annexe
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

    Class-map: ccp-h225ras-inspect (match-any)
      Match: protocol h225ras
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

    Class-map: ccp-h323nxg-inspect (match-any)
      Match: protocol h323-nxg
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

    Class-map: ccp-skinny-inspect (match-any)
      Match: protocol skinny
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

policy exists on zp ccp-zp-out-self
 Zone-pair: ccp-zp-out-self

  Service-policy inspect : ccp-permit

    Class-map: SDM_EIGRP_PT (match-all)
      Match: class-map match-any SDM_EIGRP_TRAFFIC
        Match: class-map match-any SDM_EIGRP
          0 packets, 0 bytes
          30 second rate 0 bps
          Match: access-group name SDM_EIGRP
            0 packets, 0 bytes
            30 second rate 0 bps
      Pass
        862 packets, 34480 bytes

    Class-map: class-default (match-any)
      Match: any
      Drop
        8 packets, 256 bytes