© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.213-1 Lesson 13 Switching and Routing.

Transcript:

Lesson 13: Switching and Routing

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Describe the VLAN functionality of the PIX Firewall.
- Explain the routing functionality of the PIX Firewall.
- Configure the PIX Firewall to work with RIP.
- Configure the PIX Firewall to work with OSPF.
- Configure the PIX Firewall to forward multicast traffic.

Virtual LANs

Virtual LANs

Two physical LAN connections:
- Inside
- Outside
Three virtual LAN connections:
- DMZ servers (public server, partner server, proxy server)

(Figure: the PIX Firewall has physical inside and outside connections, and a single VLAN trunk port carrying the three DMZ VLANs to the public, partner and proxy servers.)

Create Logical and Physical Interfaces

  pix1(config)# interface ethernet3 100full
  pix1(config)# interface ethernet3 vlan10 physical
  pix1(config)# interface ethernet3 vlan20 logical
  pix1(config)# interface ethernet3 vlan30 logical

(Figure: ethernet3 is the trunk port; vlan10 is the physical VLAN on it, vlan20 and vlan30 are logical VLANs, each carrying one DMZ server.)

Assign VLAN Names and Security Levels

  pix1(config)# nameif vlan10 dmz1 security10
  pix1(config)# nameif vlan20 dmz2 security20
  pix1(config)# nameif vlan30 dmz3 security

(Figure: on the trunk port, vlan10 is named dmz1, vlan20 is dmz2 and vlan30 is dmz3.)

Assign VLAN IP Addresses

  pix1(config)# ip address dmz
  pix1(config)# ip address dmz
  pix1(config)# ip address dmz

(Figure: each of the three DMZ VLAN interfaces on the trunk port receives its own IP address.)

Maximum Interfaces Supported

(Table: for each model, the total, physical and logical interfaces supported under the restricted license and under the unrestricted license. The PIX 501 and PIX 506E have no restricted license (NA); they support 2 total interfaces, 2 physical interfaces, and logical interfaces are not supported. Further rows cover the PIX 515E and larger models.)

Maximum number of logical interfaces = total interfaces minus physical interfaces in use.
Example: PIX 515 R: 5 (total) minus 2 (physical) = 3 (logical).

Static and Dynamic Routing

Static Routes

  pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]

Defines a static or default route for an interface.

  pix1(config)# route outside
  pix1(config)# route inside

(Figure: the route outside command sets the default route toward the Internet; the route inside command adds a static route to a network behind the inside router.)

Dynamic RIP Routes

  pix1(config)# rip outside passive version 2 authentication md5 MYKEY 2
  pix1(config)# rip inside default

The PIX Firewall accepts RIP version 2 multicast updates authenticated with the MD5 key. For example, it could learn the route to the network behind router A from router A. With rip inside default, the PIX Firewall broadcasts itself as the default route for devices on the inside interface.

(Figure: router A on the outside sends RIP v2 updates to the PIX; the PIX advertises a default route on the inside.)

Dynamic RIP Routes (Cont.)

  pixfirewall(config)# rip if_name default | passive [version [1 | 2]] [authentication [text | md5 key key_id]]

Enables IP routing table updates from received RIP broadcasts.

  pix1(config)# rip outside passive version 2 authentication md5 MYKEY 2
  pix1(config)# rip inside passive
  pix1(config)# rip dmz passive version 2

(Figure: RIP v2 with MD5 authentication on the outside, RIP v1 on the inside, RIP v2 on the dmz.)
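As an added example (not part of the course and not Cisco code), the following Python models the keyed-MD5 scheme that the `rip outside passive version 2 authentication md5 MYKEY 2` command enables, on both the sending and the receiving side. The packet layout is my reading of RFC 2082 and is an assumption, as are the sample route and the key names.

```python
"""Keyed-MD5 authentication on RIPv2 updates (what the slide's
`authentication md5 MYKEY 2` relies on).  Added example, not Cisco code.
Layout follows my reading of RFC 2082 (an assumption): an authentication
RTE precedes the routes and a trailer carries MD5(packet || NUL-padded key).
This gives origin and integrity checks only; the routes are not encrypted.
"""
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH, AUTH_KEYED_MD5, AUTH_TRAILER = 0xFFFF, 3, 1
DIGEST_LEN, AUTH_RTE_LEN, TRAILER_HDR_LEN = 16, 20, 4

def _pad_key(key: bytes) -> bytes:
    if not 1 <= len(key) <= DIGEST_LEN:
        raise ValueError("RIP MD5 key must be 1..16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")

def build_update(routes, key_id: int, key: bytes, seq: int) -> bytes:
    """Sender side: routes = [(net, mask, nexthop, metric)], 4-byte strings and an int."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    rtes = b"".join(struct.pack("!HH4s4s4sI", 2, 0, net, mask, nh, metric)
                    for net, mask, nh, metric in routes)
    body_len = len(header) + AUTH_RTE_LEN + len(rtes)   # bytes before the trailer
    auth_rte = struct.pack("!HHHBBIII", AFI_AUTH, AUTH_KEYED_MD5,
                           body_len, key_id, DIGEST_LEN, seq, 0, 0)
    unsigned = header + auth_rte + rtes + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    digest = hashlib.md5(unsigned + _pad_key(key)).digest()
    return unsigned + digest

def verify_update(packet: bytes, keys: dict) -> bool:
    """Receiver side: True only if the digest matches the configured key for the key id."""
    if len(packet) < 4 + AUTH_RTE_LEN + TRAILER_HDR_LEN + DIGEST_LEN:
        return False
    afi, atype, body_len, key_id, auth_len = struct.unpack_from("!HHHBB", packet, 4)
    if (afi, atype, auth_len) != (AFI_AUTH, AUTH_KEYED_MD5, DIGEST_LEN):
        return False
    if body_len + TRAILER_HDR_LEN + DIGEST_LEN != len(packet) or key_id not in keys:
        return False   # truncated/padded packet, or a key id we do not hold
    sig_start = body_len + TRAILER_HDR_LEN
    if packet[body_len:sig_start] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False
    expected = hashlib.md5(packet[:sig_start] + _pad_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, packet[sig_start:])  # constant-time compare

# Constructed sample: one route to 10.0.1.0/24, key MYKEY with key id 2 as on the slide.
SAMPLE_ROUTE = (bytes([10, 0, 1, 0]), bytes([255, 255, 255, 0]), bytes(4), 1)

if __name__ == "__main__":
    pkt = build_update([SAMPLE_ROUTE], 2, b"MYKEY", seq=1)
    print("good key :", verify_update(pkt, {2: b"MYKEY"}))   # True
    print("wrong key:", verify_update(pkt, {2: b"OTHER"}))   # False
    forged = pkt[:30] + bytes([pkt[30] ^ 1]) + pkt[31:]       # flip one route bit
    print("tampered :", verify_update(forged, {2: b"MYKEY"}))  # False
```

The key id in the packet selects which configured key the receiver tries, so a peer configured with key id 1 is rejected even if it holds the same secret.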

OSPF

OSPF

PIX Firewall Software Release 6.3 adds support for the OSPF dynamic routing protocol. Some of the supported OSPF features are as follows:
- Support for intra-area, interarea and external (type 1 and 2) routes
- Support for virtual links
- Authentication for OSPF packets
- Configuring the PIX as a DR, an ABR, and limited ASBR functionality
- ABR type 3 LSA filtering
- Route redistribution

(Figure: the PIX Firewall between a private OSPF network and the Internet.)

OSPF Configuration

OSPF configuration steps:
1. Enable OSPF.
2. Define the interfaces on which OSPF runs.
3. Define the OSPF areas.

(Figure: router ospf 1 on the PIX Firewall between the private OSPF network and the Internet.)

Enable OSPF Routing

  pixfirewall(config)# router ospf pid

Enables OSPF routing through the PIX Firewall.

  pix1(config)# router ospf 1
  pix1(config-router)# network area 0
  pix1(config-router)# network area
  pix1(config-router)# network area

(Figure: the PIX Firewall running one OSPF process between the private network and the Internet.)

Define OSPF Networks

  pixfirewall(config)# network prefix ip_address netmask area area_id

Adds interfaces to, or removes them from, the OSPF routing process.

  pix1(config)# router ospf 1
  pix1(config-router)# network area 0
  pix1(config-router)# network area
  pix1(config-router)# network area

(Figure: the PIX Firewall running one OSPF process between the private network and the Internet.)

Link State Advertisements

OSPF advertises routes to networks. You may need to prevent networks from being advertised when using private addressing.

  pixfirewall(config)# area area_id filter-list prefix {prefix_list_name in | out}
  pixfirewall(config)# prefix-list list_name [seq seq_number] {permit | deny prefix/len}

  pix1(config-router)# area 0 filter-list prefix ten in
  pix1(config)# prefix-list ten deny /16
  pix1(config)# prefix-list ten permit /24

(Figure: the PIX Firewall, as OSPF router, advertises routes from the private network toward the Internet.)

LSA Filter Example

  pix1(config)# router ospf 1
  pix1(config-router)# network area 0
  pix1(config-router)# network area
  pix1(config-router)# network area
  pix1(config-router)# area 0 filter-list prefix ten in
  pix1(config)# prefix-list ten deny /16
  pix1(config)# prefix-list ten permit /24

(Figure: the private /16 is blocked (X) from being advertised into area 0; the /24 is advertised.)
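An added Python example (not course material and not Cisco code) that evaluates a prefix-list such as the one on the Link State Advertisements slide and in this example, the way the ABR does when applying `area 0 filter-list prefix ten in`. It goes beyond the slide by also accepting the optional ge/le length window; the match rule is assumed from Cisco prefix-list semantics, and all addresses are constructed because the slide's own were lost in extraction.

```python
"""Prefix-list evaluation behind `area 0 filter-list prefix ten in`.
Added example, not Cisco course code.  Parses the slide's prefix-list syntax
(plus an optional ge/le window, an extension), applies entries in sequence order
with the implicit deny last, and reports which type-3 summary LSAs pass.  Match
rule assumed from Cisco semantics: candidate inside the entry prefix with equal
length, or a length within ge..le.  Addresses below are constructed.
"""
import ipaddress
import re

LINE = re.compile(r"prefix-list\s+(\S+)(?:\s+seq\s+(\d+))?\s+(permit|deny)\s+(\S+)"
                  r"(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?$")

def parse_prefix_list(lines, name):
    """Entries of list `name` as (seq, action, network, ge, le), sorted by seq."""
    entries, next_seq = [], 5
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        seq = int(m.group(2)) if m.group(2) else next_seq
        next_seq = seq + 5                      # Cisco auto-numbers in steps of 5
        net = ipaddress.ip_network(m.group(4), strict=False)
        ge = int(m.group(5)) if m.group(5) else None
        le = int(m.group(6)) if m.group(6) else None
        entries.append((seq, m.group(3), net, ge, le))
    return sorted(entries, key=lambda e: e[0])

def matches(entry, candidate):
    """Candidate inside entry prefix, and length exact or within the ge/le window."""
    _, _, net, ge, le = entry
    if candidate.version != net.version or not candidate.subnet_of(net):
        return False
    if ge is None and le is None:
        return candidate.prefixlen == net.prefixlen
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else candidate.max_prefixlen
    return lo <= candidate.prefixlen <= hi

def filter_lsas(config_lines, name, summaries):
    """Map each summary prefix to 'permit' or 'deny'; no match means implicit deny."""
    entries = parse_prefix_list(config_lines, name)
    def verdict(s):
        hit = next((e for e in entries if matches(e, ipaddress.ip_network(s))), None)
        return hit[1] if hit else "deny"
    return {s: verdict(s) for s in summaries}

CONFIG = ["prefix-list ten deny 10.0.0.0/16",        # constructed private /16
          "prefix-list ten permit 192.168.1.0/24"]   # constructed public /24
SUMMARIES = ["10.0.0.0/16", "10.0.5.0/24", "192.168.1.0/24", "172.16.5.0/24"]

if __name__ == "__main__":
    for lsa, verdict in filter_lsas(CONFIG, "ten", SUMMARIES).items():
        print(f"{lsa:16} {verdict}")
```

Note that a bare `deny 10.0.0.0/16` stops only the /16 summary itself: a more specific 10.0.5.0/24 is held back solely by the implicit deny, so if the list ends with a broad permit (for example `permit 0.0.0.0/0 le 32`) the private subnet leaks unless the deny is widened with `le 32`.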

OSPF: One-Process Network Example

  pix1(config)# nameif ethernet0 outside security0
  pix1(config)# nameif ethernet1 inside security100
  pix1(config)# nameif ethernet2 dmz security50
  pix1(config)# ip address outside
  pix1(config)# ip address inside
  pix1(config)# ip address dmz

(Figure: the PIX Firewall with outside, inside and dmz interfaces between the private network and the Internet.)

OSPF: Static and Dynamic Translations

  pix1(config)# static (inside,outside)
  pix1(config)# static (dmz,outside)
  pix1(config)# nat (inside)
  pix1(config)# global (outside)

(Figure: translations between the private network and the Internet.)

OSPF: Configure Areas and LSA Filter

  pix1(config)# router ospf 1
  pix1(config-router)# network area 0
  pix1(config-router)# network area
  pix1(config-router)# network area
  pix1(config-router)# area 0 filter-list prefix ten in
  pix1(config)# prefix-list ten deny /16
  pix1(config)# prefix-list ten permit /24

(Figure: the private /16 is blocked (X) from being advertised toward the Internet; the /24 is advertised.)

OSPF: Two Processes

PIX Firewall OSPF two-process criteria:
- NAT is used.
- OSPF is operating on public and private areas.
- LSA type 3 filtering is required.

Run two OSPF processes:
- One process is for the public areas.
- One process is for the private areas.

(Figure: OSPF process 1 faces the Internet side, OSPF process 2 faces the private side of the PIX Firewall.)

Defining OSPF: Two Processes

  pix1(config)# router ospf 1 //public AS
  pix1(config-router)# network area 0
  pix1(config)# router ospf 2 //private AS
  pix1(config-router)# network area
  pix1(config-router)# network area

(Figure: OSPF process 1 with area 0 toward the Internet; OSPF process 2 with the private areas.)

Defining Redistribution

  pixfirewall(config)# redistribute ospf pid

Configures redistribution of routes between OSPF processes according to the parameters specified.

  pix1(config)# router ospf 1 //public AS
  pix1(config)# router ospf 2 //private AS
  pix1(config-router)# redistribute ospf 1 //import public routes

(Figure: routes from public process 1 are redistributed into private process 2; private routes are not redistributed (X) into process 1.)

Redistribution Example

  pix1(config)# router ospf 1 //public AS
  pix1(config-router)# network area 0
  pix1(config)# router ospf 2 //private AS
  pix1(config-router)# redistribute ospf 1 //import public routes
  pix1(config-router)# network area
  pix1(config-router)# network area

(Figure: routes from public process 1 are redistributed into private process 2; private routes are not redistributed (X) into process 1.)

OSPF: Two-Process Configuration Example

  pix1(config)# nameif ethernet0 outside security0
  pix1(config)# nameif ethernet1 inside security100
  pix1(config)# nameif ethernet2 dmz security50
  pix1(config)# ip address outside
  pix1(config)# ip address inside
  pix1(config)# ip address dmz

(Figure: the PIX Firewall with outside, inside and dmz interfaces toward the Internet.)

OSPF: Static and Dynamic Translations

  pix1(config)# static (inside,outside)
  pix1(config)# static (dmz,outside)
  pix1(config)# nat (inside)
  pix1(config)# global (outside)

(Figure: translations toward the Internet.)

OSPF: Configure Areas and Redistribution

  pix1(config)# router ospf 1 //public AS
  pix1(config-router)# network area 0
  pix1(config)# router ospf 2 //private AS
  pix1(config-router)# redistribute ospf 1 //import public routes
  pix1(config-router)# network area
  pix1(config-router)# network area

(Figure: routes from public process 1 are redistributed into private process 2; private routes are not redistributed (X) into process 1.)

Multicast

IP Multicasting

- An IP datagram is transmitted to a set of hosts identified by a single IP destination address.
- Clients that wish to receive multicasts must join a multicast host group.
- The multicast router discovers group hosts by sending IGMP query messages.
- Host group members respond with IGMP reports.
- The PIX Firewall supports Stub Multicast Routing (IGMP proxying).

(Figure: multicast server and multicast router on the outside, multicast client on the inside; IGMP queries go toward the client, IGMP reports go back to the router.)

Outside Multicast Server: Configuring Outside Interface

  pixfirewall(config)# multicast interface interface_name

Enables multicast support on the specified interface and places the interface in multicast promiscuous mode.

  pixfirewall(config-multicast)# igmp access-group acl-id

Applies an ACL to the multicast interface.

  pix1(config)# multicast interface outside
  pix1(config-multicast)# igmp access-group 110
  pix1(config)# access-list 110 permit udp any host

(Figure: multicast server and multicast router on the outside, multicast client on the inside; the ACL permits traffic to the multicast group address.)

Outside Multicast Server: Configuring Inside Interface

  pixfirewall(config-multicast)# igmp forward interface interface_name

Enables forwarding of IGMP reports to the multicast router on the outside interface.

  pixfirewall(config-multicast)# igmp join-group group

Enables the PIX Firewall to join a multicast group.

  pix1(config)# multicast interface inside
  pix1(config-multicast)# igmp forward interface outside
  pix1(config-multicast)# igmp join-group

(Figure: IGMP reports from the inside multicast client are forwarded to the multicast router on the outside.)

Outside Multicast Server, Inside Receiving Hosts: Example

  pix1(config)# multicast interface dmz
  pix1(config-multicast)# igmp access-group 120
  pix1(config)# access-list 120 permit udp any host
  pix1(config)# multicast interface inside
  pix1(config-multicast)# igmp forward interface dmz

1. The host sends an IGMP report (the slide shows its source, destination and IGMP group addresses).
2. The PIX Firewall accepts the packet, and IGMP places the inside interface on the output list for the group.
3. The PIX Firewall forwards the IGMP packet to the multicast router (the slide shows its source, destination and IGMP group addresses).
4. The router places the input interface on the output list for the group.
5. Packets from the multicast server arrive at the router, which forwards them to the necessary interfaces.
6. The PIX Firewall accepts the packets and forwards them to the interfaces for the group.

(Figure: multicast server and multicast router on the dmz, multicast client on the inside; IGMP reports flow from the client through the PIX to the router.)

Inside Server: Configuring Static Multicast Route

  pixfirewall(config)# mroute src smask in-if-name dst dmask out-if-name

Creates a static multicast route from the transmission source to the next-hop router interface.

  pix1(config)# multicast interface outside
  pix1(config)# multicast interface inside
  pix1(config)# mroute inside outside

(Figure: multicast server on the inside, multicast client on the outside, with the multicast group shown.)

Configuring Other IGMP Options

  pixfirewall(config-multicast)# igmp version 1 | 2

Sets the version of IGMP to be used.

  pixfirewall(config-multicast)# igmp query-interval seconds

Configures the frequency at which IGMP query messages are sent by the interface.

  pixfirewall(config-multicast)# igmp query-max-response-time seconds

Sets the maximum query response time (for IGMP version 2 only).

  pixfirewall(config-multicast)# igmp version 2
  pixfirewall(config-multicast)# igmp query-interval 120
  pixfirewall(config-multicast)# igmp query-max-response-time 50

Viewing SMR Configuration

  pixfirewall(config)# show multicast [interface interface_name]

Displays all or per-interface multicast settings.

  pixfirewall(config)# show igmp [group | interface interface_name] [detail]

Displays multicast-related information about one or more groups.

  pixfirewall(config)# show mroute [dst [src]]

Displays multicast routes.

Debugging SMR Configuration

  pixfirewall(config)# debug igmp

Enables debugging for IGMP events.

  pixfirewall(config)# debug mfwd

Enables debugging for multicast forwarding events.

Summary

Summary

- You can add static routes to the PIX Firewall to enable access to networks connected outside a router on any interface.
- The PIX Firewall can be configured to listen for RIP version 1 or RIP version 2 routing broadcasts.
- The PIX Firewall cannot pass RIP updates between interfaces.
- When RIP version 2 is configured in passive mode, the PIX Firewall accepts RIP version 2 multicast updates sent to the RIP version 2 multicast IP destination address.
- When configured for the RIP version 2 default mode, the PIX Firewall transmits default route updates using a specific IP destination address.
- The PIX Firewall supports one or two OSPF routing domains.

Summary (Cont.)

- The PIX Firewall supports OSPF intra-area and interarea routing.
- The PIX Firewall supports ABR LSA type 3 filtering.
- The PIX Firewall supports Stub Multicast Routing, which enables it to pass multicast traffic.
- The PIX Firewall can be configured to forward multicasts from a transmission source on a higher security level interface to receivers on a lower security level interface.
- The PIX Firewall can also be configured to allow hosts on a higher security level interface to receive multicasts from a host on a lower security level interface.