Question
Please I need help with this network security question.

Consider the following topology diagram:

[Topology diagram, recovered from the figure text:
 - IN-SERVER-Zone: 192.168.20.0/24, Intranet SERVER at .254, on R2 Fa0/1
 - OUT-Zone: R2 S0/0/2 on 209.165.200.224/27 (.225) towards the ISP / Internet; MLWR Srv at 207.3.0.19
 - IN-LAB-Zone: R1 (Fa0/0, Fa0/1) with Lab-1 Users 192.168.10.0/24 (switch S1) and Lab-2 Users 192.168.11.0/24 (switch S2); R1 S0/0/0 on 10.1.1.0/30 to R2 S0/0/0
 - IN-STAFF-Zone: R3 (Fa0/0, Fa0/1) with IT Admins 192.168.30.0/24 and Sales Users 192.168.40.0/24 (switch S3); R3 S0/0/1 (.2) on 10.2.2.0/30 to R2 S0/0/1
 - Hosts PC1, PC2, PC3 and PC4 each use host address .10 in their LAN (PC3 = 192.168.30.10, as the ACL below shows)]

Objectives
- Review and configure ACLs on R1 and R3
- Configure a zone-based policy (ZPF) firewall on R2
- Configure IOS IPS on R1

Scenario
The Intranet SERVER is the main asset of the company. However, MLWR Srv is blacklisted and should be banned from accessing the Intranet SERVER. In this question, router R2 has then to be configured as a basic ZPF to control communications from/to internal resources. Finally, you will configure basic IOS IPS on R1. Routers R1 and R3 are to be configured with a simple extended access-list. All questions are INTERRELATED. This question is split into the following sections:

Section A - L2 Security and ACL

1. Write the ACL Control-R3 configuration on R3 (using the outgoing direction) to implement the below policy: (8 marks)
   - Permit all devices in IT-Admins zone (except for PC3) to access Intranet Server via FTP
   - Deny all internal users from accessing the MLWR Srv via HTTPS
   - Permit all outgoing HTTPS for internal users
   - Permit all devices in IT-Admins zone (except for PC3) to access any server via RDP

   R3#sh access-lists
   5 deny tcp host 192.168.30.10 host 192.168.20.254 any eq 21
   10 permit tcp 192.168.30.0 0.0.0.255 host 192.168.20.254 any eq 21
   15 deny tcp 192.168.0.0 0.0.255.255 host 207.3.0.19 eq 443
   20 permit tcp 192.168.0.0 0.0.255.255 any eq 443
   30 deny tcp host 192.168.30.10 any eq 3389
   35 permit tcp any any eq 3389

   R3#sh run int s0/0/1
   int S0/0/1
    ip address 10.2.2.2 255.255.255.252
    ip access-group Control-R3 out

2. Create a new ACL on R1 to control LAB-1 Users' access: (8 marks)
   a. Create an extended ACL named CONTROL-R1 with the following rules: (2 marks)
      Deny LAB-2 users (except for PC2) from accessing hosts in IT-Admins on TCP port 3389.
   b. Choose the appropriate interface(s) using the OUT direction on R1 and write the command to apply CONTROL-R1. (3 marks)
   c. You checked the existing configuration on port F0/3 on switch S3. What 2 types of attacks are mitigated by the below configuration? (3 marks)
      interface f0/3
       dhcp snooping trust
       dhcp snooping limit 1

Section B - ZPF Configuration

3. Configure basic ZPF firewall settings on router R2. The goal of the ZPF configuration is to allow all TCP traffic generated by the Intranet Server and internal users (LAB-1 and LAB-2 users) to be inspected and forwarded to the Internet. Up to this level, all of the zone names shown in the topology have already been created, and interfaces are already assigned to each zone name accordingly. Your task is to complete any missing/incorrect configuration. For this purpose, answer the below: (8 marks)
   a. Use the access-list command to create extended ACL 210 that defines the traffic to be inspected as per the previous description. (2 marks)
   b. At this level of ZPF configuration on R2, and considering ACLs Control-R3 on R3 and CONTROL-R1 on R1, could PC4 access PC1 on TCP port 3389 successfully? Explain. (3 marks)
   c. Same question, but for PC3 accessing PC1 on TCP port 3389. Explain. (3 marks)

4. Finalize the ZPF firewall configuration on router R2: (8 marks)
   a. Complete the IN-NET-CLASS-MAP class map and IN-2-OUT-PMAP policy map configurations. (2 marks)
      R2(config)# class-map type inspect match-all IN-NET-CLASS-MAP
      R2(config-cmap)# match access-group
      R2(config)# policy-map type inspect IN-2-OUT-PMAP
      R2(config-pmap)# class type inspect
   b. Specify the action (inspect, pass or drop) for this policy map. R2 should behave like a stateful firewall for all traffic outgoing to the Internet defined previously in ACL 210. (2 marks)
      R2(config)# policy-map type inspect IN-2-OUT-PMAP
      R2(config-pmap-c)#
   c. Assume that the zone pairing is now configured accordingly on R2 between IN-LAB-Zone and IN-SERVER-Zone on one hand, as source, and OUT-Zone on the other, as destination. Could MLWR Srv access the Intranet SERVER on TCP port 3389 successfully? Explain. (4 marks)
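The questions above (1, 3b, 3c and 4c) all come down to two mechanics: how an extended ACL is evaluated (first match wins, wildcard masks, implicit deny at the end) and how a zone-based firewall decides inter-zone forwarding (no zone-pair means drop; an inspect action keeps session state so replies come back without a reverse pair). The following Python is an added worked example, not part of the original post or an official answer key. It parses Control-R3 in standard IOS syntax (the listing on the page carries an extra "any" after the destination host in entries 5 and 10, which IOS would not accept, so that token is dropped here), and it assumes the subnet-to-zone mapping, the .10 host addresses of PC1/PC3/PC4 and a three-line ACL 210 as read from the question text; all of those are assumptions, not facts the page states.

```python
"""Cisco-style extended ACL evaluator plus ZPF zone-pair reachability (added example,
not code from the original post). Control-R3 below is the page's listing in standard
IOS syntax (the stray "any" after the destination host in entries 5 and 10 is dropped);
subnet-to-zone membership, host addresses and ACL 210 are assumed from the question."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ftp": 21, "www": 80, "https": 443}   # a few of the keywords IOS accepts after 'eq'
ACE = namedtuple("ACE", "action proto src dst sport dport")   # sport/dport None = any port

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A <wildcard>' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))   # wildcard: 1 bits are don't-care
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)  # invert it to get the netmask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2

def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_ace(line):
    """One ACE as printed by 'show access-lists'; the leading sequence number is optional."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens = tokens[1:]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)      # source port operator, if any
    dst, i = _parse_addr(tokens, i)
    dport, _ = _parse_port(tokens, i)      # destination port operator, if any
    return ACE(tokens[0], tokens[1], src, dst, sport, dport)

def parse_acl(text):
    return [parse_ace(line) for line in text.splitlines() if line.strip()]

def evaluate(acl, proto, src, dst, dport=None, sport=None):
    """First matching ACE wins; the implicit 'deny ip any any' at the end catches the rest."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and ace.sport in (None, sport) and ace.dport in (None, dport)):
            return ace.action
    return "deny"

# --- ZPF on R2: forwarding between zones is decided by zone-pairs, not by the routing table ---
ZONE_OF_SUBNET = {"192.168.10.0/24": "IN-LAB-Zone", "192.168.11.0/24": "IN-LAB-Zone",
                  "192.168.30.0/24": "IN-STAFF-Zone", "192.168.40.0/24": "IN-STAFF-Zone",
                  "192.168.20.0/24": "IN-SERVER-Zone"}   # assumed from the diagram

def zone_of(ip):
    a = ipaddress.ip_address(ip)
    for net, zone in ZONE_OF_SUBNET.items():
        if a in ipaddress.ip_network(net):
            return zone
    return "OUT-Zone"        # everything beyond the ISP link, MLWR Srv included

def zpf_verdict(zone_pairs, proto, src, dst, dport, sessions=None):
    """zone_pairs: {(src_zone, dst_zone): (action, class_acl)}. Intra-zone traffic is forwarded;
    inter-zone traffic with no zone-pair is dropped; with a pair, the flow must match the class
    ACL (class-default drops). 'inspect' records the session so its reply is let back in even
    though no reverse zone-pair exists, which is what makes the router a stateful firewall."""
    if sessions is not None and (dst, src) in sessions:
        return "return"
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "pass"
    if (sz, dz) not in zone_pairs:
        return "drop"
    action, class_acl = zone_pairs[(sz, dz)]
    if evaluate(class_acl, proto, src, dst, dport) != "permit":
        return "drop"
    if action == "inspect" and sessions is not None:
        sessions.add((src, dst))
    return action

CONTROL_R3 = """
5 deny tcp host 192.168.30.10 host 192.168.20.254 eq 21
10 permit tcp 192.168.30.0 0.0.0.255 host 192.168.20.254 eq 21
15 deny tcp 192.168.0.0 0.0.255.255 host 207.3.0.19 eq 443
20 permit tcp 192.168.0.0 0.0.255.255 any eq 443
30 deny tcp host 192.168.30.10 any eq 3389
35 permit tcp any any eq 3389
"""
ACL_210 = """
permit tcp 192.168.20.0 0.0.0.255 any
permit tcp 192.168.10.0 0.0.0.255 any
permit tcp 192.168.11.0 0.0.0.255 any
"""   # one reading of "all TCP from the Intranet Server, LAB-1 and LAB-2 users" (assumed)
PC1, PC3, PC4 = "192.168.10.10", "192.168.30.10", "192.168.40.10"   # .10 hosts, assumed from the diagram
INTRANET, MLWR = "192.168.20.254", "207.3.0.19"

def r2_pairs_after_4c():
    """Zone-pairs as question 4c describes: inside zones as source, OUT-Zone as destination."""
    acl = parse_acl(ACL_210)
    return {("IN-LAB-Zone", "OUT-Zone"): ("inspect", acl), ("IN-SERVER-Zone", "OUT-Zone"): ("inspect", acl)}

if __name__ == "__main__":
    r3, pairs, sessions = parse_acl(CONTROL_R3), r2_pairs_after_4c(), set()
    print("R3 PC4->PC1 rdp:", evaluate(r3, "tcp", PC4, PC1, 3389))      # ACE 35 is wider than the policy
    print("R2 PC4->PC1 rdp, no zone-pairs:", zpf_verdict({}, "tcp", PC4, PC1, 3389))
    print("R2 MLWR->Intranet rdp:", zpf_verdict(pairs, "tcp", MLWR, INTRANET, 3389, sessions))
    zpf_verdict(pairs, "tcp", INTRANET, MLWR, 443, sessions)             # server opens a session outwards
    print("R2 MLWR reply to it:", zpf_verdict(pairs, "tcp", MLWR, INTRANET, 443, sessions))
```

Two things the run makes visible that the prose does not. First, `permit tcp any any eq 3389` (entry 35) lets a Sales host reach a Lab host over RDP even though the policy only grants RDP to IT-Admins, so the R3 ACL passes PC4 -> PC1; what stops that flow at this stage is R2, where interfaces already sit in zones but no IN-STAFF-Zone to IN-LAB-Zone zone-pair exists, so ZPF drops it. Second, after the zone-pairs of question 4c are added, MLWR Srv still cannot open a connection to the server (no OUT-Zone to IN-SERVER-Zone pair); only replies to sessions the server itself initiated are let back in by the inspect state table, which is also why the "blacklisted" host should still be blocked on the inside-to-OUT path by ACL 210 or Control-R3 rather than relied upon to never be contacted.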