Description: This exercise explains how to configure and verify a firewall filter (the Junos equivalent of an ACL) according to the given set of instructions.
Network Diagram: (image not reproduced in the text)
Instructions:
1. Enter configuration mode
2. Enter interface mode on each device and assign the IP addresses as per the table
3. Ping R2 from both R3 and R4 and confirm that it is successful
4. Configure an ACL on R1 that allows telnet traffic from R3 (192.168.2.2), allows ICMP traffic from R4 (192.168.3.2) and blocks all other traffic
5. Apply this access list to inbound traffic on R1's SONET interface
6. Commit your configuration
7. Verify the ACL applied on R1 by pinging and telnetting to R2 from R3 and R4: R3 (192.168.2.2) should not be able to ping R2 but should be able to telnet to it, and R4 (192.168.3.2) should be able to ping R2 but not telnet to it
Device | Interface | IP Address |
---|---|---|
R1 | fe-1/3/0 | 192.168.1.1/24 |
R1 | so-0/0/0 | 192.168.2.1/24 |
R2 | fe-1/3/0 | 192.168.1.2/24 |
R3 | so-0/0/0 | 192.168.2.2/24 |
R3 | so-0/0/1 | 192.168.3.1/24 |
R4 | so-0/0/0 | 192.168.3.2/24 |
On R1
user@R1>configure
[edit]
user@R1#edit interfaces fe-1/3/0 unit 0 family inet
[edit interfaces fe-1/3/0 unit 0 family inet]
user@R1#set address 192.168.1.1/24
[edit interfaces fe-1/3/0 unit 0 family inet]
user@R1#exit
[edit]
user@R1#edit interfaces so-0/0/0 unit 0 family inet
[edit interfaces so-0/0/0 unit 0 family inet]
user@R1#set address 192.168.2.1/24
[edit interfaces so-0/0/0 unit 0 family inet]
user@R1#exit
[edit]
user@R1#commit
commit complete
[edit]
user@R1#exit
On R2
user@R2>configure
[edit]
user@R2#edit interfaces fe-1/3/0 unit 0 family inet
[edit interfaces fe-1/3/0 unit 0 family inet]
user@R2#set address 192.168.1.2/24
[edit interfaces fe-1/3/0 unit 0 family inet]
user@R2#exit
[edit]
user@R2#commit
commit complete
[edit]
On R3
user@R3>configure
[edit]
user@R3#edit interfaces so-0/0/0 unit 0 family inet
[edit interfaces so-0/0/0 unit 0 family inet]
user@R3#set address 192.168.2.2/24
[edit interfaces so-0/0/0 unit 0 family inet]
user@R3#exit
[edit]
user@R3#edit interfaces so-0/0/1 unit 0 family inet
[edit interfaces so-0/0/1 unit 0 family inet]
user@R3#set address 192.168.3.1/24
[edit interfaces so-0/0/1 unit 0 family inet]
user@R3#exit
[edit]
user@R3#commit
commit complete
[edit]
On R4
user@R4>configure
[edit]
user@R4#edit interfaces so-0/0/0 unit 0 family inet
[edit interfaces so-0/0/0 unit 0 family inet]
user@R4#set address 192.168.3.2/24
[edit interfaces so-0/0/0 unit 0 family inet]
user@R4#exit
[edit]
user@R4#commit
commit complete
[edit]
Verification
user@R3>ping 192.168.1.2
PING 192.168.1.2: 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=253 time=1.028 ms
user@R4>ping 192.168.1.2
PING 192.168.1.2: 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=253 time=1.028 ms
On R1
user@R1>configure
[edit]
user@R1#edit firewall family inet filter filter1
[edit firewall family inet filter filter1]
user@R1#set term term1 from source-address 192.168.2.2/32
[edit firewall family inet filter filter1]
user@R1#set term term1 from protocol tcp
[edit firewall family inet filter filter1]
user@R1#set term term1 from port telnet
[edit firewall family inet filter filter1]
user@R1#set term term1 then accept
[edit firewall family inet filter filter1]
user@R1#set term term2 from source-address 192.168.3.2/32
[edit firewall family inet filter filter1]
user@R1#set term term2 from protocol icmp
[edit firewall family inet filter filter1]
user@R1#set term term2 then accept
[edit firewall family inet filter filter1]
user@R1#exit
[edit]
user@R1#edit interfaces so-0/0/0 unit 0 family inet
[edit interfaces so-0/0/0 unit 0 family inet]
user@R1#set filter input filter1
[edit interfaces so-0/0/0 unit 0 family inet]
user@R1#exit
[edit]
user@R1#commit
commit complete
[edit]
user@R1#exit
Note: If a term does not contain a from statement, the packet is considered to match and the action in the term's then statement is taken. If a term does not contain a then statement, or if you do not configure an action in the then statement, and the packet matches the conditions in the term's from statement, the packet is accepted. A packet that matches none of the terms is dropped by the implicit discard at the end of every filter; that implicit discard is what blocks all other traffic in filter1 above, even though no term says so explicitly. Also note that the source-address match is a prefix: a /24 on a host address would match the whole subnet, so /32 is used to match a single router.
Verification
user@R3>ping 192.168.1.2
Trying 192.168.1.2 % Destination unreachable; gateway or host down
user@R3>telnet 192.168.1.2
Trying 192.168.1.2... Connected to R2.
user@R4>ping 192.168.1.2
PING 192.168.1.2: 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=253 time=1.028 ms
user@R4>telnet 192.168.1.2
Trying 192.168.1.2 % Destination unreachable; gateway or host down
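As an added illustration (my own Python model, not lab code or Junos output), the following replays the four checks above against the rules in the Note: terms are tried in order, a term without from matches every packet, a term without then accepts, and a packet matching no term hits the implicit discard. The filters are transcribed with /32 host prefixes, and the sample packets are constructed.

```python
import ipaddress
# Model of Junos firewall-filter term evaluation (added example, not lab code).
# Terms are tried in order; the first term whose 'from' conditions all match
# decides the packet; a packet matching no term hits the implicit discard.
def term_matches(term, pkt):
    """True if every 'from' condition of the term matches pkt (a dict)."""
    frm = term.get("from")
    if not frm:                      # no 'from' statement: every packet matches
        return True
    if "source-address" in frm:
        # Junos matches on the prefix: 192.168.2.2/24 means 192.168.2.0/24
        # (strict=False reproduces that); use /32 to match a single host.
        net = ipaddress.ip_network(frm["source-address"], strict=False)
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    if "protocol" in frm and pkt["protocol"] != frm["protocol"]:
        return False
    if "port" in frm and frm["port"] not in (pkt.get("sport"), pkt.get("dport")):
        return False                 # 'port' matches source OR destination port
    return True

def evaluate(terms, pkt):
    """Action for pkt: first matching term's 'then', else implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            return term.get("then", "accept")   # no 'then' statement: accept
    return "discard"

# The lab's filter1: telnet from R3, ICMP from R4, nothing else (implicit discard).
FILTER1 = [
    {"from": {"source-address": "192.168.2.2/32", "protocol": "tcp", "port": 23},
     "then": "accept"},
    {"from": {"source-address": "192.168.3.2/32", "protocol": "icmp"}, "then": "accept"},
]
# Case 1: accept anything from R3, then a term with no 'from' rejects the rest.
CASE1 = [
    {"from": {"source-address": "192.168.2.2/32"}, "then": "accept"},
    {"then": "reject"},
]

def verify_lab(terms):
    """Replay the lab's checks: ping and telnet to R2 from R3 and R4."""
    probes = {  # constructed sample packets (only fields a term inspects)
        "R3 ping": {"src": "192.168.2.2", "protocol": "icmp"},
        "R3 telnet": {"src": "192.168.2.2", "protocol": "tcp", "sport": 40001, "dport": 23},
        "R4 ping": {"src": "192.168.3.2", "protocol": "icmp"},
        "R4 telnet": {"src": "192.168.3.2", "protocol": "tcp", "sport": 40002, "dport": 23},
    }
    return {name: evaluate(terms, pkt) for name, pkt in probes.items()}
```

Running verify_lab(FILTER1) gives accept only for "R3 telnet" and "R4 ping", matching the verification output above.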
Now try different cases of applying the ACL and test each one as shown below. Before that, remove the previously configured filter from R1. The operational-mode command clear firewall filter only clears the filter's counters and leaves its configuration in place, and later set statements would merge into the existing terms, so delete the filter (and its reference on the interface) in configuration mode instead:
user@R1>configure
[edit]
user@R1#delete firewall family inet filter filter1
[edit]
user@R1#delete interfaces so-0/0/0 unit 0 family inet filter
[edit]
user@R1#commit
commit complete
[edit]
user@R1#exit
Case 1: Allow traffic from IP address 192.168.2.2 and block all other traffic
user@R1>configure
[edit]
user@R1#edit firewall family inet filter filter1
[edit firewall family inet filter filter1]
user@R1#set term term1 from source-address 192.168.2.2/32
[edit firewall family inet filter filter1]
user@R1#set term term1 then accept
[edit firewall family inet filter filter1]
user@R1#set term term2 then reject
[edit firewall family inet filter filter1]
Apply the firewall filter to the router interface (top returns to the [edit] level before descending into the interface hierarchy)
user@R1#top edit interfaces so-0/0/0 unit 0 family inet
[edit interfaces so-0/0/0 unit 0 family inet]
user@R1#set filter input filter1
[edit interfaces so-0/0/0 unit 0 family inet]
user@R1#exit
[edit]
user@R1#commit
commit complete
[edit]
user@R1#exit
Verification
user@R3>ping 192.168.1.2
PING 192.168.1.2: 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=253 time=1.028 ms
user@R4>ping 192.168.1.2
Trying 192.168.1.2 % Destination unreachable; gateway or host down
Case 2: Block traffic from IP address 192.168.2.2 and allow all other traffic
First remove the Case 1 filter in configuration mode (clear firewall filter would only reset its counters):
user@R1>configure
[edit]
user@R1#delete firewall family inet filter filter1
[edit]
user@R1#delete interfaces so-0/0/0 unit 0 family inet filter
[edit]
user@R1#commit
commit complete
[edit]
user@R1#exit
user@R1>configure
[edit]
user@R1#edit firewall family inet filter filter1
[edit firewall family inet filter filter1]
user@R1#set term term1 from source-address 192.168.2.2/32
[edit firewall family inet filter filter1]
user@R1#set term term1 then reject
[edit firewall family inet filter filter1]
user@R1#set term term2 then accept
[edit firewall family inet filter filter1]
Apply the firewall filter to the router interface (top returns to the [edit] level before descending into the interface hierarchy)
user@R1#top edit interfaces so-0/0/0 unit 0 family inet
[edit interfaces so-0/0/0 unit 0 family inet]
user@R1#set filter input filter1
[edit interfaces so-0/0/0 unit 0 family inet]
user@R1#exit
[edit]
user@R1#commit
commit complete
[edit]
user@R1#exit
Verification
user@R3>ping 192.168.1.2
PING 192.168.1.2: 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=253 time=1.028 ms
user@R4>ping 192.168.1.2
PING 192.168.1.2: 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=253 time=1.028 ms