Configuring Simple Security (page 16-34) – Enterasys Networks Security Router X-Pedition™ User Manual

Configuration Examples

16-34 Configuring Security on the XSR

XSR(config)#ip firewall policy radius internal internal Radius allow bidirectional
XSR(config)#ip firewall policy RADacct internal internal Radius_ACCT allow bidirectional

Configuring Simple Security

This configuration offers simple protection for the XSR without the firewall feature set; filtering is done with access lists applied to the interfaces. First, perform standard port configuration:

XSR(config)#interface FastEthernet 1
XSR(config-if<F1>)#ip address 192.168.10.1 255.255.255.0
XSR(config-if<F1>)#no shutdown
XSR(config)#controller t1 0/2/0
XSR(config-controller<T1/2>)#no shutdown
XSR(config)#interface serial 2/0:0
XSR(config-if<S2/0:0>)#encapsulation ppp
XSR(config-if<S2/0:0>)#ip add 192.168.20.10 255.255.255.0
XSR(config-if<S2/0:0>)#no shutdown

Formulate access lists of allowed and prohibited network addresses:

XSR(config)#access-list 1 permit 192.168.10.0 0.0.0.255
XSR(config)#access-list 1 permit 192.168.20.0 0.0.0.255
XSR(config)#access-list 2 permit host 192.168.9.32
XSR(config)#access-list 100 deny ip any host 192.168.1.15
XSR(config)#access-list 100 deny ip host 192.168.1.15 any
XSR(config)#access-list 100 deny tcp host 192.168.1.15 any
XSR(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any
XSR(config)#access-list 100 permit ip any 192.168.1.0 0.0.0.255

Apply the access list to the network interfaces. Every list ends with an implicit deny, so anything that is not explicitly permitted is filtered out by default.

XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip access-group 1 in
XSR(config-if<F1>)#ip access-group 1 out
XSR(config)#interface serial 2/0:0
XSR(config-if<S2/0:0>)#ip access-group 1 in
XSR(config-if<S2/0:0>)#ip access-group 1 out

For security reasons, you can limit traffic to certain protocols (ICMP, UDP, TCP, AH, ESP and GRE) and ports. To use traffic type as a criterion, enter the extended access-list command, with numbers ranging from 100 to 199. The standard access-list command employs numbers ranging from 1 to 99 and can filter traffic by source IP address(es) only.

Write ACLs to permit Telnet and HTTP sessions. Once the access list is applied to the port, only this type of traffic is allowed to pass through.

XSR(config)#access-list 100 permit tcp any any eq 23
XSR(config)#access-list 100 permit tcp any any eq 80
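The access lists above depend on two properties the manual states only briefly: entries are evaluated in order and the first match wins, and every list ends with an implicit deny. The following evaluator is an added example, not code from the Enterasys manual or the XSR software; it parses this section's standard (1-99) and extended (100-199) entries, including the `eq <port>` qualifier, and applies them to constructed sample packets. The `Packet`, `Rule`, `parse_rule`, `evaluate` and `is_valid_entry` names are this example's own, and the two list-100 entries that the scanned page shows without a protocol keyword are written here in valid extended form.

```python
# Added example (not from the Enterasys manual or the XSR software): evaluator for this
# section's numbered access lists, modelling first-match evaluation and implicit deny.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, List, Optional, Tuple

# Constructed from this section's entries (list-100 lines written in valid extended form).
CONFIG = """
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 permit host 192.168.9.32
access-list 100 deny ip any host 192.168.1.15
access-list 100 deny ip host 192.168.1.15 any
access-list 100 deny tcp host 192.168.1.15 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 100 permit tcp any any eq 23
access-list 100 permit tcp any any eq 80
""".strip().splitlines()

PROTOCOLS = {"ip", "icmp", "tcp", "udp", "ah", "esp", "gre"}   # 'ip' matches any protocol

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    acl: int
    action: str
    proto: str
    src_ok: Callable[[str], bool]
    dst_ok: Callable[[str], bool]
    dport: Optional[int]
    text: str

    def matches(self, p: Packet) -> bool:
        proto_ok = self.proto == "ip" or self.proto == p.proto
        port_ok = self.dport is None or self.dport == p.dport
        return proto_ok and port_ok and self.src_ok(p.src) and self.dst_ok(p.dst)

def _addr_matcher(tokens: List[str], i: int) -> Tuple[Callable[[str], bool], int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' | 'A' at tokens[i]; return (predicate, next index)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        want = int(IPv4Address(tokens[i + 1]))
        return (lambda a: int(IPv4Address(a)) == want), i + 2
    base, i, wildcard = int(IPv4Address(tokens[i])), i + 1, 0   # bare address == one host
    try:
        wildcard, i = int(IPv4Address(tokens[i])), i + 1        # wildcard 1-bits are "don't care"
    except (IndexError, ValueError):
        pass
    care = ~wildcard & 0xFFFFFFFF
    return (lambda a: (int(IPv4Address(a)) & care) == (base & care)), i

def parse_rule(line: str) -> Rule:
    tokens = line.split("#")[-1].split()           # tolerate a leading 'XSR(config)#' prompt
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    num, action, i = int(tokens[1]), tokens[2], 3
    if 1 <= num <= 99:                             # standard list: source address only
        proto, dst_ok = "ip", (lambda a: True)
        src_ok, i = _addr_matcher(tokens, i)
    elif 100 <= num <= 199:                        # extended list: protocol, source, destination
        proto, i = tokens[i], i + 1
        if proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r} in {line!r}")
        src_ok, i = _addr_matcher(tokens, i)
        dst_ok, i = _addr_matcher(tokens, i)
    else:
        raise ValueError(f"list number out of range: {num}")
    dport = None
    if i < len(tokens) and tokens[i] == "eq":      # optional destination port qualifier
        dport, i = int(tokens[i + 1]), i + 2
    if i != len(tokens):
        raise ValueError(f"unexpected tokens {tokens[i:]} in {line!r}")
    return Rule(num, action, proto, src_ok, dst_ok, dport, " ".join(tokens))

def is_valid_entry(line: str) -> bool:
    try:
        return bool(parse_rule(line))
    except ValueError:
        return False

def build_rules(lines: List[str] = CONFIG) -> List[Rule]:
    return [parse_rule(l) for l in lines]

def evaluate(rules: List[Rule], acl: int, p: Packet) -> Tuple[str, str]:
    # First matching entry of list `acl` wins; no match is the implicit deny.
    for r in rules:
        if r.acl == acl and r.matches(p):
            return r.action, r.text
    return "deny", "<implicit deny at end of list>"

if __name__ == "__main__":
    print(evaluate(build_rules(), 1, Packet("192.168.9.32", "192.168.10.1")))              # only in list 2: dropped
    print(evaluate(build_rules(), 100, Packet("192.168.1.20", "192.168.1.15", "tcp", 80)))  # early deny beats permit 80
    print(evaluate(build_rules(), 100, Packet("10.0.0.5", "10.0.0.9", "tcp", 22)))         # SSH not listed: dropped
```

Two results are worth noting. A host listed only in access-list 2 is still dropped by the interfaces above, because only list 1 is applied to them. In list 100 the deny entries for 192.168.1.15 precede the `permit tcp any any eq 80` entry, so HTTP to that host is denied; if the permit were placed first, the deny would never be reached.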

Create a username whose password is stored encrypted (the secret option) but entered here as clear text (the 0 option):

XSR(config)#username larry password secret 0 larryj
