Question
The following traffic should be allowed (and all others implicitly denied).
1. Every host not in the DMZ should be able to query the web server (port 80). Where do you place this rule? (Which firewalls and which direction?)
2. All hosts associated with the company should be able to establish communications with the IMAP server over SSL (port 993). What IP and port number will you include in the ACL?
3. Hosts on satellite LANs should be able to establish communications with the database server (port 66). Write or describe the rule that applies to FW1.
This chart may help.
Direction | Source IP | Source Port | Destination IP | Destination Port | Protocol | Accept/Deny
[Network diagram; labels recovered from the figure] Satellite LAN 1 192.168.15.0/24 (FW 3); Satellite LAN 2 192.168.16.0/24 (FW 4); Satellite LAN 3 192.168.14.0/24 (FW 5); Internet; FW 2; DMZ 192.168.17.0/24 with Mail (IMAP) 192.168.17.1 and Web 192.168.17.2; FW 1; Enterprise LAN 192.169.0.0/16 with DB 192.169.0.1.
Explanation / Answer
1) Answer:
For this, from every server except the DMZ, we need to provide the inbound and outbound traffic.
2) Answer:
In this question, I'm giving the answer with respect to a single firewall direction. The remaining firewalls are all similar.
FW5(config)#interface fa0/0 (inbound interface toward WAN)
FW5(config-if)#access-group 110 permit out
The following commands should be used to make the configuration between FW5 & FW2:
FW5(config)#access-list 110 permit 192.168.14.0 0.0.0.255 host 192.168.17.1 0.0.0.255 993
FW2(config)#interface fa0/0 (toward interface for FW5)
FW2(config-if)# access-group 110 permit out
FW2(config)# access-list 110 permit host 192.168.17.1 0.0.0.255 192.168.14.0 0.0.0.255 993
The same thing will be applicable for the remaining firewalls.
3) Answer:
Traffic towards FW1 must be permitted from the satellite firewalls (FW3, FW4 & FW5) for port 66.
Now providing the answer for FW3 to FW1; the remaining would be the same. In this scenario we try to define the rule at FW1 with respect to FW3:
For FW1
FW1(config)#interface fa0/0 (toward interface for FW5)
FW1(config-if)# access-group 110 permit out
FW1(config)# access-list 110 permit host 192.169.0.1 0.0.0.255 192.168.15.0 0.0.0.255 66
At FW2, we need to permit all traffic coming from FW3, FW4, FW5 in both the inbound and outbound directions, so that FW2 can pass traffic in both directions.
FW2(config)#access-list 10 permit 192.169.0.0 0.0.0.255 192.168.15.0 0.0.0.255
FW2(config)#access-list 10 permit 192.169.0.0 0.0.0.255 192.168.14.0 0.0.0.255
FW2(config)#access-list 10 permit 192.169.0.0 0.0.0.255 192.168.16.0 0.0.0.255
FW2(config)#interface fa0/0 (interface toward inbound direction)
FW2(config-if)#access-group 10 permit in
FW2(config)#interface fa0/1 (interface toward outbound direction)
FW2(config-if)#access-group 10 permit out
Direction | Source IP | Source Port | Destination IP | Destination Port | Protocol | Accept/Deny
FW3 | 192.168.15.0/24 | 80 | 192.168.17.2 | 80 | HTTP | Accept (for inbound direction need to permit Web server FW2)
FW2 | 192.168.17.2/24 | 80 | 192.168.15.0 | 80 | HTTP | Accept (for outbound traffic need to permit for subnet at FW3)
FW4 | 192.168.16.0/24 | 80 | 192.168.17.2/24 | 80 | HTTP | Accept (for inbound direction need to permit Web server FW2)
FW2 | 192.168.17.2/24 | 80 | 192.168.16.0/24 | 80 | HTTP | Accept (for outbound traffic need to permit for subnet at FW4)
FW5 | 192.168.14.0/24 | 80 | 192.168.17.2/24 | 80 | HTTP | Accept (for inbound direction need to permit Web server FW2)
FW2 | 192.168.17.2/24 | 80 | 192.168.14.0/24 | 80 | HTTP | Accept (for outbound traffic need to permit for subnet at FW5)
FW1 | 192.169.0.0/16 | 80 | 192.168.17.2/24 | 80 | HTTP | Accept (for inbound direction need to permit Web server FW2)
FW2 | 192.168.17.2/24 | 80 | 192.169.0.0/16 | 80 | HTTP | Accept (for outbound traffic need to permit for subnet at FW1)
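As an added illustration (not part of the question or the answer above), the three requirements modelled as a first-match rule set with implicit deny, plus a path walk over the diagram's topology that shows which firewalls a given flow crosses and therefore where a permit has to exist. The topology (satellite LANs behind FW3/FW4/FW5, FW2 in front of the DMZ, FW1 between the DMZ and the enterprise LAN) and the sample host addresses are assumptions read from the diagram.

```python
from ipaddress import ip_address, ip_network

# Address plan and topology as read from the question's diagram (assumption):
# satellite LAN -- FW3/FW4/FW5 -- Internet -- FW2 -- DMZ -- FW1 -- Enterprise LAN
SATELLITE = {"192.168.15.0/24": "FW3", "192.168.16.0/24": "FW4", "192.168.14.0/24": "FW5"}
DMZ, ENTERPRISE = "192.168.17.0/24", "192.169.0.0/16"
WEB, IMAP, DB = "192.168.17.2", "192.168.17.1", "192.169.0.1"
COMPANY = list(SATELLITE) + [DMZ, ENTERPRISE]


def in_any(ip, nets):
    return any(ip_address(ip) in ip_network(n) for n in nets)


# The three required flows as first-match rules: (name, source test, destination host, TCP port).
# A flow that matches no rule is denied (implicit deny).
RULES = [
    ("web-80", lambda ip: not in_any(ip, [DMZ]), WEB, 80),
    ("imap-993", lambda ip: in_any(ip, COMPANY), IMAP, 993),
    ("db-66", lambda ip: in_any(ip, SATELLITE), DB, 66),
]


def matching_rule(src, dst, dport, proto="tcp"):
    """Name of the first rule permitting src -> dst:dport, or None (implicit deny)."""
    if proto != "tcp":
        return None
    for name, src_ok, dst_host, port in RULES:
        if src_ok(src) and dst == dst_host and dport == port:
            return name
    return None


def firewalls_to_internet(ip):
    """Firewalls between a host and the Internet, nearest first ([] for an Internet host)."""
    for net, fw in SATELLITE.items():
        if in_any(ip, [net]):
            return [fw]
    if in_any(ip, [DMZ]):
        return ["FW2"]
    if in_any(ip, [ENTERPRISE]):
        return ["FW1", "FW2"]
    return []


def firewalls_on_path(src, dst):
    """Firewalls crossed from src to dst, in order; one shared by both sides is not crossed."""
    a, b = firewalls_to_internet(src), firewalls_to_internet(dst)
    shared = set(a) & set(b)
    return [f for f in a if f not in shared] + [f for f in reversed(b) if f not in shared]


def placement(src, dst, dport):
    """Firewalls that need the permit, or [] when the flow is implicitly denied."""
    return firewalls_on_path(src, dst) if matching_rule(src, dst, dport) else []
```

Note that a DMZ host reaching the database crosses only FW1, while a satellite host crosses its own edge firewall, FW2 and FW1, which is why the permit for requirement 3 cannot live on FW1 alone.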