SAT Applications Tutorial, plus a pinch of Margrave. Tim Nelson, Shriram Krishnamurthi, Brown University...
DESCRIPTION
Slides from the Margrave portion of the tutorial. A Cisco IOS configuration for a router named "simple" (interfaces outside and inside, extended access-list 102 applied inbound on inside, one static default route) is translated into Margrave policy relations: allow(p) for the access list, output(nexthop, o) and route(p, nexthop) for forwarding. "Reasonable facts" about a packet are then treated as SAT variables with consistency constraints between them, and finally a reflexive (stateful) access list extends allow(p) with reflexiveReturn.
TRANSCRIPT
hostname simple
interface outside
 ip address 10.1.1.1 255.255.255.0
interface inside
 ip access-group 102 in
 ip address 192.168.1.1 255.255.0.0
access-list 102 permit tcp any any eq 80
access-list 102 deny ip 192.168.4.0 0.0.0.255 any any
access-list 102 permit tcp any host 10.1.1.3
access-list 102 deny any
ip route 0.0.0.0 0.0.0.0 10.1.1.2
2
[Figure: router "simple", interface inside 192.168.1.1/24, interface outside 10.1.1.1/24]
access-list 102 permit tcp any any eq 80
access-list 102 deny ip 192.168.4.0 0.0.0.255 any any
access-list 102 permit tcp any host 10.1.1.3
access-list 102 deny any
3
allow(p) ↔ (p.proto = tcp and p.tcpDst = 80)
        or (p.proto = tcp and p.ipDst = 10.1.1.3 and not (p.ipSrc in 192.168.4.0/24))
interface outside
 ip address 10.1.1.1 255.255.255.0
interface inside
 ip access-group 102 in
 ip address 192.168.1.1 255.255.0.0
4
output(nexthop, o) ↔ (nexthop in 10.1.1.0/24 and o = outside)
                  or (nexthop in 192.168.0.0/16 and o = inside)
ip route 0.0.0.0 0.0.0.0 10.1.1.2
5
route(p, nexthop) ↔ (nexthop = p.ipDst and (p.ipDst in 10.1.1.0/24 or p.ipDst in 192.168.0.0/16))
                 or (nexthop = 10.1.1.2 and not (p.ipDst in 10.1.1.0/24 or p.ipDst in 192.168.0.0/16))
8
"Reasonable facts" as variables
  p.ipSrc in 10.1.1.0/24
  p.tcpsrc in 10.1.1.0/24
Constraints
  (p.ipSrc in 10.1.1.0/24 → p.ipSrc in 10.1.0.0/16)
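Treating each fact as a boolean variable only works if the solver is also told how the facts relate: a source in 10.1.1.0/24 is necessarily in 10.1.0.0/16, a source cannot be in two disjoint prefixes at once, and a TCP port is only meaningful for a TCP packet. The following is an added example, not Margrave's own encoding: it derives those constraints mechanically from the prefixes, then enumerates assignments by brute force as a stand-in for a SAT solver and asks slide 3's allow(p) the question the deck is building toward, namely whether a packet from the "denied" 192.168.4.0/24 can still get through. The fact names and the extra dst_in_10.1.1.0/24 fact are chosen for the example.

```python
"""Added example: 'reasonable facts' as boolean variables, with containment
and disjointness constraints derived from the prefixes. Brute-force
enumeration stands in for a SAT solver; the encoding is constructed for
this page, not taken from Margrave."""
from ipaddress import ip_network
from itertools import product

# Prefix facts carry (header field, network) so constraints can be derived.
PREFIX_FACTS = {
    "src_in_10.1.1.0/24":    ("ipSrc", ip_network("10.1.1.0/24")),
    "src_in_10.1.0.0/16":    ("ipSrc", ip_network("10.1.0.0/16")),
    "src_in_192.168.4.0/24": ("ipSrc", ip_network("192.168.4.0/24")),
    "dst_is_10.1.1.3":       ("ipDst", ip_network("10.1.1.3/32")),
    "dst_in_10.1.1.0/24":    ("ipDst", ip_network("10.1.1.0/24")),
}
OTHER_FACTS = ["proto_tcp", "tcpDst_80"]
VARS = list(PREFIX_FACTS) + OTHER_FACTS


def derive_constraints():
    """Constraints an assignment must satisfy to describe a real packet."""
    cs = []
    names = list(PREFIX_FACTS)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (fa, na), (fb, nb) = PREFIX_FACTS[a], PREFIX_FACTS[b]
            if fa != fb:
                continue  # different header fields are independent
            if na.subnet_of(nb):
                cs.append(lambda m, a=a, b=b: (not m[a]) or m[b])       # a -> b
            elif nb.subnet_of(na):
                cs.append(lambda m, a=a, b=b: (not m[b]) or m[a])       # b -> a
            elif not na.overlaps(nb):
                cs.append(lambda m, a=a, b=b: not (m[a] and m[b]))      # disjoint
    # A TCP destination port only exists on a TCP packet.
    cs.append(lambda m: (not m["tcpDst_80"]) or m["proto_tcp"])
    return cs


def allow(m):
    """Slide 3's allow(p), read over fact variables instead of a packet."""
    return ((m["proto_tcp"] and m["tcpDst_80"]) or
            (m["proto_tcp"] and m["dst_is_10.1.1.3"]
             and not m["src_in_192.168.4.0/24"]))


def models(query, constraints):
    """Every assignment satisfying all constraints and the query.
    2^len(VARS) candidates; fine here, a SAT solver for anything larger."""
    found = []
    for bits in product([False, True], repeat=len(VARS)):
        m = dict(zip(VARS, bits))
        if all(c(m) for c in constraints) and query(m):
            found.append(m)
    return found


def leak_from_denied_subnet():
    """Assignments where a packet from 192.168.4.0/24 is nevertheless allowed."""
    return models(lambda m: allow(m) and m["src_in_192.168.4.0/24"],
                  derive_constraints())
```

Every model returned by leak_from_denied_subnet() has proto_tcp and tcpDst_80 set: the `permit tcp any any eq 80` line precedes the deny and wins by first match. Run models() with an empty constraint list and it also returns assignments with the source in both 10.1.1.0/24 and 192.168.4.0/24, which is the kind of spurious counterexample the constraints exist to rule out.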
11
allow(p) ↔ (p.proto = tcp and p.tcpDst = 80)
        or (p.proto = tcp and p.ipDst = 10.1.1.3 and not (p.ipSrc in 192.168.4.0/24))
        or reflexiveReturn(p.ipSrc, p.ipDst, "web")
reflect web
Stateful Firewall
access-list 102 permit tcp any any eq 80
access-list 102 deny ip 192.168.4.0 0.0.0.255 any any
access-list 102 permit tcp any host 10.1.1.3
access-list 102 deny any
12
plus_reflexiveReturn(p.ipSrc, p.ipDst) ↔ (p.proto = tcp and p.tcpDst = 80)
reflect web
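Slides 11 and 12 together describe a small state machine: a permitted packet matching the `reflect web` entry records its (ipSrc, ipDst) pair, and a later packet in the reverse direction is allowed by reflexiveReturn even though no static entry permits it. The following is an added example written for this page, not code from the Margrave tutorial. It follows the slides' abstraction of state as address pairs; real IOS reflexive ACLs keep the full 5-tuple with a timeout. The hosts 93.184.216.34 and 203.0.113.9 and the three-packet trace are constructed.

```python
"""Added example (not from the tutorial): the 'reflect web' rule of slides
11 and 12 as an executable stateful firewall. State is modelled as the
(ipSrc, ipDst) pairs the slides use, not the 5-tuple a real IOS keeps."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str
    ipSrc: str
    ipDst: str
    tcpSrc: int = 0
    tcpDst: int = 0


def in_net(addr, cidr):
    return ip_address(addr) in ip_network(cidr)


class StatefulFirewall:
    def __init__(self):
        # Reflexive list "web": address pairs of permitted outbound web flows.
        self.reflex = {"web": set()}

    def reflexive_return(self, ipSrc, ipDst, name):
        """Slide 11's reflexiveReturn: the reversed pair was recorded earlier."""
        return (ipDst, ipSrc) in self.reflex[name]

    def plus_reflexive_return(self, p):
        """Slide 12: which permitted packets create state (the entry carrying
        'reflect web' is 'permit tcp any any eq 80')."""
        return p.proto == "tcp" and p.tcpDst == 80

    def allow(self, p):
        static = ((p.proto == "tcp" and p.tcpDst == 80) or
                  (p.proto == "tcp" and p.ipDst == "10.1.1.3"
                   and not in_net(p.ipSrc, "192.168.4.0/24")))
        return static or self.reflexive_return(p.ipSrc, p.ipDst, "web")

    def process(self, p):
        """Decide on the packet, then record state if it opened a web flow."""
        decision = self.allow(p)
        if decision and self.plus_reflexive_return(p):
            self.reflex["web"].add((p.ipSrc, p.ipDst))
        return decision


def web_session_trace():
    """Constructed trace: outbound request, the server's reply, and an
    unsolicited packet from elsewhere that mimics a reply."""
    fw = StatefulFirewall()
    request = Packet("tcp", "192.168.2.5", "93.184.216.34", tcpSrc=45000, tcpDst=80)
    reply   = Packet("tcp", "93.184.216.34", "192.168.2.5", tcpSrc=80, tcpDst=45000)
    probe   = Packet("tcp", "203.0.113.9", "192.168.2.5", tcpSrc=80, tcpDst=45000)
    return [fw.process(request), fw.process(reply), fw.process(probe)]


def denied_subnet_reply_trace():
    """The deny for 192.168.4.0/24 sits after the reflecting permit, so a web
    request from that subnet also opens return state."""
    fw = StatefulFirewall()
    request = Packet("tcp", "192.168.4.7", "93.184.216.34", tcpSrc=45000, tcpDst=80)
    reply   = Packet("tcp", "93.184.216.34", "192.168.4.7", tcpSrc=80, tcpDst=45000)
    return [fw.process(request), fw.process(reply)]
```

The reply is only allowed because state was created by the earlier request; processing it on a fresh StatefulFirewall returns False. The second trace shows why the stateful extension inherits the ordering problem of the static list: whatever the reflecting permit lets out also gets its return traffic in.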