
Define Your Network Topology

Introduction

When you define your network topology, you must define it from the outside to the inside. In other words, you define from the point of the access router belonging to your Internet service provider (ISP) down into your network. In this chapter, we use the Topology Wizard to define much of the initial outside-to-inside structure. However, it is important to understand the sequential flow required when you define your topology without the aid of a wizard.

In the Network Topology tree, the Internet node represents your ISP's default gateway, and using the Interfaces panel on this node you can define the IP address of your ISP's default gateway and the network to which that IP address belongs. Once this network is defined, you can define your gateway device, whether it is a router or a firewall, that is attached to the network that you share with your ISP. Your internal networks, defined when you specify the interface settings for the gateway, are connected to the gateway device. You can define other gateways, hosts, or IP ranges below a network. However, strict dependencies exist within the Network Topology tree about the order in which different objects can be defined and under which other objects they can be defined.

Based on the example network described in the previous chapter, we are going to assume that the access router is the property of the ISP. Figure 3-1 depicts the Network Topology tree as it appears after you complete this chapter.


Figure 3-1: Completed Network Topology Tree

Use the Topology Wizard to Define Initial Topology

The Topology Wizard helps you define most of your initial network topology. The Topology Wizard focuses on defining a gateway and automatically derives the requisite associated network objects, such as networks. Gateways are devices or hosts that represent concentration/boundary points between two or more networks. In our example, we are concerned with defining a Policy Enforcement Point (PEP) gateway, which is the PIX Firewall named Corporate Firewall. In this case, we will use the Topology Wizard to define the following network objects:

Many of these network objects are derived and automatically created on the basis of information that we provide the Topology Wizard. If we did not use the wizard, we would have to explicitly define each of these network objects following a specific order.

Defining the Network Topology

The following procedure explains how to use the Topology Wizard to perform the majority of your initial, required topology definition.


Note In addition to using the method described in this chapter, you can manually define your network topology. However, this procedure defines the dependencies and relationships that you should consider when defining your topology, regardless of the method used to actually create and define the network objects.

Step 1 To access the shortcut menu, right-click the Internet icon in the Network Topology tree.

Step 2 To start the Topology Wizard, point to Wizards, and then click Topology Wizard on the shortcut menu.

Result: The Topology Wizard starts, displaying the welcome panel.

Step 3 To continue after you have verified that you have the required information to complete the wizard, click Next.

Result: The Add A Gateway panel appears.

Figure 3-2 depicts the Add A Gateway panel as it appears after you complete it.


Figure 3-2: Example Add A Gateway Panel

Step 4 To specify that you want to define a PIX Firewall, click PIX Firewall in the Select the gateway type... box.

Result: The Specify a meaningful name... box displays PIX Firewall 1 as the default name.

Step 5 To name the PIX Firewall, type Corporate Firewall in the Specify a meaningful name... box, and then click Next.

Result: The Default Gateway Address panel appears.

The PIX Firewall name can include up to 256 alphanumeric characters, but it cannot include quotation marks (") or semicolons (;).

Figure 3-3 depicts the Default Gateway Address panel as it appears after you complete it.


Figure 3-3: Example Default Gateway Address Panel

Step 6 To specify the default gateway, type 192.168.1.254 in the IP Address box.

This address identifies the default gateway address that the Corporate Firewall uses to deliver network packets for which it does not have a direct route defined. Typically, this gateway is owned by your ISP. This address is used to derive routing rules on a PEP, such as a PIX Firewall.

Step 7 To specify the mask of the network to which the 192.168.1.254 address belongs, type 255.255.255.0, which corresponds to a bit count of 24, in the Network Mask box, and then click Next.

Result: The Device Definition Option panel appears.

The wizard uses this mask value to derive the network that is attached to the outside interface on this PIX Firewall node from the IP address assigned to the interface.

Step 8 To specify that we want to manually define the interfaces of the Corporate Firewall, click Manually define interface settings, and then click Next.

Result: The Interface Slot Assignments panel appears.

Figure 3-4 depicts the Interface Slot Assignments panel as it appears after you complete it.


Figure 3-4: Example Interface Slot Assignments Panel

Step 9 To specify that Corporate Firewall has three installed interfaces, click the up arrow to the right of the Total number of slots available box until 3 appears.

Result: The interface names and settings display in the Specify the required settings for each slot box.

Step 10 To specify that Slot #2 does have an interface installed, click Occupied in the Slot Status box in the Slot #2 row, and then click Next.

Result: The Specify an External Interface panel appears.

Figure 3-5 depicts the Specify an External Interface panel as it appears after you complete it.


Figure 3-5: Example Specify an External Interface Panel

Step 11 To specify that the outside interface installed in Corporate Firewall is the one that is attached to the default gateway, click outside in the Select the interface that is directly connected to the `Internet' box, and then click Next.

Result: The Interface Settings (`outside') panel appears.

Figure 3-6 depicts the Interface Settings (`outside') panel as it appears after you complete it.


Figure 3-6: Example Interface Settings (`outside') Panel

Step 12 To specify the IP address that is assigned to the outside interface, type 192.168.1.51 in the IP Address box under Specify the required values for this interface.

This address identifies the gateway that the fully defined networks downstream from this PIX Firewall node (as well as the unknown networks represented by the Internet node) will use to reach the additional networks that you intend to define under this firewall (upstream from this firewall).

Step 13 To specify the media type of the outside interface, click that type in the Type list, and then click Next.

Result: The Interface Settings (`inside') panel appears.

You can specify one of the following media types:

Figure 3-7 depicts the Interface Settings (`inside') panel as it appears after you complete it.


Figure 3-7: Example Interface Settings (`inside') Panel

Step 14 To name the internal perimeter, type Internal Perimeter in the Perimeter box under Specify the perimeter for which this interface is a member.

When naming a perimeter, the name can include up to 256 alphanumeric characters, but it cannot include quotation marks (") or semicolons (;).

Step 15 To specify the IP address that is assigned to the inside interface, type 10.1.2.1 in the IP Address box under Specify the required values for this interface.

This address identifies the gateway that all hosts residing on the fully defined networks upstream from this PIX Firewall node will use to reach networks defined downstream from this firewall, including the Internet.

Step 16 To specify the mask of the network to which the 10.1.2.1 address belongs, type 255.255.255.0, which corresponds to a bit count of 24, in the Network Mask box.

The wizard uses this mask value to derive the network that is attached to the inside interface on this PIX Firewall node from the IP address assigned to the interface.

Step 17 To specify the media type of the inside interface, click that type in the Type list, and then click Next.

Result: The Interface Settings (`DMZ-slot:2') panel appears.

Figure 3-8 depicts the Interface Settings (`DMZ-slot:2') panel as it appears after you complete it.


Figure 3-8: Example Interface Settings (`DMZ-slot:2') Panel

Step 18 To name the DMZ perimeter, type DMZ Perimeter in the Perimeter box under Specify the perimeter for which this interface is a member.

Step 19 To specify the IP address that is assigned to the DMZ-slot:2 interface, type 10.1.1.1 in the IP Address box under Specify the required values for this interface.

Step 20 To specify the mask of the network to which the 10.1.1.1 address belongs, type 255.255.255.0, which corresponds to a bit count of 24, in the Network Mask box.

The wizard uses this mask value to derive the network that is attached to the DMZ-slot:2 interface on this PIX Firewall node from the IP address assigned to the interface.

Step 21 To specify the media type of the DMZ-slot:2 interface, click that type in the Type list, and then click Next.

Result: The Distribution and Monitor Host Settings panel appears.

Figure 3-9 depicts the Distribution and Monitor Host Settings panel as it appears after you complete it.


Figure 3-9: Distribution and Monitor Host Settings Panel

Step 22 To select the host that is running the Policy Distribution Point that you want to use, click Admin-NT in the Policy Distribution box under Specify the desired distribution and monitor settings.

This box displays only those primary and/or secondary servers defined under the Network Topology tree (or automatically detected as existing but not yet defined) that have a Policy Distribution Point client/server product installed on them.

Step 23 To specify the enable password, type corp1 in the Enable box under Administrative Passwords for.

The enable password can be up to 16 alphanumeric characters. Also, you can use both uppercase and lowercase characters. This password is case sensitive. The Policy Distribution Point uses this password to authenticate to the PIX Firewall before it publishes new network policies to that firewall.

Step 24 To select the host that is running the Policy Monitor Point that you want to use, click Admin-NT in the Policy Monitor box.

This box displays only those primary and/or secondary servers defined under the Network Topology tree (or automatically detected as existing but not yet defined) that have a Policy Monitor Point client/server product installed on them.

Step 25 To specify that this firewall is running the 4.4.(1) software image, click 4.4.(1) in the Version box, and then click Next.

Result: The Ready to Proceed panel appears.

Tips
It is important that you select the correct release of software running on a PEP. If you do not select the correct version, Cisco Security Manager does not allow you to publish the generated command sets to that PEP.

Step 26 To complete the Topology Wizard and create all of the required network objects under the Network Topology tree, verify the actions to be performed, and then click Finish.

Result: The Net - 192.168.1.0, Corporate Firewall, Net - 10.1.1.0, and Net - 10.1.2.0 network objects are populated under the Network Topology tree.

Step 27 To save the changes that you have made to the Policy Database, click Save on the File menu.

Result: The System Inconsistencies panel displays the following inconsistencies:

This inconsistency means that you have not published the network policy to the PIX Firewall, which is a task that we will perform later in this tutorial.
This inconsistency means that you have not installed a Cisco Security Manager host that the system knows exists. In this specific case, it refers to the fact that you have not defined the Admin-NT host in the Network Topology tree, a task that we perform later in this chapter.
This inconsistency, as well as the next, refers to the fact that you have not defined the Admin-NT host in the Network Topology, and it is related to the Network Topology error referring to an incomplete installation.
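The wizard derives one "Net - x.x.x.x" object per interface from the address and mask typed in Steps 6, 7, 16 and 20. The following script, added here as an illustration and not part of the Cisco Security Manager product, reproduces that derivation with the Python standard library and adds the consistency checks a practitioner would want to run before clicking Finish: that the ISP default gateway lies on the network derived from the outside interface, that no two interfaces derive overlapping networks, and that each interface address is a usable host address. The input values are the ones used in this chapter; the `WIZARD_INPUT` table and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample of the values typed into the Topology Wizard in this chapter:
# interface name -> (address assigned to the interface, network mask).
WIZARD_INPUT = {
    "outside": ("192.168.1.51", "255.255.255.0"),
    "inside": ("10.1.2.1", "255.255.255.0"),
    "DMZ-slot:2": ("10.1.1.1", "255.255.255.0"),
}
DEFAULT_GATEWAY = "192.168.1.254"   # the ISP-owned default gateway from Step 6


def derive_network(address: str, mask: str) -> ipaddress.IPv4Network:
    """Return the network containing `address` under `mask`.
    strict=False drops the host bits, which is what the wizard does."""
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def derive_topology(inputs=WIZARD_INPUT):
    """Map each interface to the network object the wizard would create for it."""
    return {iface: derive_network(addr, mask) for iface, (addr, mask) in inputs.items()}


def object_name(net: ipaddress.IPv4Network) -> str:
    """Naming convention of the Network Topology tree, e.g. 'Net - 10.1.2.0'."""
    return f"Net - {net.network_address}"


def check_topology(inputs=WIZARD_INPUT, default_gateway=DEFAULT_GATEWAY):
    """Sanity checks on the wizard inputs. Returns a list of problem strings;
    an empty list means the inputs are consistent."""
    nets = derive_topology(inputs)
    problems = []
    # 1. The default gateway must sit on the network derived from the outside
    #    interface, otherwise the PEP has no directly connected route to it.
    if ipaddress.IPv4Address(default_gateway) not in nets["outside"]:
        problems.append(f"default gateway {default_gateway} is not on {nets['outside']}")
    # 2. Networks derived for different interfaces must not overlap; the PEP
    #    could not route between them unambiguously.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    # 3. An interface address must not be the network or broadcast address.
    for iface, (addr, _) in inputs.items():
        ip = ipaddress.IPv4Address(addr)
        net = nets[iface]
        if ip in (net.network_address, net.broadcast_address):
            problems.append(f"{iface} address {addr} is not a usable host address in {net}")
    return problems


if __name__ == "__main__":
    for iface, net in derive_topology().items():
        print(f"{iface:>11}: {object_name(net)} (prefix /{net.prefixlen})")
    print("problems:", check_topology() or "none")
```

Running the script lists Net - 192.168.1.0, Net - 10.1.2.0 and Net - 10.1.1.0, the same objects that Step 26 creates, and reports no problems for the chapter's values; feeding it an inside address on 10.1.1.0/24 makes the overlap check fire.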

So, we have identified the bare essentials of our network topology. We now have the information that we need to apply policy to the high-level container objects, such as the networks attached to your PIX Firewall. Now, we need to flesh out our topology definition with definitions of specific servers and hosts that are important to us from a security policy perspective. Specifically, we want to identify the following hosts:

The next section focuses on defining and configuring the Cisco Security Manager server, which allows us to resolve the inconsistencies that are specific to the Corporate Firewall node and Network Topology.

Define the Cisco Security Manager Server

The next node that we need to define in the Network Topology tree is the Cisco Security Manager server, which is required to generate and distribute network policies and to monitor network traffic for suspicious audit events and report such events. In fact, we referenced this node earlier in the Topology Wizard. Cisco Security Manager is aware of the network on which this special host resides, so when we attempt to define a host node on a network to which the Cisco Security Manager server could belong, the system prompts you as to whether you want to create this special host.

As a result of defining this server in our topology definition, we also resolve the following inconsistencies:

Because this host monitors network activity and stores the configuration settings, we must ensure that the maximum usage settings for these operations do not exceed the disk space available on that host.

Caution
Cisco Security Manager does not check for available disk space during operation. Therefore, when specifying these settings, you should be conservative to ensure that you do not impede the virtual memory operations performed by the operating system and that you allow for the consumption of disk space by other applications residing on this host. If the host runs out of disk space during operation, the system stops operating.

The following procedure explains how to add this host to the example network and how to restrict the amount of disk space that the Policy Database and audit event records consume on this host.

Step 1 To access the shortcut menu and to select the network under which you want to define a host, right-click Net - 10.1.1.0 in the Network Topology tree.

Step 2 To create a new host node that will represent the Cisco Security Manager server, point to New, and then click Host on the shortcut menu.

Result: A Cisco Security Manager dialog box displays the following message:

A network object of the specified type has been detected in the Policy Database, and the external address of the object is consistent with the parent network address.

The name of this object is "Admin-NT."

Is this the object that you wish to insert into the Network Topology? If so, click `Yes', otherwise `No'.

Step 3 To specify that you want to add the 10.1.1.10 host named Admin-NT, click Yes.

Result: The Admin-NT host appears below Net 10.1.1.0 in the Network Topology tree. A reference copy of this host also appears in the Security Policy Enforcement branch under the Cisco Security Manager folder.

Step 4 To access the shortcut menu, right-click on the Admin-NT icon in the Network Topology tree.

Step 5 To review the checkpoint settings for the Policy Database on the Admin-NT host, point to Properties, and then click Policy Database on the shortcut menu.

Result: The Policy Database panel appears in the View pane.

Step 6 To select the time interval that you want to use to schedule checkpoints, specify either a time of day (in hours and minutes) or how often (in hours).

You can specify this interval on the basis of either a daily time or an unbounded number of hours between each checkpoint.

Figure 3-10 depicts the Policy Database panel of the Admin-NT node.


Figure 3-10: Example Policy Database Panel

Step 7 To specify the maximum size (in megabytes) that the working log file can reach before requiring a checkpoint, type the value in the Limit log file size to box.

The Policy Database synchronizes its working data with the data stored in the working log files when the specified amount of time elapses or when the log file tracking the changes made since the last checkpoint exceeds the specified value---whichever occurs first.

Step 8 To review the amount of disk space that can be consumed by audit event records on this host, click the Policy Monitor tab.

Result: The Policy Monitor panel appears in the View pane.

Step 9 To specify the maximum size that you want to allow for the Policy Database before the oldest audit records are automatically purged, type that value in the Limit database size to box under Event Database.

The value that you enter represents the maximum number of megabytes (MB) of disk space that can be consumed by the Policy Database before audit records are purged.

Step 10 To specify how often the Policy Database should be examined for old audit records, type the number of minutes that should pass before the Policy Database is examined in the Examine database age/size every box under Event Database.

The Policy Database is examined to determine whether it contains audit records that are older than the values specified under Event Purging. The optimal value for this field is dependent on the number of audit records being generated and the amount of disk space that can temporarily be used by the Policy Database. Figure 3-11 depicts the Policy Monitor panel of the Admin-NT node.


Figure 3-11: Example Policy Monitor Panel

Step 11 To accept your changes and close the Policy Monitor panel, click OK.

Step 12 To save the changes that you have made to the Policy Database, click Save on the File menu.

Result: The System Inconsistencies panel displays the following inconsistency:

This last inconsistency error will be resolved when we complete the definition of our security policies, apply them, and publish the results to the Corporate Firewall. These tasks are described in detail throughout the remaining chapters of this tutorial. Therefore, you can safely ignore this inconsistency for now.

Define Remaining Hosts

Next, we must define any hosts in our network for which we want to define translation rules. In our scenario, two such hosts reside on the 10.1.2.0 network:

The following procedure explains how to perform this task.

Step 1 To find the internal network under which you want to define these two hosts, expand the Network Topology tree until you view the Net - 10.1.2.0 node in the Navigator pane.

Step 2 To access the shortcut menu, right-click the Net - 10.1.2.0 icon under which you want to define a new host.

Step 3 To create a new host node that will represent the corporate web server, point to New, and then click Host on the shortcut menu.

Result: A new node named Host # appears under the selected network.

Step 4 To name the host, type Corporate Web Server in the selected box, and then press Enter.

Result: The new name appears in the Name box of the selected node.

When naming a host, the name can include up to 256 alphanumeric characters, but it cannot include quotation marks (") or semicolons (;).

Tips
If you cannot edit the name, right-click the new Host icon, and then click Rename on the shortcut menu.

Step 5 To access the shortcut menu, right-click the Corporate Web Server icon for the host that you just created.

Step 6 To see the properties associated with the web server, click Properties on the shortcut menu.

Result: The General panel appears in the View pane.

Step 7 To specify an address assigned to this host, type 10.1.2.35 in the IP Addresses box, and then click Add.

This value identifies the IP address assigned to this host. A host can have multiple IP addresses associated with its network stack. Each IP address must reside on the network under which this Host node is defined.

Step 8 To accept your changes and close the General panel, click OK.

Step 9 To create the corporate e-mail server, repeat Step 2 through Step 8 using the name Corporate E-mail Server and the 10.1.2.36 address.

Step 10 To save the changes that you have made to the Policy Database, click Save on the File menu.

Result: The System Inconsistencies panel displays the following inconsistency:

Define Address Hiding Rules

To fully represent the example, we need to define an address hiding rule on the PIX Firewall that hides the 10.1.2.0 and 10.1.1.0 networks from the 192.168.1.0 network. Address hiding rules map between an external, exposed IP address and an internal network or host address. They hide specific networks and hosts within a perimeter from other perimeters. These rules are commonly referred to as network address translation (NAT) rules.

Figure 3-12 depicts the Mapping panel of the Corporate Firewall node as it appears after you complete this section.


Figure 3-12: Completed Address Hiding Rules on Corporate Firewall Node

The following procedure explains how to define the two rules that accomplish this task.

Step 1 To find the PIX Firewall for which you want to create a new address hiding rule, expand the Network Topology tree until you view the Corporate Firewall node in the Navigator pane.

Step 2 To access the shortcut menu, right-click the Corporate Firewall icon that will enforce the address hiding rule that you want to create.

Step 3 To view the Mapping panel, point to Properties, and then click Mapping on the shortcut menu.

Result: The Mapping panel appears in the View pane.

Step 4 To specify that you want to define an address hiding rule, click Address Hiding (source remapping) in the Select rule type box.

Result: An empty list appears in the Address Hiding list.

Step 5 To begin defining a new address hiding rule, click Insert Rule.

Result: A new rule named H0 is created in the Address Hiding list.

Even though the rule name is selected and editable, you cannot change the name of a rule. These names are defined by Cisco Security Manager and are constants.

Tips
To select an item in a table cell, right-click below the appropriately named box along the line of the rule that you are defining. This tip works for both the Mapping and Routes panels.

Step 6 To specify that you want to hide the 10.1.2.0 network with this rule, click and hold Net - 10.1.2.0 in the Network Topology tree, and then drag and drop that object under the Hide object box to the right of H0 under Address Hiding (source remapping).

Result: Net - 10.1.2.0 appears in the Hide object box and DMZ Perimeter appears in the from perimeter(s) box.

Step 7 To specify the perimeter from which the 10.1.2.0 network will be hidden, right-click DMZ Perimeter, and then double-click Internet Perimeter in the from perimeter(s) box.

Result: The from perimeter(s) box displays a list of the perimeters directly attached to the PEP, which identifies all unknown networks. However, this list does not contain the perimeter to which the network or host that you want to hide is attached. You cannot hide a network or host from the perimeter to which it is attached.

When you hide a network or host from a perimeter, you are declaring that any network object attached to that perimeter cannot use the real address to access the hidden network object. Instead, such network objects must deliver all network traffic to one of the addresses specified in the using address and through    with boxes (presumably, the address assigned to the perimeter to which the network objects are attached). The PEP acts as a proxy agent between the hidden objects and the perimeter objects by mapping between the two addresses. However, this mapping only occurs for communications that originate from the hidden object.

Step 8 To specify the starting address of the IP range that the internal network object's address(es) will be remapped to, right-click under the using address box, type 192.168.1.54 in the selected box, and then press Enter.

This value is the specific alias IP address to which you want to translate the real addresses of the translated object. If the value in the through    with box is also specified, this address identifies the starting address of the IP range that will be used to translate the network object. However, you can define exactly one address. If the PEP is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with the American Registry for Internet Numbers (ARIN).

Step 9 To specify the ending address of the IP range that the internal network object's address(es) will be remapped to, right-click the through    with box, type 192.168.1.59 in the selected box, and then press Enter.

This value identifies the ending alias IP address in an IP address range that will be used for this translation rule. If the PEP is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with ARIN.

Step 10 To specify the network mask value of the IP range that the internal network object's address(es) will be remapped to, right-click under the mask box, type 24 in the selected box, and then press Enter.

This value identifies the mask of the network on which IP address(es) used as aliases are members. It represents the number of bits in the netmask.

Step 11 (Optional) To specify the maximum number of simultaneous connections for this rule, right-click under the MaxC box, type that value in the selected box, and then press Enter.

This value is a whole number that represents the maximum number of simultaneous connections that can use this translation rule. The PEP enforces this value against new session requests. Use 0 (zero) to specify the default value assigned to the PEP.

Step 12 (Optional) To specify the maximum number of simultaneous embryonic links for this rule, right-click under the EmbL box, type that value in the selected box, and then press Enter.

This value is a whole number (smaller than the MaxC value) that represents the maximum number of simultaneous embryonic links that can use this translation rule. The PEP enforces this value against new session requests by restricting the number of session requests that have not completed the handshake. This feature enables you to guard against TCP_SYN attacks. Use 0 (zero) to specify the default value assigned to the PEP.

Step 13 To begin defining a new address hiding rule, click Insert Rule.

Result: A new rule named H1 is created in the Address Hiding list.

Step 14 To specify that you want to hide the 10.1.1.0 network with this rule, click and hold Net - 10.1.1.0 in the Network Topology tree, and then drag and drop that object under the Hide object box to the right of H1 under Address Hiding (source remapping).

Result: Net - 10.1.1.0 appears in the Hide object box and Internal Perimeter appears in the from perimeter(s) box.

Step 15 To specify the perimeter from which the 10.1.1.0 network will be hidden, right-click Internal Perimeter, and then double-click Internet Perimeter in the from perimeter(s) box.

Step 16 To specify the starting address of the IP range that the internal network object's address(es) will be remapped to, right-click under the using address box, type 192.168.1.54 in the selected box, and then press Enter.

Step 17 To specify the ending address of the IP range that the internal network object's address(es) will be remapped to, right-click under the through    with box, type 192.168.1.59 in the selected box, and then press Enter.

Step 18 To specify the network mask value of the IP range that the internal network object's address(es) will be remapped to, right-click under the mask box, type 24 in the selected box, and then press Enter.

Step 19 (Optional) To specify the maximum number of simultaneous connections for this rule, right-click under the MaxC box, type that value in the selected box, and then press Enter.

Step 20 (Optional) To specify the maximum number of simultaneous embryonic links for this rule, right-click under the EmbL box, type that value in the selected box, and then press Enter.

Step 21 To accept your changes and close the Mapping panel, click OK.

Step 22 To save the changes that you have made to the Policy Database, click Save on the File menu.

Result: The System Inconsistencies panel displays the following inconsistency:

With this much of your network topology defined, you have the following information:

Define Static Translation Rules

To ensure that external hosts can reach the internal corporate web server and corporate e-mail server, we must define a static translation rule for each host. A static translation is a rule that gives external users access to one of your internal network hosts. Static translation rules apply to all forms of IP traffic, which means they do not limit access to the host based on a specific network service. A static rule maps an external IP address that is assigned to a network interface in the PIX Firewall to an IP address that is assigned to the internal network host. Static translation rules also override address hiding rules for a specific host.
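The address hiding rules of the previous section and the static translation rules introduced here follow a handful of constraints stated in this chapter: an object cannot be hidden from the perimeter it is attached to, the alias addresses must be usable on the network shared with the ISP, EmbL must be smaller than MaxC, hiding rules translate only traffic that originates from the hidden object, and a static rule for a host overrides the hiding rule covering its network. The following model, added here as an illustration and not Cisco Security Manager's own logic, encodes those constraints as checks over the H0, H1 and S0 rules from this chapter and answers the two questions an auditor asks of a NAT configuration: which alias an outside host sees for an internal source, and which internal host an outside host reaches through an exposed alias. The `PERIMETERS` table, the dataclass field names and the check functions are constructed for this example; the requirement that aliases fall inside 192.168.1.0/24 stands in for the chapter's "registered with ARIN" requirement, which cannot be checked offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology from this chapter: perimeter name -> networks attached to it.
OUTSIDE_NET = ipaddress.IPv4Network("192.168.1.0/24")   # network shared with the ISP
PERIMETERS = {
    "Internet Perimeter": [OUTSIDE_NET],
    "Internal Perimeter": [ipaddress.IPv4Network("10.1.2.0/24")],
    "DMZ Perimeter": [ipaddress.IPv4Network("10.1.1.0/24")],
}


@dataclass
class HidingRule:          # Address Hiding (source remapping): H0, H1
    name: str
    hide: ipaddress.IPv4Network        # hidden network object
    from_perimeters: list              # perimeters that never see the real address
    using: ipaddress.IPv4Address       # start of the alias range
    through: ipaddress.IPv4Address     # end of the alias range
    max_conns: int = 0                 # MaxC; 0 means the PEP default
    embryonic: int = 0                 # EmbL; 0 means the PEP default


@dataclass
class StaticRule:          # Static Translation (bidirectional remapping): S0
    name: str
    translate: ipaddress.IPv4Address   # real address of the internal host
    via_perimeters: list
    using: ipaddress.IPv4Address       # exposed alias address
    max_conns: int = 0
    embryonic: int = 0


def perimeter_of(obj) -> Optional[str]:
    """Perimeter to which a network (IPv4Network) or host (IPv4Address) is attached."""
    for name, nets in PERIMETERS.items():
        for n in nets:
            if obj.subnet_of(n) if isinstance(obj, ipaddress.IPv4Network) else obj in n:
                return name
    return None


def check_rule(rule) -> list:
    """Consistency checks drawn from the chapter's stated constraints."""
    problems = []
    is_hiding = isinstance(rule, HidingRule)
    obj = rule.hide if is_hiding else rule.translate
    peris = rule.from_perimeters if is_hiding else rule.via_perimeters
    # An object cannot be hidden from the perimeter it is attached to.
    own = perimeter_of(obj)
    if own in peris:
        problems.append(f"{rule.name}: cannot hide {obj} from its own perimeter {own}")
    # Aliases are used on the outside network, so the range must lie inside it
    # (assumption standing in for the ARIN registration requirement).
    last = rule.through if is_hiding else rule.using
    if rule.using not in OUTSIDE_NET or last not in OUTSIDE_NET or last < rule.using:
        problems.append(f"{rule.name}: alias range {rule.using}-{last} is not inside {OUTSIDE_NET}")
    # EmbL must be smaller than MaxC when both are set explicitly.
    if rule.embryonic and rule.max_conns and rule.embryonic >= rule.max_conns:
        problems.append(f"{rule.name}: EmbL {rule.embryonic} must be smaller than MaxC {rule.max_conns}")
    return problems


def translate_outbound(src: str, hiding: list, statics: list) -> Optional[str]:
    """Alias an outside host sees for an internal source address.
    A static rule for the host overrides any hiding rule covering its network."""
    ip = ipaddress.IPv4Address(src)
    for s in statics:
        if s.translate == ip:
            return str(s.using)
    for h in hiding:
        if ip in h.hide:
            return f"{h.using}-{h.through}"   # the PEP picks one address from this pool
    return None


def translate_inbound(dst: str, hiding: list, statics: list) -> Optional[str]:
    """Real address reached when an outside host sends to an exposed alias.
    Only static rules are bidirectional; hiding-rule aliases are not reachable inbound."""
    ip = ipaddress.IPv4Address(dst)
    for s in statics:
        if s.using == ip:
            return str(s.translate)
    return None


# The rules defined in this chapter.
H0 = HidingRule("H0", ipaddress.IPv4Network("10.1.2.0/24"), ["Internet Perimeter"],
                ipaddress.IPv4Address("192.168.1.54"), ipaddress.IPv4Address("192.168.1.59"))
H1 = HidingRule("H1", ipaddress.IPv4Network("10.1.1.0/24"), ["Internet Perimeter"],
                ipaddress.IPv4Address("192.168.1.54"), ipaddress.IPv4Address("192.168.1.59"))
S0 = StaticRule("S0", ipaddress.IPv4Address("10.1.2.35"), ["Internet Perimeter"],
                ipaddress.IPv4Address("192.168.1.52"))

if __name__ == "__main__":
    for r in (H0, H1, S0):
        print(r.name, check_rule(r) or "ok")
    print("10.1.2.35 outbound ->", translate_outbound("10.1.2.35", [H0, H1], [S0]))
    print("10.1.2.40 outbound ->", translate_outbound("10.1.2.40", [H0, H1], [S0]))
    print("192.168.1.54 inbound ->", translate_inbound("192.168.1.54", [H0, H1], [S0]))
```

The inbound lookup makes the security-relevant difference between the two rule types visible: a host covered only by H0 is unreachable from the Internet perimeter because nothing maps the pool addresses back, whereas the web server behind S0 is reachable at 192.168.1.52 in both directions, which is why the note above requires a security policy on the Internet node before such a server is actually exposed.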

Figure 3-13 depicts the Mapping panel of the Corporate Firewall node as it appears after you complete this section.


Figure 3-13: Completed Static Translation Rules on Corporate Firewall Node

The following procedure explains how to define the two rules that accomplish this task.


Note To allow communications with an exposed server, you must define and apply a security policy to the Internet node (or an untrusted network) that allows session requests originating on the untrusted networks to reach the internal server.

Step 1 To find the PIX Firewall on which you want to create a new address hiding rule, expand the Network Topology tree until you view the Corporate Firewall node in the Navigator pane.

Step 2 To access the shortcut menu, right-click the Corporate Firewall icon that will enforce the address hiding rule that you want to create.

Step 3 To view the Mapping panel, point to Properties, and then click Mapping on the shortcut menu.

Result: The Mapping panel appears in the View pane.

Step 4 To specify that you want to define a static translation rule, verify that Static Translation (bidirectional remapping) is selected in the Select rule type box.

Result: The Static Translation list is empty.

Step 5 To begin defining a new static translation rule, click Insert Rule.

Result: A new rule named S0 is created in the Static Translation list.

Step 6 To specify that you want to hide the corporate web server with this rule, click Corporate Web Server in the Network Topology tree, and then drag and drop that object under the Translate object box to the right of S0 under Static Translation (bidirectional remapping).

Result: Corporate Web Server appears in the Translate object box and DMZ Perimeter appears in the via perimeter(s) box.

When you right-click on the Translate object box, it displays a list of the network objects that reside under the PEP node for which you are defining this rule. If you do not see the network object that you want to hide, you must define it within the Network Topology tree.

Step 7 To specify that you want to hide the corporate web server from the Internet perimeter, right-click DMZ Perimeter, and then double-click Internet Perimeter in the via perimeter(s) box.

The via perimeter(s) box displays a list of the perimeters directly attached to the PEP, which identifies all unknown networks. However, this list does not contain the perimeter to which the network or host that you want to hide is attached. You cannot hide a host or network from the perimeter to which it is attached.

When you hide a network object from a perimeter, you are declaring that any network object attached to that perimeter cannot use the real address to access the hidden network object. Instead, such network objects must deliver all network traffic to the address specified in the using address box (presumably, the address assigned to the perimeter to which the network objects are attached). The PEP acts as a proxy agent between the hidden network object and the perimeter objects by mapping between the two addresses. This mapping occurs for communications that originate from either the hidden network object or an object residing on the perimeter specified in this field.

Tips
To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a sequential set of values. The Ctrl+Click option enables you to select values in any order.

Step 8 To specify the IP address that the corporate web server's address will be remapped to, right-click under the using address box, type 192.168.1.52 in the selected box, and then press Enter.

This value is the specific alias IP address to which you want to translate the real address of the translated object. If a value is also specified in the through box, this address identifies the starting address of the IP range that will be used to translate the network object. However, you can define exactly one address. If the PEP is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with ARIN.

Step 9 To specify the network mask value of the IP address that the corporate web server will be remapped to, right-click under the mask box, type 24 in the selected box, and then press Enter.

This value identifies the mask of the network to which the alias IP address(es) belong. It is expressed as the number of bits in the netmask.

Step 10 (Optional) To specify the maximum number of simultaneous connections for this rule, right-click under the MaxC box, type that value in the selected box, and then press Enter.

This value is a whole number that represents the maximum number of simultaneous connections that can use this translation rule. The PEP enforces this value against new session requests. Use 0 (zero) to specify the default value assigned to the PEP.

Step 11 (Optional) To specify the maximum number of simultaneous embryonic links for this rule, right-click under the EmbL box, type that value in the selected box, and then press Enter.

This value is a whole number (smaller than the MaxC value) that represents the maximum number of simultaneous embryonic links that can use this translation rule. The PEP enforces this value against new session requests by restricting the number of session requests that have not completed the handshake. This feature enables you to guard against TCP SYN attacks. Use 0 (zero) to specify the default value assigned to the PEP.

Step 12 To begin defining a new static translation rule, click Insert Rule.

Result: A new rule named S1 is created in the Static Translation list.

Step 13 To specify that you want to hide the corporate e-mail server with this rule, click Corporate E-mail Server in the Network Topology tree, and then drag and drop that object under the Translate object box to the right of S1 under Static Translation (bidirectional remapping).

Result: Corporate E-mail Server appears in the Translate object box and DMZ Perimeter appears in the via perimeter(s) box.

When you right-click on the Translate object box, it displays a list of the network objects that reside under the PEP node for which you are defining this rule. If you do not see the network object that you want to hide, you must define it within the Network Topology tree.

Step 14 To specify that you want to hide the corporate e-mail server from the Internet perimeter, right-click DMZ Perimeter, and then double-click Internet Perimeter in the via perimeter(s) box.

Step 15 To specify the IP address that the corporate e-mail server's address will be remapped to, right-click under the using address box, type 192.168.1.53 in the selected box, and then press Enter.

Step 16 To specify the network mask value of the IP address that the corporate e-mail server will be remapped to, right-click under the mask box, type 24 in the selected box, and then press Enter.

Step 17 (Optional) To specify the maximum number of simultaneous connections for this rule, right-click under the MaxC box, type that value in the selected box, and then press Enter.

Step 18 (Optional) To specify the maximum number of simultaneous embryonic links for this rule, right-click under the EmbL box, type that value in the selected box, and then press Enter.

Step 19 To accept your changes and close the Mapping panel, click OK.

Step 20 To save the changes that you have made to the Policy Database, click Save on the File menu.

Result: The System Inconsistencies panel displays the following inconsistency:

Now we have completely defined the objects residing on the example network. We have only defined what we need to ensure that we can develop and apply good security policies. In other words, the sample networks could have other hosts residing on them, but we are only interested in calling out a few servers because we want to define security policies that restrict network access to those servers.
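The static translation rules S0 and S1 defined above can be modelled to check the constraints the chapter states (a host cannot be hidden from its own perimeter, EmbL must be smaller than MaxC, 0 means the PEP default) and to show how the PEP remaps addresses in both directions and admits new sessions. This is an added illustration, not CSPM or PIX code; the web server's real address and the perimeter names other than those in the chapter are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class StaticRule:  # one row of the Static Translation (bidirectional remapping) list
    name: str                 # S0, S1, ...
    translate_object: str     # hidden host, e.g. "Corporate Web Server"
    attached_perimeter: str   # perimeter the hidden host is connected to
    real_ip: str              # real address of the hidden host (constructed here)
    via_perimeters: tuple     # perimeters the host is hidden from
    using_address: str        # alias address those perimeters must use
    mask: int                 # netmask length in bits
    max_conns: int = 0        # MaxC; 0 means the PEP default
    embryonic_limit: int = 0  # EmbL; 0 means the PEP default

def validate_rule(rule):
    """Return the constraints from the chapter that this rule violates."""
    problems = []
    if rule.attached_perimeter in rule.via_perimeters:
        problems.append("cannot hide a host from the perimeter it is attached to")
    if not 0 <= rule.mask <= 32:
        problems.append("mask must be a prefix length between 0 and 32")
    if rule.max_conns and rule.embryonic_limit >= rule.max_conns:
        problems.append("EmbL must be smaller than MaxC")
    return problems

def translate(rules, src_perimeter, dst_perimeter, src_ip, dst_ip):
    """Remap one packet's (src, dst) as the PEP proxy does, first matching rule wins."""
    for r in rules:
        # outbound: the hidden host's real source address becomes the alias
        if src_ip == r.real_ip and dst_perimeter in r.via_perimeters:
            return r.using_address, dst_ip
        # inbound: an object on a hidden-from perimeter addresses the alias
        if dst_ip == r.using_address and src_perimeter in r.via_perimeters:
            return src_ip, r.real_ip
    return src_ip, dst_ip  # traffic not crossing a hidden-from perimeter is untouched

def admit_new_session(rule, open_conns, embryonic):
    """Accept a new session request only within the rule's MaxC and EmbL limits."""
    if rule.max_conns and open_conns >= rule.max_conns:
        return False  # established-session cap reached
    if rule.embryonic_limit and embryonic >= rule.embryonic_limit:
        return False  # too many half-open handshakes: the TCP SYN guard
    return True

# Rule S0 from the chapter; the web server's real address is a constructed placeholder.
WEB_RULE = StaticRule("S0", "Corporate Web Server", "DMZ Perimeter", "10.1.1.10",
                      ("Internet Perimeter",), "192.168.1.52", 24, 100, 50)
```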

When defining your own network topology, remember that you only need to define enough of the actual topology to ensure that all the routing rules are generated and to identify any hosts for which you want to define specific security policies. In practice this means defining all your networks and gateways, which can take several forms: routers, firewalls, and networks, or cloud objects such as clouds and cloud networks.

The next chapter discusses how to define security policies that restrict network traffic to only those network services that you want to allow across your network.


Posted: Fri Aug 20 06:58:17 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.