Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAT Applications Tutorial plus a pinch of Margrave Tim Nelson Shriram Krishnamurthi Brown University 1.

Published byClifton York Modified over 8 years ago

Similar presentations

Presentation on theme: "SAT Applications Tutorial plus a pinch of Margrave Tim Nelson Shriram Krishnamurthi Brown University 1."— Presentation transcript:

1 SAT Applications Tutorial plus a pinch of Margrave Tim Nelson Shriram Krishnamurthi Brown University 1

2 hostname simple interface outside ip address 10.1.1.1 255.255.255.0 interface inside ip access-group 102 in ip address 192.168.1.1 255.255.0.0 access-list 102 permit tcp any any eq 80 access-list 102 deny ip 192.168.4.0 0.0.0.255 any any access-list 102 permit tcp any host 10.1.1.3 access-list 102 deny any ip route 0.0.0.0 0.0.0.0 10.1.1.2 2 simple outside inside 192.168.1.1/2410.1.1.1/24

3 access-list 102 permit tcp any any eq 80 access-list 102 deny ip 192.168.4.0 0.0.0.255 any any access-list 102 permit tcp any host 10.1.1.3 access-list 102 deny any 3 simple outside inside 192.168.1.1/2410.1.1.1/24 allow(p) ↔ (p.proto = tcp and p.tcpDst = 80) or (p.proto = tcp and p.ipDst = 10.1.1.3 and not (p.ipSrc in 192.168.4.0/24))

4 interface outside ip address 10.1.1.1 255.255.255.0 interface inside ip access-group 102 in ip address 192.168.1.1 255.255.0.0 4 simple outside inside 192.168.1.1/2410.1.1.1/24 output(nexthop,o) ↔ (nexthop in 10.1.1.0/24 and o = outside) or (nexthop in 192.168.0.0/16 and o = inside)

5 ip route 0.0.0.0 0.0.0.0 10.1.1.2 5 simple outside inside 192.168.1.1/2410.1.1.1/24 route(p,nexthop) ↔ (nexthop = p.ipDst and (p.dlDst IN 10.1.1.0/24 or p.dlDst IN 192.168.0.0/16)) or (nexthop = 10.1.1.2 and not (p.dlDst IN 10.1.1.0/24 or p.dlDst IN 192.168.0.0/16))

6 6 output(nexthop,o) route(p,nexthop) allow(p) …

7 7 output(nexthop,o) route(p,nexthop) allow(p) nat(p, p’) router-pass(p, p’)

8 8 “Reasonable facts” as variables p.ipSrc in 10.1.1.0/24 p.tcpsrc in 10.1.1.0/24 Constraints (p.ipSrc in 10.1.1.0/24 → p.ipSrc in 10.1.0.0/16)

9 9 x (not x) or y y or (not x) or z (not q) and Clause ::= ( ± x 1 or … or ± x n ) (not y)

10 10 What about state?

11 access-list 102 permit tcp any any eq 80 access-list 102 deny ip 192.168.4.0 0.0.0.255 any any access-list 102 permit tcp any host 10.1.1.3 access-list 102 deny any 11 simple outside inside 192.168.1.1/2410.1.1.1/24 allow(p) ↔ (p.proto = tcp and p.tcpDst = 80) or (p.proto = tcp and p.ipDst = 10.1.1.3 and not (p.ipSrc in 192.168.4.0/24)) or reflexiveReturn(p.ipSrc, p.ipDst, “web”) reflect web Stateful Firewall

12 access-list 102 permit tcp any any eq 80 access-list 102 deny ip 192.168.4.0 0.0.0.255 any any access-list 102 permit tcp any host 10.1.1.3 access-list 102 deny any 12 simple outside inside 192.168.1.1/2410.1.1.1/24 plus_reflexiveReturn(p.ipSrc, p.ipDst) ↔ (p.proto = tcp and p.tcpDst = 80) reflect web

13 13 plus_nat(p.ipSrc, p.tcpSrc, next) ↔ p.proto = tcp and not nat(p.ipsrc, p.tcpSrc, ANY) Is the translation reversed at outside gateway? all p | p.locPt = outside and p.ipdst = gateway_addr and nat(oldip, oldpt, p.tcpDst) and forward(p, p’) → (p’.tcpDst = oldpt and p’.ipdst = oldip)

Download ppt "SAT Applications Tutorial plus a pinch of Margrave Tim Nelson Shriram Krishnamurthi Brown University 1."

Similar presentations

Routing Routing in an internetwork is the process of directing the transmission of data across two connected networks. Bridges seem to do this function.

Routing Routing in an internetwork is the process of directing the transmission of data across two connected networks. Bridges seem to do this function.
Fa0/0 ACL NAT Loopback0 DHCP Outside Inside route-map public local Router jednointerface'wy jako serwer DHCP z usługą NAT Autor: Leszek Gorzelnik, Kraków.

Fa0/0 ACL NAT Loopback0 DHCP Outside Inside route-map public local Router jednointerface'wy jako serwer DHCP z usługą NAT Autor: Leszek Gorzelnik, Kraków.
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
11 P OLICY A NALYSIS U SING M ARGRAVE Shriram Krishnamurthi Brown University.

11 P OLICY A NALYSIS U SING M ARGRAVE Shriram Krishnamurthi Brown University.
Washington School District Computer Network System Threaded Case Study Jim, Jeff, Pete, Adam, Chris  100X LAN Growth  2X WAN Growth  1.0 Mbps to any.

Washington School District Computer Network System Threaded Case Study Jim, Jeff, Pete, Adam, Chris  100X LAN Growth  2X WAN Growth  1.0 Mbps to any.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 

1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
CCNA 2 v3.1 Module 11.

CCNA 2 v3.1 Module 11.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Sybex CCNA 640-802 Chapter 11: Network Address Translation Instructor & Todd Lammle.

Sybex CCNA Chapter 11: Network Address Translation Instructor & Todd Lammle.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.

CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing.

Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing.
Access Control Lists Written by Bill Reed 03/11/05.

Access Control Lists Written by Bill Reed 03/11/05.
ICND2 – OSPF – Mark Lab Reset for lab 4 Configure 2 loopback interfaces on both routers –RTR1 – 10.X.X.2/32 and 10.X.X.3/32 (area X) –RTR2 – 10.X.X.4/32.

ICND2 – OSPF – Mark Lab Reset for lab 4 Configure 2 loopback interfaces on both routers –RTR1 – 10.X.X.2/32 and 10.X.X.3/32 (area X) –RTR2 – 10.X.X.4/32.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—7-1 Address Space Management Scaling the Network with NAT and PAT.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—7-1 Address Space Management Scaling the Network with NAT and PAT.

Similar presentations

Ads by Google