Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

Topology

Addressing Table

Device   Interface      IP Address     Subnet Mask       Default Gateway   Switch Port
R1       G0/1           192.168.1.1    255.255.255.0     N/A               S1 F0/5
R1       S0/0/0 (DCE)   10.1.1.1       255.255.255.252   N/A               N/A
R2       S0/0/0         10.1.1.2       255.255.255.252   N/A               N/A
R2       S0/0/1 (DCE)   10.2.2.2       255.255.255.252   N/A               N/A
R3       G0/1           192.168.3.1    255.255.255.0     N/A               S3 F0/5
R3       S0/0/1         10.2.2.1       255.255.255.252   N/A               N/A
PC-A     NIC            192.168.1.3    255.255.255.0     192.168.1.1       S1 F0/6
PC-C     NIC            192.168.3.3    255.255.255.0     192.168.3.1       S3 F0/18

Objectives

Verify connectivity among devices before firewall configuration.
Configure a zone-based policy (ZPF) firewall on R3.
Verify ZPF firewall functionality using ping, SSH, and a web browser.

Background/Scenario

ZPFs are the latest development in the evolution of Cisco firewall technologies. In this activity, you will configure a basic ZPF on an edge router R3 that allows internal hosts access to external resources and blocks external hosts from accessing internal resources. You will then verify firewall functionality from internal and external hosts.

The routers have been pre-configured with the following:
Console password: ciscoconpa55
Password for vty lines: ciscovtypa55
Enable password: ciscoenpa55
Host names and IP addressing
Local username and password: Admin / Adminpa55
Static routing

Part 1: Verify Basic Network Connectivity

Verify network connectivity prior to configuring the zone-based policy firewall.

Step 1: From the PC-A command prompt, ping PC-C at 192.168.3.3.

Step 2: Access R2 using SSH.
a. From the PC-C command prompt, SSH to the S0/0/1 interface on R2 at 10.2.2.2. Use the username Admin and password Adminpa55 to log in.
PC> ssh -l Admin 10.2.2.2
b. Exit the SSH session.

Step 3: From PC-C, open a web browser to the PC-A server.
a. Click the Desktop tab and then click the Web Browser application. Enter the PC-A IP address 192.168.1.3 as the URL. The Packet Tracer welcome page from the web server should be displayed.
b. Close the browser on PC-C.

Part 2: Create the Firewall Zones on R3

Note: For all configuration tasks, be sure to use the exact names as specified.

Step 1: Enable the Security Technology package.
a. On R3, issue the show version command to view the Technology Package license information.
b. If the Security Technology package has not been enabled, use the following command to enable the package.
R3(config)# license boot module c1900 technology-package securityk9
c. Accept the end-user license agreement.
d. Save the running-config and reload the router to enable the security license.
e. Verify that the Security Technology package has been enabled by using the show version command.

Step 2: Create an internal zone. Use the zone security command to create a zone named IN-ZONE.
R3(config)# zone security IN-ZONE
R3(config-sec-zone)# exit

Step 3: Create an external zone. Use the zone security command to create a zone named OUT-ZONE.
R3(config)# zone security OUT-ZONE
R3(config-sec-zone)# exit

Part 3: Identify Traffic Using a Class-Map

Step 1: Create an ACL that defines internal traffic. Use the access-list command to create extended ACL 101 to permit all IP protocols from the 192.168.3.0/24 source network to any destination.
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any

Step 2: Create a class map referencing the internal traffic ACL. Use the class-map type inspect command with the match-all option to create a class map named IN-NET-CLASS-MAP. Use the match access-group command to match ACL 101.
R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)# match access-group 101
R3(config-cmap)# exit

Part 4: Specify Firewall Policies

Step 1: Create a policy map to determine what to do with matched traffic. Use the policy-map type inspect command and create a policy map named IN-2-OUT-PMAP.
R3(config)# policy-map type inspect IN-2-OUT-PMAP

Step 2: Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP

Step 3: Specify the action of inspect for this policy map. The use of the inspect command invokes context-based access control (other options include pass and drop).
R3(config-pmap-c)# inspect
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.
Issue the exit command twice to leave config-pmap-c mode and return to config mode.
R3(config-pmap-c)# exit
R3(config-pmap)# exit

Part 5: Apply Firewall Policies

Step 1: Create a pair of zones. Using the zone-pair security command, create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created in Part 2.
R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

Step 2: Specify the policy map for handling the traffic between the two zones. Attach a policy-map and its associated actions to the zone pair using the service-policy type inspect command and reference the policy map previously created, IN-2-OUT-PMAP.
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit
R3(config)#

Step 3: Assign interfaces to the appropriate security zones. Use the zone-member security command in interface configuration mode to assign G0/1 to IN-ZONE and S0/0/1 to OUT-ZONE.
R3(config)# interface g0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
R3(config-if)# exit

Step 4: Copy the running configuration to the startup configuration.

Part 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE

Verify that internal hosts can still access external resources after configuring the ZPF.

Step 1: From internal PC-C, ping the external PC-A server. From the PC-C command prompt, ping PC-A at 192.168.1.3. The ping should succeed.

Step 2: From internal PC-C, SSH to the R2 S0/0/1 interface.
a. From the PC-C command prompt, SSH to R2 at 10.2.2.2. Use the username Admin and the password Adminpa55 to access R2. The SSH session should succeed.
b. While the SSH session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions.
What is the source IP address and port number?
What is the destination IP address and port number?

Step 3: From PC-C, exit the SSH session on R2 and close the command prompt window.

Step 4: From internal PC-C, open a web browser to the PC-A server web page. Enter the server IP address 192.168.1.3 in the browser URL field, and click Go. The HTTP session should succeed. While the HTTP session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions.
Note: If the HTTP session times out before you execute the command on R3, you will have to click the Go button on PC-C to generate a session between PC-C and PC-A.
What is the source IP address and port number?
What is the destination IP address and port number?

Step 5: Close the browser on PC-C.

Part 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE

Verify that external hosts CANNOT access internal resources after configuring the ZPF.

Step 1: From the PC-A server command prompt, ping PC-C. From the PC-A command prompt, ping PC-C at 192.168.3.3. The ping should fail.

Step 2: From R2, ping PC-C. From R2, ping PC-C at 192.168.3.3. The ping should fail.

Step 3: Check results. Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
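To make the results expected in Parts 6 and 7 concrete, here is an added Python simulation of the ZPF this lab builds on R3; it is not part of the Cisco lab and not IOS code. It applies the wildcard mask of ACL 101, the single IN-2-OUT-ZPAIR with the inspect action, and the session state that lets replies come back; the interface names passed to forward(), the SSH source port 49152, and the expire_sessions() idle-timeout step are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str; dst: str; proto: str   # IPs and "icmp"/"tcp"
    sport: int = 0; dport: int = 0   # 0 for icmp

def acl_101_permits(flow: Flow) -> bool:
    # access-list 101 permit ip 192.168.3.0 0.0.0.255 any: wildcard 1-bits are "don't care"
    net = int(ipaddress.IPv4Address("192.168.3.0"))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address("0.0.0.255"))
    return int(ipaddress.IPv4Address(flow.src)) & care == net & care

class R3:
    # Constructed model (not Cisco code) of the ZPF this lab configures on R3.
    def __init__(self):
        self.zone_of = {"g0/1": "IN-ZONE", "s0/0/1": "OUT-ZONE"}           # zone-member security
        self.zone_pairs = {("IN-ZONE", "OUT-ZONE"): self.in_2_out_pmap}   # IN-2-OUT-ZPAIR only
        self.sessions = set()   # state table that the inspect action populates

    def in_2_out_pmap(self, flow: Flow) -> str:
        if acl_101_permits(flow):            # class type inspect IN-NET-CLASS-MAP -> inspect
            self.sessions.add((flow.src, flow.sport, flow.dst, flow.dport, flow.proto))
            return "inspect"
        return "drop"                        # class-default drops everything else

    def expire_sessions(self):
        self.sessions.clear()                # idle timeout: IOS ages out inspect sessions

    def forward(self, in_if: str, out_if: str, flow: Flow) -> str:
        src_zone, dst_zone = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src_zone == dst_zone:
            return "pass"                    # same zone, or both interfaces unzoned
        if (flow.dst, flow.dport, flow.src, flow.sport, flow.proto) in self.sessions:
            return "return"                  # reply to an inspected session (stateful)
        policy = self.zone_pairs.get((src_zone, dst_zone))
        return policy(flow) if policy else "drop"   # no zone pair in this direction: deny

def run_lab() -> dict:
    # Replays Parts 6 and 7 of the lab; the SSH source port 49152 is a constructed value.
    r3, out = R3(), {}
    out["pcc_ping_pca"] = r3.forward("g0/1", "s0/0/1", Flow("192.168.3.3", "192.168.1.3", "icmp"))
    out["pca_echo_reply"] = r3.forward("s0/0/1", "g0/1", Flow("192.168.1.3", "192.168.3.3", "icmp"))
    out["pcc_ssh_r2"] = r3.forward("g0/1", "s0/0/1", Flow("192.168.3.3", "10.2.2.2", "tcp", 49152, 22))
    r3.expire_sessions()                     # Part 7 starts once the earlier sessions have aged out
    out["pca_ping_pcc"] = r3.forward("s0/0/1", "g0/1", Flow("192.168.1.3", "192.168.3.3", "icmp"))
    out["r2_ping_pcc"] = r3.forward("s0/0/1", "g0/1", Flow("10.2.2.2", "192.168.3.3", "icmp"))
    return out
```

The echo reply from PC-A is accepted only because the earlier inspected ping left a session behind, which is also why the lab's note warns that an idle HTTP session can vanish from show policy-map type inspect zone-pair sessions before you look at it.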