Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

Topology

Addressing Table

Device   Interface      IP Address     Subnet Mask       Default Gateway   Switch Port
R1       G0/1           192.168.1.1    255.255.255.0     N/A               S1 F0/5
R1       S0/0/0 (DCE)   10.1.1.1       255.255.255.252   N/A               N/A
R2       S0/0/0         10.1.1.2       255.255.255.252   N/A               N/A
R2       S0/0/1 (DCE)   10.2.2.2       255.255.255.252   N/A               N/A
R3       G0/1           192.168.3.1    255.255.255.0     N/A               S3 F0/5
R3       S0/0/1         10.2.2.1       255.255.255.252   N/A               N/A
PC-A     NIC            192.168.1.3    255.255.255.0     192.168.1.1       S1 F0/6
PC-C     NIC            192.168.3.3    255.255.255.0     192.168.3.1       S3 F0/18

Objectives

Verify connectivity among devices before firewall configuration.
Configure a zone-based policy (ZPF) firewall on R3.
Verify ZPF firewall functionality using ping, SSH, and a web browser.

Background/Scenario

ZPFs are the latest development in the evolution of Cisco firewall technologies. In this activity, you will configure a basic ZPF on edge router R3 that allows internal hosts access to external resources and blocks external hosts from accessing internal resources. You will then verify firewall functionality from internal and external hosts.

The routers have been pre-configured with the following:
Console password: ciscoconpa55
Password for vty lines: ciscovtypa55
Enable password: ciscoenpa55
Host names and IP addressing

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Local username and password: Admin / Adminpa55
Static routing

Part 1: Verify Basic Network Connectivity

Verify network connectivity prior to configuring the zone-based policy firewall.

Step 1: From the PC-A command prompt, ping PC-C at 192.168.3.3.

Step 2: Access R2 using SSH.
a. From the PC-C command prompt, SSH to the S0/0/1 interface on R2 at 10.2.2.2. Use the username Admin and password Adminpa55 to log in.
   PC> ssh -l Admin 10.2.2.2
b. Exit the SSH session.

Step 3: From PC-C, open a web browser to the PC-A server.
a. Click the Desktop tab and then click the Web Browser application. Enter the PC-A IP address 192.168.1.3 as the URL. The Packet Tracer welcome page from the web server should be displayed.
b. Close the browser on PC-C.

Part 2: Create the Firewall Zones on R3

Note: For all configuration tasks, be sure to use the exact names as specified.

Step 1: Enable the Security Technology package.
a. On R3, issue the show version command to view the Technology Package license information.
b. If the Security Technology package has not been enabled, use the following command to enable the package.
   R3(config)# license boot module c1900 technology-package securityk9
c. Accept the end-user license agreement.
d. Save the running-config and reload the router to enable the security license.
e. Verify that the Security Technology package has been enabled by using the show version command.

Step 2: Create an internal zone.
Use the zone security command to create a zone named IN-ZONE.
   R3(config)# zone security IN-ZONE
   R3(config-sec-zone)# exit

Step 3: Create an external zone.
Use the zone security command to create a zone named OUT-ZONE.
   R3(config)# zone security OUT-ZONE
   R3(config-sec-zone)# exit
Part 3: Identify Traffic Using a Class-Map

Step 1: Create an ACL that defines internal traffic.
Use the access-list command to create extended ACL 101 to permit all IP protocols from the 192.168.3.0/24 source network to any destination.
   R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any

Step 2: Create a class map referencing the internal traffic ACL.
Use the class-map type inspect command with the match-all option to create a class map named IN-NET-CLASS-MAP. Use the match access-group command to match ACL 101.
   R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP
   R3(config-cmap)# match access-group 101
   R3(config-cmap)# exit

Part 4: Specify Firewall Policies

Step 1: Create a policy map to determine what to do with matched traffic.
Use the policy-map type inspect command and create a policy map named IN-2-OUT-PMAP.
   R3(config)# policy-map type inspect IN-2-OUT-PMAP

Step 2: Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.
   R3(config-pmap)# class type inspect IN-NET-CLASS-MAP

Step 3: Specify the action of inspect for this policy map.
The inspect action performs stateful inspection (the engine inherited from context-based access control, CBAC): the router records each permitted outbound session and allows only its return traffic back in. The other available actions are pass (forward without keeping state) and drop.
   R3(config-pmap-c)# inspect
   %No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.
Issue the exit command twice to leave config-pmap-c mode and return to config mode.
   R3(config-pmap-c)# exit
   R3(config-pmap)# exit

Part 5: Apply Firewall Policies

Step 1: Create a pair of zones.
Using the zone-pair security command, create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created in Part 2.
   R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

Step 2: Specify the policy map for handling the traffic between the two zones.
Attach a policy map and its associated actions to the zone pair using the service-policy type inspect command and reference the policy map previously created, IN-2-OUT-PMAP.
   R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
   R3(config-sec-zone-pair)# exit
   R3(config)#

Step 3: Assign interfaces to the appropriate security zones.
Use the zone-member security command in interface configuration mode to assign G0/1 to IN-ZONE and S0/0/1 to OUT-ZONE.
   R3(config)# interface g0/1
   R3(config-if)# zone-member security IN-ZONE
   R3(config-if)# exit
   R3(config)# interface s0/0/1
   R3(config-if)# zone-member security OUT-ZONE
   R3(config-if)# exit

Step 4: Copy the running configuration to the startup configuration.

Part 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE

Verify that internal hosts can still access external resources after configuring the ZPF.

Step 1: From internal PC-C, ping the external PC-A server.
From the PC-C command prompt, ping PC-A at 192.168.1.3. The ping should succeed.

Step 2: From internal PC-C, SSH to the R2 S0/0/1 interface.
a. From the PC-C command prompt, SSH to R2 at 10.2.2.2. Use the username Admin and the password Adminpa55 to access R2. The SSH session should succeed.
b. While the SSH session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions.
   What is the source IP address and port number?
   What is the destination IP address and port number?

Step 3: From PC-C, exit the SSH session on R2 and close the command prompt window.

Step 4: From internal PC-C, open a web browser to the PC-A server web page.
Enter the server IP address 192.168.1.3 in the browser URL field, and click Go. The HTTP session should succeed. While the HTTP session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions.
Note: If the HTTP session times out before you execute the command on R3, you will have to click the Go button on PC-C to generate a session between PC-C and PC-A.
   What is the source IP address and port number?
   What is the destination IP address and port number?
Step 5: Close the browser on PC-C.

Part 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE

Verify that external hosts CANNOT access internal resources after configuring the ZPF.

Step 1: From the PC-A server command prompt, ping PC-C.
From the PC-A command prompt, ping PC-C at 192.168.3.3. The ping should fail, because the ICMP request enters R3 on S0/0/1 (OUT-ZONE) bound for G0/1 (IN-ZONE) and no OUT-ZONE to IN-ZONE zone pair exists; traffic between zones with no zone pair is dropped.

Step 2: From R2, ping PC-C.
From R2, ping PC-C at 192.168.3.3. The ping should fail for the same reason.

Step 3: Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.