PT Activity: Configuring a Zone-Based Policy Firewall (ZPF)


Instructor Version

Topology Diagram

Addressing Table

Device  Interface  IP Address    Subnet Mask      Default Gateway
R1      Fa0/1      192.168.1.1   255.255.255.0    N/A
R1      S0/0/0     10.1.1.1      255.255.255.252  N/A
R2      S0/0/0     10.1.1.2      255.255.255.252  N/A
R2      S0/0/1     10.2.2.2      255.255.255.252  N/A
R3      Fa0/1      192.168.3.1   255.255.255.0    N/A
R3      S0/0/1     10.2.2.1      255.255.255.252  N/A
PC-A    NIC        192.168.1.3   255.255.255.0    192.168.1.1
PC-C    NIC        192.168.3.3   255.255.255.0    192.168.3.1

Learning Objectives

- Verify connectivity among devices before firewall configuration.
- Configure a zone-based policy firewall (ZPF) on router R3.
- Verify ZPF firewall functionality using ping, Telnet and a web browser.

Introduction

Zone-based policy (ZPF) firewalls are the latest development in the evolution of Cisco firewall technologies. In this activity, you configure a basic ZPF on the edge router R3 that allows internal hosts access to external resources and blocks external hosts from accessing internal resources. You then verify firewall functionality from internal and external hosts.

All contents are Copyright 1992-2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 5

The routers have been pre-configured with the following:

- Console password: ciscoconpa55
- Password for vty lines: ciscovtypa55
- Enable password: ciscoenpa55
- Host names and IP addressing
- Static routing

Task 1: Verify Basic Network Connectivity

Verify network connectivity prior to configuring the zone-based policy firewall.

Step 1. From the PC-A command prompt, ping PC-C at 192.168.3.3.

Step 2. From the PC-C command prompt, Telnet to the router R2 S0/0/1 interface at 10.2.2.2. Exit the Telnet session.

Step 3. From PC-C, open a web browser to the PC-A server. Click the Desktop tab and click the Web Browser application. Enter the PC-A IP address 192.168.1.3 as the URL. The Packet Tracer 5.x welcome page from the web server should be displayed. Close the browser on PC-C.

Task 2: Create the Firewall Zones on Router R3

Note: For all configuration tasks, be sure to use the exact names as specified.

Step 1. Create an internal zone.
Use the zone security command to create a zone named IN-ZONE.

R3(config)# zone security IN-ZONE

Step 2. Create an external zone.
Use the zone security command to create a zone named OUT-ZONE.

R3(config-sec-zone)# zone security OUT-ZONE
R3(config-sec-zone)# exit

Task 3: Define a Traffic Class and Access List

Step 1. Create an ACL that defines internal traffic.
Use the access-list command to create extended ACL 101 to permit all IP protocols from the 192.168.3.0/24 source network to any destination.

R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any

Step 2. Create a class map referencing the internal traffic ACL.
Use the class-map type inspect command with the match-all option to create a class map named IN-NET-CLASS-MAP. Use the match access-group command to match ACL 101.

R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)# match access-group 101
R3(config-cmap)# exit

Note: Although not supported in this Packet Tracer exercise, individual protocols (HTTP, FTP, etc.) can be specified to be matched, using the match-any option, in order to provide more precise control over what type of traffic is inspected.

Task 4: Specify Firewall Policies

Step 1. Create a policy map to determine what to do with matched traffic.
Use the policy-map type inspect command and create a policy map named IN-2-OUT-PMAP.

R3(config)# policy-map type inspect IN-2-OUT-PMAP

Step 2. Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.

R3(config-pmap)# class type inspect IN-NET-CLASS-MAP

Step 3. Specify the action of inspect for this policy map.
The inspect action invokes stateful (context-based) inspection: sessions initiated by the matched traffic are tracked, and their return traffic is allowed back through the firewall. The other options are pass (forward without tracking sessions, so return traffic needs a policy of its own) and drop.

R3(config-pmap-c)# inspect
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.

Step 4. Issue the exit command twice to leave config-pmap-c mode and return to config mode.

R3(config-pmap-c)# exit
R3(config-pmap)# exit

Task 5: Apply Firewall Policies

Step 1. Create a zone pair.
Using the zone-pair security command, create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created in Task 2.

R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

Step 2. Specify the policy map for handling the traffic between the two zones.
Attach the policy map and its associated actions to the zone pair using the service-policy type inspect command, referencing the policy map previously created, IN-2-OUT-PMAP.

R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit
R3(config)#

Step 3. Assign interfaces to the appropriate security zones.
Use the zone-member security command in interface configuration mode to assign Fa0/1 to IN-ZONE and S0/0/1 to OUT-ZONE.
R3(config)# interface fa0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
R3(config-if)# exit
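The objects created in Tasks 2 through 5 reference each other by name: the zone pair names two zones and a policy map, the policy map names a class map, the class map names an ACL, and each zone is only useful once an interface is a member of it. Any direction between two zones that has no zone pair at all is dropped by ZPF, which is what Task 7 will confirm. The script below is an added example, not part of the Packet Tracer activity and not a Cisco tool: it parses the R3 configuration as the relevant lines would appear in show running-config (a constructed sample embedded in the script; numbered ACLs only), reports any reference in that chain that does not resolve or any zone with no member interface, and lists the zone directions that no zone pair covers. The function and variable names are the example's own.

```python
"""Audit the ZPF objects in an IOS config (added example, not part of the activity).

Parses the ZPF commands from a running-config excerpt and checks that every link
in the chain zone-pair -> policy-map -> class-map -> ACL resolves, that every zone
has a member interface, and which zone directions have no zone pair (ZPF drops them).
"""
import re
from itertools import permutations

# Constructed sample: the R3 configuration from Tasks 2-5 as it would appear in 'show running-config'.
R3_CONFIG = """\
zone security IN-ZONE
zone security OUT-ZONE
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 zone-member security IN-ZONE
interface Serial0/0/1
 zone-member security OUT-ZONE
"""


def parse_zpf(config):
    """Return a dict model of the ZPF objects found in IOS config text."""
    model = {"zones": set(), "acls": set(), "class_maps": {},
             "policy_maps": {}, "zone_pairs": {}, "members": {}}
    ctx = cur_class = None  # enclosing top-level command; current pmap class
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # top-level command opens a new context
            ctx = cur_class = None
            if m := re.match(r"zone security (\S+)$", line):
                model["zones"].add(m[1])
            elif m := re.match(r"access-list (\d+) ", line):
                model["acls"].add(m[1])
            elif m := re.match(r"class-map type inspect (match-\w+) (\S+)$", line):
                model["class_maps"][m[2]] = {"op": m[1], "acls": []}
                ctx = ("cmap", m[2])
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                model["policy_maps"][m[1]] = {}
                ctx = ("pmap", m[1])
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                model["zone_pairs"][m[1]] = {"src": m[2], "dst": m[3], "policy": None}
                ctx = ("zpair", m[1])
            elif m := re.match(r"interface (\S+)$", line):
                ctx = ("intf", m[1])
            continue
        kind, name = ctx or (None, None)  # sub-mode line outside a known context is ignored
        cmd = line.strip()
        if kind == "cmap" and (m := re.match(r"match access-group (\d+)$", cmd)):
            model["class_maps"][name]["acls"].append(m[1])
        elif kind == "pmap" and (m := re.match(r"class type inspect (\S+)$", cmd)):
            cur_class = m[1]
            model["policy_maps"][name][cur_class] = None  # action filled in below
        elif kind == "pmap" and cur_class and cmd.split()[0] in ("inspect", "pass", "drop"):
            model["policy_maps"][name][cur_class] = cmd.split()[0]
        elif kind == "zpair" and (m := re.match(r"service-policy type inspect (\S+)$", cmd)):
            model["zone_pairs"][name]["policy"] = m[1]
        elif kind == "intf" and (m := re.match(r"zone-member security (\S+)$", cmd)):
            model["members"].setdefault(m[1], []).append(name)
    return model


def audit_zpf(model):
    """Return (severity, message) findings; an empty list means the chain resolves."""
    out = []
    for zp_name, zp in model["zone_pairs"].items():
        for role in ("src", "dst"):
            if zp[role] not in model["zones"]:
                out.append(("error", f"zone-pair {zp_name}: {role} zone {zp[role]} is not defined"))
        if zp["policy"] not in model["policy_maps"]:
            out.append(("error", f"zone-pair {zp_name}: policy-map {zp['policy']} is not defined"))
    for pm_name, classes in model["policy_maps"].items():
        for cm_name, action in classes.items():
            if cm_name not in model["class_maps"]:
                out.append(("error", f"policy-map {pm_name}: class-map {cm_name} is not defined"))
            if action is None:
                out.append(("warn", f"policy-map {pm_name}: class {cm_name} has no inspect/pass/drop action"))
    for cm_name, cm in model["class_maps"].items():
        for acl in cm["acls"]:
            if acl not in model["acls"]:
                out.append(("error", f"class-map {cm_name}: access-group {acl} is not defined"))
    for zone in sorted(model["zones"]):
        if not model["members"].get(zone):
            out.append(("warn", f"zone {zone} has no member interfaces"))
    return out


def uncovered_directions(model):
    """Ordered (src, dst) zone pairs with no zone-pair: ZPF drops traffic initiated there."""
    covered = {(zp["src"], zp["dst"]) for zp in model["zone_pairs"].values()}
    return [p for p in permutations(sorted(model["zones"]), 2) if p not in covered]
```

Calling audit_zpf(parse_zpf(R3_CONFIG)) on the sample returns no findings, and uncovered_directions reports the single direction OUT-ZONE to IN-ZONE, which is the direction Task 7 expects to fail. Feeding it a copy of the configuration with one name misspelled (for example the policy map name on the service-policy line) produces an error naming the unresolved object, which is cheaper to find offline than after the configuration has been pasted into the router.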

Step 4. Copy the running configuration to the startup configuration.

Task 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE

Verify that internal hosts can still access external resources after configuring the zone-based policy firewall.

Step 1. From internal PC-C, ping the external PC-A server.
From the PC-C Command Prompt, ping PC-A at 192.168.1.3. The ping should succeed.

Step 2. From internal PC-C, Telnet to the router R2 S0/0/1 interface.
From the PC-C Command Prompt, Telnet to R2 at 10.2.2.2 and provide the vty password ciscovtypa55. The Telnet should succeed.

While the Telnet session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions.

R3# show policy-map type inspect zone-pair sessions
Zone-pair: IN-ZONE-OUT-ZONE
 Service-policy inspect : IN-2-OUT-PMAP
  Class-map: IN-NET-CLASS-MAP (match-all)
   Match: access-group 101
   Inspect
    Established Sessions
     Session 139644744 (192.168.3.3:1025)=>(10.2.2.2:23) telnet:tcp SIS_OPEN
      Created 00:00:02, Last heard 00:00:00
      Bytes sent (initiator:responder) [0:0]

What is the source IP address and port number?
192.168.3.3:1025 (port 1025 is an ephemeral port chosen by the client and will vary)

What is the destination IP address and port number?
10.2.2.2:23 (Telnet = port 23)

Step 3. From PC-C, exit the Telnet session on R2 and close the Command Prompt window.

Step 4. From internal PC-C, open a web browser to the PC-A server web page.
Enter the server IP address 192.168.1.3 in the browser URL field and click Go. The HTTP session should succeed. While the HTTP session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions.

Note: If the HTTP session times out before you execute the command on R3, you will have to click the Go button on PC-C to generate a session between PC-C and PC-A.

R3# show policy-map type inspect zone-pair sessions
Zone-pair: IN-ZONE-OUT-ZONE
 Service-policy inspect : IN-2-OUT-PMAP
  Class-map: IN-NET-CLASS-MAP (match-all)
   Match: access-group 101
   Inspect
    Established Sessions
     Session 139142400 (192.168.3.3:1027)=>(192.168.1.3:80) http:tcp SIS_OPEN
      Created 00:00:02, Last heard 00:00:00
      Bytes sent (initiator:responder) [0:0]

What is the source IP address and port number?
192.168.3.3:1027 (port 1027 is an ephemeral port chosen by the client and will vary)

What is the destination IP address and port number?
192.168.1.3:80 (HTTP web = port 80)

Step 5. Close the browser on PC-C.

Task 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE

Verify that external hosts CANNOT access internal resources after configuring the zone-based policy firewall. No zone pair was defined with OUT-ZONE as the source and IN-ZONE as the destination, so ZPF drops traffic initiated in that direction; only the return traffic of sessions that the inspect action tracked from IN-ZONE is allowed back in.

Step 1. From the PC-A server command prompt, ping PC-C.
From the PC-A Command Prompt, ping PC-C at 192.168.3.3. The ping should fail.

Step 2. From router R2, ping PC-C.
From R2, ping PC-C at 192.168.3.3. The ping should fail.

Note: The zone pair governs only transit traffic between IN-ZONE and OUT-ZONE. Traffic addressed to R3's own interfaces belongs to the self zone and is not restricted by this policy.

Step 3. Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
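The session entries that show policy-map type inspect zone-pair sessions prints in Task 6 are the state the inspect action keeps, and they are what lets the replies in Task 6 through while Task 7's unsolicited traffic is dropped. The script below is an added example, not part of the Packet Tracer activity and not an IOS feature: it parses that output into session records (zone pair, initiator and responder endpoints, application, protocol, state, byte counts) and flags any session whose initiator is outside the network that ACL 101 permits, 192.168.3.0/24. The sample output is constructed: the first two sessions are the Telnet and HTTP sessions from Task 6 (with made-up byte counts on the second), and the third is fabricated only to show the check firing; with the activity's class map the firewall would never create it.

```python
"""Parse 'show policy-map type inspect zone-pair sessions' and sanity-check the sessions.

Added example, not part of the Packet Tracer activity. It extracts each session's
zone pair, initiator and responder endpoints, application, protocol, state and byte
counts, and reports any session whose initiator is not in the network the zone
pair's ACL permits (192.168.3.0/24 for ACL 101 in the activity).
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the Task 6 output. The first two sessions are the
# Telnet and HTTP sessions from the activity; the third is made up to show what
# the check reports when an initiator is not an IN-ZONE host.
SHOW_OUTPUT = """\
Zone-pair: IN-ZONE-OUT-ZONE
 Service-policy inspect : IN-2-OUT-PMAP
  Class-map: IN-NET-CLASS-MAP (match-all)
   Match: access-group 101
   Inspect
    Established Sessions
     Session 139644744 (192.168.3.3:1025)=>(10.2.2.2:23) telnet:tcp SIS_OPEN
      Created 00:00:02, Last heard 00:00:00
      Bytes sent (initiator:responder) [0:0]
     Session 139142400 (192.168.3.3:1027)=>(192.168.1.3:80) http:tcp SIS_OPEN
      Created 00:00:05, Last heard 00:00:01
      Bytes sent (initiator:responder) [412:1890]
     Session 139200000 (10.2.2.2:40000)=>(192.168.3.3:23) telnet:tcp SIS_OPEN
      Created 00:00:01, Last heard 00:00:00
      Bytes sent (initiator:responder) [0:0]
"""

SESSION_RE = re.compile(
    r"Session\s+(?P<sid>\d+)\s+\((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+(?P<app>[^:\s]+):(?P<proto>\S+)\s+(?P<state>\S+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")


@dataclass
class Session:
    zone_pair: str
    sid: str
    initiator: str   # host that opened the session (left side of =>)
    sport: int
    responder: str   # host that answered (right side of =>)
    dport: int
    app: str
    proto: str
    state: str
    bytes_in: int = 0   # sent by the initiator
    bytes_out: int = 0  # sent by the responder


def parse_sessions(text):
    """Return the Session records found in the show command output, in order."""
    sessions, zone_pair = [], None
    for line in text.splitlines():
        if m := re.match(r"\s*Zone-pair:\s+(\S+)", line):
            zone_pair = m[1]  # applies to every session listed under it
        elif m := SESSION_RE.search(line):
            sessions.append(Session(zone_pair, m["sid"], m["src"], int(m["sport"]),
                                    m["dst"], int(m["dport"]), m["app"], m["proto"], m["state"]))
        elif sessions and (m := BYTES_RE.search(line)):
            sessions[-1].bytes_in, sessions[-1].bytes_out = int(m[1]), int(m[2])
    return sessions


def unexpected_initiators(sessions, inside_net):
    """Sessions whose initiator lies outside inside_net, the source network the ACL permits."""
    net = ipaddress.ip_network(inside_net)
    return [s for s in sessions if ipaddress.ip_address(s.initiator) not in net]


if __name__ == "__main__":
    found = parse_sessions(SHOW_OUTPUT)
    for s in found:
        print(f"{s.zone_pair}: {s.initiator}:{s.sport} -> {s.responder}:{s.dport} "
              f"{s.app}/{s.proto} {s.state} [{s.bytes_in}:{s.bytes_out}]")
    for s in unexpected_initiators(found, "192.168.3.0/24"):
        print(f"unexpected initiator {s.initiator} in session {s.sid} (not in 192.168.3.0/24)")
```

Run as a script it lists the three sessions and reports the fabricated third one, whose initiator 10.2.2.2 is in OUT-ZONE. On the two real sessions the answers to the Task 6 questions fall straight out of the records: initiator 192.168.3.3 on ephemeral ports 1025 and 1027, responders 10.2.2.2:23 and 192.168.1.3:80.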