SlideShare uma empresa Scribd logo

4.4.1.3 packet tracer configuring a zone-based policy firewall (zpf) instructor

Salem Trabelsi
Salem Trabelsi

bhkg

Educação
1 de 5
Baixar para ler offline
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 5 Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF) (Instructor Version) Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only. Topology Addressing Table Device Interface IP Address Subnet Mask Default Gateway Switch Port R1 Fa0/1 192.168.1.1 255.255.255.0 N/A S1 Fa0/5 S0/0/0 (DCE) 10.1.1.1 255.255.255.252 N/A N/A R2 S0/0/0 10.1.1.2 255.255.255.252 N/A N/A S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A N/A R3 Fa0/1 192.168.3.1 255.255.255.0 N/A S3 Fa0/5 S0/0/1 10.2.2.1 255.255.255.252 N/A N/A PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 S1 Fa0/6 PC-C NIC 192.168.3.3 255.255.255.0 192.168.3.1 S3 Fa0/18 Objectives  Verify connectivity among devices before firewall configuration.  Configure a zone-based policy (ZPF) firewall on router R3.  Verify ZPF firewall functionality using ping, Telnet and a web browser. Background / Scenario Zone-based policy (ZPF) firewalls are the latest development in the evolution of Cisco firewall technologies. In this activity, you configure a basic ZPF on an edge router R3 that allows internal hosts access to external resources and blocks external hosts from accessing internal resources. You then verify firewall functionality from internal and external hosts. The routers have been pre-configured with the following: o Console password: ciscoconpa55
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF) © 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 5 o Password for vty lines: ciscovtypa55 o Enable password: ciscoenpa55 o Host names and IP addressing o Static routing Part 1: Verify Basic Network Connectivity Verify network connectivity prior to configuring the zone-based policy firewall. Step 1: From the PC-A command prompt, ping PC-C at 192.168.3.3. Step 2: From the PC-C command prompt, telnet to the Router R2 S0/0/1 interface at 10.2.2.2. Exit the Telnet session. Step 3: From PC-C, open a web browser to the PC-A server. a. Click the Desktop tab and click the Web Browser application. Enter the PC-A IP address 192.168.1.3 as the URL. The Packet Tracer welcome page from the web server should be displayed. b. Close the browser on PC-C. Part 2: Create the Firewall Zones on Router R3 Note: For all configuration tasks, be sure to use the exact names as specified. Step 1: Create an internal zone. Use the zone security command to create a zone named IN-ZONE. R3(config)# zone security IN-ZONE Step 2: Create an external zone. Use the zone security command to create a zone named OUT-ZONE. R3(config-sec-zone)# zone security OUT-ZONE R3(config-sec-zone)# exit Part 3: Define a Traffic Class and Access List Step 1: Create an ACL that defines internal traffic. Use the access-list command to create extended ACL 101 to permit all IP protocols from the 192.168.3.0/24 source network to any destination. R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any Step 2: Create a class map referencing the internal traffic ACL. Use the class-map type inspect command with the match-all option to create a class map named IN-NET- CLASS-MAP. Use the match access-group command to match ACL 101. R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP R3(config-cmap)# match access-group 101 R3(config-cmap)# exit
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF) © 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 5 Note: Although not supported in this Packet Tracer exercise, individual protocols (HTTP, FTP, etc.) can be specific to be matched using the match-any option in order to provide more precise control over what type of traffic is inspected. Part 4: Specify Firewall Policies Step 1: Create a policy map to determine what to do with matched traffic. Use the policy-map type inspect command and create a policy map named IN-2-OUT-PMAP. R3(config)# policy-map type inspect IN-2-OUT-PMAP Step 2: Specify a class type of inspect and reference class map IN-NET-CLASS-MAP. R3(config-pmap)# class type inspect IN-NET-CLASS-MAP Step 3: Specify the action of inspect for this policy map. The use of the inspect command invokes context-based access control (other options include pass and drop). R3(config-pmap-c)# inspect %No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected. Issue the exit command twice to leave config-pmap-c mode and return to config mode. R3(config-pmap-c)# exit R3(config-pmap)# exit Part 5: Apply Firewall Policies Step 1: Create a pair of zones. Using the zone-pair security command, create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created in Task 1. R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT- ZONE Step 2: Specify the policy map for handling the traffic between the two zones. Attach a policy-map and its associated actions to the zone pair using the service-policy type inspect command and reference the policy map previously created, IN-2-OUT-PMAP. R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP R3(config-sec-zone-pair)# exit R3(config)# Step 3: Assign interfaces to the appropriate security zones. Use the zone-member security command in interface configuration mode to assign Fa0/1 to IN-ZONE and S0/0/1 to OUT-ZONE. R3(config)# interface fa0/1 R3(config-if)# zone-member security IN-ZONE R3(config-if)# exit
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF) © 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 5 R3(config)# interface s0/0/1 R3(config-if)# zone-member security OUT-ZONE R3(config-if)# exit Step 4: Copy the running configuration to the startup configuration. Part 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE Verify that internal hosts can still access external resources after configuring the zone-based policy firewall. Step 1: From internal PC-C, ping the external PC-A server. From the PC-C command prompt, ping PC-A at 192.168.1.3. The ping should succeed. Step 2: From internal PC-C, telnet to the router R2 S0/0/1 interface. a. From the PC-C command prompt, telnet to R2 at 10.2.2.2 and provide the vty password ciscovtypa55. The Telnet session should succeed. b. While the Telnet session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions. R3# show policy-map type inspect zone-pair sessions Zone-pair: IN-ZONE-OUT-ZONE Service-policy inspect : IN-2-OUT-PMAP Class-map: IN-NET-CLASS-MAP (match-all) Match: access-group 101 Inspect Established Sessions Session 218154328 (192.168.3.3:1025)=>(10.2.2.2:23) :tcp SIS_OPEN Created 00:03:07, Last heard 00:02:54 Bytes sent (initiator:responder) [0:0] Class-map: class-default (match-any) Match: any Drop (default action) 0 packets, 0 bytes What is the source IP address and port number? ____________________________________________________________________________________ 192.168.3.3:1025 (port 1025 is random) What is the destination IP address and port number? ____________________________________________________________________________________ 10.2.2.2:23 (Telnet = port 23)
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF) © 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 5 Step 3: From PC-C, exit the Telnet session on R2 and close the command prompt window. Step 4: From internal PC-C, open a web browser to the PC-A server web page. Enter the server IP address 192.168.1.3 in the browser URL field, and click Go. The HTTP session should succeed. While the HTTP session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions. Note: If the HTTP session times out before you execute the command on R3, you will have to click the Go button on PC-C to generate a session between PC-C and PC-A. R3# show policy-map type inspect zone-pair sessions Zone-pair: IN-ZONE-OUT-ZONE Service-policy inspect : IN-2-OUT-PMAP Class-map: IN-NET-CLASS-MAP (match-all) Match: access-group 101 Inspect Established Sessions Session 167029736 (192.168.3.3:1027)=>(192.168.1.3:80) :tcp SIS_OPEN Created 00:00:01, Last heard 00:00:01 Bytes sent (initiator:responder) [0:0] Class-map: class-default (match-any) Match: any Drop (default action) 0 packets, 0 bytes What is the source IP address and port number? _______________________________________________________________________________________ 192.168.3.3:1027 (port 1027 is random) What is the destination IP address and port number? _______________________________________________________________________________________ 192.168.1.3:80 (HTTP web = port 80) Step 5: Close the Browser on PC-C. Part 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE Verify that external hosts CANNOT access internal resources after configuring the zone-based policy firewall. Step 1: From the PC-A server command prompt, ping PC-C. From the PC-A command prompt, ping PC-C at 192.168.3.3. The ping should fail. Step 2: From router R2, ping PC-C. From R2, ping PC-C at 192.168.3.3. The ping should fail. Step 3: Check results. Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.

Recomendados

4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructorSalem Trabelsi
 
6.5.1.2 packet tracer layer 2 security instructor
6.5.1.2 packet tracer layer 2 security instructor6.5.1.2 packet tracer layer 2 security instructor
6.5.1.2 packet tracer layer 2 security instructorSalem Trabelsi
 
Router configuration in packet tracer
Router configuration in packet tracerRouter configuration in packet tracer
Router configuration in packet tracerAnabia Anabia
 
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...Salem Trabelsi
 
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...Salem Trabelsi
 
Cisco CCNA- NAT Configuration
Cisco CCNA- NAT ConfigurationCisco CCNA- NAT Configuration
Cisco CCNA- NAT ConfigurationHamed Moghaddam
 
MikroTik Security
MikroTik SecurityMikroTik Security
MikroTik SecurityRofiq Fauzi
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideHarris Andrea
 

Recomendados

4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructorSalem Trabelsi
 
6.5.1.2 packet tracer layer 2 security instructor
6.5.1.2 packet tracer layer 2 security instructor6.5.1.2 packet tracer layer 2 security instructor
6.5.1.2 packet tracer layer 2 security instructorSalem Trabelsi
 
Router configuration in packet tracer
Router configuration in packet tracerRouter configuration in packet tracer
Router configuration in packet tracerAnabia Anabia
 
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...Salem Trabelsi
 
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...Salem Trabelsi
 
Cisco CCNA- NAT Configuration
Cisco CCNA- NAT ConfigurationCisco CCNA- NAT Configuration
Cisco CCNA- NAT ConfigurationHamed Moghaddam
 
MikroTik Security
MikroTik SecurityMikroTik Security
MikroTik SecurityRofiq Fauzi
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideHarris Andrea
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS NetProtocol Xpert
 
MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - English MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - EnglishAdhie Lesmana
 
2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - igAlex Ramirez
 
Mail server on using cisco packet tracer
Mail server on using cisco packet tracerMail server on using cisco packet tracer
Mail server on using cisco packet tracerSabrinaUporna
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOSFaelix Ltd
 
Cisco router configuration tutorial
Cisco router configuration tutorialCisco router configuration tutorial
Cisco router configuration tutorialIT Tech
 
How to configure port security in cisco switch
How to configure port security in cisco switchHow to configure port security in cisco switch
How to configure port security in cisco switchIT Tech
 
CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6Nil Menon
 
6.5.1.3 packet tracer layer 2 vlan security instructor
6.5.1.3 packet tracer layer 2 vlan security instructor6.5.1.3 packet tracer layer 2 vlan security instructor
6.5.1.3 packet tracer layer 2 vlan security instructorSalem Trabelsi
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
 
MikroTik MTCNA
MikroTik MTCNAMikroTik MTCNA
MikroTik MTCNAAli Layth
 
01- intro to firewall concepts
01- intro to firewall concepts01- intro to firewall concepts
01- intro to firewall conceptsMostafa El Lathy
 
OpenCanary and Canary Tokens
OpenCanary and Canary TokensOpenCanary and Canary Tokens
OpenCanary and Canary TokensMats Karlsson
 
Access Control List & its Types
Access Control List & its TypesAccess Control List & its Types
Access Control List & its TypesNetwax Lab
 
Ftp server configuration on cisco packet tracer
Ftp server configuration on cisco packet tracerFtp server configuration on cisco packet tracer
Ftp server configuration on cisco packet tracerprodhan999
 
Ccna rse dynamic routing
Ccna rse dynamic routingCcna rse dynamic routing
Ccna rse dynamic routingnewbie2019
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logicAlberto Rivai
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughThomas Graf
 
CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09Irsandi Hasan
 
Sc manual
Sc manualSc manual
Sc manualMugdhaDeodhar
 
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxAll contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxgalerussel59292
 

Mais conteúdo relacionado

Mais procurados

SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS NetProtocol Xpert
 
MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - English MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - EnglishAdhie Lesmana
 
2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - igAlex Ramirez
 
Mail server on using cisco packet tracer
Mail server on using cisco packet tracerMail server on using cisco packet tracer
Mail server on using cisco packet tracerSabrinaUporna
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOSFaelix Ltd
 
Cisco router configuration tutorial
Cisco router configuration tutorialCisco router configuration tutorial
Cisco router configuration tutorialIT Tech
 
How to configure port security in cisco switch
How to configure port security in cisco switchHow to configure port security in cisco switch
How to configure port security in cisco switchIT Tech
 
CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6Nil Menon
 
6.5.1.3 packet tracer layer 2 vlan security instructor
6.5.1.3 packet tracer layer 2 vlan security instructor6.5.1.3 packet tracer layer 2 vlan security instructor
6.5.1.3 packet tracer layer 2 vlan security instructorSalem Trabelsi
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
 
MikroTik MTCNA
MikroTik MTCNAMikroTik MTCNA
MikroTik MTCNAAli Layth
 
01- intro to firewall concepts
01- intro to firewall concepts01- intro to firewall concepts
01- intro to firewall conceptsMostafa El Lathy
 
OpenCanary and Canary Tokens
OpenCanary and Canary TokensOpenCanary and Canary Tokens
OpenCanary and Canary TokensMats Karlsson
 
Access Control List & its Types
Access Control List & its TypesAccess Control List & its Types
Access Control List & its TypesNetwax Lab
 
Ftp server configuration on cisco packet tracer
Ftp server configuration on cisco packet tracerFtp server configuration on cisco packet tracer
Ftp server configuration on cisco packet tracerprodhan999
 
Ccna rse dynamic routing
Ccna rse dynamic routingCcna rse dynamic routing
Ccna rse dynamic routingnewbie2019
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logicAlberto Rivai
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughThomas Graf
 
CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09Irsandi Hasan
 

Mais procurados (20)

SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
 
MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - English MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - English
 
2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig
 
Mail server on using cisco packet tracer
Mail server on using cisco packet tracerMail server on using cisco packet tracer
Mail server on using cisco packet tracer
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOS
 
Cisco router configuration tutorial
Cisco router configuration tutorialCisco router configuration tutorial
Cisco router configuration tutorial
 
How to configure port security in cisco switch
How to configure port security in cisco switchHow to configure port security in cisco switch
How to configure port security in cisco switch
 
CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6
 
6.5.1.3 packet tracer layer 2 vlan security instructor
6.5.1.3 packet tracer layer 2 vlan security instructor6.5.1.3 packet tracer layer 2 vlan security instructor
6.5.1.3 packet tracer layer 2 vlan security instructor
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux Kernel
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
 
MikroTik MTCNA
MikroTik MTCNAMikroTik MTCNA
MikroTik MTCNA
 
01- intro to firewall concepts
01- intro to firewall concepts01- intro to firewall concepts
01- intro to firewall concepts
 
OpenCanary and Canary Tokens
OpenCanary and Canary TokensOpenCanary and Canary Tokens
OpenCanary and Canary Tokens
 
Access Control List & its Types
Access Control List & its TypesAccess Control List & its Types
Access Control List & its Types
 
Ftp server configuration on cisco packet tracer
Ftp server configuration on cisco packet tracerFtp server configuration on cisco packet tracer
Ftp server configuration on cisco packet tracer
 
Ccna rse dynamic routing
Ccna rse dynamic routingCcna rse dynamic routing
Ccna rse dynamic routing
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logic
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
 
CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09
 

Semelhante a 4.4.1.3 packet tracer configuring a zone-based policy firewall (zpf) instructor

All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxAll contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxgalerussel59292
 
managing your network environment
managing your network environmentmanaging your network environment
managing your network environmentscooby_doo
 
CCNA Connecting NetworksSA ExamLab 13 CCNA Connecting Netwo.docx
CCNA Connecting NetworksSA ExamLab 13 CCNA Connecting Netwo.docxCCNA Connecting NetworksSA ExamLab 13 CCNA Connecting Netwo.docx
CCNA Connecting NetworksSA ExamLab 13 CCNA Connecting Netwo.docxketurahhazelhurst
 
Labpractice1 configuringbasicroutingandswitchingwithanswer-121214084802-phpapp02
Labpractice1 configuringbasicroutingandswitchingwithanswer-121214084802-phpapp02Labpractice1 configuringbasicroutingandswitchingwithanswer-121214084802-phpapp02
Labpractice1 configuringbasicroutingandswitchingwithanswer-121214084802-phpapp02Abhilash Kuniyil
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornmentAsif
 
Configure Cisco Routers for Syslog, NTP, and SSH Operations
Configure Cisco Routers for Syslog, NTP, and SSH Operations Configure Cisco Routers for Syslog, NTP, and SSH Operations
Configure Cisco Routers for Syslog, NTP, and SSH Operations Kelson Silva
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Saad baig practical file
Saad baig practical fileSaad baig practical file
Saad baig practical fileSaadBaig33
 
Lab 9 instructions
Lab 9 instructionsLab 9 instructions
Lab 9 instructionstrayyoo
 
Network topology by essay corp uk
Network topology by essay corp ukNetwork topology by essay corp uk
Network topology by essay corp ukJohnsmith5188
 
119163798 icnd1-practice-questions-9tut
119163798 icnd1-practice-questions-9tut119163798 icnd1-practice-questions-9tut
119163798 icnd1-practice-questions-9tutnicolelemmimg
 
Ccnav5.org ccna 4-v5_practice_skills_assessment__packet_tracer
Ccnav5.org ccna 4-v5_practice_skills_assessment__packet_tracerCcnav5.org ccna 4-v5_practice_skills_assessment__packet_tracer
Ccnav5.org ccna 4-v5_practice_skills_assessment__packet_tracerĐồng Quốc Vương
 
Student packet tracer manual v1.1
Student packet tracer manual v1.1Student packet tracer manual v1.1
Student packet tracer manual v1.1milkux
 
Frame relay
Frame relayFrame relay
Frame relayIhda N
 
General lab documentation~cisco router configuration
General lab documentation~cisco router configurationGeneral lab documentation~cisco router configuration
General lab documentation~cisco router configurationsayedatif
 
Id. 01 router (computing)
Id. 01 router (computing)Id. 01 router (computing)
Id. 01 router (computing)Rawa KirKuKi
 

Semelhante a 4.4.1.3 packet tracer configuring a zone-based policy firewall (zpf) instructor (20)

Sc manual
Sc manualSc manual
Sc manual
 
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxAll contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
 
managing your network environment
managing your network environmentmanaging your network environment
managing your network environment
 
CCNA Connecting NetworksSA ExamLab 13 CCNA Connecting Netwo.docx
CCNA Connecting NetworksSA ExamLab 13 CCNA Connecting Netwo.docxCCNA Connecting NetworksSA ExamLab 13 CCNA Connecting Netwo.docx
CCNA Connecting NetworksSA ExamLab 13 CCNA Connecting Netwo.docx
 
Labpractice1 configuringbasicroutingandswitchingwithanswer-121214084802-phpapp02
Labpractice1 configuringbasicroutingandswitchingwithanswer-121214084802-phpapp02Labpractice1 configuringbasicroutingandswitchingwithanswer-121214084802-phpapp02
Labpractice1 configuringbasicroutingandswitchingwithanswer-121214084802-phpapp02
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornment
 
Configure Cisco Routers for Syslog, NTP, and SSH Operations
Configure Cisco Routers for Syslog, NTP, and SSH Operations Configure Cisco Routers for Syslog, NTP, and SSH Operations
Configure Cisco Routers for Syslog, NTP, and SSH Operations
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Saad baig practical file
Saad baig practical fileSaad baig practical file
Saad baig practical file
 
Lab 9 instructions
Lab 9 instructionsLab 9 instructions
Lab 9 instructions
 
lab1
lab1lab1
lab1
 
Network topology by essay corp uk
Network topology by essay corp ukNetwork topology by essay corp uk
Network topology by essay corp uk
 
TN566 labs
TN566 labsTN566 labs
TN566 labs
 
119163798 icnd1-practice-questions-9tut
119163798 icnd1-practice-questions-9tut119163798 icnd1-practice-questions-9tut
119163798 icnd1-practice-questions-9tut
 
Ccnav5.org ccna 4-v5_practice_skills_assessment__packet_tracer
Ccnav5.org ccna 4-v5_practice_skills_assessment__packet_tracerCcnav5.org ccna 4-v5_practice_skills_assessment__packet_tracer
Ccnav5.org ccna 4-v5_practice_skills_assessment__packet_tracer
 
Student packet tracer manual v1.1
Student packet tracer manual v1.1Student packet tracer manual v1.1
Student packet tracer manual v1.1
 
CCNA 1 Final v5.0 2014
CCNA 1 Final v5.0 2014CCNA 1 Final v5.0 2014
CCNA 1 Final v5.0 2014
 
Frame relay
Frame relayFrame relay
Frame relay
 
General lab documentation~cisco router configuration
General lab documentation~cisco router configurationGeneral lab documentation~cisco router configuration
General lab documentation~cisco router configuration
 
Id. 01 router (computing)
Id. 01 router (computing)Id. 01 router (computing)
Id. 01 router (computing)
 

Último

Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 

Último (20)

Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 

4.4.1.3 packet tracer configuring a zone-based policy firewall (zpf) instructor

  • 1. © 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 5 Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF) (Instructor Version) Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only. Topology Addressing Table Device Interface IP Address Subnet Mask Default Gateway Switch Port R1 Fa0/1 192.168.1.1 255.255.255.0 N/A S1 Fa0/5 S0/0/0 (DCE) 10.1.1.1 255.255.255.252 N/A N/A R2 S0/0/0 10.1.1.2 255.255.255.252 N/A N/A S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A N/A R3 Fa0/1 192.168.3.1 255.255.255.0 N/A S3 Fa0/5 S0/0/1 10.2.2.1 255.255.255.252 N/A N/A PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 S1 Fa0/6 PC-C NIC 192.168.3.3 255.255.255.0 192.168.3.1 S3 Fa0/18 Objectives  Verify connectivity among devices before firewall configuration.  Configure a zone-based policy (ZPF) firewall on router R3.  Verify ZPF firewall functionality using ping, Telnet and a web browser. Background / Scenario Zone-based policy (ZPF) firewalls are the latest development in the evolution of Cisco firewall technologies. In this activity, you configure a basic ZPF on an edge router R3 that allows internal hosts access to external resources and blocks external hosts from accessing internal resources. You then verify firewall functionality from internal and external hosts. The routers have been pre-configured with the following: o Console password: ciscoconpa55
  • 2. Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF) © 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 5 o Password for vty lines: ciscovtypa55 o Enable password: ciscoenpa55 o Host names and IP addressing o Static routing Part 1: Verify Basic Network Connectivity Verify network connectivity prior to configuring the zone-based policy firewall. Step 1: From the PC-A command prompt, ping PC-C at 192.168.3.3. Step 2: From the PC-C command prompt, telnet to the Router R2 S0/0/1 interface at 10.2.2.2. Exit the Telnet session. Step 3: From PC-C, open a web browser to the PC-A server. a. Click the Desktop tab and click the Web Browser application. Enter the PC-A IP address 192.168.1.3 as the URL. The Packet Tracer welcome page from the web server should be displayed. b. Close the browser on PC-C. Part 2: Create the Firewall Zones on Router R3 Note: For all configuration tasks, be sure to use the exact names as specified. Step 1: Create an internal zone. Use the zone security command to create a zone named IN-ZONE. R3(config)# zone security IN-ZONE Step 2: Create an external zone. Use the zone security command to create a zone named OUT-ZONE. R3(config-sec-zone)# zone security OUT-ZONE R3(config-sec-zone)# exit Part 3: Define a Traffic Class and Access List Step 1: Create an ACL that defines internal traffic. Use the access-list command to create extended ACL 101 to permit all IP protocols from the 192.168.3.0/24 source network to any destination. R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any Step 2: Create a class map referencing the internal traffic ACL. Use the class-map type inspect command with the match-all option to create a class map named IN-NET- CLASS-MAP. Use the match access-group command to match ACL 101. R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP R3(config-cmap)# match access-group 101 R3(config-cmap)# exit
  • 3. Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF) © 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 5 Note: Although not supported in this Packet Tracer exercise, individual protocols (HTTP, FTP, etc.) can be specific to be matched using the match-any option in order to provide more precise control over what type of traffic is inspected. Part 4: Specify Firewall Policies Step 1: Create a policy map to determine what to do with matched traffic. Use the policy-map type inspect command and create a policy map named IN-2-OUT-PMAP. R3(config)# policy-map type inspect IN-2-OUT-PMAP Step 2: Specify a class type of inspect and reference class map IN-NET-CLASS-MAP. R3(config-pmap)# class type inspect IN-NET-CLASS-MAP Step 3: Specify the action of inspect for this policy map. The use of the inspect command invokes context-based access control (other options include pass and drop). R3(config-pmap-c)# inspect %No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected. Issue the exit command twice to leave config-pmap-c mode and return to config mode. R3(config-pmap-c)# exit R3(config-pmap)# exit Part 5: Apply Firewall Policies Step 1: Create a pair of zones. Using the zone-pair security command, create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created in Task 1. R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT- ZONE Step 2: Specify the policy map for handling the traffic between the two zones. Attach a policy-map and its associated actions to the zone pair using the service-policy type inspect command and reference the policy map previously created, IN-2-OUT-PMAP. R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP R3(config-sec-zone-pair)# exit R3(config)# Step 3: Assign interfaces to the appropriate security zones. Use the zone-member security command in interface configuration mode to assign Fa0/1 to IN-ZONE and S0/0/1 to OUT-ZONE. R3(config)# interface fa0/1 R3(config-if)# zone-member security IN-ZONE R3(config-if)# exit
  • 4. Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF) © 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 5 R3(config)# interface s0/0/1 R3(config-if)# zone-member security OUT-ZONE R3(config-if)# exit Step 4: Copy the running configuration to the startup configuration. Part 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE Verify that internal hosts can still access external resources after configuring the zone-based policy firewall. Step 1: From internal PC-C, ping the external PC-A server. From the PC-C command prompt, ping PC-A at 192.168.1.3. The ping should succeed. Step 2: From internal PC-C, telnet to the router R2 S0/0/1 interface. a. From the PC-C command prompt, telnet to R2 at 10.2.2.2 and provide the vty password ciscovtypa55. The Telnet session should succeed. b. While the Telnet session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions. R3# show policy-map type inspect zone-pair sessions Zone-pair: IN-ZONE-OUT-ZONE Service-policy inspect : IN-2-OUT-PMAP Class-map: IN-NET-CLASS-MAP (match-all) Match: access-group 101 Inspect Established Sessions Session 218154328 (192.168.3.3:1025)=>(10.2.2.2:23) :tcp SIS_OPEN Created 00:03:07, Last heard 00:02:54 Bytes sent (initiator:responder) [0:0] Class-map: class-default (match-any) Match: any Drop (default action) 0 packets, 0 bytes What is the source IP address and port number? ____________________________________________________________________________________ 192.168.3.3:1025 (port 1025 is random) What is the destination IP address and port number? ____________________________________________________________________________________ 10.2.2.2:23 (Telnet = port 23)
  • 5. Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF) © 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 5 Step 3: From PC-C, exit the Telnet session on R2 and close the command prompt window. Step 4: From internal PC-C, open a web browser to the PC-A server web page. Enter the server IP address 192.168.1.3 in the browser URL field, and click Go. The HTTP session should succeed. While the HTTP session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions. Note: If the HTTP session times out before you execute the command on R3, you will have to click the Go button on PC-C to generate a session between PC-C and PC-A. R3# show policy-map type inspect zone-pair sessions Zone-pair: IN-ZONE-OUT-ZONE Service-policy inspect : IN-2-OUT-PMAP Class-map: IN-NET-CLASS-MAP (match-all) Match: access-group 101 Inspect Established Sessions Session 167029736 (192.168.3.3:1027)=>(192.168.1.3:80) :tcp SIS_OPEN Created 00:00:01, Last heard 00:00:01 Bytes sent (initiator:responder) [0:0] Class-map: class-default (match-any) Match: any Drop (default action) 0 packets, 0 bytes What is the source IP address and port number? _______________________________________________________________________________________ 192.168.3.3:1027 (port 1027 is random) What is the destination IP address and port number? _______________________________________________________________________________________ 192.168.1.3:80 (HTTP web = port 80) Step 5: Close the Browser on PC-C. Part 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE Verify that external hosts CANNOT access internal resources after configuring the zone-based policy firewall. Step 1: From the PC-A server command prompt, ping PC-C. From the PC-A command prompt, ping PC-C at 192.168.3.3. The ping should fail. Step 2: From router R2, ping PC-C. From R2, ping PC-C at 192.168.3.3. The ping should fail. Step 3: Check results. Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.