SIC Practical 5

This document provides steps to configure a zone-based firewall policy on a router to control traffic between internal and external networks. It involves enabling security licenses, creating internal and external zones, defining an access control list and class map for internal traffic, creating a policy map to inspect the traffic, applying the policy between the zones, and assigning interfaces to the zones. The functionality is then tested by verifying internal hosts can still access external resources but external hosts cannot access internal resources.
R. K. Talreja College Security in Computing

Practical No. 5
Aim: Configuring a Zone-Based Policy Firewall.
Topology:

Step 1: Configuring PCs and Router.


PC-A Config:

TY. BSc IT. Sem VI



PC-B Config:

R1 Config:


Server Config:


Step 2: Create the Firewall Zones on R1.


1: Enable the Security Technology package.

a. On R1, issue the show version command to view the Technology Package license
information.

b. If the Security Technology package has not been enabled, use the following command to
enable the package.

R1(config)# license boot module c1900 technology-package securityk9

c. Accept the end-user license agreement.

d. Save the running-config and reload the router to enable the security license.

e. Verify that the Security Technology package has been enabled by using the show version
command.

2: Create an internal zone. Use the zone security command.

To create the internal zone:

R1(config)# zone security internal

R1(config-sec-zone)# exit

3: Create an external zone. Use the zone security command.

To create the external zone:

R1(config)# zone security external

R1(config-sec-zone)# exit

Step 3: Identify Traffic Using a Class-Map

1: Create an ACL that defines internal traffic.

Use the ip access-list extended command to create extended ACL 101. Its single permit entry selects any traffic sourced from the inside subnet 192.168.0.0/24 (PC-A and PC-B), regardless of destination.

R1(config)# ip access-list extended 101

R1(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 any

R1(config-ext-nacl)# exit


2: Create a class map referencing the internal traffic ACL.

Use the class-map type inspect command with the match-all option. Use the match access-group command to match ACL 101.

R1(config)# class-map type inspect match-all 101

R1(config-cmap)# match access-group name 101

R1(config-cmap)# exit

Step 4: Specify Firewall Policies

1: Create a policy map to determine what to do with matched traffic. Use the policy-map
type inspect command and create a policy map named 101.

R1(config) # policy-map type inspect 101

2: Specify a class type of inspect and reference class map 101.

R1(config-pmap) # class type inspect 101

3: Specify the action of inspect for this policy map.

The inspect action invokes stateful inspection (the successor of context-based access control, CBAC): a session entry is created for each flow initiated in the source zone, and only the matching return traffic is allowed back in the reverse direction. The other actions are pass, which forwards matching traffic statelessly so return traffic is not automatically permitted, and drop.

R1(config-pmap-c)# inspect
%No specific protocol configured in class 101 for inspection. All protocols will be inspected

R1(config-pmap-c)# exit

R1(config-pmap)# exit

Step 5: Apply Firewall Policies

1: Create a zone pair.

Using the zone-pair security command, create a zone pair named 101 with internal as the source zone and external as the destination zone. A zone pair is unidirectional: this one governs traffic initiated from internal toward external only, and because no pair is created in the opposite direction, sessions initiated from external toward internal are dropped.

R1(config)# zone-pair security 101 source internal destination external

2: Specify the policy map for handling the traffic between the two zones.

Attach a policy-map and its associated actions to the zone pair using the service-policy type
inspect command and reference the policy map previously created, 101.


R1(config-sec-zone-pair)# service-policy type inspect 101

R1(config-sec-zone-pair)# exit

3: Assign interfaces to the appropriate security zones.

Use the zone-member security command in interface configuration mode to assign gi 0/0 to
internal and gi 0/1 to external.

R1(config)# interface gi 0/0

R1(config-if)# zone-member security internal

R1(config-if)# exit

R1(config)# interface gi 0/1

R1(config-if)# zone-member security external

R1(config-if)# exit

4: Copy the running configuration to the startup configuration.
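The whole build from Steps 2 to 5, collected here as one pasteable block. This is an added example, not the lab's own listing: the zone names, the name 101 used for the ACL, class map, policy map and zone pair, the inside subnet and the interface roles are taken from the steps above; the comments and the closing copy command are additions. It assumes the securityk9 package is already active on R1 (Step 2, item 1).

```cisco
! Added example (not the lab's listing): ZPF build for R1, Steps 2-5.
! Assumes the securityk9 technology package is already enabled.
configure terminal
!
! Zones. Traffic between two interfaces is forwarded only if both are in a
! zone and a zone pair with a policy covers that direction; traffic within
! one zone is allowed, traffic between a zoned and an unzoned interface is
! dropped.
zone security internal
 exit
zone security external
 exit
!
! Class map: match-all with one ACL match, so anything sourced from the
! inside subnet 192.168.0.0/24 is selected for inspection.
ip access-list extended 101
 permit ip 192.168.0.0 0.0.0.255 any
 exit
class-map type inspect match-all 101
 match access-group name 101
 exit
!
! Policy map: "inspect" records a session for each inside-initiated flow so
! its replies are allowed back. Unmatched traffic falls into class-default,
! whose implicit action is drop.
policy-map type inspect 101
 class type inspect 101
  inspect
  exit
 exit
!
! Zone pair: direction matters. Only internal -> external is defined, so
! new sessions arriving from the external zone have no pair and are dropped.
zone-pair security 101 source internal destination external
 service-policy type inspect 101
 exit
!
! Interface membership: the policy takes effect only once both interfaces
! are zoned.
interface GigabitEthernet0/0
 zone-member security internal
 exit
interface GigabitEthernet0/1
 zone-member security external
 exit
end
! Step 5, item 4: persist the configuration across a reload.
copy running-config startup-config
```

Paste it in one go on a router whose interfaces already carry the addresses from Step 1; the order matters only in that the class map must exist before the policy map references it, and the policy map before the zone pair references it.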

Step 6: Test Firewall Functionality from internal to external.


Verify that internal hosts can still access external resources after configuring the ZPF.
1: From internal PC-B, ping the external Server.
From the PC-B command prompt, ping Server at 10.10.10.2. The ping should succeed.


2: From internal PC-A, ping the external Server.
From the PC-A command prompt, ping Server at 10.10.10.2. The ping should succeed.

Step 7: Test Firewall Functionality from external to internal.


Verify that external hosts CANNOT access internal resources after configuring the ZPF.
1: From the Server command prompt, ping PC-B.
From the Server command prompt, ping PC-B at 192.168.0.2. The ping should fail.


2: From the Server command prompt, ping PC-A.
From the Server command prompt, ping PC-A at 192.168.0.3. The ping should fail.

3: Check results. Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
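The pings in Steps 6 and 7 show only the outcome. The following commands, added here as an example and not part of the lab, are run on R1 while those pings are in progress and show the firewall state that produces each result. The command names are standard IOS ZPF show commands; the zone-pair name 101 is the lab's.

```cisco
! Added example, not part of the lab: run on R1 during the Step 6 and
! Step 7 pings to see the ZPF state behind the ping results.
!
! Both zones with their member interfaces, and the one zone pair with its
! attached inspect policy. An interface missing from its zone is the usual
! cause of all traffic being dropped.
show zone security
show zone-pair security
!
! During the PC-B -> Server ping (Step 6) an icmp session sourced from
! 192.168.0.2 appears under zone-pair 101; that entry is what lets the
! echo-replies back through in the external -> internal direction.
show policy-map type inspect zone-pair 101 sessions
!
! During the Server -> PC-B ping (Step 7) nothing appears: the packet is
! external -> internal, a direction with no zone pair, so it is dropped
! before any class map is evaluated. The per-class counters of the inspect
! policy therefore stay unchanged.
show policy-map type inspect zone-pair 101
!
! Caveat: do not test with pings sourced from R1 itself. Router-originated
! and router-destined traffic belongs to the built-in "self" zone, which is
! permitted by default until a zone pair involving "self" is configured, so
! such pings succeed regardless of the internal/external policy.
```

If the Step 6 ping succeeds but no session is listed, the traffic did not match class 101 (check the ACL source range against the PC addresses) and is being forwarded for some other reason, for example both interfaces sitting in the same zone.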
