
From PC-C, Open A Web Browser To The PC-A Server

The document outlines a series of networking tasks involving pinging devices, SSH access, and configuring firewall zones and policies on routers. It details commands for enabling security features on R3, creating security zones, applying access control lists, and testing firewall functionality between internal and external zones. The document also includes instructions for verifying established sessions and expected outcomes for various network tests.

P5

From the PC-A command prompt, ping PC-C at 192.168.3.3.


Access R2 using SSH.
From the PC-C command prompt, SSH to the S0/0/1 interface on R2 at 10.2.2.2.
Use the username Admin and password Adminpa55 to log in.
PC> ssh -l Admin 10.2.2.2

Exit the SSH session.

From PC-C, open a web browser to the PC-A server.


a. Click the Desktop tab and then click the Web Browser application.
Enter the PC-A IP address 192.168.1.3 as the URL. The Packet Tracer
welcome page from the web server should be displayed.
b. Close the browser on PC-C.

Create the Firewall Zones on R3


a. On R3, issue the show version command to view the Technology Package
license information.
b. If the Security Technology package has not been enabled, use the following
command to enable the package.
R3(config)# license boot module c1900 technology-package securityk9
c. Accept the end-user license agreement.
d. Save the running-config and reload the router to enable the security license.

e. Verify that the Security Technology package has been enabled by
using the show version command.
Create an internal zone.
R3(config)# zone security IN-ZONE
R3(config-sec-zone)# exit

Create an external zone.

R3(config)# zone security OUT-ZONE
R3(config-sec-zone)# exit

Create an ACL that defines internal traffic.


R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any
R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)# match access-group 101
R3(config-cmap)# exit
R3(config)# policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP
R3(config-pmap-c)# inspect

%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.

R3(config-pmap-c)# exit
R3(config-pmap)# exit
Apply Firewall Policies
R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit
R3(config)#
R3(config)# interface g0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
R3(config-if)# exit

Test Firewall Functionality from IN-ZONE to OUT-ZONE


From the PC-C command prompt, ping PC-A at 192.168.1.3. The ping
should succeed.

From internal PC-C, SSH to the R2 S0/0/1 interface.


a. From the PC-C command prompt, SSH to R2 at 10.2.2.2. Use the
username Admin and the password Adminpa55 to access R2. The
SSH session should succeed.
b. While the SSH session is active, issue the command
show policy-map type inspect zone-pair sessions on R3 to view
established sessions.
R3# show policy-map type inspect zone-pair sessions

policy exists on zp IN-2-OUT-ZPAIR
Zone-pair: IN-2-OUT-ZPAIR
Service-policy inspect : IN-2-OUT-PMAP
Class-map: IN-NET-CLASS-MAP (match-all)
Match: access-group 101
Inspect
Number of Established Sessions = 1
Established Sessions
Session 175216232 (192.168.3.3:1028)=>(10.2.2.2:22) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:25, Last heard 00:00:20
Bytes sent (initiator:responder) [1195:1256]
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes

What is the source IP address and port number?
192.168.3.3:1028 (port 1028 is random)

What is the destination IP address and port number?


10.2.2.2:22 (SSH = port 22)

From PC-C, exit the SSH session on R2 and close the command
prompt window.
From internal PC-C, open a web browser to the PC-A server web
page.
Enter the server IP address 192.168.1.3 in the browser URL field, and
click Go. The HTTP session should succeed. While the HTTP session is
active, issue the command show policy-map type inspect zone-pair
sessions on R3 to view established sessions.
Note: If the HTTP session times out before you execute the command
on R3, you will have to click the Go button on PC-C to generate a
session between PC-C and PC-A.

R3# show policy-map type inspect zone-pair sessions

policy exists on zp IN-2-OUT-ZPAIR
Zone-pair: IN-2-OUT-ZPAIR
Service-policy inspect : IN-2-OUT-PMAP
Class-map: IN-NET-CLASS-MAP (match-all)
Match: access-group 101
Inspect
Number of Established Sessions = 1
Established Sessions
Session 565266624 (192.168.3.3:1031)=>(192.168.1.3:80) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:01, Last heard 00:00:01
Bytes sent (initiator:responder) [284:552]
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes

What is the source IP address and port number?


192.168.3.3:1031 (port 1031 is random)

What is the destination IP address and port number?


192.168.1.3:80 (HTTP web = port 80)
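
The two questions above can be answered mechanically from the show output. The following Python parser is an added example, not part of the original lab; the sample text is constructed by merging the two session entries shown above, and the function names are hypothetical. It also checks that every session was initiated from the ACL 101 network.

```python
import ipaddress
import re

# Source network of ACL 101 (192.168.3.0 0.0.0.255) written as a prefix.
INSIDE_NET = ipaddress.ip_network("192.168.3.0/24")

# \s+ also spans a line break, so a session line wrapped before the state still parses.
SESSION_RE = re.compile(
    r"Session\s+(?P<id>\d+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>\S+)"
)
COUNT_RE = re.compile(r"Number of Established Sessions\s*=\s*(\d+)")

# Constructed sample: the two session entries shown in the lab, merged into one capture.
SAMPLE = """\
Zone-pair: IN-2-OUT-ZPAIR
Service-policy inspect : IN-2-OUT-PMAP
Class-map: IN-NET-CLASS-MAP (match-all)
Match: access-group 101
Inspect
Number of Established Sessions = 2
Established Sessions
Session 175216232 (192.168.3.3:1028)=>(10.2.2.2:22) tcp
SIS_OPEN/TCP_ESTAB
Session 565266624 (192.168.3.3:1031)=>(192.168.1.3:80) tcp SIS_OPEN/TCP_ESTAB
"""


def parse_sessions(text):
    """Return one dict per established session, with ports as integers."""
    sessions = []
    for m in SESSION_RE.finditer(text):
        s = m.groupdict()
        s["sport"], s["dport"] = int(s["sport"]), int(s["dport"])
        sessions.append(s)
    return sessions


def audit(text, inside=INSIDE_NET):
    """Flag count mismatches and sessions not initiated from the inside network."""
    sessions = parse_sessions(text)
    reported = sum(int(n) for n in COUNT_RE.findall(text))
    findings = []
    if reported != len(sessions):
        findings.append(f"router reports {reported} sessions, parsed {len(sessions)}")
    for s in sessions:
        if ipaddress.ip_address(s["src"]) not in inside:
            findings.append(f"session {s['id']}: initiator {s['src']} not in {inside}")
    return findings
```

An empty list from audit() means the session table is consistent with the IN-2-OUT policy.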

Test Firewall Functionality from OUT-ZONE to IN-ZONE

From the PC-A server command prompt, ping PC-C.


From the PC-A command prompt, ping PC-C at 192.168.3.3. The ping
should fail.
From R2, ping PC-C.
From R2, ping PC-C at 192.168.3.3. The ping should fail.
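
Why the inbound pings fail while replies to PC-C's own sessions pass: the following Python model of R3's policy is an added example, not part of the original lab. It is a simplification (no self zone, no timeouts, no TCP state tracking), and the host 192.168.4.9 and all function names are constructed for illustration.

```python
import ipaddress

# R3 policy as configured in the lab steps above.
ZONE_OF = {"g0/1": "IN-ZONE", "s0/0/1": "OUT-ZONE"}
ZONE_PAIRS = {("IN-ZONE", "OUT-ZONE"): "IN-2-OUT-PMAP"}
ACL_101 = [("192.168.3.0", "0.0.0.255")]  # permit ip <source> <wildcard> any


def acl_permits(src):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    s = int(ipaddress.ip_address(src))
    for base, wildcard in ACL_101:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (int(ipaddress.ip_address(base)) & care):
            return True
    return False


class ZoneFirewall:
    """Simplified model: no self zone, no timeouts, no TCP state tracking."""

    def __init__(self):
        self.sessions = set()  # flows opened by the inspect action

    def forward(self, in_if, out_if, proto, src, sport, dst, dport):
        # Replies to an inspected flow are matched against the session table first.
        if (proto, dst, dport, src, sport) in self.sessions:
            return "pass-return"
        pair = (ZONE_OF[in_if], ZONE_OF[out_if])
        if pair[0] == pair[1]:
            return "pass-same-zone"
        if pair not in ZONE_PAIRS:
            return "drop-no-zone-pair"  # nothing is configured from OUT-ZONE to IN-ZONE
        if acl_permits(src):  # IN-NET-CLASS-MAP matched, action inspect
            self.sessions.add((proto, src, sport, dst, dport))
            return "inspect"
        return "drop-class-default"


def run_lab_tests():
    """Replay the lab's tests plus one constructed non-matching inside host."""
    fw = ZoneFirewall()
    pc_c, pc_a = "192.168.3.3", "192.168.1.3"
    return [
        fw.forward("g0/1", "s0/0/1", "tcp", pc_c, 1031, pc_a, 80),   # PC-C browses PC-A
        fw.forward("s0/0/1", "g0/1", "tcp", pc_a, 80, pc_c, 1031),   # HTTP reply
        fw.forward("s0/0/1", "g0/1", "icmp", pc_a, 0, pc_c, 0),      # PC-A pings PC-C
        fw.forward("g0/1", "s0/0/1", "tcp", "192.168.4.9", 1025, pc_a, 80),
    ]
```

The open HTTP session does not help PC-A's ping: only the exact reverse of an inspected flow is let back in.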
