
Wednesday, March 5, 2014

Configuring a Zone-Based Policy Firewall (ZPF)

!----Task 2: Create the Firewall Zones on Router R3
!--Step 1. Create an internal zone.
!
ciscoconpa55
enable
ciscoenpa55
configure terminal
!
zone security IN-ZONE
!
!--Step 2. Create an external zone.
!
zone security OUT-ZONE
exit
!
!----Task 3: Define a Traffic Class and Access List
!--Step 1. Create an ACL that defines internal traffic.
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
!--Step 2. Create a class map referencing the internal traffic ACL.
!
class-map type inspect match-all IN-NET-CLASS-MAP
match access-group 101
exit
!
!----Task 4: Specify Firewall Policies
!--Step 1. Create a policy map to determine what to do with matched traffic.
!
policy-map type inspect IN-2-OUT-PMAP
!
!--Step 2. Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.
!
class type inspect IN-NET-CLASS-MAP
!
!--Step 3. Specify the action of inspect for this policy map.
!
inspect
exit
exit
!
!----Task 5: Apply Firewall Policies
!--Step 1. Create a pair of zones.
!
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
!
!--Step 2. Specify the policy map for handling the traffic between the two zones.
!
service-policy type inspect IN-2-OUT-PMAP
exit
!
!--Step 3. Assign interfaces to the appropriate security zones.
!
interface fa0/1
zone-member security IN-ZONE
exit
interface s0/0/1
zone-member security OUT-ZONE
exit
!
!--Step 4. Copy the running config to the startup config.
!
exit
copy running-config startup-config
!
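Tasks 2 to 5 build a chain of references: an interface belongs to a zone, a zone-pair names a source and destination zone, the zone-pair's service-policy names a policy-map, the policy-map names a class-map, and the class-map names an ACL. If any link in that chain is misspelled or missing, ZPF does not fall back to permitting: traffic between the two zones (or between a zone member and an interface in no zone) is simply dropped. The following Python script is an added example, not part of the lab or of Cisco's tooling; it parses configuration text in the form `show running-config` prints it and reports dangling references. The sample configuration is constructed from the R3 commands above, and the extra interface Serial0/0/0 left outside every zone is an assumption added to show that check firing.

```python
"""Consistency check for a Cisco IOS zone-based policy firewall configuration.

Added example, not part of the original lab: it parses configuration text in
the form 'show running-config' prints it and reports dangling references
(zone-pairs naming undefined zones or policy-maps, policy-maps naming
undefined class-maps, class-maps naming undefined ACLs) and interfaces that
belong to no zone. The extra Serial0/0/0 interface is an assumption.
"""
import re

# Constructed sample: the lab's R3 configuration as IOS would render it, plus
# one interface (Serial0/0/0) deliberately left out of every zone.
SAMPLE_CONFIG = """\
zone security IN-ZONE
zone security OUT-ZONE
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
interface FastEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/1
 zone-member security OUT-ZONE
interface Serial0/0/0
"""


def parse_zpf(config):
    """Collect the ZPF objects from config text; indented lines belong to the
    most recent unindented block, as in IOS output."""
    cfg = {"zones": set(), "acls": set(), "class_maps": {}, "policy_maps": {},
           "zone_pairs": {}, "interfaces": {}}
    kind = name = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            kind = name = None
            if m := re.match(r"zone security (\S+)$", line):
                cfg["zones"].add(m[1])
            elif m := re.match(r"access-list (\d+) ", line):
                cfg["acls"].add(m[1])
            elif m := re.match(r"class-map type inspect match-(?:all|any) (\S+)$", line):
                kind, name = "class-map", m[1]
                cfg["class_maps"][name] = set()
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                kind, name = "policy-map", m[1]
                cfg["policy_maps"][name] = set()
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                kind, name = "zone-pair", m[1]
                cfg["zone_pairs"][name] = {"source": m[2], "destination": m[3], "policy": None}
            elif m := re.match(r"interface (\S+)$", line):
                kind, name = "interface", m[1]
                cfg["interfaces"][name] = None
            continue
        body = line.strip()
        if kind == "class-map" and (m := re.match(r"match access-group (\S+)$", body)):
            cfg["class_maps"][name].add(m[1])
        elif kind == "policy-map" and (m := re.match(r"class type inspect (\S+)$", body)):
            cfg["policy_maps"][name].add(m[1])
        elif kind == "zone-pair" and (m := re.match(r"service-policy type inspect (\S+)$", body)):
            cfg["zone_pairs"][name]["policy"] = m[1]
        elif kind == "interface" and (m := re.match(r"zone-member security (\S+)$", body)):
            cfg["interfaces"][name] = m[1]
    return cfg


def audit_zpf(config):
    """Return a list of findings; an empty list means every reference resolves."""
    cfg = parse_zpf(config)
    findings = []
    for cm, acls in cfg["class_maps"].items():
        findings += [f"class-map {cm} matches undefined access-list {a}"
                     for a in sorted(acls - cfg["acls"])]
    for pm, classes in cfg["policy_maps"].items():
        findings += [f"policy-map {pm} references undefined class-map {c}"
                     for c in sorted(classes - set(cfg["class_maps"]))]
    for zp, d in cfg["zone_pairs"].items():
        for role in ("source", "destination"):
            # 'self' is the router's own built-in zone and needs no definition
            if d[role] != "self" and d[role] not in cfg["zones"]:
                findings.append(f"zone-pair {zp} {role} zone {d[role]} is undefined")
        if d["policy"] is None:
            findings.append(f"zone-pair {zp} has no service-policy, so its traffic is dropped")
        elif d["policy"] not in cfg["policy_maps"]:
            findings.append(f"zone-pair {zp} references undefined policy-map {d['policy']}")
    for ifname, zone in cfg["interfaces"].items():
        if zone is None:
            # ZPF drops traffic between a zone member and an interface in no zone
            findings.append(f"interface {ifname} is not a member of any zone")
        elif zone not in cfg["zones"]:
            findings.append(f"interface {ifname} is in undefined zone {zone}")
    return findings


if __name__ == "__main__":
    for finding in audit_zpf(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Note that the script does not flag the absence of an OUT-ZONE to IN-ZONE zone-pair: with the inspect action, return traffic for sessions opened from IN-ZONE is allowed back through the stateful session table, and connections initiated from OUT-ZONE toward IN-ZONE are dropped, which is the intended behaviour of this lab.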
!----Task 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE
!--Step 2. From internal PC-C, Telnet to the router R2 S0/0/1 interface.
!
show policy-map type inspect zone-pair sessions
!
!Zone-pair: IN-ZONE-OUT-ZONE
!
!Service-policy inspect : IN-2-OUT-PMAP
!
! Class-map: IN-NET-CLASS-MAP (match-all)
!  Match: access-group 101
!  Inspect
!    Established Sessions
!     Session 139644744 (192.168.3.3:1025)=>(10.2.2.2:23) telnet:tcp SIS_OPEN
!      Created 00:00:02, Last heard 00:00:00
!      Bytes sent (initiator:responder) [0:0]
!
!
!What is the source IP address and port number?
!192.168.3.3:1025 (port 1025 is random)
!What is the destination IP address and port number?
!10.2.2.2:23 (Telnet = port 23)
!
!--Step 4. From internal PC-C, open a web browser to the PC-A server webpage.
!
show policy-map type inspect zone-pair sessions
!
!Zone-pair: IN-ZONE-OUT-ZONE
!
!Service-policy inspect : IN-2-OUT-PMAP
!
! Class-map: IN-NET-CLASS-MAP (match-all)
!  Match: access-group 101
!  Inspect
!    Established Sessions
!     Session 139142400 (192.168.3.3:1027)=>(192.168.1.3:80) http:tcp SIS_OPEN
!      Created 00:00:02, Last heard 00:00:00
!      Bytes sent (initiator:responder) [0:0]
!
!
!What is the source IP address and port number?
!192.168.3.3:1027 (port 1027 is random)
!
!What is the destination IP address and port number?
!192.168.1.3:80 (HTTP web = port 80)
!
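Reading the session table by eye works for two sessions; on a production router the same command is what you would poll to confirm that only traffic matching the class-map's ACL is being inspected. The Python script below is an added example, not part of the lab or of Cisco's tooling: it parses `show policy-map type inspect zone-pair sessions` output into one record per session and then checks that every session initiator lies inside 192.168.3.0/24, the network access-list 101 permits. The sample output is constructed from the two captures above (the Telnet and the HTTP session), with the second Session line wrapped onto a following line as it was in the capture.

```python
"""Parse 'show policy-map type inspect zone-pair sessions' output.

Added example, not part of the original lab: it turns each inspected session
into a record and checks that every session initiator lies inside the
internal network the class-map's ACL permits, which is what the
IN-ZONE to OUT-ZONE policy is meant to guarantee.
"""
import ipaddress
import re

# Constructed sample assembled from the two captures in the lab (the Telnet
# and the HTTP session). The second Session line is wrapped onto a second
# line on purpose, as it was in the capture, to show the parser tolerating it.
SAMPLE_OUTPUT = """\
Zone-pair: IN-ZONE-OUT-ZONE

Service-policy inspect : IN-2-OUT-PMAP

 Class-map: IN-NET-CLASS-MAP (match-all)
  Match: access-group 101
  Inspect
    Established Sessions
     Session 139644744 (192.168.3.3:1025)=>(10.2.2.2:23) telnet:tcp SIS_OPEN
      Created 00:00:02, Last heard 00:00:00
      Bytes sent (initiator:responder) [0:0]
     Session 139142400 (192.168.3.3:1027)=>(192.168.1.3:80)
http:tcp SIS_OPEN
      Created 00:00:02, Last heard 00:00:00
      Bytes sent (initiator:responder) [0:0]
"""

SESSION_RE = re.compile(
    r"Session (?P<id>\d+) \((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+(?P<app>[\w-]+):(?P<proto>\w+)\s+(?P<state>SIS_\w+)"
)


def parse_sessions(text):
    """Return one dict per session, tagged with the zone-pair and class-map it sits under."""
    sessions, zone_pair, class_map, pending = [], None, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Zone-pair:"):
            zone_pair = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Class-map:"):
            class_map = line.split(":", 1)[1].split()[0]
            continue
        if line.startswith("Session "):
            pending = line                      # start of a session record
        elif pending and not line.startswith("Created"):
            pending += " " + line               # continuation of a wrapped line
        if pending and (m := SESSION_RE.match(pending)):
            rec = m.groupdict()
            for key in ("id", "sport", "dport"):
                rec[key] = int(rec[key])
            rec.update(zone_pair=zone_pair, class_map=class_map)
            sessions.append(rec)
            pending = ""
    return sessions


def foreign_initiators(sessions, internal_net):
    """Sessions whose initiator is outside internal_net: with the lab's ACL these
    should never appear under IN-NET-CLASS-MAP, so any hit is worth investigating."""
    net = ipaddress.ip_network(internal_net)
    return [s for s in sessions if ipaddress.ip_address(s["src"]) not in net]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_OUTPUT)
    for s in found:
        print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
              f"{s['app']}/{s['proto']} {s['state']}")
    print("foreign initiators:", foreign_initiators(found, "192.168.3.0/24"))
```

Run against the sample it lists the two sessions from the lab (source port 1025 to 10.2.2.2:23 for Telnet, source port 1027 to 192.168.1.3:80 for HTTP) and reports no foreign initiators, which is the expected result for an IN-ZONE to OUT-ZONE inspect policy.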