Published 2023-11-28 (author: )
PT Activity: Configuring a Zone-Based Policy Firewall (ZPF)
PT Task: Create a zone-based policy firewall
Addressing Table

Device  Interface  IP Address    Subnet Mask      Default Gateway
R1      Fa0/1      192.168.1.1   255.255.255.0    N/A
R1      S0/0/0     10.1.1.1      255.255.255.252  N/A
R2      S0/0/0     10.1.1.2      255.255.255.252  N/A
R2      S0/0/1     10.2.2.2      255.255.255.252  N/A
R3      Fa0/1      192.168.3.1   255.255.255.0    N/A
R3      S0/0/1     10.2.2.1      255.255.255.252  N/A
PC-A    NIC        192.168.1.3   255.255.255.0    192.168.1.1
PC-C    NIC        192.168.3.3   255.255.255.0    192.168.3.1
Learning Objectives
Verify connectivity among devices before firewall configuration.
Configure a zone-based policy (ZPF) firewall on router R3
Verify ZPF firewall functionality using ping, Telnet and a web browser.
Learning objectives:
Before configuring the firewall, confirm connectivity between the devices.
Configure ZPF on R3.
Use ping, Telnet and a web browser to verify that the firewall works.
Introduction
Zone-based policy (ZPF) firewalls are the latest development in the evolution of Cisco
firewall technologies. In this activity, you configure a basic ZPF on an edge router R3 that
allows internal hosts access to external resources and blocks external hosts from accessing
internal resources. You then verify firewall functionality from internal and external hosts.
The routers have been pre-configured with the following:
Console password: ciscoconpa55
Password for vty lines: ciscovtypa55
Enable password: ciscoenpa55
Host names and IP addressing
Static routing
Introduction:
ZPF firewalls are one of Cisco's recently developed technologies. In this task we configure a policy on the edge router R3 that allows internal hosts to access external resources and, conversely, does not allow outside hosts to access internal resources.
The parameters already configured on the routers are as follows:
Console password: ciscoconpa55
Password for vty lines: ciscovtypa55
Enable password: ciscoenpa55
Host names and IP addresses
Static routing.
Task 1: Verify Basic Network Connectivity
Verify network connectivity prior to configuring the zone-based policy firewall.
Step 1. From the PC-A command prompt, ping PC-C at 192.168.3.3.
Step 2. From the PC-C command prompt, Telnet to the Router R2 S0/0/1 interface at
10.2.2.2. Exit the Telnet session.
Step 3. From PC-C, open a web browser to the PC-A server.
Click the Desktop tab and click the Web Browser application. Enter the PC-A IP address
192.168.1.3 as the URL. The Packet Tracer 5.x welcome page from the web server should
be displayed.
Close the browser on PC-C.
Task 1: Test basic network connectivity
Before configuring the firewall, first test connectivity.
Step 1: From PC-A, ping PC-C.
Step 2: From PC-C, Telnet to the R2 S0/0/1 interface (10.2.2.2), then end the session.
Step 3: From PC-C, access the web server on PC-A.
On the Desktop tab, click the "Web Browser" application. Enter the PC-A IP address 192.168.1.3; the welcome page will be displayed. Then close the browser.
Task 2: Create the Firewall Zones on Router R3
Note: For all configuration tasks, be sure to use the exact names as specified.
Step 1. Create an internal zone.
Use the zone security command to create a zone named IN-ZONE.
Step 2. Create an external zone.
Use the zone security command to create a zone named OUT-ZONE.
Task 2: Create the firewall zones on R3.
Note: Throughout the task, be sure to use the exact names specified.
Step 1: Create an internal zone.
Use the zone security command to create a zone named IN-ZONE.
Step 2: Create an external zone.
Use the zone security command to create a zone named OUT-ZONE.
Task 3: Define a Traffic Class and Access List
Step 1. Create an ACL that defines internal traffic.
Use the access-list command to create extended ACL 101 to permit all IP protocols from
the 192.168.3.0/24 source network to any destination.
Step 2. Create a class map referencing the internal traffic ACL.
Use the class map type inspect command with the match-all option to create a class map
named IN-NET-CLASS-MAP. Use the match access-group command to match ACL 101.
Note: Although not supported in this Packet Tracer exercise, individual protocols (HTTP,
FTP, etc.) can be specified for matching using the match-any option in order to provide
more precise control over what type of traffic is inspected.
Task 3: Define a traffic class and ACL.
Step 1: Create an ACL that defines internal traffic.
Use the access-list command to create ACL 101, permitting all IP protocols from 192.168.3.0 to any destination.
Step 2: Create a class map that matches the traffic defined by the ACL.
Use the class map type inspect command to create a class map named IN-NET-CLASS-MAP. Use the match access-group command to match ACL 101.
Note: Although PT may not support it, specific protocols such as HTTP and FTP can be used to define more precisely which traffic is inspected.
Task 4: Specify Firewall Policies
Step 1. Create a policy map to determine what to do with matched traffic.
Use the policy-map type inspect command and create a policy map
named IN-2-OUT-PMAP.
Step 2. Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.
Step 3. Specify the action of inspect for this policy map.
The use of the inspect command invokes context-based access control (other options
include pass and drop).
R3(config-pmap-c)# inspect
%No specific protocol configured in class IN-NET-CLASS-MAP for
inspection. All protocols will be inspected.
Issue the exit command twice to leave config-pmap-c mode and return to config mode.
R3(config-pmap-c)# exit
R3(config-pmap)# exit
Task 4: Define the firewall policies.
Step 1: Create a policy map that defines what to do with the matched traffic.
Use policy-map type inspect to define a policy map named IN-2-OUT-PMAP.
Step 2: In the policy map, reference the class map IN-NET-CLASS-MAP.
Step 3: Apply the inspect action to this policy class.
Using the inspect command invokes the related ACL control (the other options are pass and drop).
R3(config-pmap-c)# inspect
%No specific protocol configured in class IN-NET-CLASS-MAP for
inspection. All protocols will be inspected.
Run the exit command twice to leave config-pmap-c mode and return to config mode.
R3(config-pmap-c)# exit
R3(config-pmap)# exit
Task 5: Apply Firewall Policies
Step 1. Create a pair of zones.
Using the zone-pair security command, create a zone pair named IN-2-OUT-ZPAIR.
Specify the source and destination zones that were created in Task 1.
Step 2. Specify the policy map for handling the traffic between the two zones.
Attach a policy-map and its associated actions to the zone pair using the service-policy
type inspect command and reference the policy map previously created, IN-2-OUT-PMAP.
Step 3. Assign interfaces to the appropriate security zones.
Use the zone-member security command in interface config mode to assign Fa0/1
to IN-ZONE and S0/0/1 to OUT-ZONE.
Step 4. Copy the running config to the startup config.
Task 5: Apply the firewall policies
Step 1: Create a zone pair.
Use the zone-pair security command to create a zone pair named IN-2-OUT-ZPAIR.
Specify the source and destination zones; these two zones were created in Task 1.
Step 2: Specify the policy map between the two zones.
Use the service-policy type inspect command to reference the previously created policy map IN-2-OUT-PMAP.
Step 3: Use the zone-member security command in interface mode to bind the specified interfaces: Fa0/1 to IN-ZONE; S0/0/1 to OUT-ZONE.
Step 4: Save the configuration.
Task 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE
Verify that internal hosts can still access external resources after configuring the zone-based
policy firewall.
Step 1. From internal PC-C, ping the external PC-A server.
From the PC-C Command Prompt, ping PC-A at 192.168.1.3. The ping should succeed.
Step 2. From internal PC-C, Telnet to the router R2 S0/0/1 interface.
From the PC-C Command Prompt, telnet to R2 at 10.2.2.2 and provide the vty
password ciscovtypa55. The telnet should succeed. While the Telnet session is active,
issue the command show policy-map type inspect zone-pair sessions on R3 to view
established sessions.
What is the source IP address and port number?
What is the destination IP address and port number?
Step 3. From PC-C, exit the Telnet session on R2 and close the Command Prompt
window.
Step 4. From internal PC-C, open a web browser to the PC-A server web page.
Enter the server IP address 192.168.1.3 in the browser URL field and click Go. The HTTP
session should succeed. While the HTTP session is active, issue the command show
policy-map type inspect zone-pair sessions on R3 to view established sessions.
What is the source IP address and port number?
What is the destination IP address and port number?
Step 5. Close the Browser on PC-C.
Task 6: Test the firewall functionality from IN-ZONE to OUT-ZONE.
Step 1: On PC-C, ping PC-A; all packets succeed.
Step 2: From PC-C, Telnet to the R2 S0/0/1 interface. Note that you must enter the password ciscovtypa55. Use the show policy-map type inspect zone-pair sessions command to view the established sessions.
Record the following: What are the source IP address and port number? What are the destination IP address and port number?
Step 3: On PC-C, close the Telnet connection.
Step 4: From PC-C, open a web browser to PC-A.
On R3, use the show policy-map type inspect zone-pair sessions command to view the session state.
Record: What are the source IP address and port number? What are the destination IP address and port number?
Step 5: Close the browser.
Task 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE
Verify that external hosts CANNOT access internal resources after configuring the
zone-based policy firewall.
Step 1. From the PC-A server command prompt, ping PC-C.
From the PC-A Command Prompt, ping PC-C at 192.168.3.3. The ping should fail.
Step 2. From router R2, ping PC-C.
From R2, ping PC-C at 192.168.3.3. The ping should fail.
Step 3. Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and
verification of which required components have been completed.
Task 7: Test the firewall functionality, checking communication from OUT-ZONE to IN-ZONE.
Verify that external hosts cannot access internal host resources.
Step 1: From PC-A, ping PC-C; the traffic should fail.
Step 2: From R2, ping PC-C; it fails.
Step 3: Check the results.
All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights
reserved. This document is Cisco Public Information.