Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4119
Views
0
Helpful
1
Replies

Zone-Based Policy Firewall (Packet tracer)

isaiahhavocc
Level 1
Level 1

‎09-27-2019 07:22 PM

I'm testing out a zone-based policy in Packet Tracer for a project but I want to verify that my commands are correct... Here is my topology.

ZoneBasedTopology.PNG

What I'm trying to accomplish:

The R1 router should add a new network, which will be a DMZ.           Policy is as follows:  You should allow web traffic (HTTP and HTTPS  ONLY) to get to the Server in the DMZ of R1.

You will add a server to G0/0 of   R1.         Assign following addresses:    R1 G0/0 – 192.168.2.1 / 24       Server 192.168.2.3/24 with appropriate gateway

Add a new static route on R2 to get to the new network 192.168.2.0/24

The zone-based firewall policy will be done on R1. Implement the commands on R1.   Success would be for PC-C to be able to successfully browse to the 192.168.2.3 server but PC-C should NOT be able to ping 192.168.2.3

Once you have THAT working, a new policy needs to be added.  You should allow pings to the DMZ server as well. Success would mean that PC-C would be able to browse AND ping 192.168.2.3.

 

Just looking for the appropriate commands to implement. Thanks everyone.

 

 

Labels:
0 Helpful
1 Reply 1

Marius Gunnerud
VIP
VIP

‎09-29-2019 05:40 AM

This is a duplicate question to the one further up in the list that I have already answered, but I will post the config here also.

 

ip access-list extended web-to-dmzServer-acl

 permit tcp any host 192.168.2.3 80

 permit tcp any host 192.168.2.3 443

 

class-map type inspect match-any web-to-dmzServer-cmap

 match access-group web-to-dmzServer-acl

 

policy-map type inspect web-to-dmzServer-pmap

 class type inspect web-to-dmzServer-cmap

  inspect

 

zone security dmz

 description DMZ services

 

zone security web

 description Internet

 

zone-pair security web-to-dmz-pair source web destination dmz

 

interface Gig0/0/0

 description Internet

 zone-member security web

 

interface Gig0/0/1

 description DMZ

 zone-member security dmz

 

Verification:

show policy-map type inspect zone web

show policy-map type inspect zone dmz

show policy-map type inspect zone-pair web-to-dmz-pair

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card