Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

Topology

Addressing Table

Device Interface IP Address Subnet Mask Default Gateway Switch Port

G0/1 192.168.1.1 255.255.255.0 N/A S1 F0/5

R1
S0/0/0 (DCE) 10.1.1.1 255.255.255.252 N/A N/A
S0/0/0 10.1.1.2 255.255.255.252 N/A N/A
R2
S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A N/A
G0/1 192.168.3.1 255.255.255.0 N/A S3 F0/5
R3
S0/0/1 10.2.2.1 255.255.255.252 N/A N/A
PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 S1 F0/6
PC-C NIC 192.168.3.3 255.255.255.0 192.168.3.1 S3 F0/18

Objectives
 Verify connectivity among devices before firewall configuration.
 Configure a zone-based policy (ZPF) firewall on R3.
 Verify ZPF firewall functionality using ping, SSH, and a web browser.

Background/Scenario
ZPFs are the latest development in the evolution of Cisco firewall technologies. In this activity, you will
configure a basic ZPF on an edge router R3 that allows internal hosts access to external resources and
blocks external hosts from accessing internal resources. You will then verify firewall functionality from internal
and external hosts.
The routers have been pre-configured with the following:
o Console password: ciscoconpa55
o Password for vty lines: ciscovtypa55
o Enable password: ciscoenpa55

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 11
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

o Host names and IP addressing

o Local username and password: Admin / Adminpa55
o Static routing

Part 1: Verify Basic Network Connectivity

Verify network connectivity prior to configuring the zone-based policy firewall.

Step 1: From the PC-A command prompt, ping PC-C at 192.168.3.3.

Step 2: Access R2 using SSH.

a. From the PC-C command prompt, SSH to the S0/0/1 interface on R2 at 10.2.2.2. Use the username
Admin and password Adminpa55 to log in.
PC> ssh -l Admin 10.2.2.2
b. Exit the SSH session.

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 11
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

Step 3: From PC-C, open a web browser to the PC-A server.

a. Click the Desktop tab and then click the Web Browser application. Enter the PC-A IP address
192.168.1.3 as the URL. The Packet Tracer welcome page from the web server should be displayed.
b. Close the browser on PC-C.

Part 2: Create the Firewall Zones on R3

Note: For all configuration tasks, be sure to use the exact names as specified.

Step 1: Enable the Security Technology package.

a. On R3, issue the show version command to view the Technology Package license information.

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 11
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

b. If the Security Technology package has not been enabled, use the following command to enable the
package.
R3(config)# license boot module c1900 technology-package securityk9

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 11
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

c. Accept the end-user license agreement.

d. Save the running-config and reload the router to enable the security license.

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 11
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

e. Verify that the Security Technology package has been enabled by using the show version command.

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 6 of 11
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

Step 2: Create an internal zone.

Use the zone security command to create a zone named IN-ZONE.

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 7 of 11
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

Step 3: Create an external zone.

Use the zone security command to create a zone named OUT-ZONE.

Part 3: Identify Traffic Using a Class-Map

Step 1: Create an ACL that defines internal traffic.
Use the access-list command to create extended ACL 101 to permit all IP protocols from the 192.168.3.0/24
source network to any destination.

Step 2: Create a class map referencing the internal traffic ACL.

Use the class-map type inspect command with the match-all option to create a class map named IN-NET-
CLASS-MAP. Use the match access-group command to match ACL 101.

Part 4: Specify Firewall Policies

Step 1: Create a policy map to determine what to do with matched traffic.
Use the policy-map type inspect command and create a policy map named IN-2-OUT-PMAP.

Step 2: Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.

Step 3: Specify the action of inspect for this policy map.

The use of the inspect command invokes context-based access control (other options include pass and
drop).

Issue the exit command twice to leave config-pmap-c mode and return to config mode.

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 8 of 11
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

Part 5: Apply Firewall Policies

Step 1: Create a pair of zones.
Using the zone-pair security command, create a zone pair named IN-2-OUT-ZPAIR. Specify the source and
destination zones that were created in Task 1.

Step 2: Specify the policy map for handling the traffic between the two zones.
Attach a policy-map and its associated actions to the zone pair using the service-policy type inspect
command and reference the policy map previously created, IN-2-OUT-PMAP.

Step 3: Assign interfaces to the appropriate security zones.

Use the zone-member security command in interface configuration mode to assign G0/1 to IN-ZONE and
S0/0/1 to OUT-ZONE.

Step 4: Copy the running configuration to the startup configuration.

Part 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE

Verify that internal hosts can still access external resources after configuring the ZPF.

Step 1: From internal PC-C, ping the external PC-A server.

From the PC-C command prompt, ping PC-A at 192.168.1.3. The ping should succeed.

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 9 of 11
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

Step 2: From internal PC-C, SSH to the R2 S0/0/1 interface.

a. From the PC-C command prompt, SSH to R2 at 10.2.2.2. Use the username Admin and the password
Adminpa55 to access R2. The SSH session should succeed.
b. While the SSH session is active, issue the command show policy-map type inspect zone-pair
sessions on R3 to view established sessions.

What is the source IP address and port number?

192.168.3.3:1027
What is the destination IP address and port number?
10.2.2.2:22

Step 3: From PC-C, exit the SSH session on R2 and close the command prompt window.

Step 4: From internal PC-C, open a web browser to the PC-A server web page.
Enter the server IP address 192.168.1.3 in the browser URL field, and click Go. The HTTP session should
succeed. While the HTTP session is active, issue the command show policy-map type inspect zone-pair
sessions on R3 to view established sessions.
Note: If the HTTP session times out before you execute the command on R3, you will have to click the Go
button on PC-C to generate a session between PC-C and PC-A.
What is the source IP address and port number?
192.168.3.3:1031
What is the destination IP address and port number?
10.2.2.2:80

Step 5: Close the browser on PC-C.

Part 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE

Verify that external hosts CANNOT access internal resources after configuring the ZPF.

Step 1: From the PC-A server command prompt, ping PC-C.

From the PC-A command prompt, ping PC-C at 192.168.3.3. The ping should fail.

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 10 of 11
Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

Step 2: From R2, ping PC-C.

From R2, ping PC-C at 192.168.3.3. The ping should fail.

Step 3: Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which
required components have been completed.

CONCLUSIONES

 En esta actividad apreciaremos la implementacion de Firewall de política basado en zonas

que consiste en un metodo Avanzado del firewall con estado, aqui se crea zonas y se
asigna una interfaz, se crea un mapa de clases, se crea un mapa de politicas, se asigna un
mapa de clases al mapa de politicas y se configura un par de zonas y se la politica
 Al inicio se debe de habilitar el paquete de tecnoligia de seguridad
 Se crea una zona de seguridad dentro de la zona y otra fuera de la zona
 Se crea una ACL 101 extendida para permitir todos los protocolos IP
 Se crea un mapa de clase con el commando inspeccion
 Se crea un mapa de politicas con el commando inspeccion
 Se le asigna a la interfaz g0/1 dentro de la zona y fuera de la zona a la interfaz S0/0/1

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 11 of 11