Cisco FTD and FMC : Interface configuration, Access Policy and Routing

Captions
Hey guys, welcome back. Today we will continue with the FTD configuration. In the last video we basically connected my FTD with my FMC, right? So this is my topology: this is my FTD and this is my FMC. We connected my FTD with my FMC, which means there is connectivity. You can check that over here as well: if I do a `sudo ping 192.168.100.52`, it should work. Right, that's good, so there was connectivity, and then we kind of set it up. We will go ahead and do a little more configuration in this video.

We will start with configuring the interfaces. So when you do that, you go to Devices, right here, click on the pencil of the particular device, you go to the Interfaces tab, and here you go, you have your interfaces. So now let's start configuring. If you look at my topology here, I'm going to use the interfaces GigabitEthernet 0/ series for management, and there is a small issue with GNS3 where, if you look here, I have used the interfaces 2, 3 and 4, but these three interfaces are actually mapped to 1, 2 and 3 on my actual FTD. So don't be confused; this is just an issue with GNS3. If it's a real device, if it's not a simulation, then you need not bother about that. It's because of GNS3 that I'm just bumping up one interface. I will show you how I do that.

So we go here, we go to the interfaces. I'm not going to use the 0/0, I'm going to use the 0/1. So let's go here and I will configure this to be my outside interface: I want my 0/1, which is nothing but 0/2 here, to be my outside interface. So how do I do that? I can go to outside, and I have to enable this, the security zone. There is already a security zone which I've created here, so I can select that. If I have not created one then I can create a new one as well; I can create something new, but I've already created something called outside earlier, so I'm going to use the same thing, and what else? The rest remains the same. I need to put an IP address, which is 192.1.20.10 /24, and we are good with this.

Let's go and do the next one, which is going to be the inside interface. So 0/2, which is 0/3 here, will be my inside one. So let's start with inside; let's go here, and the security zone is always going to be inside. IP address is going to be 10.11.11.10 /24. Okay, hope I enabled it. Okay, you want to enable it; enable is basically like no shut of a particular interface. Right, now the last one is my DMZ zone. If you look here, I have my inside, I have my outside, and r3 is my DMZ. So I'm going to do the DMZ as well: this one will be DMZ, and let's put the DMZ zone here. IP address is going to be 192.1... what do I use, let me check... 168, sorry, 192.168.1.10 /24. Looks good. Let's do this. So we have all the three here. Did I enable it? Probably I did not; let me do that. I did not enable it, right. So these are my three interfaces. Now let me save this and let me also go and deploy this once I save this. It's taking a bit of time. Right, that's good. Now I'm going to apply this, so I'm going to select this and deploy. Okay, so that's good, so the deployment has started. Let's wait for the deployment to finish and then we'll be able to test it. So we have just put the IP addresses on the interfaces of my FTD. We'll be able to ping the interfaces from the routers: from r1 we'll be able to ping the inside interface, which is 0/3; from r2 we'll be able to ping the outside one, one of these interfaces; and from the DMZ as well we'll be able to ping 0/4. Right, it takes a bit of time, but yeah. Okay, while this is being done... this is still happening, so while this is done we will go to the next step. Once this is done I'll be able to show you the deployment, how it worked.

The next is... well, let's look at policies. So if you look at the diagram here, what if I want to send all the traffic from r1 to r2, from inside to outside? If I want to allow all the traffic from the inside zone to the outside zone, how would I do it? We'll have to do that using policies. So you've got Policies here. I already have a policy which was put in place when I created this FMC, when I imported this FTD, when I registered this FTD in fact. So yeah, let's open this. Okay, so for now the default policy is that it is blocking all the traffic. The default action is blocking all the traffic: whatever is passing through the FTD is getting blocked, irrespective of which zone to which zone it is flowing. But what we want to do is allow it. So how do we do that? Let's create a rule. Let's go to Add Rule. I'm going to create this rule; I'll call this r1. Okay, let's say we want traffic from in to out, so "in to out": all the traffic has to be allowed. So allow, it's enabled here. This zone is going to be added to source; this is the inside one and this is the outside one. Okay, what do we do next? Networks. You want to allow from the inside network. So here you can create objects. I have already created an object here for my 10.11.11.0 network, which is my inside network, but if this is not here you can create it this way: you just need to press Add Object and you can create, for your name, a network or a host, and you save it, and then it will start appearing over here. Since I already have it, I'm going to use this as my inside network, and for the outside I'm going to use any, so I'm going to retain this. And I want all traffic to go; it's not just certain applications. So this is the amazing advantage of using FTD over ASA: you can actually block applications as well. In ASA you just had access lists, which were used straight, but here you can block applications. Like, I can literally select Facebook. If I don't want people to use Facebook I can select Facebook, and you can see here there are a lot of options here which I can select, and I can actually restrict use of that as well. For now I'm not going to touch that. Let's go to Ports. So this is another interesting place where you can play around with ports; we'll look into this as the next thing. For now, for this particular rule, I'm going to just do this: I'm going to say that all the traffic from inside to outside should go, and let's add this. So we added one rule.

What do we do next? Let's add one more rule where we will allow all the telnet and the ping to happen from r2 to r3. So we allowed everything from r1 to r2, and telnet and ping from r2 to r3. So how do we do that? Let's call this another rule, which is "r2 to r3". The first one, the source, is going to be outside and this is going to be the destination. And what do we do here? The networks: the network is from anywhere outside, then any IP, so it's going to be any over here, but to my destination network, which is 192.168.1.0. This is also a network which I had already created, so I'm going to keep it here; this is the DMZ zone. And what else? So now I'm going to use the ports. So we talked about telnet; I want to allow telnet, so I'm going to select telnet here at the destination port. I'm going to allow the telnet one, and I also need to allow ping. So ping probably was not a port earlier, so I had to create it. Here also you can create a port the same way. So I created a port and I call that as ping; I'm going to add that to destination as well, and once this is done that's, you know, added. Okay, so that looks good. Okay, so you can use this option here to check if there are any conflicts. Currently there are no conflicts, so that looks good. I can save this. Okay, meanwhile let's see if the deployment has been done.

Yeah, the deployment has worked, so I can go and check now from r1. Let's put some IP addresses on my r1. So let's do that. So where is my... okay, so this is going to be my r1 here; let's define it here. Okay, so you see the r1 configuration is pretty simple: I've just defined an interface, put in an IP address of 10.11.11.1, and I've also enabled telnet on it and put a default route towards my FTD. And I'm going to do the same thing for r2 and r3 as well. Okay, this is going to be my r2 and this is going to be my r3. Okay, so how do we do this? We'll take r1's configuration and put it on r1. I'll take the r2 as well; sorry, probably it didn't get copied. Let's do this. So that's done, and let's also pick the r3 configuration. Pretty much very simple; I'm just putting the IP addresses for now. Okay, I think something didn't get copied, this one. All right, so r1, r2, r3, pretty good. Now let's see if I can ping. We did the IP address configuration on my FTD, so I really should be able to ping. So let's ping the FTD: 192... sorry, 10.11.11.10. That works. Similarly if I go to my r2, I should be able to ping the default gateway, which is my FTD. Works. So similarly the r3 works as well. Now we have done the interface configuration; we have also done the access policy configuration here. Let's go and deploy our access policy configuration and test if this is working. Right now if I ping from r1 to r2, or let's do a telnet from r1 to r2, do you think it would work? It is not working, right, but we will have to see now what happens after I deploy this. So let's take this and apply. Okay, the deployment has started as usual. So we covered the FTD FMC integration, we also did the basic configurations like NTP and the interface configurations on my FTD through FMC, obviously, and once we did that we moved ahead and we delved into access policies, how you can write access policies for data to move from one zone to the other zone, and that is an example here where we are deploying it right now. Once we deploy this we will be able to test it as well. So once that is done, the next piece which I would like to cover is the routing part, which is going to be very interesting again. So let's wait for a minute for this to happen. Okay, it takes a bit of time, but yeah, hold on to your patience.

Okay, looks like the deployment has been done; you can look here, the tasks are done. So now we can go and test it. Let's see if the telnet works now. There you go, it's working. And why it worked: it's because of the policy which we just now put in, so all the traffic is allowed from r1 to r2. I can ping as well, 192.1.20.2; that works. Whereas r2 to r1, if I want to do it, would not work, because we did not put a policy. We can test it as well: so if you want to ping 10.11.11.1, see, it won't work because the policy doesn't exist. Right, now what if I want to do that telnet from r2 to r3? We put a policy for doing a telnet from r2 to r3 as well. So how do you do that? So 192.168, if I am not wrong, .1.3. Right, that works, no different. So we have done the access policies part of FTD FMC; you can play around more as well.

The last part which I want to cover in this video is the routing. So for the routing part, how do you go about it? We again go back to my Devices, I go and click the pencil mark here, and yeah, so you see here Routing. Taking a bit of time again. Yeah, so you have a lot of types of routes: you have static routes, you have RIP, OSPF, BGP and so on. Let's just pick a couple of them. If you want a static route, I can show you a static route, or maybe... let's think, do you want to start with... okay, static route as well. Probably on my r3 I could do a static route; I'll show you how to do a static route, maybe one of them. So let's start with... so what do we do? Static route. Let's configure a static route for my r3, which means let me go to my r3 and put in a loopback interface. A loopback interface for an address; let's go ahead and put this. Let's use this; I'm going to put it here. I'm going to put in a loopback address of 192.168.11.11, and I'm going to put a static route... or I could do it on my r1 as well. That's because I'm going to do OSPF later, so I'm going to do a static route between my FTD and my r1 itself. And what IP do I use for the static route? Probably... yeah, let's pick this up. Let's go to r1, let's put an address like 10.20.20.1. So this is going to be my loopback address and I'm going to put this on my router for now, configuration on the router; there you go, so on the router it's done. To do it on the FTD: IPv4, on which side is it? Inside, because it's a static route towards inside. Okay, and you can see that the host is probably not here, so I will create the network. Sorry, I have to create the network. So what's the new network which I created, which is... what is the network? 10.20.20.0, right, that's the network which I created, so I'm going to create that here, sorry, .0. So I want to create a network, put it in here... well, I can actually create the host as well. Yeah, that should work. So I just want the static route to r1, so let's call this "r1 loopback 1", and the host is 10.20.20.1, and there you go. So we are going to save this, saving the object which I created, and I will go and select it over here. So I can select it, yeah, I'm going to add it. So that is done. Now I need to put a default gateway, which is going to be my r1, which is 10.11.11.1, and that's good. So there you go, I'm going to save this, and this is going to be my static route towards the 10.20 network. So that is how you do static routes.

Moving on, let's also do OSPF, and probably BGP. So I'm going to do OSPF on my r1 first. Let me do it on my router. So if I go to my router I'm going to create one, two more loopback addresses, loopback 0 or loopback 2 probably. So what did we want? Loopback 1, so we're creating loopback 2. These are the two networks: 192.168.2.1 and 10.1.1.1. And let me also put the OSPF configuration on my router side. So I'm going to advertise the 10.1 network, the 192.168.2.0 network and the 10.11 one, which are the three networks on this. Now let me just pick this up quickly and put it on the router. That's r1, good. Now the interesting thing is we need to do the configuration on my FTD. So how do I do this? Let me select the process; for now I'm going to use it as internal, I will change it to a different role later. Router ID: probably the IP address with which I want to form the neighborship, which is r1. And let's keep the rest over there. In the Area place I go and click on Add. I'm going to create this; the OSPF process is going to be 1, you saw OSPF 1, but the area is basically 0, so I'm going to create the zero area. It's going to be normal area type, and the network which I want to advertise from here is my 10.11 network, 10.11.11.0. So I'm going to add that and the rest is the same, so I want to save this. So that is all about OSPF; that's how you do OSPF.

Let's also do BGP between the FTD and r2. So let me go to BGP and I'm going to enable BGP, create an AS number of 65001. Like I said, we need to do the BGP configuration on r2 before that, so let's do that: put in a loopback address and also put the BGP configuration. The loopback address is 2.2.2.2 and the BGP configuration is 192.1.20.10, remote-as 65001. Yeah, that looks good. This is basically the BGP configuration; I am advertising the 2.2.2.0 network. Okay, I think I did not put it on the router, so let me put this on the router as well. That's my r2; there you go, so that's done. So I'm going to continue my routing configuration here. So once this is done I can go to, you know, IPv4 right here. So I'm going to go to Neighbor, I'm going to go to Neighbor and I'm going to do an Add. What's going to be my neighbor? It's 192.1.20.2, which is my r2. Remote AS is 65001, enable the address, and that is it. I'm going to press OK here. So I've done OSPF, BGP, pretty good. Yeah, so let's save this and go ahead and deploy it.

So I've done OSPF, BGP and the static routes, so my routers should, you know, start seeing neighborships on their devices as well. Wait for a minute, it's deploying. This is my r1; let me clear it down a bit. So if I do show ip route... oh, it's already come? Has it? Yeah, it's still happening, but I can see... yeah, okay. So maybe I should do show ip ospf neighbor. Okay, it's not yet come because the deployment is still happening. Yeah, you can see something happening here, so probably the deployment completed. Yeah, it is done now. Now if I go and see show ip ospf neighbor, you can see that I have formed, on my router r1, the neighborship with my FTD, 10.11.11.10. Similar is the case with r2: it should be show ip ospf... I mean, sorry, let's do BGP, see if there are BGP routes. Yeah, checking show ip route bgp. Okay, so did it not come? Let's check show bgp. Yeah, you can see the 2.0 network here. So that's basically the loopback address which I advertised on my BGP as well. We can actually go to the FTD and check it as well. So this is how you can do it: I can do show route here, and you can see that the FTD has formed a neighborship and it has learnt the 2.0 network from my r2, and it has learnt the 10.1.1.1 from my r1 through OSPF, over here, and it has also learned another OSPF route, 192.168.2.1. And what else did we do? We also did some static routing. The static routing, if I'm not wrong, was on r1 and it was 10.20.20.1, and that is also there. So you can see the S; it basically means a static route.

Right, now the other thing which I also want to show you is the redistribution: how do you redistribute one protocol into the other? Probably we can do that inside BGP. So if I go to BGP, I can go to IPv4, I go to Redistribution, I can click on Add and select OSPF, because OSPF is something which I want to redistribute into BGP. The process ID is important; the process ID was 1, so I'm going to put that, 1, and yeah, okay, and yeah, I think this should work. So that's redistributing my OSPF. So let's do that on the OSPF side as well; let's try to redistribute my BGP inside OSPF. Okay, so when I have to redistribute, that's why I need to change my router: I have to change the role to ASBR, and now I'll be able to redistribute into OSPF 1. I'm going to redistribute BGP, subnets, and yeah, the AS number is important, 65001, sure, you have to configure the AS, right. So these are the couple of things which I did for redistributing, and there you go, so it's getting saved. Now let's go and apply it. Got to wait for a couple of minutes for this deployment to happen. All right, so once that is done we will be able to check it. Still happening, a few more seconds. Yeah, so the deployment is completed, now we can check. So if you see the difference between the show ip route command earlier and now, this is on r2, and r2 has actually learned the routes for r1 as well: the 10.1 networks which are from r1, you can see here those routes are there, and that basically proves that the redistribution actually worked. Right, so yeah, so that's something which I actually wanted to show you here in this particular video.

So we talked about the whole FMC FTD integration, we talked about the interface configurations and the basic configurations, then we did a bit of access policies, we configured access policies and we looked into how we can move across the different zones, the inside and outside and the DMZ and all of that, and at the last we also configured routing protocols: we looked into static routing, OSPF, BGP, and to wind it up we also concluded by redistributing the routes into either of the protocols. So yeah, thank you for watching, bye.
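Added example (not code from the video, from Cisco, or from the channel): a small Python model of the zone-based access control policy described in the captions. It encodes the default "block all" action plus the two rules built in FMC (rule "r1": inside zone, 10.11.11.0/24, to outside zone, any network, any port; rule "r2 to r3": outside zone, any network, to DMZ zone, 192.168.1.0/24, telnet and ping only) and evaluates constructed flows between r1, r2 and r3 the way the video tests them. Zone names, subnets and the FTD interface addresses are taken from the captions; first-match-wins evaluation and modelling the "ping" port object as protocol icmp with no port are assumptions of this model, not a description of FTD internals.

```python
"""Zone-based access-policy simulation.

Added example, not Cisco's code and not from the video. It models the two
rules the video builds in the FMC access control policy on top of the default
"block all" action and evaluates sample flows between r1, r2 and r3.
First matching rule wins; otherwise the default action applies (assumed
simplification). Addresses and subnets are the ones used in the video; the
flows at the bottom are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Security zones and the subnet behind each FTD interface (from the video).
ZONES = {
    "inside": ip_network("10.11.11.0/24"),    # r1 side, FTD is 10.11.11.10
    "outside": ip_network("192.1.20.0/24"),   # r2 side, FTD is 192.1.20.10
    "dmz": ip_network("192.168.1.0/24"),      # r3 side
}


def zone_of(ip: str) -> str:
    """Map an address to its security zone; unknown addresses raise."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not behind any known interface")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for icmp


@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "block"
    src_zones: frozenset = frozenset()     # empty = any zone
    dst_zones: frozenset = frozenset()
    src_nets: tuple = ()                   # empty = any network
    dst_nets: tuple = ()
    ports: frozenset = frozenset()         # (proto, port) pairs; empty = any

    def matches(self, f: Flow) -> bool:
        """All populated match fields must agree with the flow."""
        if self.src_zones and zone_of(f.src_ip) not in self.src_zones:
            return False
        if self.dst_zones and zone_of(f.dst_ip) not in self.dst_zones:
            return False
        if self.src_nets and not any(ip_address(f.src_ip) in n for n in self.src_nets):
            return False
        if self.dst_nets and not any(ip_address(f.dst_ip) in n for n in self.dst_nets):
            return False
        if self.ports and (f.proto, f.dst_port) not in self.ports:
            return False
        return True


# The two rules from the video, in order, above the default "block all" action.
POLICY = [
    Rule("r1", "allow",
         src_zones=frozenset({"inside"}), dst_zones=frozenset({"outside"}),
         src_nets=(ip_network("10.11.11.0/24"),)),             # dst any, ports any
    Rule("r2 to r3", "allow",
         src_zones=frozenset({"outside"}), dst_zones=frozenset({"dmz"}),
         dst_nets=(ip_network("192.168.1.0/24"),),             # src any
         ports=frozenset({("tcp", 23), ("icmp", None)})),      # telnet + "ping" object
]
DEFAULT_ACTION = "block"


def evaluate(flow: Flow, policy=POLICY):
    """Return (action, rule_name); rule_name is 'default' when nothing matches."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


# Constructed flows mirroring the checks done in the video, plus one extra
# (r2->r3 ssh) to show that only the listed ports are opened towards the DMZ.
SAMPLE_FLOWS = {
    "r1->r2 telnet": Flow("10.11.11.1", "192.1.20.2", "tcp", 23),
    "r1->r2 ping":   Flow("10.11.11.1", "192.1.20.2", "icmp"),
    "r2->r1 ping":   Flow("192.1.20.2", "10.11.11.1", "icmp"),
    "r2->r3 telnet": Flow("192.1.20.2", "192.168.1.3", "tcp", 23),
    "r2->r3 ssh":    Flow("192.1.20.2", "192.168.1.3", "tcp", 22),
}


def evaluate_samples():
    """Evaluate every constructed flow against the policy."""
    return {label: evaluate(f) for label, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, (action, rule) in evaluate_samples().items():
        print(f"{label:14s} -> {action:5s} (rule: {rule})")
```

The model reproduces what the video observes: r1 to r2 telnet and ping are allowed by rule "r1", r2 to r3 telnet is allowed by "r2 to r3", and a new r2 to r1 ping falls through to the default block because no rule covers outside to inside. Keeping the default action at block and opening only the specific zone pairs, networks and ports you need is the least-privilege shape of the policy; the model is one-directional on purpose, since the return half of an allowed session is handled by the firewall's connection table rather than by a second rule.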
Info
Channel: BitsPlease
Views: 6,030
Keywords: cisco gns3, cisco FTD, cisco FMC, threat defense, ccie security
Id: 5bswgs3cxLc
Length: 34min 10sec (2050 seconds)
Published: Mon Feb 04 2019