How to configure a Zone-Based Firewall on Cisco router in EVE-NG Lab Video 2020

Captions
Hello guys, welcome back to another video with InfoSec Pat. In this video what I want to do is configure a zone-based firewall on a Cisco router, and we're going to have an inside and an outside, and I'll show you guys how to set up, um, you know, say for example you have a small business and you only have one little router and you want to have firewall functionalities. These are for small, you know, smaller, smaller companies, that you can actually set up your router as a firewall as well. It's called zone-based firewalls. So if you're ready to get into the video, let's get into it. Thanks guys.

[Music]

All right guys, hey, welcome back. So this is the zone-based firewalls configuration lab. We have a VPC-1, our router, which we can do this real quick, let's just, uh, let's make sure it's on. Okay, perfect. So let's go ahead and make this bigger really quick so we can see what's going on: Appearance, change, I'll do 18. Okay, perfect. All right, so let's do an enable here. Let's do show ip interface brief. First things first, let's make sure there's no IP configuration before we make any changes. All right, perfect, so the router is good.

So I want to bring the router over here for a second, and what I'm going to do, um, I want to actually, I'm going to do some text really quick. So for the network space, what we're going to do is 192.168.10.1 for the... whoa, no no no, um. So this is going to be 192.168.10.1 on Gigabit 0/0, and let's go ahead and do inside zone, inside zone, zone. All right, so let's do that, let's do this here, and then let's go ahead and put outside zone, outside zone. All right, cool deal, that's perfect right there. Let's just make this a little smaller so we can, uh, fit this in. So this PC here is going to be 10... I, 192.168.10.2 with a slash 24.

All right, so, whoa, why is it always... do you have craziness? All right, so put that here. So this is PC1, and then PC2 over here, we're going to make this bad boy 192... what is it over here? It's 192.168.1.2. So let's do that really quick, let me make sure I have all these. Yep, 1.2, so 192.168.1.2 with the slash 24. Okay, it's slash 24. All right, so that should be fine here, that's gonna be here, boom. And the outside interface, Gigabit 0/0... 0/1, 0/1, excuse me, is going to be 192.168.1.1 /24. Perfect. All right, so let's make this, uh, let me just leave it like that, that should be fine. All right, perfect. So this is the outside, this is the inside, and we should be good to go. This is pretty much our topology.

So let's bring the router back in. Actually, before we put the router back in, let's configure the VPCs. Uh, let's go ahead and make this bigger, change settings, and we do 18. Okay, perfect. So first things first, first things first, we're gonna do show ip. So there's nothing configured, so we'll do ip 192.168.10.2, right, .2, yep, /24, okay, and then 192.168.10.1 for the gateway. All right, so that's gonna configure that. Once that's done we could use show ip again, and now that's configured. Perfect. Let's X out of here and now let's go ahead and configure PC number two. So do show ip, do the same thing, I'm just going to do it really quick: ip 192.168.1.2 24 and 192.168.1.1. Okay, so do the same thing, and then we'll bring up the router and start. show ip, show ip. All right, so that IP is configured.

So let's open up the, uh, the firewall again, make this bigger, which I don't know why it does that, but 18 should be good. All right, cool deal, so we can make this bigger. All right, so we can start configuring this bad boy. So let's go configure terminal. Do the hostname first. The hostname is gonna be zone based firewall router one. All right, that's what I'm going to end up naming that. So now what we can do is configure the interfaces. So interface gigabit 0/1. So 0/1 is on the outside, I believe. Yep, the outside. So we can do description real quick: outside, outside, outside, that's fine. And, um, so the next thing we're going to do is do the IP address, and for this one it's going to be 192.168.1.1 with a 24-bit mask, and then no shutdown. All right, perfect. And now we're going to go ahead and get into Gigabit 0/0: interface gig 0/0, and now we do ip address 192.168.10.1 with the 24-bit mask, and into the description really quick, and this is going to be inside, no shutdown. All right, so now we're going to do show ip interface brief. Now we can see those two are up. All right, so, all right, so I think we should... let's do show running-config. Now we should see the interfaces right here. This is, uh, the interface for the inside and this is the interface for the outside. Here we go, boom, and as you can see here, there's the inside and this is the outside. All right, so we're making progress.

So let's go back into configure terminal. So the next thing we're going to do is let's make sure we have everything configured, set up here. All right, so the next thing we're going to do is, let's see what we want to do first. All right, let's just do the class map first. We can do a class-map type, and then the type is going to be inspect, and then match it, sorry, match, uh, any, and then the word here I want to use is my_class_map. All right, that's, that's, that's the name of my map, the class map I'm going to use for this, for this demo. So match protocol, and what protocol we want to do? We can do ICMP, we can do a whole bunch of them here, but we're going to do ICMP, uh, just because it's just ping. So before we actually do that, okay, and we'll do a before and after, so I'll do icmp. Okay, so we're gonna match on that. Okay, so once we match on that, that means it's going to allow that. If we negate it, then it will stop that, once this configuration is done.

All right, so now we can exit out of here and we can create the policy map. So the policy-map type, so what we're going to do here is, what kind of type? We're going to inspect, right, because we want to configure the firewall policy map. So inspect, and then if we question mark here, and we're going to do, what are we going to inspect? Do you know, we're going to inspect my pot... like, word right here, I'm going to do my policy map, okay, my_policy_map. All right, so now that's going to configure the firewall policy map for my policy map, so I made my own. Okay, so we're going to do class question mark, and what are we going to do? We're going to do a type of clap... we're going to do a type of class map. I'm going to do a question mark, we're going to inspect, and then the word that we're going to inspect, so here the class, and the class map name I have written down here, thank God, it's, um, my classmate, so my_class_map. Okay, perfect. So now we should type inspect question mark, and that's it, just inspect, and exit here. All right, so exit. All right, so now we're just back in configuration mode.

So now what we're going to do is zone, oh not that, zone, and this should be security, and then inside, I'm going to name it inside. All right, and then exit, and then, and then I'm going to do outside, outside. Perfect. And then X out of here, and now we're going to do the, the zone pair, right. Like, we do question mark, we have a whole boatload of stuff here, go all the way down, we're going to do a zone-pair. Okay, so zone-pair question mark, security question mark, and then the name of it. So I want to name it in-to-out, so pretty much in to out, okay. And then the source is the next one, and then what are we going to do from the source? We're gonna do inside, and then the destination, it's gonna be outside. Okay. Oh man. So now we use the service-policy type, and I inspect question mark, and the policy that we named it, that I named it in this, is gonna be my_policy_map. Okay, and enter there. Perfect. Now we can exit out of here.

Now what we have to do quickly is get into the interfaces and assign them the zone membership. So let's go into interface gig 0/0, and now if we do zone-member question mark, security question mark, and then this is gonna be, um, inside, right, because this is the 0/0. Let's make sure 0/0 is inside. Yes, so inside, perfect. And now we can just put a quick description, I'm gonna put inside zone. Okay, perfect. So now quick thing we can do is get into the next interface, which is going to be the outside, so interface gig 0/1, and then here we do zone, same pretty much, let's actually hit zone, and this is going to be for the outside. Perfect. And let's do a description real quick: outside zone. Perfect. All right, so we exited here, X out of here, write the config. So pretty much what we're doing here is just doing a stateful firewall configuration, that's pretty much what a zone-based firewall is.

So what we can do now, before we do anything, let's go back to configure terminal. So I want to move this down, so let's go from PC1, this bloody thing, um, let's X out of here, let's go back into PC1 and let's make this bigger, I don't know why it does that, but it's so annoying. All right, so now let's try to ping 192.168.1.2. It's pinging, and that's, that's PC2 over here. So now let's go back into the firewall, or in this case the, the router, and now if we go ahead and go to the policy map, the class map, sorry. So if I do, I'm just going to copy this really quick, copy, and I want to paste it so I don't have to do... so now if we do match inspect, or match protocol, sorry, and then the protocol is ICMP, right. So crap, I just do, so icmp, but if I negate this, so I'm going to put no. So now let's see if we can ping it. Now it's going to say nope, sorry, you're not permitted. You see that? Now the, now the, the pings, the ICMP requests, are timed out. And now let's go ahead and put up, and let's go ahead and match it, enter, and now it should work again. Boom, see that? So that's pretty much how you configure a zone-based firewall.

So I want to show you one more thing. What we can do here is just do some show commands. So let's end this, let's write the config, make sure that's all good. Let's actually take this out, yet the background, so it doesn't confuse anyone. So now what we can do is show class-map type inspect, and now we can see the cl... the class map that it's inspecting is ICMP, because we don't have any web servers, so we didn't do HTTP, we don't have any mail servers for POP or ice... uh, SMTP or whatever, quote unquote. So another one we could do is show policy-map and then type policy... show policy-map, it's been a while, yeah, policy map, maybe I'm just a... show policy-map inspect, no, type, I got it, t-y-p-e, t-y-p-e, and then inspect, and then we can see here there's the, the policy, the policy map that we have configured, um, on our firewall. All right, and then, you know, I'll do one more, I'll do show zone-pair security, and then we can see the configuration for the security, the service policy which we made, my_policy_map.

All right, so this is pretty much how you configure a zone-based firewall on a Cisco router, and what I'm using here is, um, what kind of router is this? It's just a, an IOS image, but, uh, do, let's show flash, show flash, um, let's do show version. It's, I guess it's just like the IOSv, so it's just like a little, um, I'm not even sure, but that's how you go ahead and configure zone-based firewall in, in a Cisco environment. So that's, uh, that's pretty much sums it up. So hopefully you guys enjoyed the video. Please like, subscribe, if you have any questions about the configuration, let me know, my social media, or leave a comment below. Again, have a good one, please like, subscribe, and, you know, all that good stuff. Thanks guys, take care.
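The configuration the video builds up interactively, collected here as one IOS config. This is an added example and not output from the video or the channel; the addresses, zone names, class-map, policy-map and zone-pair names are the ones the speaker uses, while the hostname `ZBF-R1` and the explicit `class class-default` / `drop` (which is the implicit default action of an inspect policy-map) are assumptions added for clarity.

```cisco
! Added example: the zone-based firewall from the lab as a single config.
! Hostname is assumed; the speaker types a longer name in the video.
hostname ZBF-R1
!
! Class-map: which traffic the policy acts on. Only ICMP in this lab;
! other protocols (http, smtp, ...) can be added as further match lines.
class-map type inspect match-any my_class_map
 match protocol icmp
!
! Policy-map: "inspect" permits the matched traffic and keeps session state,
! so replies are allowed back even though there is no outside->inside pair.
policy-map type inspect my_policy_map
 class type inspect my_class_map
  inspect
 class class-default
  drop
!
! Zones must exist before an interface can join them.
zone security inside
zone security outside
!
! Zone-pair: the policy applies only to sessions initiated inside -> outside.
zone-pair security in-to-out source inside destination outside
 service-policy type inspect my_policy_map
!
interface GigabitEthernet0/0
 description inside zone
 ip address 192.168.10.1 255.255.255.0
 zone-member security inside
 no shutdown
!
interface GigabitEthernet0/1
 description outside zone
 ip address 192.168.1.1 255.255.255.0
 zone-member security outside
 no shutdown
!
end
```

With this in place a ping from PC1 (192.168.10.2) to PC2 (192.168.1.2) succeeds, and the speaker's before/after test is `no match protocol icmp` under the class-map, after which the same ping times out because nothing in the policy permits it. Two points worth checking on your own lab: traffic initiated from the outside zone toward the inside is dropped because no `outside`-to-`inside` zone-pair exists (the default between two zones with no pair), while traffic to the router itself belongs to the built-in `self` zone and is not filtered by this policy. `show zone-pair security`, `show policy-map type inspect`, and `show policy-map type inspect zone-pair sessions` show the configured pair, the policy, and the sessions the inspect action is currently tracking.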
Info
Channel: InfoSec Pat
Views: 918
Keywords: CCNA Security Lab, ZPF, zone-based policy firewall, router, EVE-NG Labs, ccnp security 2020, cisco, zone-based, firewall, ccnp, ccna, training, ccie, security, network, Management, Technology, Data, Software, System, Business, Information, Computer, Solutions
Id: rf-c06f0DiU
Length: 18min 13sec (1093 seconds)
Published: Wed Feb 12 2020