******************************************
           Zone-based Firewall
******************************************

=================================================
Lab 1 - Base setup
=================================================

---- R1 ----

en
config t
no ip domain-lookup
!
hostname R1
!
interface loopback0
 ip address 1.1.1.1 255.0.0.0
!
interface E 0/0
 ip address 192.1.12.1 255.255.255.0
 no shut
!
ip route 192.1.23.0 255.255.255.0 192.1.12.2
ip route 192.1.24.0 255.255.255.0 192.1.12.2
ip route 192.1.25.0 255.255.255.0 192.1.12.2
!
line vty 0 4
 password cisco
 login
 transport input all

---- R2 ----

en
config t
no ip domain-lookup
!
hostname R2
!
interface E 0/0
 ip address 192.1.12.2 255.255.255.0
 no shut
!
interface E 0/1
 ip address 192.1.23.2 255.255.255.0
 no shut
!
interface E 0/2
 ip address 192.1.24.2 255.255.255.0
 no shut
!
interface E 0/3
 ip address 192.1.25.2 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 192.1.12.1
!
line vty 0 4
 password cisco
 login
 transport input all

---- R3 ----

en
config t
no ip domain-lookup
!
hostname R3
!
interface E 0/0
 ip address 192.1.23.3 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 192.1.23.2
!
line vty 0 4
 password cisco
 login
 transport input all

---- R4 ----

en
config t
no ip domain-lookup
!
hostname R4
!
interface E 0/0
 ip address 192.1.24.4 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 192.1.24.2
!
line vty 0 4
 password cisco
 login
 transport input all

---- R5 ----

en
config t
no ip domain-lookup
!
hostname R5
!
interface E 0/0
 ip address 192.1.25.5 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 192.1.25.2
!
line vty 0 4
 password cisco
 login
 transport input all

=================================================
Lab 2 - Configure R2 as a Zone-based Firewall
=================================================

----------------------------
1. Create the Zones
----------------------------

---- R2 ----

zone security OUTSIDE
zone security INSIDE
zone security DMZ

--------------------------------------
2.
Assign the interfaces to the Zones
--------------------------------------

---- R2 ----

interface E0/0
 zone-member security OUTSIDE
!
interface E0/1
 zone-member security INSIDE
!
interface E0/2
 zone-member security INSIDE
!
interface E0/3
 zone-member security DMZ

============================================================
Lab 3 - Configure a Zone Pair policy from INSIDE To OUTSIDE
============================================================

----------------------------
1. Classify the traffic
----------------------------

class-map type inspect match-any CM-I-O
 match protocol http
 match protocol https
 match protocol dns
 match protocol smtp
 match protocol icmp
 match protocol telnet

--------------------------------------------------
2. Specify the Action for the classified Traffic
--------------------------------------------------

policy-map type inspect PM-I-O
 class CM-I-O
  inspect

--------------------------------------------------
3. Configure a Zone-Pair Policy
--------------------------------------------------

zone-pair security I-O source INSIDE destination OUTSIDE
 service-policy type inspect PM-I-O

Verification:
--------------
sh policy-map type inspect zone-pair I-O sessions
[ This command is like the show conn command on the ASA ]

============================================================
Lab 4 - Configure a Zone Pair policy from INSIDE To DMZ
============================================================

----------------------------
1. Classify the traffic
----------------------------

class-map type inspect match-any CM-I-D
 match protocol http
 match protocol dns
 match protocol icmp
 match protocol telnet

--------------------------------------------------
2. Specify the Action for the classified Traffic
--------------------------------------------------

policy-map type inspect PM-I-D
 class CM-I-D
  inspect

--------------------------------------------------
3.
Configure a Zone-Pair Policy
--------------------------------------------------

zone-pair security I-D source INSIDE destination DMZ
 service-policy type inspect PM-I-D

Verification:
--------------
sh policy-map type inspect zone-pair I-D sessions
[ This command is like the show conn command on the ASA ]

============================================================
Lab 5 - Configure a Zone Pair policy from OUTSIDE To DMZ
============================================================

----------------------------
1. Classify the traffic
----------------------------

access-list 101 permit ip any host 192.1.25.12
access-list 102 permit ip any host 192.1.25.13
access-list 103 permit ip any host 192.1.25.11
access-list 104 permit ip any host 192.1.25.5
!
class-map type inspect match-all CM-O-D-DNS
 match protocol dns
 match access-group 101
!
class-map type inspect match-all CM-O-D-MAIL
 match protocol smtp
 match access-group 102
!
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
!
class-map type inspect match-all CM-O-D-WEB
 match class-map CM-WEB
 match access-group 103
!
class-map type inspect match-any CM-R5
 match protocol icmp
 match protocol ssh
 match protocol telnet
!
class-map type inspect match-all CM-O-D-R5
 match class-map CM-R5
 match access-group 104

--------------------------------------------------
2. Specify the Action for the classified Traffic
--------------------------------------------------

policy-map type inspect PM-O-D
 class CM-O-D-DNS
  inspect
 class CM-O-D-MAIL
  inspect
 class CM-O-D-WEB
  inspect
 class CM-O-D-R5
  inspect

--------------------------------------------------
3.
Configure a Zone-Pair Policy
--------------------------------------------------

zone-pair security O-D source OUTSIDE destination DMZ
 service-policy type inspect PM-O-D

Verification:
--------------
sh policy-map type inspect zone-pair O-D sessions
[ This command is like the show conn command on the ASA ]

============================================================
Lab 6 - Configure a Custom Application Port Mapping
============================================================

----------------------------
1. Create the mapping
----------------------------

ip port-map user-RDP port tcp 3389

--------------------------------------
2. Use the mapping in your Class Map
--------------------------------------

class-map type inspect match-any CM-I-D
 match protocol user-RDP

******************************************
                   FTD
******************************************

==================================
Lab # 1 - Initializing FMC - CLI
==================================

1. Login using the default creds (admin/Admin123)

2. Configure the IP address for FMC

   sudo configure-network
   Password: Admin123
   IPv4 Address: 192.168.100.50
   Subnet Mask: 255.255.255.0
   Default Gateway: 192.168.100.254
   Save : Y

==================================
Lab # 2 - Initializing FMC - GUI
==================================

---------------------
Initializing Page
---------------------
Password: Kbits@123
Confirm Password: Kbits@123

---------------------------------------------
Verify IP Configuration and Change Hostname
---------------------------------------------
IP Address: 192.168.100.50
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.100.254
Hostname: FMC
Domain Name: Kbits.live

Change the Timezone: Asia/Dubai

Apply the Changes:
Note: You need to wait for a bit for it to come back.
-----------------
Licensing
-----------------
System -> Licensing -> Smart Licensing -> Evaluation Mode -> Activate Evaluation Period

==================================
Lab # 3 - Initializing FTD
==================================

1. Login using the default creds (admin/Admin123)
2. Accept the EULA
3. Change the default password (Kbits@123)
4. Configure the IP Address for FTD Management Interface
   IPv4 Address: 192.168.100.51
   Subnet Mask: 255.255.255.0
   Default Gateway: 192.168.100.254
   Hostname: FTD.Kbits.live
5. Using Local Administration (No)
6. Configure the Firewall Mode (Routed/Transparent)
   Routed
7. Configure the relationship with FMC
   configure manager add 192.168.100.50 cisco123
8. Verifying the connectivity
   ping system 192.168.100.50

======================================
Lab # 4 - Registering the FTD on FMC
======================================

Devices -> Device Management -> Add Device
  Address: 192.168.100.51
  Display Name: FTD-1
  Registration Key: cisco123
  Default Policy : FTD-1-ACP (Block All traffic)
  Enable the licenses and Add

Note: The process to finish registration takes approximately 5-10 minutes

======================================
Lab # 5 - Configure the FTD Interfaces
======================================

Devices -> Device Management -> FTD1 -> Edit -> Interfaces

Interface : Gig0/0
  Name: Outside
  Enabled: Check
  Zone: OUTSIDE
  IP Address: 192.1.20.10/24

Interface : Gig0/1
  Name: Inside
  Enabled: Check
  Zone: INSIDE
  IP Address: 10.11.11.10/24

Interface : Gig0/2
  Name: DMZ
  Enabled: Check
  Zone: DMZ
  IP Address: 192.168.1.10/24

======================================
Lab # 6 - Configure the Routers
======================================

-------------
R1
-------------
en
config t
!
no ip domain-lookup
line con 0
 logging synchronous
 no exec-timeout
!
hostname R1
!
interface E 0/0
 ip address 10.11.11.1 255.255.255.0
 no shut
!
interface loopback0
 ip address 10.1.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface loopback1
 ip address 10.10.10.10 255.255.255.0
 ip ospf network point-to-point
!
! Note: loopback1 and loopback10 are both listed with 10.10.10.10/24 here; IOS rejects
! the second one as overlapping, so one of the two needs a different address.
interface loopback10
 ip address 10.10.10.10 255.255.255.0
 ip ospf network point-to-point
!
interface loopback11
 ip address 10.111.111.111 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10
!
line vty 0 4
 password cisco
 login
 transport input all

-------------
R2
-------------
en
config t
!
no ip domain-lookup
line con 0
 logging synchronous
 no exec-timeout
!
hostname R2
!
interface E 0/0
 ip address 192.1.20.2 255.255.255.0
 no shut
!
interface loopback0
 ip address 2.2.2.2 255.0.0.0
!
interface loopback199
 ip address 199.1.1.1 255.255.255.0
!
interface loopback200
 ip address 200.1.1.1 255.255.255.0
!
router bgp 200
 network 199.1.1.0
 network 200.1.1.0
 neighbor 192.1.20.10 remote-as 1000
!
line vty 0 4
 password cisco
 login
 transport input all

-------------
R3
-------------
en
config t
!
no ip domain-lookup
line con 0
 logging synchronous
 no exec-timeout
!
hostname R3
!
interface E 0/0
 ip address 192.168.1.3 255.255.255.0
 no shut
!
interface loopback0
 ip address 10.3.3.3 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.10
!
line vty 0 4
 password cisco
 login
 transport input all

======================================
Lab # 7 - Configure the FTD Routing
======================================

-> Devices -> Device Management -> FTD1 -> Edit -> Routing
-> Enable OSPF towards the Inside & DMZ (Demonstrated in Video)
-> Enable BGP towards the outside (Demonstrated in Video)
-> Configure a Static Route (Demonstrated in Video)
-> Redistribute between the Routing Protocols.
-> Redistribute Connected Networks into the Routing Protocols.
=====================================================================
Lab # 8 - NAT [Dynamic/Static NAT, Dynamic/Static PAT, Manual NAT]
=====================================================================

Devices -> NAT -> Add a new Threat Defense NAT Policy

__________________________
Auto-NAT / Object NAT
__________________________

-------------
Dynamic NAT
-------------
Inside-Network 10.11.11.0/24 should be able to go out using a Public range of
192.1.20.51-192.1.20.254

-------------
Static NAT
-------------
DMZ - Web Server - 192.168.1.11 => 192.1.20.21
      DNS Server - 192.168.1.12 => 192.1.20.22
      E-MAIL     - 192.168.1.13 => 192.1.20.23
      R3         - 192.168.1.3  => 192.1.20.24

-------------
Dynamic PAT
-------------
Inside-Network 10.10.10.0/24 should be able to go out using a Public address of
192.1.20.5. This is for all users from the 10.10.10.0/24 network to access the
Internet.

-------------
Static PAT
-------------
DMZ - Web Server - 192.168.1.14 => 192.1.20.6 TCP/80
      DNS Server - 192.168.1.15 => 192.1.20.6 UDP/53
      E-MAIL     - 192.168.1.16 => 192.1.20.6 TCP/25
      R33        - 10.3.3.3(23) => 192.1.20.6 TCP/2999

_________________________
Manual-Twice-NAT
_________________________

------------------------
Policy NAT
------------------------
Translate R1 (10.11.11.1) based on the following flows:

1. When R1 communicates to 199.1.1.1, translate it to 192.1.20.31
2.
When R1 communicates to 200.1.1.1, translate it to 192.1.20.32

=========================================================================================
Lab # 9 - Access Policy - Basic
=========================================================================================

Policies -> Access Control -> Access Control -> FTD-ACP -> Edit (Pencil)

-> Allow all traffic from Inside to Outside
-> Allow incoming traffic based on the Static NAT configured in the previous Lab

OUTSIDE - TO - DMZ
--------------------

Rule#1
------------
OUTSIDE Zone -> DMZ Zone
Source IP: any-ipv4
Destination IP: WWW1 & WWW2
Port#: HTTP(80) & HTTPS (443)

Rule#2
------------
OUTSIDE Zone -> DMZ Zone
Source IP: any-ipv4
Destination IP: DNS1 & DNS2
Port#: UDP(53)

Rule#3
------------
OUTSIDE Zone -> DMZ Zone
Source IP: any-ipv4
Destination IP: EMAIL1 & EMAIL2
Port#: SMTP(25)

Rule#4
------------
OUTSIDE Zone -> DMZ Zone
Source IP: any-ipv4
Destination IP: R3 & R33
Port#: Telnet(23), SSH(22) & PING(ICMP-Echo Request)

=========================================================================================
Lab # 10 - Access Policy Geolocation Block
=========================================================================================

Policies -> Access Control -> Access Control -> FTD-ACP -> Edit (Pencil)

Block all traffic coming in from the Outside zone that is sourced from North Korea.
Make it the 1st rule in the Mandatory category.

=========================================================================================
Lab # 11 - Access Policy AVC Block
=========================================================================================

Policies -> Access Control -> Access Control -> FTD-ACP -> Edit (Pencil)

Block all Medium, High & Very High Risk applications. This should be applied to
traffic from INSIDE to OUTSIDE Zones. Make it the 2nd rule in the Mandatory category.

Block Facebook Video Chats from INSIDE to OUTSIDE Zones. Make it the 3rd rule in the
Mandatory category.
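Lab 8 above lists the NAT requirements but not the order in which the firewall consults them, which is what decides that R1's policy NAT wins over the dynamic NAT that also covers 10.11.11.0/24. The following Python model is an added example, not Cisco code and not part of the lab notes. It assumes the documented ASA/FTD ordering (manual NAT in section 1 before auto NAT in section 2; within section 2 static rules before dynamic, then fewest real addresses, lowest real address, then object name), invents the rule names, and reports a dynamic pool as a range instead of allocating a specific address.

```python
# Added example (not Cisco code, not from the lab notes): NAT rule ordering for Lab 8.
# Assumptions: rule names are invented; section 1 = manual NAT (before auto NAT),
# section 2 = auto/object NAT sorted static-before-dynamic, fewest real addresses,
# lowest real address, then name; dynamic pools are reported as a range.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Port = Tuple[str, int]   # (protocol, port), e.g. ("tcp", 23)


@dataclass
class NatRule:
    name: str
    section: int                       # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual after-auto
    kind: str                          # "static", "static-pat", "dynamic", "dynamic-pat"
    real_src: str                      # real source host/network (CIDR)
    mapped: str                        # translated address, pool range or PAT address
    real_dst: Optional[str] = None     # manual NAT only: destination condition (CIDR)
    real_port: Optional[Port] = None   # static PAT: real service port
    mapped_port: Optional[int] = None  # static PAT: translated port


# The Lab 8 requirements; the names are this example's own labels
RULES = [
    # Manual twice NAT (policy NAT), section 1, kept in configured order
    NatRule("POLICY-R1-TO-199", 1, "static", "10.11.11.1/32", "192.1.20.31", real_dst="199.1.1.1/32"),
    NatRule("POLICY-R1-TO-200", 1, "static", "10.11.11.1/32", "192.1.20.32", real_dst="200.1.1.1/32"),
    # Auto NAT (object NAT), section 2
    NatRule("DYN-NAT-INSIDE", 2, "dynamic", "10.11.11.0/24", "192.1.20.51-192.1.20.254"),
    NatRule("STATIC-WEB", 2, "static", "192.168.1.11/32", "192.1.20.21"),
    NatRule("STATIC-DNS", 2, "static", "192.168.1.12/32", "192.1.20.22"),
    NatRule("STATIC-EMAIL", 2, "static", "192.168.1.13/32", "192.1.20.23"),
    NatRule("STATIC-R3", 2, "static", "192.168.1.3/32", "192.1.20.24"),
    NatRule("DYN-PAT-10-10", 2, "dynamic-pat", "10.10.10.0/24", "192.1.20.5"),
    NatRule("STATIC-PAT-WEB2", 2, "static-pat", "192.168.1.14/32", "192.1.20.6", real_port=("tcp", 80), mapped_port=80),
    NatRule("STATIC-PAT-DNS2", 2, "static-pat", "192.168.1.15/32", "192.1.20.6", real_port=("udp", 53), mapped_port=53),
    NatRule("STATIC-PAT-EMAIL2", 2, "static-pat", "192.168.1.16/32", "192.1.20.6", real_port=("tcp", 25), mapped_port=25),
    NatRule("STATIC-PAT-R33", 2, "static-pat", "10.3.3.3/32", "192.1.20.6", real_port=("tcp", 23), mapped_port=2999),
]


def _sort_key(item):
    idx, r = item
    if r.section != 2:
        return (r.section, 0, 0, 0, idx, "")      # manual NAT keeps configured order
    net = ipaddress.ip_network(r.real_src)
    is_dynamic = r.kind.startswith("dynamic")
    return (2, int(is_dynamic), net.num_addresses, int(net.network_address), 0, r.name)


def evaluation_order(rules=RULES):
    """Rules in the order the firewall consults them (first match wins)."""
    return [r for _, r in sorted(enumerate(rules), key=_sort_key)]


def _matches(r, real_ip, dst_ip, proto, real_port):
    if ipaddress.ip_address(real_ip) not in ipaddress.ip_network(r.real_src):
        return False
    if r.real_dst and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r.real_dst):
        return False
    if r.real_port and r.real_port != (proto, real_port):
        return False
    return True


def translate(real_ip, dst_ip, proto="tcp", real_port=None, rules=RULES):
    """Source translation for a packet from real_ip (service port real_port) to dst_ip.
    Returns (rule name, mapped address[:port]) or None when no rule applies."""
    for r in evaluation_order(rules):
        if _matches(r, real_ip, dst_ip, proto, real_port):
            mapped = r.mapped if r.mapped_port is None else f"{r.mapped}:{r.mapped_port}"
            return (r.name, mapped)
    return None


if __name__ == "__main__":
    print("Evaluation order:", [r.name for r in evaluation_order()])
    for args in [("10.11.11.1", "199.1.1.1"), ("10.11.11.1", "200.1.1.1"), ("10.11.11.1", "2.2.2.2"),
                 ("10.11.11.50", "199.1.1.1"), ("10.10.10.10", "2.2.2.2"),
                 ("10.3.3.3", "2.2.2.2", "tcp", 23), ("10.3.3.3", "2.2.2.2", "tcp", 22)]:
        print(args, "->", translate(*args))
```

Running it shows the two policy NAT rules consulted before everything else, so R1 is translated to 192.1.20.31 or 192.1.20.32 only for the two listed destinations and falls back to the dynamic pool for any other destination; a host such as 10.11.11.50 never sees the policy rules, and R33's static PAT only applies to TCP/23.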
=========================================================================================
Lab # 12 - Access Policy URL Filtering
=========================================================================================

Policies -> Access Control -> Access Control -> FTD-ACP -> Edit (Pencil)

Add a rule to the Mandatory Category to block the following URL Categories. Make it
the 4th rule in the Mandatory category. This should be done for Traffic from the
INSIDE zone to the OUTSIDE zone:
  ➢ Adult & Pornography
  ➢ Gambling
  ➢ Games

Debugging:
------------
system support firewall-engine-debug
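Labs 9-12 build FTD-ACP one rule at a time, and the "make it the 1st/2nd/3rd/4th rule" instructions matter because the policy is evaluated top-down with the first match winning. The following Python model is an added example, not Cisco code and not part of the lab notes. It assumes that the Lab 9 object names map to the real (pre-NAT) DMZ addresses from Lab 8 (WWW1/WWW2 = 192.168.1.11/.14, DNS1/DNS2 = .12/.15, EMAIL1/EMAIL2 = .13/.16, R3 = 192.168.1.3, R33 = 10.3.3.3), invents the rule names, and treats application, risk, URL category and source country as attributes the firewall has already identified (on a real FTD an application or URL condition cannot match until enough packets have been seen to identify them, so those rules start acting a few packets into the connection).

```python
# Added example (not Cisco code, not from the lab notes): top-down, first-match model
# of the FTD-ACP from Labs 9-12. Object-to-address mapping and rule names are assumptions.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Conn:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str                          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None         # port, or ICMP type (8 = echo request)
    src_country: Optional[str] = None   # geolocation result, None if unknown
    app: Optional[str] = None           # AVC application name once identified
    app_risk: Optional[str] = None      # "Very Low" .. "Very High"
    url_category: Optional[str] = None  # URL category once identified


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "block"
    src_zones: Set[str] = field(default_factory=set)          # empty set = any
    dst_zones: Set[str] = field(default_factory=set)
    dst_ips: Set[str] = field(default_factory=set)
    ports: Set[Tuple[str, int]] = field(default_factory=set)
    src_countries: Set[str] = field(default_factory=set)
    apps: Set[str] = field(default_factory=set)
    app_risks: Set[str] = field(default_factory=set)
    url_categories: Set[str] = field(default_factory=set)

    def matches(self, c: Conn) -> bool:
        """Every non-empty condition must match; an empty condition means 'any'."""
        checks = [
            (self.src_zones, c.src_zone), (self.dst_zones, c.dst_zone),
            (self.dst_ips, c.dst_ip), (self.ports, (c.proto, c.dport)),
            (self.src_countries, c.src_country), (self.apps, c.app),
            (self.app_risks, c.app_risk), (self.url_categories, c.url_category),
        ]
        return all(not cond or value in cond for cond, value in checks)


# Assumed mapping of the Lab 9 objects to the real DMZ addresses of Lab 8
WEB = {"192.168.1.11", "192.168.1.14"}        # WWW1, WWW2
DNS = {"192.168.1.12", "192.168.1.15"}        # DNS1, DNS2
MAIL = {"192.168.1.13", "192.168.1.16"}       # EMAIL1, EMAIL2
ROUTERS = {"192.168.1.3", "10.3.3.3"}         # R3, R33

# Mandatory rules 1-4 (Labs 10-12) first, then the Lab 9 allow rules
FTD_ACP = [
    Rule("GEO-BLOCK-NK", "block", src_zones={"OUTSIDE"}, src_countries={"North Korea"}),
    Rule("AVC-RISK-BLOCK", "block", src_zones={"INSIDE"}, dst_zones={"OUTSIDE"},
         app_risks={"Medium", "High", "Very High"}),
    Rule("FB-VIDEO-CHAT-BLOCK", "block", src_zones={"INSIDE"}, dst_zones={"OUTSIDE"},
         apps={"Facebook Video Chat"}),
    Rule("URL-CAT-BLOCK", "block", src_zones={"INSIDE"}, dst_zones={"OUTSIDE"},
         url_categories={"Adult & Pornography", "Gambling", "Games"}),
    Rule("INSIDE-TO-OUTSIDE", "allow", src_zones={"INSIDE"}, dst_zones={"OUTSIDE"}),
    Rule("OUTSIDE-DMZ-WEB", "allow", src_zones={"OUTSIDE"}, dst_zones={"DMZ"}, dst_ips=WEB,
         ports={("tcp", 80), ("tcp", 443)}),
    Rule("OUTSIDE-DMZ-DNS", "allow", src_zones={"OUTSIDE"}, dst_zones={"DMZ"}, dst_ips=DNS,
         ports={("udp", 53)}),
    Rule("OUTSIDE-DMZ-MAIL", "allow", src_zones={"OUTSIDE"}, dst_zones={"DMZ"}, dst_ips=MAIL,
         ports={("tcp", 25)}),
    Rule("OUTSIDE-DMZ-ROUTERS", "allow", src_zones={"OUTSIDE"}, dst_zones={"DMZ"}, dst_ips=ROUTERS,
         ports={("tcp", 23), ("tcp", 22), ("icmp", 8)}),
]
DEFAULT_ACTION = "block"   # Lab 4: the policy's default action is "Block All traffic"


def evaluate(conn: Conn, policy=FTD_ACP):
    """Walk the policy top-down; return (action, rule name) of the first matching rule."""
    for rule in policy:
        if rule.matches(conn):
            return (rule.action, rule.name)
    return (DEFAULT_ACTION, "default-action")


if __name__ == "__main__":
    samples = [   # constructed connections
        Conn("INSIDE", "OUTSIDE", "10.11.11.1", "199.1.1.1", "tcp", 443, app="HTTPS", app_risk="Low", url_category="Business"),
        Conn("INSIDE", "OUTSIDE", "10.11.11.1", "199.1.1.1", "tcp", 443, app="BitTorrent", app_risk="High"),
        Conn("INSIDE", "OUTSIDE", "10.11.11.1", "199.1.1.1", "tcp", 80, app="HTTP", app_risk="Low", url_category="Gambling"),
        Conn("OUTSIDE", "DMZ", "2.2.2.2", "192.168.1.11", "tcp", 80, src_country="North Korea"),
        Conn("OUTSIDE", "DMZ", "2.2.2.2", "192.168.1.14", "tcp", 443, src_country="Germany"),
        Conn("OUTSIDE", "DMZ", "2.2.2.2", "192.168.1.11", "tcp", 22),
        Conn("DMZ", "OUTSIDE", "192.168.1.3", "2.2.2.2", "tcp", 80),
    ]
    for s in samples:
        print(f"{s.src_zone}->{s.dst_zone} {s.dst_ip} {s.proto}/{s.dport}: {evaluate(s)}")
```

Two things the walk makes visible: a connection from North Korea to WWW1 on port 80 is stopped by rule 1 even though rule 6 would allow it, and there is no rule for DMZ-initiated traffic towards OUTSIDE, so it falls through to the policy's block-all default action.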
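Looking back at the Zone-based Firewall part of these notes (Labs 2-6), the class-maps, policy-maps and zone-pairs on R2 combine into a decision for every new flow, and the combination of match-any, match-all, nested class-maps and ACLs is easier to see in code than in the CLI. The following Python model is an added example, not Cisco code and not part of the lab notes. It assumes that protocols are recognised by L4 port through a port-map table (the built-in entries listed are the IOS defaults for those protocols, user-RDP is the Lab 6 custom mapping), that ACLs 101-104 are the "permit ip any host X" lines of Lab 5, and it models only the first packet of a new flow; return traffic of an inspected session is allowed by the state table and is not modelled.

```python
# Added example (not Cisco code, not from the lab notes): how the R2 ZBF of Labs 2-6
# decides the fate of a NEW flow. Port-to-protocol resolution and ACL matching are
# simplified; return traffic of inspected sessions is not modelled.

# Lab 6: ip port-map user-RDP port tcp 3389, plus the default mappings the labs rely on
PORT_MAP = {
    ("tcp", 80): "http", ("tcp", 443): "https",
    ("udp", 53): "dns", ("tcp", 53): "dns",
    ("tcp", 25): "smtp", ("tcp", 23): "telnet", ("tcp", 22): "ssh",
    ("tcp", 3389): "user-RDP",
}

# Lab 5: the numbered ACLs referenced by "match access-group" (permit ip any host X)
ACLS = {101: "192.1.25.12", 102: "192.1.25.13", 103: "192.1.25.11", 104: "192.1.25.5"}

# Labs 3-6: class-map name -> (mode, list of (criterion, value))
CLASS_MAPS = {
    "CM-I-O": ("match-any", [("protocol", p) for p in ("http", "https", "dns", "smtp", "icmp", "telnet")]),
    "CM-I-D": ("match-any", [("protocol", p) for p in ("http", "dns", "icmp", "telnet", "user-RDP")]),
    "CM-O-D-DNS": ("match-all", [("protocol", "dns"), ("access-group", 101)]),
    "CM-O-D-MAIL": ("match-all", [("protocol", "smtp"), ("access-group", 102)]),
    "CM-WEB": ("match-any", [("protocol", "http"), ("protocol", "https")]),
    "CM-O-D-WEB": ("match-all", [("class-map", "CM-WEB"), ("access-group", 103)]),
    "CM-R5": ("match-any", [("protocol", "icmp"), ("protocol", "ssh"), ("protocol", "telnet")]),
    "CM-O-D-R5": ("match-all", [("class-map", "CM-R5"), ("access-group", 104)]),
}

# Labs 3-5: policy-map -> ordered (class, action); the implicit class-default drops
POLICY_MAPS = {
    "PM-I-O": [("CM-I-O", "inspect")],
    "PM-I-D": [("CM-I-D", "inspect")],
    "PM-O-D": [("CM-O-D-DNS", "inspect"), ("CM-O-D-MAIL", "inspect"),
               ("CM-O-D-WEB", "inspect"), ("CM-O-D-R5", "inspect")],
}

# Lab 2: interface -> zone; Labs 3-5: (source zone, destination zone) -> policy-map
ZONE_OF_IF = {"E0/0": "OUTSIDE", "E0/1": "INSIDE", "E0/2": "INSIDE", "E0/3": "DMZ"}
ZONE_PAIRS = {("INSIDE", "OUTSIDE"): "PM-I-O",
              ("INSIDE", "DMZ"): "PM-I-D",
              ("OUTSIDE", "DMZ"): "PM-O-D"}


def flow(src, dst, proto, dport=None):
    """A new flow as the firewall sees its first packet (dport unused for icmp)."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def protocol_of(f):
    """Resolve the inspect protocol name for a flow, None if nothing maps to it."""
    if f["proto"] == "icmp":
        return "icmp"
    return PORT_MAP.get((f["proto"], f["dport"]))


def class_matches(name, f):
    """match-any = OR over the criteria, match-all = AND; nested class-maps recurse."""
    mode, criteria = CLASS_MAPS[name]
    results = []
    for kind, value in criteria:
        if kind == "protocol":
            results.append(protocol_of(f) == value)
        elif kind == "access-group":
            results.append(f["dst"] == ACLS[value])
        elif kind == "class-map":
            results.append(class_matches(value, f))
        else:
            raise ValueError(f"unknown criterion {kind}")
    return any(results) if mode == "match-any" else all(results)


def decide(in_if, out_if, f):
    """Return (action, matched_class) for a new flow entering in_if and leaving out_if."""
    src_zone, dst_zone = ZONE_OF_IF[in_if], ZONE_OF_IF[out_if]
    if src_zone == dst_zone:
        return ("pass", None)                 # traffic between members of one zone is allowed
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        return ("drop", None)                 # inter-zone traffic needs a zone-pair
    for cls, action in POLICY_MAPS[policy]:   # classes are tried in configured order
        if class_matches(cls, f):
            return (action, cls)
    return ("drop", "class-default")          # nothing matched: implicit class-default


if __name__ == "__main__":
    cases = [   # constructed flows
        ("E0/0", "E0/3", flow("192.1.12.1", "192.1.25.12", "udp", 53)),   # DNS to the DNS host
        ("E0/0", "E0/3", flow("192.1.12.1", "192.1.25.12", "tcp", 25)),   # SMTP to the DNS host
        ("E0/0", "E0/3", flow("192.1.12.1", "192.1.25.11", "tcp", 443)),  # HTTPS to the web host
        ("E0/0", "E0/3", flow("192.1.12.1", "192.1.25.5", "tcp", 23)),    # telnet to R5
        ("E0/1", "E0/3", flow("192.1.23.3", "192.1.25.5", "tcp", 3389)),  # RDP via the Lab 6 port-map
        ("E0/1", "E0/0", flow("192.1.23.3", "192.1.12.1", "tcp", 3389)),  # RDP, but CM-I-O lacks user-RDP
        ("E0/1", "E0/2", flow("192.1.23.3", "192.1.24.4", "icmp")),       # both interfaces in INSIDE
        ("E0/3", "E0/0", flow("192.1.25.5", "192.1.12.1", "tcp", 80)),    # no DMZ->OUTSIDE zone-pair
    ]
    for in_if, out_if, f in cases:
        print(f"{in_if} -> {out_if} {f['proto']}/{f['dport']} to {f['dst']}: {decide(in_if, out_if, f)}")
```

The cases show the effect of each construct: the match-all class-maps of Lab 5 only inspect a protocol when it is headed for the host its ACL names (SMTP to the DNS host falls to class-default and is dropped), the Lab 6 port-map makes TCP/3389 inspectable only in the class-map it was added to, and a flow between two interfaces of the same zone needs no policy at all.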