Packet Tracer - Configure Zone Policy Firewall
Topology
Addressing table
Device | Interface | IP address | Subnet mask | Default gateway | Switch port
R1 | F0/1 | 192.168.1.1 | 255.255.255.0 | N/A | S1 F0/2
R1 | S0/3/0 (DCE) | 10.1.1.1 | 255.255.255.252 | N/A | N/A
R2 | S0/3/0 | 10.1.1.2 | 255.255.255.252 | N/A | N/A
R2 | S0/3/1 (DCE) | 10.2.2.2 | 255.255.255.252 | N/A | N/A
R3 | F0/0 | 192.168.33.1 | 255.255.255.0 | N/A | N/A
R3 | F0/1 | 192.168.3.1 | 255.255.255.0 | N/A | S3 F0/1
R3 | S0/3/0 | 10.2.2.1 | 255.255.255.252 | N/A | N/A
PC-A | NIC | 192.168.1.3 | 255.255.255.0 | 192.168.1.1 | S1 F0/1
PC-B | NIC | 192.168.3.3 | 255.255.255.0 | 192.168.3.1 | S3 F0/2
PC-C | NIC | 192.168.33.3 | 255.255.255.0 | 192.168.33.1 | N/A
Objectives
Part 1: Basic Router Configuration
- Configure the hostname, interface IP address, and access password.
- Configure static routing to enable end-to-end connectivity.
Part 2: Configuring a Zone-Based Policy Firewall (ZPF)
- Configure a zone-based policy firewall using the CLI.
- Verify the configuration using the CLI.
Basic router configuration
In Part 1 of this lab, you will establish a network topology and configure basic settings such as interface IP addresses, static routes, device access, and passwords.
Note: All tasks must be performed on routers R1, R2, and R3. Where the commands are identical on all three, the procedure is shown for one router only.
Build the network as shown in the topology diagram, connecting the devices and cables as indicated.
Configure basic settings for each router.
- Configure the hostname as shown in the topology.
Router(config)#hostname R1
Router(config)#hostname R2
Router(config)#hostname R3
- Configure the interface IP address as shown in the IP address assignment table.
R1(config)#interface f0/1
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface s0/3/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R2(config)#interface s0/3/0
R2(config-if)#ip add 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#interface s0/3/1
R2(config-if)#ip add 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R3(config)#interface s0/3/0
R3(config-if)#ip add 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface f0/0
R3(config-if)#ip add 192.168.33.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#interface f0/1
R3(config-if)#ip add 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
- Configure the clock rate on the DCE end of each serial link (R1 S0/3/0 and R2 S0/3/1, as marked in the addressing table):
R1(config)#interface Serial0/3/0
R1(config-if)#clock rate 250000
R2(config)#interface s0/3/1
R2(config-if)#clock rate 250000
Disable DNS lookup.
To prevent the router from trying to resolve mistyped commands as host names, disable DNS lookups with the no ip domain-lookup command:
R1(config)#no ip domain-lookup
R2(config)#no ip domain-lookup
R3(config)#no ip domain-lookup
Configure static routes on R1, R2, and R3.
For end-to-end IP reachability, static routes must be configured on R1, R2, and R3. R1 and R3 are stub routers, so each needs only a default route pointing to R2. R2 plays the role of the ISP and must know how to reach the LANs behind R1 and R3 before end-to-end reachability is possible. Two default routes on R2 (one via R1 and one via R3) would not achieve this: R2 would load-share between the two next hops, and a packet for an R3 LAN could be sent towards R1, which returns it to R2 via its own default route, looping until the TTL expires. Give R2 one static route per LAN instead. The static routing configuration for R1, R2, and R3 follows.
On R1, configure a default static route:
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
On R2, configure a static route to each LAN:
R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1
R2(config)#ip route 192.168.33.0 255.255.255.0 10.2.2.1
On R3, configure a default static route:
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
Test connectivity
Configure the PC host IP settings.
Configure static IP addresses, subnet masks, and default gateways for PC-A, PC-B, and PC-C as shown in the IP address assignment table.
Verify basic network connectivity.
Ping R3 from R1.
If the ping fails, you need to troubleshoot the basic configuration of the device before proceeding.
From PC-A on R1 LAN, ping PC-C on R3 LAN.
If the ping fails, you need to troubleshoot the basic configuration of the device before proceeding.
Note: End-to-end IP reachability is achieved when PC-C can be pinged from PC-A. If the ping fails although the interfaces are up and the IP addresses are correct, use the show interfaces, show ip interface brief, and show ip route commands to locate the problem.
Configure user accounts, encrypted passwords, and the RSA keys for SSH.
Note: The minimum password length in this task is set to 5 characters, and the passwords are deliberately simple to keep the lab short. Use longer, more complex passwords on production networks.
Configure a minimum password length of 5 characters. Enter this before the passwords below; it is enforced only for passwords configured after it:
R1(config)#security passwords min-length 5
R2(config)#security passwords min-length 5
R3(config)#security passwords min-length 5
Configure the domain name. The lab uses fxd.com; substitute your own:
R1(config)#ip domain-name fxd.com
R2(config)#ip domain-name fxd.com
R3(config)#ip domain-name fxd.com
Generate the RSA key pair for the SSH server. The hostname and domain name must already be set, because they form the key's name. A 1024-bit modulus is enough for the lab; use 2048 or larger on real equipment:
R1(config)#crypto key generate rsa general-keys modulus 1024
R2(config)#crypto key generate rsa general-keys modulus 1024
R3(config)#crypto key generate rsa general-keys modulus 1024
Configure the user account fxd01 with the password cisco12345 (the lab suggests using your own name). The secret keyword stores a hash of the password instead of the password itself:
R1(config)#username fxd01 secret cisco12345
R2(config)#username fxd01 secret cisco12345
R3(config)#username fxd01 secret cisco12345
Configure the enable secret. Unlike enable password, enable secret stores a hash of the password; the lab uses the password Cisco:
R1(config)#enable secret Cisco
R2(config)#enable secret Cisco
R3(config)#enable secret Cisco
Configure console line 0 to log in using the local user database. The exec-timeout command logs the line out after 5 minutes without input; its first argument is minutes and the optional second argument is seconds, so exec-timeout 300 would mean 300 minutes, not 5. The logging synchronous command prevents console messages from interrupting command input.
R1(config)#line console 0
R1(config-line)#exec-timeout 5 0
R1(config-line)#logging synchronous
R1(config-line)#login local
R2(config)#line console 0
R2(config-line)#exec-timeout 5 0
R2(config-line)#logging synchronous
R2(config-line)#login local
R3(config)#line console 0
R3(config-line)#exec-timeout 5 0
R3(config-line)#logging synchronous
R3(config-line)#login local
Configure vty lines 0 4 to log in using the local user database and to accept SSH connections only. With login local the username and password configured above are checked, so no line password is set; transport input ssh rejects Telnet:
R1(config)#line vty 0 4
R1(config-line)#exec-timeout 5 0
R1(config-line)#login local
R1(config-line)#transport input ssh
R2(config)#line vty 0 4
R2(config-line)#exec-timeout 5 0
R2(config-line)#login local
R2(config-line)#transport input ssh
R3(config)#line vty 0 4
R3(config-line)#exec-timeout 5 0
R3(config-line)#login local
R3(config-line)#transport input ssh
Save the basic running configuration of the three routers.
At the privileged EXEC mode prompt, save the running configuration to the startup configuration.
R1# copy running-config startup-config
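The line configuration is where small mistakes go unnoticed: exec-timeout takes minutes and then seconds, so exec-timeout 300 is five hours rather than five minutes, and an SSH-only vty line still needs login local before the usernames just created are used. The following Python script is an added example and not part of the lab. It parses the line stanzas of an IOS configuration (either show running-config output or a typed script) and reports these weaknesses. Both sample configurations are constructed: the first is the lab's original R1 line configuration, the second the hardened form.

```python
# Added example: audit the "line" stanzas of an IOS configuration (not from the lab).
LINE_SUBCOMMANDS = {"exec-timeout", "logging", "login", "password",
                    "transport", "access-class", "privilege"}

# Constructed samples: the lab's original R1 line configuration, then a
# hardened version that uses the local user database on both lines.
LAB_LINES = """\
line con 0
exec-timeout 300
logging synchronous
line vty 0 4
password Cisco
login
transport input ssh
end
"""

HARDENED_LINES = """\
line con 0
 exec-timeout 5 0
 logging synchronous
 login local
line vty 0 4
 exec-timeout 5 0
 logging synchronous
 login local
 transport input ssh
"""


def parse_line_stanzas(config):
    """Return {line name: [sub-command word lists]}. A stanza ends at the first
    command that is not a line sub-command, so both running-config output and
    an unindented script such as the lab's parse the same way."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "line":
            current = " ".join(words[1:])
            stanzas[current] = []
        elif current is not None and words[0] in LINE_SUBCOMMANDS:
            stanzas[current].append(words)
        else:
            current = None
    return stanzas


def audit_lines(config):
    """Return findings for every console/vty line; an empty list means clean."""
    findings = []
    for name, cmds in parse_line_stanzas(config).items():
        by_cmd = {c[0]: c for c in cmds}
        timeout = by_cmd.get("exec-timeout")
        if timeout is None:
            findings.append(f"{name}: no exec-timeout (IOS default is 10 minutes)")
        else:
            minutes = int(timeout[1])
            seconds = int(timeout[2]) if len(timeout) > 2 else 0
            if minutes == 0 and seconds == 0:
                findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
            elif minutes * 60 + seconds > 15 * 60:
                findings.append(f"{name}: exec-timeout {minutes} {seconds} is "
                                f"{minutes} minutes (first argument is minutes)")
        login = by_cmd.get("login")
        if login is None:
            findings.append(f"{name}: no login command, add 'login local'")
        elif len(login) == 1:            # bare "login" = shared line password
            findings.append(f"{name}: 'login' checks the line password; "
                            "use 'login local' for per-user credentials")
        if "password" in by_cmd:
            findings.append(f"{name}: shared line password configured; "
                            "prefer 'username ... secret' with 'login local'")
        if name.startswith("vty"):
            transport = by_cmd.get("transport")
            if transport is None or transport[1:] != ["input", "ssh"]:
                findings.append(f"{name}: transport input is not restricted to ssh")
    return findings
```

Running audit_lines(LAB_LINES) reports five findings (the 300-minute timeout and missing login on the console, and the missing timeout, line-password login and shared password on the vty lines); audit_lines(HARDENED_LINES) reports none.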
Configure Zone-Based Policy Firewall (ZPF)
In Part 2 of this lab, you will configure a zone-based policy firewall (ZPF) on R3 using the command line interface (CLI).
Verify the current router configuration.
In this task, you verify end-to-end network connectivity before implementing ZPF.
Verify end-to-end network connectivity.
Ping R3 from R1 using the IP address of one of R3's FastEthernet interfaces (for example 192.168.3.1).
If the ping fails, troubleshoot the basic device configuration before proceeding.
From PC-A on the R1 LAN, ping PC-C on the R3 conference room LAN.
If the ping fails, troubleshoot the basic device configuration before proceeding.
From PC-A on the R1 LAN, ping PC-B on the R3 internal LAN.
If the ping fails, troubleshoot the basic device configuration before proceeding.
Display the R3 running configuration.
Issue the show ip interface brief command on R3 to verify that the correct IP addresses are assigned, checking against the addressing table.
Issue the show ip route command on R3 to verify that it has a static default route pointing to R2's Serial0/3/1 interface (10.2.2.2).
Issue the show run command to view the current base configuration of R3.
Create a zone-based policy firewall
In this task, you will create a zone-based policy firewall on R3 so that it acts not only as a router but also as a firewall. R3 currently routes packets between the three networks it is connected to. The roles of R3's interfaces are as follows:
Serial0/3/0 is connected to the Internet. Because this is a public network, it is considered untrusted and is given the lowest level of trust.
F0/1 is connected to the internal network. Only authorized users have access to this network, and important organizational resources reside on it. The internal network is considered trusted and receives the highest level of protection.
F0/0 is connected to the conference room. The conference room is used for meetings with people who are not part of the organization, so the devices on it are not under the organization's control.
Enable the Security Technology Package.
a. On R3, issue the show version command to view the technology package license information.
b. If the Security Technology Package is not enabled, enable it with the following command:
R3(config)#license boot module c1900 technology-package securityk9
% use 'write' command to make license boot config take effect on next boot
c. Accept the End User License Agreement.
d. Save the running configuration and reload the router so that the security license takes effect.
R3#write
Building configuration...
[OK]
R3#reload
e. Use the show version command to verify that the security technology package is now enabled.
The security policy that R3 enforces as a firewall is:
- Do not allow traffic from the Internet to enter the internal or conference room network.
- Return traffic from the Internet (packets coming back from the Internet in response to requests from any R3 network) must be allowed.
- Computers on R3's internal network are considered trusted and may send any type of traffic (TCP, UDP, or ICMP based).
- Computers on the R3 conference room network are considered untrusted and may only send web traffic (HTTP or HTTPS) to the Internet.
- No traffic is allowed between the internal network and the conference room network. The state of guest computers in the conference room cannot be guaranteed; they may be infected with malware and may attempt to send spam or other malicious traffic.
Create security zones.
In this lab, R3 has three interfaces: one to the internal trusted network, one to the conference room network, and one to the Internet. Because the three networks have different security requirements and properties, we create three different security zones.
Security zones are created in global configuration mode with the zone security command, which defines the zone name. On R3, create three zones named INSIDE, CONFROOM, and INTERNET:
R3(config)#zone security INSIDE
R3(config-sec-zone)#exit
R3(config)#zone security CONFROOM
R3(config-sec-zone)#exit
R3(config)#zone security INTERNET
R3(config-sec-zone)#exit
Create a security policy
Before ZPF can decide whether to allow or deny specific traffic, it must be told which traffic to consider. Cisco IOS uses class maps to select traffic; traffic of interest is the usual term for the traffic a class map selects.
Although class maps select traffic, they do not decide what is done with it; policy maps decide that.
ZPF traffic policies are defined as policy maps that use class maps to select traffic. In other words, class maps define which traffic is policed, and policy maps define the action taken on the selected traffic.
A policy map can drop traffic, pass it through without keeping state, or inspect it. Because we want the firewall to track the traffic crossing each zone pair, we create inspect policy maps. Inspection records a session for each permitted connection, so its return traffic is allowed back dynamically without a rule in the reverse direction.
First create the class maps. Then create the policy maps and attach the class maps to them.
Create an inspection class map to match the traffic allowed from the INSIDE zone to the INTERNET zone. Because we trust the INSIDE (internal) zone, we allow all major protocols. With match-any, the http and https lines are redundant, since match protocol tcp already covers them; they do no harm but add nothing.
R3(config)#class-map type inspect match-any INSIDE_INTERNET
R3(config-cmap)#description INSIDE to INTERNET
R3(config-cmap)# match protocol icmp
R3(config-cmap)# match protocol tcp
R3(config-cmap)# match protocol udp
R3(config-cmap)# match protocol http
R3(config-cmap)# match protocol https
Create an inspection class map INSIDE_PROTOCOLS . The keyword match-any indicates to the router that any matching protocol statement is regarded as a successful match, thereby applying the policy. The result is a match against a TCP or UDP or ICMP packet .
R3(config)#class-map type inspect match-any INSIDE_PROTOCOLS
R3(config-cmap)#description INSIDE to PROTOCOLS
R3(config-cmap)#match protocol icmp
R3(config-cmap)#match protocol tcp
R3(config-cmap)#match protocol udp
R3(config-cmap)#exit
Likewise, create a class map CONFROOM_PROTOCOLS to match the traffic allowed from the CONFROOM zone to the INTERNET zone. Because the CONFROOM zone is not fully trusted, restrict what its hosts may send to the Internet to http, https, and dns (match-any). DNS is not in the written policy, which names only HTTP and HTTPS, but without it guests could not resolve the names of the web sites they are permitted to reach.
R3(config)#class-map type inspect match-any CONFROOM_PROTOCOLS
R3(config-cmap)#description CONFROOM to INTERNET
R3(config-cmap)#match protocol dns
R3(config-cmap)#match protocol http
R3(config-cmap)#match protocol https
R3(config-cmap)#exit
Now that the class maps exist, you can create the policy maps.
In the following commands, the first line creates an inspection policy map named INSIDE_TO_INTERNET, the class line attaches the INSIDE_INTERNET class map, and inspect sets the action for matching traffic to stateful inspection.
R3(config)#policy-map type inspect INSIDE_TO_INTERNET
R3(config-pmap)#class type inspect INSIDE_INTERNET
R3(config-pmap-c)#inspect
R3(config-pmap-c)#exit
R3(config-pmap)#exit
The next commands do the same for the INSIDE_PROTOCOLS class map, attaching it to a policy map named INSIDE_TO_PROTOCOLS that will later be applied to the INSIDE-to-CONFROOM zone pair; matching packets are inspected.
R3(config)#policy-map type inspect INSIDE_TO_PROTOCOLS
R3(config-pmap)#class type inspect INSIDE_PROTOCOLS
R3(config-pmap-c)#inspect
R3(config-pmap-c)#exit
R3(config-pmap)#exit
The next commands create a similar policy map named CONFROOM_TO_INTERNET, attach the CONFROOM_PROTOCOLS class map, and inspect matching packets.
R3(config)#policy-map type inspect CONFROOM_TO_INTERNET
R3(config-pmap)#class type inspect CONFROOM_PROTOCOLS
R3(config-pmap-c)#inspect
R3(config-pmap-c)#exit
R3(config-pmap)#exit
Create zone pairs
A zone pair specifies a unidirectional firewall policy between two security zones.
For example, a common security policy states that the internal network may send any traffic to the Internet, but traffic originating from the Internet is not allowed to reach the internal network.
To define a zone pair, use the zone-pair security command. The direction of traffic is given by the source and destination zones; if connections must be initiated from both sides, two zone pairs are needed.
In this lab, create three zone pairs:
INSIDE_TO_INTERNET: allow traffic from the internal network to the Internet.
R3(config)#zone-pair security INSIDE_TO_INTERNET source INSIDE destination INTERNET
R3(config-sec-zone-pair)#exit
INSIDE_TO_CONFROOM: allow traffic initiated from the internal network to the conference room network. Note that this goes beyond the written policy, which says no traffic is allowed between the internal and conference room networks; to enforce that rule literally, simply do not create this zone pair, because traffic between two zones with no zone pair is dropped.
R3(config)#zone-pair security INSIDE_TO_CONFROOM source INSIDE destination CONFROOM
R3(config-sec-zone-pair)#exit
CONFROOM_TO_INTERNET : Allow internet access from the conference room network.
R3(config)#zone-pair security CONFROOM_TO_INTERNET source CONFROOM destination INTERNET
R3(config-sec-zone-pair)#exit
Verify the zone pairs:
Verify that the zone pairs were created correctly by issuing the show zone-pair security command. Note that no policy is associated with any zone pair yet; the security policies are applied to the zone pairs in the next step.
R3# show zone-pair security
Zone-pair name INSIDE_TO_INTERNET
Source-Zone INSIDE Destination-Zone INTERNET
service-policy not configured
Zone-pair name INSIDE_TO_CONFROOM
Source-Zone INSIDE Destination-Zone CONFROOM
service-policy not configured
Zone-pair name CONFROOM_TO_INTERNET
Source-Zone CONFROOM Destination-Zone INTERNET
service-policy not configured
Apply the security policy
As the final configuration step, apply each policy map to its zone pair with the service-policy command:
R3(config)#zone-pair security INSIDE_TO_INTERNET source INSIDE destination INTERNET
R3(config-sec-zone-pair)#service-policy type inspect INSIDE_TO_INTERNET
R3(config-sec-zone-pair)#exit
R3(config)#zone-pair security CONFROOM_TO_INTERNET source CONFROOM destination INTERNET
R3(config-sec-zone-pair)#service-policy type inspect CONFROOM_TO_INTERNET
R3(config-sec-zone-pair)#exit
R3(config)#zone-pair security INSIDE_TO_CONFROOM source INSIDE destination CONFROOM
R3(config-sec-zone-pair)#service-policy type inspect INSIDE_TO_PROTOCOLS
R3(config-sec-zone-pair)#exit
Issue the show zone-pair security command again to verify the zone pair configuration. The service policies are now shown:
R3#show zone-pair security
Zone-pair name INSIDE_TO_INTERNET
Source-Zone INSIDE Destination-Zone INTERNET
service-policy INSIDE_TO_INTERNET
Zone-pair name CONFROOM_TO_INTERNET
Source-Zone CONFROOM Destination-Zone INTERNET
service-policy CONFROOM_TO_INTERNET
Zone-pair name INSIDE_TO_CONFROOM
Source-Zone INSIDE Destination-Zone CONFROOM
service-policy INSIDE_TO_PROTOCOLS
R3#
To see each zone pair with its policy map, class maps, and match counters, use the show policy-map type inspect zone-pair sessions command:
R3#show policy-map type inspect zone-pair sessions
policy exists on zp INSIDE_TO_INTERNET
Zone-pair: INSIDE_TO_INTERNET
Service-policy inspect : INSIDE_TO_INTERNET
Class-map: INSIDE_INTERNET (match-any)
Match: protocol icmp
8 packets, 1024 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
policy exists on zp CONFROOM_TO_INTERNET
Zone-pair: CONFROOM_TO_INTERNET
Service-policy inspect : CONFROOM_TO_INTERNET
Class-map: CONFROOM_PROTOCOLS (match-any)
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
policy exists on zp INSIDE_TO_CONFROOM
Zone-pair: INSIDE_TO_CONFROOM
Service-policy inspect : INSIDE_TO_PROTOCOLS
Class-map: INSIDE_PROTOCOLS (match-any)
Match: protocol icmp
19 packets, 2432 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
R3#
Assign the interfaces to the appropriate security zones
Use the zone-member security interface command to assign interfaces (physical or logical) to security zones. Do this last: as soon as an interface joins a zone, it can exchange traffic only with interfaces in the same zone or through a zone pair that has a policy applied.
Assign F0/0 of R3 to the CONFROOM zone:
R3(config)#interface f0/0
R3(config-if)#zone-member security CONFROOM
R3(config-if)#exit
Assign F0/1 of R3 to the INSIDE zone:
R3(config)#interface f0/1
R3(config-if)#zone-member security INSIDE
R3(config-if)#exit
Assign S0/3/0 of R3 to the INTERNET zone:
R3(config)#interface s0/3/0
R3(config-if)#zone-member security INTERNET
R3(config-if)#exit
Verify zone assignment
Issue the show zone security command to confirm that the zones exist and that the interfaces are assigned correctly:
R3#show zone security
zone self
Description: System defined zone
zone INSIDE
Member Interfaces:
FastEthernet0/1
zone CONFROOM
Member Interfaces:
FastEthernet0/0
zone INTERNET
Member Interfaces:
Serial0/3/0
R3#
Although no command was issued to create it, a zone named "self" appears in the output. Why does R3 show this zone, and what is its significance?
The self zone is system-defined in the Cisco IOS zone-based firewall. It represents the router itself: traffic sourced from or destined to one of R3's own addresses (management sessions such as SSH, ICMP to an interface address, routing protocol updates) belongs to the self zone rather than to the zone of the interface it arrived on. By default, traffic to and from the self zone is allowed regardless of the zone of the interface involved. Only when a zone pair that includes self is created and a policy is applied to it does the firewall police that traffic; that is how access to the router's own services is restricted. The self zone therefore also appears in the show running-config output without ever having been configured explicitly.
ZPF verification
Verify ZPF firewall functionality
Traffic from the Internet
- To test the firewall, ping PC-B from PC-A. On PC-A, open a command prompt and issue the following command:
C:\Users\NetAcad> ping 192.168.3.3
Was the ping successful? Explain why.
Not successful. PC-A is on the R1 LAN, which R3 reaches through Serial0/3/0 in the INTERNET zone; PC-B is in the INSIDE zone. There is no zone pair for the INTERNET-to-INSIDE direction, and traffic between two different zones is dropped unless a zone pair with a policy permits it.
- Ping PC-C from PC-A. On PC-A, open a command prompt and issue the following command:
C:\Users\NetAcad> ping 192.168.33.3
Was the ping successful? Explain why.
Not successful. The echo request enters through the INTERNET zone and is destined for the CONFROOM zone. There is no INTERNET-to-CONFROOM zone pair, so it is dropped.
- Ping PC-A from PC-B. On PC-B, open a command prompt and issue the following command:
C:\Users\NetAcad> ping 192.168.1.3
Was the ping successful? Explain why.
Successful. The request travels from INSIDE to INTERNET, where the INSIDE_TO_INTERNET policy inspects ICMP. Inspection records the session, so PC-A's echo reply is allowed back even though there is no INTERNET-to-INSIDE zone pair.
- Ping PC-A from PC-C. On PC-C, open a command prompt and issue the following command:
C:\Users\NetAcad> ping 192.168.1.3
Was the ping successful? Explain why.
Not successful. The CONFROOM-to-INTERNET direction is governed by the CONFROOM_TO_INTERNET policy, whose class map matches only http, https, and dns. ICMP falls into class-default and is dropped.
Self zone verification
- From PC-A, ping the F0/1 interface of R3:
C:\Users\NetAcad> ping 192.168.3.1
Was the ping successful? Is this behavior correct? Explain why.
Successful. The destination is an address owned by R3, so the traffic is going to the self zone. No zone pair that includes self has a policy applied, and traffic to and from the self zone is permitted by default, so R3 answers. This is the expected ZPF behavior, but it also means the router's own services are reachable from the untrusted zone; restricting that requires a zone pair from INTERNET to self with a policy applied to it.
- From PC-C, ping the F0/1 interface of R3:
C:\Users\NetAcad> ping 192.168.3.1
Was the ping successful? Is this behavior correct? Explain why.
Successful, for the same reason: CONFROOM-to-self traffic is not policed because no policy applies to the self zone.
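The ping results above follow from four ZPF rules: traffic between two different zones is dropped unless a zone pair for that direction has a policy that permits it, traffic within one zone passes, traffic to or from the router's own addresses (the self zone) passes unless a self zone pair carries a policy, and an inspected connection leaves a session that lets its return traffic back. The following Python script is an added example and not part of the lab: it models exactly those rules, configures them with the lab's R3 addressing, zones, class maps, policy maps and zone pairs, and replays the six verification pings. Everything else (the route lookup used to find a host's zone, the protocol-to-transport table) is this example's own simplification.

```python
# Added example: models the ZPF forwarding decision with the lab's R3 settings.
import ipaddress
from dataclasses import dataclass

# Application protocol -> transport, so "match protocol tcp" also matches http/https.
TRANSPORT = {"icmp": "icmp", "tcp": "tcp", "udp": "udp",
             "http": "tcp", "https": "tcp", "dns": "udp", "ssh": "tcp"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str

    def reply(self):  # the packet the destination sends back (e.g. echo reply)
        return Packet(self.dst, self.src, self.protocol)


class ZonePolicyFirewall:
    def __init__(self):
        self.interfaces = {}   # name -> (ip_interface, zone or None)
        self.routes = []       # (network, egress interface) for zone lookups
        self.class_maps = {}   # name -> set of protocols (match-any semantics)
        self.policy_maps = {}  # name -> [(class_map, action)]
        self.zone_pairs = {}   # (src_zone, dst_zone) -> policy-map name
        self.sessions = set()  # (src, dst, protocol) recorded by "inspect"

    # configuration: one method per IOS command used in the lab
    def interface(self, name, address, zone=None):
        iface = ipaddress.ip_interface(address)
        self.interfaces[name] = (iface, zone)
        self.routes.append((iface.network, name))       # connected route

    def ip_route(self, network, egress):
        self.routes.append((ipaddress.ip_network(network), egress))

    def class_map(self, name, *protocols):
        self.class_maps[name] = set(protocols)

    def policy_map(self, name, *classes):
        self.policy_maps[name] = list(classes)

    def zone_pair(self, src, dst, policy):
        self.zone_pairs[(src, dst)] = policy

    def zone_of(self, ip):
        # 'self' for R3's own addresses, else the zone of the interface chosen
        # by a longest-prefix route lookup; None if that interface has no zone
        addr = ipaddress.ip_address(ip)
        if any(iface.ip == addr for iface, _ in self.interfaces.values()):
            return "self"
        best = max((r for r in self.routes if addr in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        return None if best is None else self.interfaces[best[1]][1]

    def _matches(self, class_name, protocol):
        wanted = self.class_maps[class_name]
        return protocol in wanted or TRANSPORT.get(protocol) in wanted

    def decide(self, pkt):
        """Return 'pass', 'inspect' or 'drop' for a packet forwarded by R3."""
        if (pkt.dst, pkt.src, pkt.protocol) in self.sessions:
            return "pass"            # return traffic of an inspected session
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if src_zone is None or dst_zone is None:
            # a zone member never exchanges traffic with an interface in no zone
            return "pass" if src_zone == dst_zone else "drop"
        if src_zone == dst_zone:
            return "pass"            # intra-zone traffic is not policed
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:           # no zone pair: self is open, others drop
            return "pass" if "self" in (src_zone, dst_zone) else "drop"
        for class_name, action in self.policy_maps[policy]:
            if self._matches(class_name, pkt.protocol):
                if action == "inspect":
                    self.sessions.add((pkt.src, pkt.dst, pkt.protocol))
                return action
        return "drop"                # class-default


def build_lab_r3():
    """R3 as the lab configures it: three zones, three zone pairs."""
    fw = ZonePolicyFirewall()
    fw.interface("FastEthernet0/0", "192.168.33.1/24", "CONFROOM")
    fw.interface("FastEthernet0/1", "192.168.3.1/24", "INSIDE")
    fw.interface("Serial0/3/0", "10.2.2.1/30", "INTERNET")
    fw.ip_route("0.0.0.0/0", "Serial0/3/0")          # default route to R2
    fw.class_map("INSIDE_INTERNET", "icmp", "tcp", "udp", "http", "https")
    fw.class_map("INSIDE_PROTOCOLS", "icmp", "tcp", "udp")
    fw.class_map("CONFROOM_PROTOCOLS", "dns", "http", "https")
    fw.policy_map("INSIDE_TO_INTERNET", ("INSIDE_INTERNET", "inspect"))
    fw.policy_map("INSIDE_TO_PROTOCOLS", ("INSIDE_PROTOCOLS", "inspect"))
    fw.policy_map("CONFROOM_TO_INTERNET", ("CONFROOM_PROTOCOLS", "inspect"))
    fw.zone_pair("INSIDE", "INTERNET", "INSIDE_TO_INTERNET")
    fw.zone_pair("INSIDE", "CONFROOM", "INSIDE_TO_PROTOCOLS")
    fw.zone_pair("CONFROOM", "INTERNET", "CONFROOM_TO_INTERNET")
    return fw


def lab_ping_results():
    """Replay the lab's verification pings (PC-A 192.168.1.3, PC-B 192.168.3.3,
    PC-C 192.168.33.3, R3 F0/1 192.168.3.1); for an inspected request, also
    report whether the echo reply is let back through."""
    fw = build_lab_r3()
    pings = [("PC-A -> PC-B", Packet("192.168.1.3", "192.168.3.3", "icmp")),
             ("PC-A -> PC-C", Packet("192.168.1.3", "192.168.33.3", "icmp")),
             ("PC-B -> PC-A", Packet("192.168.3.3", "192.168.1.3", "icmp")),
             ("PC-C -> PC-A", Packet("192.168.33.3", "192.168.1.3", "icmp")),
             ("PC-A -> R3 F0/1", Packet("192.168.1.3", "192.168.3.1", "icmp")),
             ("PC-C -> R3 F0/1", Packet("192.168.33.3", "192.168.3.1", "icmp"))]
    results = {}
    for name, pkt in pings:
        verdict = fw.decide(pkt)
        if verdict == "inspect":
            verdict += ", reply " + fw.decide(pkt.reply())
        results[name] = verdict
    return results
```

lab_ping_results() returns drop for the two pings from PC-A and for PC-C's ping, "inspect, reply pass" for PC-B's ping, and pass for both pings to R3's own address, matching the results recorded above. The same object also shows the web-only rule for the conference room: an HTTP request from PC-C towards the Internet is inspected and its reply passes, whereas an unsolicited HTTP request from the Internet to PC-C is dropped.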
Experimental script:
R1:
enable
conf t
hostname R1
security passwords min-length 5
enable secret Cisco
username fxd01 secret cisco12345
no ip domain-lookup
ip domain-name fxd.com
crypto key generate rsa general-keys modulus 1024
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no shutdown
interface Serial0/3/0
ip address 10.1.1.1 255.255.255.252
clock rate 250000
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 10.1.1.2
line con 0
exec-timeout 5 0
logging synchronous
login local
line vty 0 4
exec-timeout 5 0
login local
transport input ssh
end
write
R2:
enable
conf t
hostname R2
security passwords min-length 5
enable secret Cisco
username fxd01 secret cisco12345
no ip domain-lookup
ip domain-name fxd.com
crypto key generate rsa general-keys modulus 1024
interface Serial0/3/0
ip address 10.1.1.2 255.255.255.252
no shutdown
interface Serial0/3/1
ip address 10.2.2.2 255.255.255.252
clock rate 250000
no shutdown
ip route 192.168.1.0 255.255.255.0 10.1.1.1
ip route 192.168.3.0 255.255.255.0 10.2.2.1
ip route 192.168.33.0 255.255.255.0 10.2.2.1
line con 0
exec-timeout 5 0
logging synchronous
login local
line vty 0 4
exec-timeout 5 0
login local
transport input ssh
end
write
R3 (Basic):
enable
conf t
hostname R3
security passwords min-length 5
enable secret Cisco
username fxd01 secret cisco12345
no ip domain-lookup
ip domain-name fxd.com
crypto key generate rsa general-keys modulus 1024
interface FastEthernet0/0
ip address 192.168.33.1 255.255.255.0
no shutdown
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
no shutdown
interface Serial0/3/0
ip address 10.2.2.1 255.255.255.252
no shutdown
ip route 0.0.0.0 0.0.0.0 10.2.2.2
line con 0
exec-timeout 5 0
logging synchronous
login local
line vty 0 4
exec-timeout 5 0
login local
transport input ssh
end
write
R3 (zpf configuration):
enable
conf t
class-map type inspect match-any INSIDE_PROTOCOLS
description INSIDE to PROTOCOLS
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any CONFROOM_PROTOCOLS
description CONFROOM to INTERNET
match protocol http
match protocol https
match protocol dns
class-map type inspect match-any INSIDE_INTERNET
description INSIDE to INTERNET
match protocol icmp
match protocol tcp
match protocol udp
match protocol http
match protocol https
policy-map type inspect INSIDE_TO_INTERNET
class type inspect INSIDE_INTERNET
inspect
policy-map type inspect CONFROOM_TO_INTERNET
class type inspect CONFROOM_PROTOCOLS
inspect
policy-map type inspect INSIDE_TO_PROTOCOLS
class type inspect INSIDE_PROTOCOLS
inspect
zone security INSIDE
zone security CONFROOM
zone security INTERNET
zone-pair security INSIDE_TO_INTERNET source INSIDE destination INTERNET
service-policy type inspect INSIDE_TO_INTERNET
zone-pair security CONFROOM_TO_INTERNET source CONFROOM destination INTERNET
service-policy type inspect CONFROOM_TO_INTERNET
zone-pair security INSIDE_TO_CONFROOM source INSIDE destination CONFROOM
service-policy type inspect INSIDE_TO_PROTOCOLS
interface FastEthernet0/0
zone-member security CONFROOM
interface FastEthernet0/1
zone-member security INSIDE
interface Serial0/3/0
zone-member security INTERNET
end
write
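The show commands earlier report what IOS has accepted, but a practitioner usually also wants a static check of the configuration text before it is applied, to catch a zone pair with no service policy, an interface with an address that was left out of every zone, a policy map that refers to an undefined class map, or a zone pair whose name does not match its source and destination (the lab's original script named the INSIDE-to-CONFROOM pair CONFROOM_TO_INSIDE). The following Python script is an added example and not part of the lab. It parses the ZPF-related sections of IOS configuration text and reports such findings. The sample configuration is constructed: it is the lab's R3 ZPF configuration with two deliberate defects, an extra interface Serial0/3/1 (not in the lab) that has an address but no zone, and the reversed zone-pair name.

```python
# Added example: static checks on a ZPF configuration (not from the lab).
from collections import defaultdict

APP_TRANSPORT = {"http": "tcp", "https": "tcp", "dns": "udp", "ssh": "tcp"}

# Constructed sample: the lab's R3 ZPF configuration in running-config form,
# plus two deliberate defects: Serial0/3/1 has an address but no zone, and
# the INSIDE->CONFROOM pair carries the lab's original reversed name.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.33.1 255.255.255.0
 zone-member security CONFROOM
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 zone-member security INSIDE
interface Serial0/3/0
 ip address 10.2.2.1 255.255.255.252
 zone-member security INTERNET
interface Serial0/3/1
 ip address 10.3.3.1 255.255.255.252
zone security INSIDE
zone security CONFROOM
zone security INTERNET
class-map type inspect match-any INSIDE_PROTOCOLS
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any INSIDE_INTERNET
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
policy-map type inspect INSIDE_TO_INTERNET
 class type inspect INSIDE_INTERNET
  inspect
policy-map type inspect INSIDE_TO_PROTOCOLS
 class type inspect INSIDE_PROTOCOLS
  inspect
zone-pair security INSIDE_TO_INTERNET source INSIDE destination INTERNET
 service-policy type inspect INSIDE_TO_INTERNET
zone-pair security CONFROOM_TO_INSIDE source INSIDE destination CONFROOM
 service-policy type inspect INSIDE_TO_PROTOCOLS
"""


def parse_zpf(config):
    """Collect zones, zone pairs, policy maps, class maps and interfaces.
    Sub-commands attach to the most recent section, so running-config output
    and a typed script parse the same way."""
    cfg = {"zones": set(), "pairs": {}, "policies": {}, "classes": {}, "ifaces": {}}
    ctx = None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[:2] == ["zone", "security"]:
            cfg["zones"].add(w[2])
            ctx = None
        elif w[:2] == ["zone-pair", "security"]:   # ... NAME source S destination D
            cfg["pairs"][w[2]] = {"src": w[4], "dst": w[6], "policy": None}
            ctx = ("pair", w[2])
        elif w[:3] == ["service-policy", "type", "inspect"] and ctx and ctx[0] == "pair":
            cfg["pairs"][ctx[1]]["policy"] = w[3]
        elif w[:3] == ["class-map", "type", "inspect"]:
            mode, name = (w[3], w[4]) if w[3].startswith("match-") else ("match-all", w[3])
            cfg["classes"][name] = {"mode": mode, "protocols": set()}
            ctx = ("class", name)
        elif w[:2] == ["match", "protocol"] and ctx and ctx[0] == "class":
            cfg["classes"][ctx[1]]["protocols"].add(w[2])
        elif w[:3] == ["policy-map", "type", "inspect"]:
            cfg["policies"][w[3]] = []
            ctx = ("policy", w[3])
        elif w[:3] == ["class", "type", "inspect"] and ctx and ctx[0] == "policy":
            cfg["policies"][ctx[1]].append(w[3])
        elif w[0] == "interface":
            cfg["ifaces"].setdefault(w[1], {"ip": None, "zone": None})
            ctx = ("iface", w[1])
        elif w[:2] == ["ip", "address"] and ctx and ctx[0] == "iface":
            cfg["ifaces"][ctx[1]]["ip"] = w[2]
        elif w[:2] == ["zone-member", "security"] and ctx and ctx[0] == "iface":
            cfg["ifaces"][ctx[1]]["zone"] = w[2]
    return cfg


def audit_zpf(cfg):
    """Return a list of findings; an empty list means no issue was detected."""
    findings, members = [], defaultdict(list)
    for name, i in cfg["ifaces"].items():
        if i["zone"]:
            members[i["zone"]].append(name)
        elif i["ip"] and cfg["zones"]:
            findings.append(f"{name}: has an address but no zone-member, so it "
                            "cannot exchange traffic with any zone member")
    for zone in sorted(cfg["zones"] - set(members)):
        findings.append(f"zone {zone}: no interface is a member")
    for name, p in cfg["pairs"].items():
        for zone in (p["src"], p["dst"]):
            if zone != "self" and zone not in cfg["zones"]:
                findings.append(f"zone-pair {name}: undefined zone {zone}")
        if p["policy"] is None:
            findings.append(f"zone-pair {name}: no service-policy, so all "
                            f"{p['src']}->{p['dst']} traffic is dropped")
        elif p["policy"] not in cfg["policies"]:
            findings.append(f"zone-pair {name}: policy-map {p['policy']} is not defined")
        expected = f"{p['src']}_TO_{p['dst']}"
        if "_TO_" in name and name != expected:
            findings.append(f"zone-pair {name}: name contradicts direction "
                            f"{p['src']}->{p['dst']} (expected {expected})")
    for name, classes in cfg["policies"].items():
        for c in classes:
            if c != "class-default" and c not in cfg["classes"]:
                findings.append(f"policy-map {name}: class-map {c} is not defined")
    for name, c in cfg["classes"].items():
        covered = sorted(a for a in c["protocols"] if APP_TRANSPORT.get(a) in c["protocols"])
        if c["mode"] == "match-any" and covered:
            findings.append(f"class-map {name}: {', '.join(covered)} already "
                            "matched by the transport-level protocol")
    return findings
```

audit_zpf(parse_zpf(SAMPLE_CONFIG)) returns three findings: the zoneless Serial0/3/1, the CONFROOM_TO_INSIDE name that contradicts its INSIDE-to-CONFROOM direction, and the http/https matches in INSIDE_INTERNET that match protocol tcp already covers. Run it against show running-config output of the real R3 to confirm a clean result before the interfaces are assigned to zones.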
Experiment link: https://pan.baidu.com/s/1wMYLsevosrVqlwlmhjiUYA?pwd=zpf1
Extraction code: zpf1
The link contains both the starting topology and the completed topology; make sure you open the right one.