Notes: CCNAS_ PTA_Zone_Based_Policy_Firewall

嚯嚯嚯www 90 2022-08-26

I. Lab environment

Lab topology (figure not reproduced in this extract)

Address plan (figure not reproduced in this extract)

Lab objectives

· Verify connectivity among devices before firewall configuration.
· Configure a zone-based policy (ZPF) firewall on router R3.
· Verify ZPF firewall functionality using ping, Telnet and a web browser.

II. Configuration procedure

1. Use the zone security command to create a zone named IN-ZONE.
Use the zone security command again to create a second zone named OUT-ZONE.

R3(config)#zone security IN-ZONE
R3(config)#zone security OUT-ZONE

2. Use the access-list command to create extended ACL 101 permitting all IP protocols from the 192.168.3.0/24 source network to any destination.

R3(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 any

3. Use the class-map type inspect command with the match-all option to create a class map named IN-NET-CLASS-MAP. Use the match access-group command to match ACL 101.

R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)#match access-group 101

4. Use the policy-map type inspect command to create a policy map named IN-2-OUT-PMAP.
Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.
The inspect action invokes context-based access control (the other available actions are pass and drop).

R3(config)#policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)#class type inspect IN-NET-CLASS-MAP
R3(config-pmap-c)#inspect

5. Use the zone-pair security command to create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones created in step 1.
Attach the policy map and its actions to the zone pair with the service-policy type inspect command, referencing the policy map created in step 4, IN-2-OUT-PMAP.

R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP

6. Use the zone-member security command in interface configuration mode to assign Fa0/1 to IN-ZONE and S0/0/1 to OUT-ZONE.

R3(config)#interface fastEthernet 0/1
R3(config-if)#zone-member security IN-ZONE
R3(config-if)#exit
R3(config)#interface serial 0/0/1
R3(config-if)#zone-member security OUT-ZONE
R3(config-if)#exit
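An added consistency check for the six steps above, not part of the original lab: this script (my own, assuming the configuration is fed in as text copied from show running-config) walks the ZPF reference chain the steps build (zone-pair to policy-map to class-map to ACL, and interface to zone) and reports any link that does not resolve.

```python
import re
# Constructed sample: only the ZPF-relevant lines of R3's running-config from this lab.
SAMPLE_CONFIG = """\
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
zone security IN-ZONE
zone security OUT-ZONE
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 zone-member security IN-ZONE
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 zone-member security OUT-ZONE
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
"""
def audit_zpf(config):
    """Follow zone-pair -> policy-map -> class-map -> ACL and interface -> zone; return findings."""
    zones, acls, cmaps, pmaps, pairs, ifaces, sect = set(), set(), {}, {}, {}, {}, (None, None)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!": continue
        if not raw.startswith(" "):  # top-level statement: opens a new (kind, name) block
            sect = (None, None)
            if m := re.match(r"zone security (\S+)", line): zones.add(m[1])
            elif m := re.match(r"access-list (\d+) ", line): acls.add(m[1])
            elif m := re.match(r"class-map type inspect \S+ (\S+)", line): sect, cmaps[m[1]] = ("cmap", m[1]), []
            elif m := re.match(r"policy-map type inspect (\S+)", line): sect, pmaps[m[1]] = ("pmap", m[1]), []
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
                sect, pairs[m[1]] = ("pair", m[1]), [m[2], m[3], None]
            elif m := re.match(r"interface (\S+)", line): sect, ifaces[m[1]] = ("if", m[1]), [False, None]
            continue
        kind, name = sect  # indented sub-command belongs to the block opened above
        if kind == "cmap" and (m := re.match(r"match access-group (\d+)", line)): cmaps[name].append(m[1])
        elif kind == "pmap" and (m := re.match(r"class type inspect (\S+)", line)): pmaps[name].append(m[1])
        elif kind == "pair" and (m := re.match(r"service-policy type inspect (\S+)", line)): pairs[name][2] = m[1]
        elif kind == "if" and line.startswith("ip address "): ifaces[name][0] = True
        elif kind == "if" and (m := re.match(r"zone-member security (\S+)", line)): ifaces[name][1] = m[1]
    out = [f"class-map {c} references missing ACL {a}" for c, l in cmaps.items() for a in l if a not in acls]
    out += [f"policy-map {p} references missing class-map {c}" for p, l in pmaps.items() for c in l if c not in cmaps]
    for z, (src, dst, pol) in pairs.items():
        out += [f"zone-pair {z} references missing zone {s}" for s in (src, dst) if s not in zones]
        if pol is None: out.append(f"zone-pair {z} has no service-policy attached")
        elif pol not in pmaps: out.append(f"zone-pair {z} references missing policy-map {pol}")
    # An addressed interface left out of every zone cannot exchange traffic with zoned interfaces.
    out += [f"interface {i} is addressed but in no zone" for i, (ip, z) in ifaces.items() if ip and z is None]
    return out
```

The parser relies on the one-space indentation that show running-config prints for sub-commands, so feed it output copied directly from the router. The lab defines only the IN-ZONE to OUT-ZONE pair, so sessions initiated from OUT-ZONE match no pair and are dropped, which is the class-default drop shown in the verification output.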

III. Verification

From the PC, access the SERVER with ping and with a web browser.
Then view the sessions that were established:

R3#show policy-map type inspect zone-pair sessions 
 Zone-pair: IN-2-OUT-ZPAIR

  Service-policy inspect : IN-2-OUT-PMAP

    Class-map: IN-NET-CLASS-MAP (match-all)
      Match: access-group 101
      Inspect

        Established Sessions
         Session 189484728 (192.168.3.3:1)=>(192.168.1.3:0) icmp SIS_OPEN
          Created 00:00:10, Last heard 00:00:10
           ECHO request
          Bytes sent (initiator:responder) [512:512]
         Session 214582768 (192.168.3.3:1027)=>(192.168.1.3:80) tcp SIS_OPEN/TCP_ESTAB
          Created 00:00:01, Last heard  00:00:01
          Bytes sent (initiator:responder) [284:552]
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes

Complete lab configuration

R3#show running-config
Building configuration…

Current configuration : 1342 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
!
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
!
!
!
zone security IN-ZONE
zone security OUT-ZONE
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 zone-member security IN-ZONE
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 zone-member security OUT-ZONE
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.2.2
!
ip flow-export version 9
!
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
!
!
!
!
logging trap debugging
line con 0
 password ciscoconpa55
 login
!
line aux 0
!
line vty 0 4
 password ciscovtypa55
 login
!
!
ntp update-calendar
!
end