*****************************************************
1. Zone-Based Firewall
*****************************************************

=====================================================
1. Create the Zones
=====================================================
---- R2 ----
zone security OUTSIDE
zone security INSIDE
zone security DMZ

=====================================================
2. Assign the interfaces to the Zones
=====================================================
---- R2 ----
interface E0/0
 zone-member security OUTSIDE
!
interface E0/1
 zone-member security INSIDE
!
interface E0/2
 zone-member security INSIDE
!
interface E0/3
 zone-member security DMZ

===================================================================================
3. Configure a Zone-Pair Policy to allow Inter-Zone Traffic from INSIDE To OUTSIDE
===================================================================================
---- R2 ----
! 1. Classify the traffic
class-map type inspect match-any CM-I-O
 match protocol http
 match protocol https
 match protocol telnet
 match protocol ssh
 match protocol icmp
 match protocol dns
 match protocol smtp
! 2. Specify the Action
policy-map type inspect PM-I-O
 class type inspect CM-I-O
  inspect
! 3. Apply the policy-map to a Zone-Pair
zone-pair security I-O source INSIDE destination OUTSIDE
 service-policy type inspect PM-I-O

Verification:
---------------
sh policy-map type inspect zone-pair I-O sessions

===================================================================================
4. Configure a Zone-Pair Policy to allow Inter-Zone Traffic from INSIDE To DMZ
===================================================================================
---- R2 ----
! 1. Classify the traffic
class-map type inspect match-any CM-I-D
 match protocol http
 match protocol https
 match protocol telnet
 match protocol ssh
 match protocol dns
! 2. Specify the Action
policy-map type inspect PM-I-D
 class type inspect CM-I-D
  inspect
! 3. Apply the policy-map to a Zone-Pair
zone-pair security I-D source INSIDE destination DMZ
 service-policy type inspect PM-I-D

Verification:
---------------
sh policy-map type inspect zone-pair I-D sessions

===================================================================================
5. Configure a Zone-Pair Policy to allow Inter-Zone Traffic from OUTSIDE To DMZ
===================================================================================
---- R2 ----
! 1. Classify the traffic
access-list 101 permit ip any host 192.1.25.12
access-list 102 permit ip any host 192.1.25.11
access-list 103 permit ip any host 192.1.25.5
!
class-map type inspect match-all CM-O-D-DNS
 match protocol dns
 match access-group 101
!
class-map type inspect match-any CM-R5
 match protocol telnet
 match protocol ssh
 match protocol icmp
!
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
!
class-map type inspect match-all CM-O-D-WEB
 match class-map CM-WEB
 match access-group 102
!
class-map type inspect match-all CM-O-D-R5
 match class-map CM-R5
 match access-group 103
! 2. Specify the Action
policy-map type inspect PM-O-D
 class type inspect CM-O-D-DNS
  inspect
 class type inspect CM-O-D-WEB
  inspect
 class type inspect CM-O-D-R5
  inspect
! 3. Apply the policy-map to a Zone-Pair
zone-pair security O-D source OUTSIDE destination DMZ
 service-policy type inspect PM-O-D

Verification:
---------------
sh policy-map type inspect zone-pair O-D sessions
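How R2 decides the fate of a new flow under the policy above, as an added example that is not part of the lab notes: a Python model of the zone membership, zone-pairs and nested match-any/match-all class-maps from sections 3 to 5, where verdict() returns inspect, pass or drop. It assumes each ACL matches only the destination host it permits and that the implicit class-default drops; return traffic, which the inspect action admits statefully, is not modelled.

```python
# Added example, not part of the lab notes: a model of how IOS Zone-Based Firewall
# decides the fate of a NEW flow, loaded with R2's policy from sections 3-5. Assumed:
# each ACL is reduced to the destination host it permits; class-default always drops.
ZONE_OF = {"E0/0": "OUTSIDE", "E0/1": "INSIDE", "E0/2": "INSIDE", "E0/3": "DMZ"}
ACL = {101: {"192.1.25.12"}, 102: {"192.1.25.11"}, 103: {"192.1.25.5"}}

def protocols(*names):
    return [("protocol", p) for p in names]
# class-map name -> (match mode, terms); a term is ("protocol", name),
# ("access-group", number) or ("class-map", name) for a nested class-map
CLASS_MAPS = {
    "CM-I-O": ("match-any", protocols("http", "https", "telnet", "ssh", "icmp", "dns", "smtp")),
    "CM-I-D": ("match-any", protocols("http", "https", "telnet", "ssh", "dns")),
    "CM-O-D-DNS": ("match-all", [("protocol", "dns"), ("access-group", 101)]),
    "CM-R5": ("match-any", protocols("telnet", "ssh", "icmp")),
    "CM-WEB": ("match-any", protocols("http", "https")),
    "CM-O-D-WEB": ("match-all", [("class-map", "CM-WEB"), ("access-group", 102)]),
    "CM-O-D-R5": ("match-all", [("class-map", "CM-R5"), ("access-group", 103)]),
}
# zone-pair (source, destination) -> ordered (class, action) list of its policy-map
ZONE_PAIRS = {
    ("INSIDE", "OUTSIDE"): [("CM-I-O", "inspect")],
    ("INSIDE", "DMZ"): [("CM-I-D", "inspect")],
    ("OUTSIDE", "DMZ"): [("CM-O-D-DNS", "inspect"), ("CM-O-D-WEB", "inspect"),
                         ("CM-O-D-R5", "inspect")],
}

def matches(cm_name, proto, dst):
    mode, terms = CLASS_MAPS[cm_name]
    results = []
    for kind, val in terms:
        if kind == "protocol":
            results.append(val == proto)
        elif kind == "access-group":
            results.append(dst in ACL[val])
        else:
            results.append(matches(val, proto, dst))   # nested class-map
    return any(results) if mode == "match-any" else all(results)

def verdict(in_if, out_if, proto, dst):
    src_z, dst_z = ZONE_OF.get(in_if), ZONE_OF.get(out_if)
    if src_z == dst_z:                       # same zone, or both unzoned: not firewalled
        return "pass"
    if src_z is None or dst_z is None:       # zoned <-> unzoned is always dropped
        return "drop"
    for cm_name, action in ZONE_PAIRS.get((src_z, dst_z), []):
        if matches(cm_name, proto, dst):
            return action                    # first matching class wins
    return "drop"                            # no zone-pair, or class-default
```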
*****************************************************
2. Configuring HSRP
*****************************************************

============================================================
1. Configure the Routers to communicate with each other using HSRP
============================================================
---- R1 ----
interface E0/1
 standby 10 ip 192.168.100.5
 standby 10 priority 105
 standby 10 preempt
 standby 10 authentication md5 key-string Cisco123

---- R2 ----
interface E0/1
 standby 10 ip 192.168.100.5
 standby 10 authentication md5 key-string Cisco123

============================================================
2. Configure HSRP with Interface Tracking
============================================================
---- R1 ----
track 11 interface E0/0 line-protocol
!
interface E0/1
 standby 10 track 11 decrement 10

---- R2 ----
interface E0/1
 standby 10 preempt

*****************************************************
3. Configuring VRRP
*****************************************************

============================================================
1. Configure the Routers to communicate with each other using VRRP
============================================================
---- R1 ----
default interface E0/1
!
interface E0/1
 ip address 192.168.100.1 255.255.255.0
 vrrp 10 ip 192.168.100.5
 vrrp 10 priority 105
 vrrp 10 authentication md5 key-string Cisco123

---- R2 ----
default interface E0/1
!
interface E0/1
 ip address 192.168.100.2 255.255.255.0
 vrrp 10 ip 192.168.100.5
 vrrp 10 authentication md5 key-string Cisco123

============================================================
2. Configure VRRP with Interface Tracking
============================================================
---- R1 ----
interface E0/1
 vrrp 10 track 11 decrement 10
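The election rules behind the HSRP and VRRP sections above, simulated in Python as an added example that is not part of the lab notes. It uses the group as configured (R1 priority 105 with preempt, R2 at the default 100, track 11 decrementing R1 by 10) and assumes both routers bring the group up at the same time, so the initial election goes to the highest priority.

```python
# Added example, not part of the lab notes: the HSRP/VRRP election rules, simulated
# with the group from sections 2 and 3 (R1 priority 105 with preempt, R2 at the default
# 100, track 11 decrementing R1 by 10). It shows why step 2 of the HSRP section also
# needs "standby 10 preempt" on R2, and why VRRP does not (preempt is on by default).
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100
    preempt: bool = False
    track_up: bool = True
    decrement: int = 0

    def effective_priority(self):
        # a tracked object going down lowers the advertised priority by the decrement
        return self.priority - (0 if self.track_up else self.decrement)

def best(routers):
    # highest effective priority wins; ties go to the highest interface IP
    return max(routers, key=lambda r: (r.effective_priority(),
                                       tuple(int(o) for o in r.ip.split("."))))

def elect(routers, active=None):
    """Return the active (HSRP) / master (VRRP) router after an election event."""
    if active is None:
        return best(routers)           # initial election: nobody holds the role yet
    cand = best(routers)
    # a better router may only take the role away if it is allowed to preempt
    if (cand is not active and cand.preempt
            and cand.effective_priority() > active.effective_priority()):
        return cand
    return active

def scenario(r2_preempt):
    # role holder (1) at start, (2) after R1's E0/0 loses line protocol, (3) after recovery
    r1 = Router("R1", "192.168.100.1", 105, preempt=True, decrement=10)
    r2 = Router("R2", "192.168.100.2", 100, preempt=r2_preempt)
    start = elect([r1, r2])            # R1: 105 beats 100
    r1.track_up = False                # track 11 down: R1 now advertises 95
    failed = elect([r1, r2], start)
    r1.track_up = True                 # link back: R1 advertises 105 again
    recovered = elect([r1, r2], failed)
    return start.name, failed.name, recovered.name

def hsrp_step1(): return scenario(r2_preempt=False)  # ('R1', 'R1', 'R1'): R2 never takes over
def hsrp_step2(): return scenario(r2_preempt=True)   # ('R1', 'R2', 'R1'): failover and fail-back
def vrrp():       return scenario(r2_preempt=True)   # VRRP preempts by default: as hsrp_step2
```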
*****************************************************
4. Configuring DHCP - 192.168.100.0/24
*****************************************************

============================================================
1. Configure R1 as the DHCP Server for 192.168.100.0/24
============================================================
---- R1 ----
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.100.201 192.168.100.254
!
ip dhcp pool POOL-A
 network 192.168.100.0 /24
 default-router 192.168.100.5
 dns-server 192.168.100.2

***************************************************************
5. Configuring DHCP - 192.168.200.0/24 [DHCP Relay required]
***************************************************************

============================================================
1. Configure R1 as the DHCP Server for 192.168.200.0/24
============================================================
---- R1 ----
ip dhcp excluded-address 192.168.200.1 192.168.200.50
!
ip dhcp pool POOL-B
 network 192.168.200.0 /24
 default-router 192.168.200.3
 dns-server 192.168.100.2

---- R3 ----
interface E0/1
 ip helper-address 192.168.100.1
!
! drop the other UDP services a helper forwards by default; only BOOTP/DHCP (67/68) remain
no ip forward-protocol udp 37
no ip forward-protocol udp 49
no ip forward-protocol udp 137
no ip forward-protocol udp 138
no ip forward-protocol udp 53
no ip forward-protocol udp 69

***************************************************************
6. Configuring DHCP Snooping for VLAN 100
***************************************************************

=========================================================================================
1. Configure SW1 for DHCP Snooping for VLAN 100. Allow R1 to be a Trusted DHCP Server
=========================================================================================
---- SW1 ----
ip dhcp snooping
ip dhcp snooping vlan 100
!
interface E0/0
 description Connected to the DHCP Server
 ip dhcp snooping trust
!
interface E0/3
 description Connected to the DHCP Relay Agent
 ip dhcp snooping trust
!
! do not insert option 82: R1 drops client requests that carry it by default
no ip dhcp snooping information option
***************************************************************
7. Configuring NTP
***************************************************************

=========================================================================================
1. Configure Timezones on the Devices
=========================================================================================
---- R1 ----
clock timezone GST 4

---- R2 ----
clock timezone CET 2

---- R3 ----
clock timezone EDT -4

=========================================================================================
2. Configure NTP Server
=========================================================================================
---- R1 ----
clock set 10:30:00 3 sep 2023
!
ntp master 2

=========================================================================================
3. Configure NTP Clients
=========================================================================================
---- R2 ----
ntp server 192.168.100.1

---- R3 ----
ntp server 192.168.100.1

=========================================================================================
4. Configure NTP Authentication
=========================================================================================
---- R1 ----
ntp authenticate
ntp authentication-key 123 md5 Cisco123
ntp trusted-key 123

---- R2 ----
ntp authenticate
ntp authentication-key 123 md5 Cisco123
ntp trusted-key 123
ntp server 192.168.100.1 key 123

---- R3 ----
ntp authenticate
ntp authentication-key 123 md5 Cisco123
ntp trusted-key 123
ntp server 192.168.100.1 key 123
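What step 4 puts on the wire, as an added example that is not from the lab notes: the RFC 5905 symmetric-key scheme that "ntp authentication-key 123 md5" configures, with R2's request and R1's reply each verified the way a receiver with "ntp authenticate" and "ntp trusted-key 123" decides. Header fields other than mode, stratum and transmit timestamp are zeroed; the exchange() helper and its key arguments are this example's own.

```python
# Added example, not part of the lab notes: what "ntp authentication-key 123 md5 Cisco123"
# does on the wire. In the RFC 5905 symmetric-key scheme each packet carries a MAC of
# key-id (4 bytes) + MD5(key || 48-byte header); a receiver with "ntp authenticate" only
# accepts a packet whose key-id is configured AND trusted and whose digest verifies.
# Header fields other than mode, stratum and transmit timestamp are zeroed for the demo.
import hashlib
import hmac
import struct

KEYS = {123: b"Cisco123"}   # ntp authentication-key 123 md5 Cisco123
TRUSTED = {123}             # ntp trusted-key 123

def ntp_header(mode, stratum=0, tx_ts=0):
    # 48-byte NTPv4 header: LI=0, VN=4, mode; poll 6, precision -20
    li_vn_mode = (4 << 3) | mode
    return (struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
            + b"\x00" * 36 + struct.pack("!Q", tx_ts))

def sign(header, key_id, key):
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def verify(packet, keys=KEYS, trusted=TRUSTED):
    """Decide as a receiver with 'ntp authenticate' would: (accepted, reason)."""
    if len(packet) == 48:
        return False, "unauthenticated packet"
    header, mac = packet[:48], packet[48:]
    if len(mac) != 20:
        return False, "bad MAC length"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys or key_id not in trusted:
        return False, "key %d unknown or not trusted" % key_id
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "ok"

def exchange(client_key_id=123, client_key=b"Cisco123"):
    """R2 -> R1 request, then R1 -> R2 reply; each side checks what it receives."""
    request = sign(ntp_header(mode=3), client_key_id, client_key)
    ok, why = verify(request)                       # R1 checks the client's request
    if not ok:
        return ok, why
    reply = sign(ntp_header(mode=4, stratum=2, tx_ts=1), 123, KEYS[123])
    return verify(reply)                            # R2 checks the server's reply
```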
***************************************************************
8. Configuring AAA
***************************************************************

=========================================================================================
1. Configure a relationship between the AAA Server and the Routers/Devices
=========================================================================================
---- R1 ----
aaa new-model
!
tacacs server ISE1
 address ipv4 192.168.100.25
 key Cisco123
!
tacacs server ISE2
 address ipv4 192.168.100.26
 key Cisco123
!
aaa group server tacacs+ TAC-SVR
 server name ISE1
 server name ISE2

---- R2 ----
aaa new-model
!
tacacs server ISE1
 address ipv4 192.168.100.25
 key Cisco123
!
tacacs server ISE2
 address ipv4 192.168.100.26
 key Cisco123
!
aaa group server tacacs+ TAC-SVR
 server name ISE1
 server name ISE2

---- R3 ----
aaa new-model
!
tacacs server ISE1
 address ipv4 192.168.100.25
 key Cisco123
!
tacacs server ISE2
 address ipv4 192.168.100.26
 key Cisco123
!
aaa group server tacacs+ TAC-SVR
 server name ISE1
 server name ISE2

=========================================================================================
2. Configure a Local Administration Database to be used as a Backup to ISE
=========================================================================================
---- R1 ----
username admin1 privilege 15 password Cisco123
username admin2 privilege 15 password Cisco123
username admin3 privilege 15 password Cisco123

---- R2 ----
username admin1 privilege 15 password Cisco123
username admin2 privilege 15 password Cisco123
username admin3 privilege 15 password Cisco123

---- R3 ----
username admin1 privilege 15 password Cisco123
username admin2 privilege 15 password Cisco123
username admin3 privilege 15 password Cisco123

=========================================================================================
3. Create the Authentication, Authorization & Accounting Lists
=========================================================================================
---- R1 ----
aaa authentication login T-LIST1 group TAC-SVR local
aaa authorization exec T-LIST2 group TAC-SVR local
aaa accounting exec T-LIST3 start-stop group TAC-SVR

---- R2 ----
aaa authentication login T-LIST1 group TAC-SVR local
aaa authorization exec T-LIST2 group TAC-SVR local
aaa accounting exec T-LIST3 start-stop group TAC-SVR

---- R3 ----
aaa authentication login T-LIST1 group TAC-SVR local
aaa authorization exec T-LIST2 group TAC-SVR local
aaa accounting exec T-LIST3 start-stop group TAC-SVR

=========================================================================================
4. Apply the Lists to the Line vty section
=========================================================================================
---- R1 ----
line vty 0 4
 login authentication T-LIST1
 authorization exec T-LIST2
 accounting exec T-LIST3
 transport input all

---- R2 ----
line vty 0 4
 login authentication T-LIST1
 authorization exec T-LIST2
 accounting exec T-LIST3
 transport input all

---- R3 ----
line vty 0 4
 login authentication T-LIST1
 authorization exec T-LIST2
 accounting exec T-LIST3
 transport input all

***************************************************************
9. Configuring IP SLA
***************************************************************

=========================================================================================
1. Configure a host route towards the Probe IP via the Primary Link
=========================================================================================
---- R3 ----
ip route 4.2.2.2 255.255.255.255 192.1.10.1

=========================================================================================
2. Configure and enable the SLA Probe using ICMP-Echo towards 4.2.2.2
=========================================================================================
---- R3 ----
ip sla 11
 icmp-echo 4.2.2.2 source-ip 192.1.10.3
 frequency 15
ip sla schedule 11 life forever start-time now

=========================================================================================
3. Create a Tracking object and link it to the IP SLA State
=========================================================================================
---- R3 ----
track 11 ip sla 11

====================================================================================================
4. Configure a Primary and a Backup Default Route. The Primary should be linked to the Track object
====================================================================================================
---- R3 ----
ip route 0.0.0.0 0.0.0.0 192.1.10.1 track 11
ip route 0.0.0.0 0.0.0.0 192.1.20.2 5
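Why step 1 of the IP SLA section matters, as an added example that is not from the lab notes: a Python simulation of R3's routing table with the two default routes, track 11 driven by the probe result, and the /32 host route either present or absent. Link state and the 8.8.8.8 test destination are constructed for the simulation; the lookup, install and sla_cycle helpers are this example's own.

```python
# Added example, not part of the lab notes: R3's tracked static routes from section 9,
# simulated to show why step 1 pins the probe target 4.2.2.2 to the primary next hop
# with a /32. Without it the probe follows the default route, succeeds over the backup
# after a failover, brings track 11 back up and flaps the dead primary route back in.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    ad: int = 1                  # administrative distance
    track: Optional[int] = None  # track object the route depends on

def install(routes, track_state):
    # a tracked route is withdrawn while its track is DOWN; lowest AD per prefix wins
    rib = {}
    for r in routes:
        if r.track is not None and not track_state.get(r.track, True):
            continue
        if r.prefix not in rib or r.ad < rib[r.prefix].ad:
            rib[r.prefix] = r
    return list(rib.values())

def lookup(rib, dst):
    # longest-prefix match
    hits = [r for r in rib if ip_address(dst) in ip_network(r.prefix)]
    return max(hits, key=lambda r: ip_network(r.prefix).prefixlen, default=None)

def sla_cycle(routes, track_state, link_up):
    # one "ip sla 11" cycle: route the echo to 4.2.2.2, set track 11 from the result
    r = lookup(install(routes, track_state), "4.2.2.2")
    track_state[11] = r is not None and link_up[r.next_hop]
    return install(routes, track_state)

def simulate(with_host_route):
    # default next hop R3 uses over four cycles: primary link up, then down three times
    routes = [StaticRoute("0.0.0.0/0", "192.1.10.1", track=11),   # primary
              StaticRoute("0.0.0.0/0", "192.1.20.2", ad=5)]       # floating backup
    if with_host_route:
        routes.append(StaticRoute("4.2.2.2/32", "192.1.10.1"))   # step 1 of section 9
    link_up, track = {"192.1.10.1": True, "192.1.20.2": True}, {11: True}
    path = []
    for primary_up in (True, False, False, False):
        link_up["192.1.10.1"] = primary_up
        rib = sla_cycle(routes, track, link_up)
        path.append(lookup(rib, "8.8.8.8").next_hop)
    return path
```

With the host route the default stays on the backup for as long as the primary is down; without it the default alternates between the dead primary and the backup on every probe cycle.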