! Basic Configuration
! NET router: upstream side, DHCP server for 200.1.1.0/24, loopbacks 8.8.8.8 and 4.2.2.2 as reachability targets
NET(config)#in et 1/1
NET(config-if)#ip address 200.1.1.1 255.255.255.0
NET(config-if)#no shutdown
NET(config-if)#in lo 1
NET(config-if)#ip address 8.8.8.8 255.255.255.255
NET(config-if)#in lo 2
NET(config-if)#ip address 4.2.2.2 255.255.255.255
NET(config-if)#exit
NET(config)#ip dhcp excluded-address 200.1.1.1 200.1.1.10
NET(config)#ip dhcp pool DHCP-1
NET(dhcp-config)#dns-server 8.8.8.8
NET(dhcp-config)#domain-name ITTSM.BLOGSPOT.COM
NET(dhcp-config)#default-router 200.1.1.1
NET(dhcp-config)#network 200.1.1.0 255.255.255.0
! ZBF router: WAN on eth 1/1 (address via DHCP), LAN on eth 0/3, PAT overload on the WAN interface
ZBF(config)#in eth 1/1
ZBF(config-if)#no shutdown
ZBF(config-if)#description WAN
ZBF(config-if)#ip address dhcp
ZBF(config)#in eth 0/3
ZBF(config-if)#des LAN
ZBF(config-if)#no shutdown
ZBF(config-if)#ip address 10.1.1.1 255.255.255.0
ZBF(config-if)#exit
ZBF(config)#ip access-list extended NAT
ZBF(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 any
ZBF(config-ext-nacl)#exit
ZBF(config)#in eth 0/3
ZBF(config-if)#ip nat inside
ZBF(config-if)#in eth 1/1
ZBF(config-if)#ip nat outside
ZBF(config-if)#exit
ZBF(config)#ip nat inside source list NAT interface eth 1/1 overload
! PC: LAN host with routing disabled, default gateway 10.1.1.1
PC(config)#in eth 0/3
PC(config-if)#ip address 10.1.1.10 255.255.255.0
PC(config-if)#no shutdown
PC(config-if)#exit
PC(config)#no ip routing
PC(config)#ip default-gateway 10.1.1.1
! Verify connectivity from PC (LAN gateway, then upstream loopback through NAT)
PC#ping 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/312/1136 ms
PC#ping 4.2.2.2
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/312/1136 ms
! Check NAT Service
ZBF#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 200.1.1.11:2 10.1.1.10:2 4.2.2.2:2 4.2.2.2:2
icmp 200.1.1.11:3 10.1.1.10:3 4.2.2.2:3 4.2.2.2:3
icmp 200.1.1.11:4 10.1.1.10:4 8.8.8.8:4 8.8.8.8:4
icmp 200.1.1.11:5 10.1.1.10:5 8.8.8.8:5 8.8.8.8:5
! Configure Zone-Based Firewall (zones IN/OUT, zone-pair IN-OUT, inspect tcp/udp/icmp)
ZBF(config)#zone security IN
ZBF(config-sec-zone)#exit
ZBF(config)#zone security OUT
ZBF(config-sec-zone)#exit
ZBF(config)#in ethernet 1/1
ZBF(config-if)#zone-member security OUT
ZBF(config-if)#in ethernet 0/3
ZBF(config-if)#zone-member security IN
ZBF(config)#zone-pair security IN-OUT source IN destination OUT
ZBF(config-sec-zone-pair)#exit
ZBF(config)#class-map type inspect match-any ALL
ZBF(config-cmap)#match protocol tcp
ZBF(config-cmap)#match protocol udp
ZBF(config-cmap)#match protocol icmp
ZBF(config)#policy-map type inspect POLICY
ZBF(config-pmap)#class ALL
ZBF(config-pmap-c)#inspect
ZBF(config-pmap-c)#exit
ZBF(config-pmap)#exit
ZBF(config)#zone-pair security IN-OUT source IN destination OUT
ZBF(config-sec-zone-pair)#service-policy type inspect POLICY
! Check Commands
ZBF#show zone-pair security
Zone-pair name IN-OUT
Source-Zone IN Destination-Zone OUT
service-policy POLICY
ZBF#show policy-map type inspect
Policy Map type inspect POLICY
Class ALL
Inspect
Class class-default
Drop
ZBF#show policy-map type inspect zone-pair
policy exists on zp IN-OUT
Zone-pair: IN-OUT
Service-policy inspect : POLICY
Class-map: ALL (match-any)
Match: protocol tcp
1 packets, 24 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
2 packets, 160 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:20]
icmp packets: [0:20]
Session creations since subsystem startup or last reset 3
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:1]
Last session created 00:00:11
Last statistic reset never
Last session creation rate 3
Maxever session creation rate 3
Last half-open session total 0
TCP reassembly statistics
received 0 packets out-of-order; dropped 0
peak memory usage 0 KB; current usage: 0 KB
peak queue length 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
ZBF#show policy-firewall session
Session B24D87E8 (10.1.1.10:8)=>(4.2.2.2:0) icmp SIS_OPEN
Created 00:00:01, Last heard 00:00:00
ECHO request
Bytes sent (initiator:responder) [28152:28152]
Established Sessions = 1
ZBF#show policy-firewall session
Session B24D8E98 (10.1.1.10:46048)=>(200.1.1.1:23) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:07, Last heard 00:00:02
Bytes sent (initiator:responder) [95:248]
Established Sessions = 1
ZBF#show policy-firewall session zone-pair
Zone-pair: IN-OUT
Service-policy inspect : POLICY
Class-map : ALL(match-any)
Established Sessions = 1
Session B24D8E98 (10.1.1.10:46048)=>(200.1.1.1:23) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:45, Last heard 00:00:40
Bytes sent (initiator:responder) [95:248]
Class-map : class-default(match-any)
ZBF#show policy-firewall stats
Global Stats:
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:169]
icmp packets: [0:4020]
Session creations since subsystem startup or last reset 6
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:1]
Last session created 00:01:25
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 3
Last half-open session total 0
ZBF#show policy-firewall config zone
Zone: self
Description: System defined zone
Zone: IN
Member Interfaces:
Ethernet0/3
Member of Zone-pairs:
Zone IN is source of Zone-pair IN-OUT
Zone: OUT
Member Interfaces:
Ethernet1/1
Member of Zone-pairs:
Zone OUT is destination of Zone-pair IN-OUT
ZBF#show policy-firewall stats drop-counters
DROP action found in policy-map 4
ZBF#show policy-firewall mib connection-statistics policy POLICY zone-pair IN-OUT L4-Protocol all
Policy Target Protocol Based Connection Summary Stats
------------------------------------------------------
Policy POLICY
Zone-Pair IN-OUT
------------------------------------------------------
Protocol icmp
Connections Attempted 4
Connections Setup Aborted 0
Connections Policy Declined 0
Connections Resource Declined 0
Connections Half Open 0
Connections Active 0
Connections Aborted 0
------------------------------------------------------
Protocol tcp
Connections Attempted 2
Connections Setup Aborted 0
Connections Policy Declined 0
Connections Resource Declined 0
Connections Half Open 0
Connections Active 0
Connections Aborted 0
------------------------------------------------------
ZBF#show policy-firewall mib connection-statistics policy POLICY zone-pair IN-OUT L7-Protocol all
Policy Target Protocol Based Connection Summary Stats
------------------------------------------------------
Policy POLICY
Zone-Pair IN-OUT
------------------------------------------------------
Protocol telnet
Connections Attempted 2
Connections Setup Aborted 0
Connections Policy Declined 0
Connections Resource Declined 0
Connections Half Open 0
Connections Active 0
Connections Aborted 0
------------------------------------------------------
ZBF#show policy-firewall config
Zone: self
Description: System defined zone
Zone: IN
Member Interfaces:
Ethernet0/3
Zone: OUT
Member Interfaces:
Ethernet1/1
Zone-pair : IN-OUT
Source Zone : IN
Destination Zone : OUT
Service-policy inspect : POLICY
Class-map : ALL(match-any)
Action : inspect
Class-map : class-default(match-any)
Action : drop log
Parameter-map Config:
Global:
alert on
sessions maximum 2147483647
waas disabled
l2-transparent dhcp-passthrough disabled
log dropped-packets disabled
log summary disabled
max-incomplete low 2147483647
max-incomplete high 2147483647
one-minute low 2147483647
one-minute high 2147483647
tcp reset-PSH disabled
Default:
audit-trail off
alert on
max-incomplete low 2147483647
max-incomplete high 2147483647
one-minute low 2147483647
one-minute high 2147483647
udp idle-time 30
icmp idle-time 10
dns-timeout 5
tcp idle-time 3600
tcp finwait-time 5
tcp synwait-time 30
tcp max-incomplete host 4294967295 block-time 0
sessions maximum 2147483647
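As an added example (not part of the original lab), a small Python audit of the `show policy-firewall config` output above: it parses the zones, their member interfaces and the per-class actions of each zone-pair, then flags user-defined zones with no interface, any zone-pair whose class-default does not drop, and zone directions with no zone-pair at all (IOS drops traffic between two user-defined zones that have no zone-pair, so the missing OUT->IN pair is reported as implicit deny, not as an error). The sample text is a constructed excerpt in the same shape as the output above.

```python
import re

# Constructed sample in the shape of "show policy-firewall config" (indentation stripped).
SAMPLE = """\
Zone: self
Description: System defined zone
Zone: IN
Member Interfaces:
Ethernet0/3
Zone: OUT
Member Interfaces:
Ethernet1/1
Zone-pair : IN-OUT
Source Zone : IN
Destination Zone : OUT
Service-policy inspect : POLICY
Class-map : ALL(match-any)
Action : inspect
Class-map : class-default(match-any)
Action : drop log
"""

def parse_zbf_config(text):
    """Return ({zone: [interfaces]}, {pair: {src, dst, classes: {class: action}}})."""
    zones, pairs = {}, {}
    cur_zone = cur_pair = cur_class = None
    for raw in text.splitlines():
        line = raw.strip()
        value = line.split(":", 1)[1].strip() if ":" in line else ""
        if line.startswith("Zone-pair"):
            cur_pair, cur_zone = value, None
            pairs[cur_pair] = {"src": None, "dst": None, "classes": {}}
        elif line.startswith("Zone:"):
            cur_zone = value
            zones[cur_zone] = []
        elif line.startswith("Source Zone"):
            pairs[cur_pair]["src"] = value
        elif line.startswith("Destination Zone"):
            pairs[cur_pair]["dst"] = value
        elif line.startswith("Class-map"):
            cur_class = re.sub(r"\(.*\)", "", value).strip()   # drop "(match-any)"
        elif line.startswith("Action"):
            pairs[cur_pair]["classes"][cur_class] = value
        elif cur_zone and re.match(r"^[A-Za-z]+\d", line):    # e.g. Ethernet0/3
            zones[cur_zone].append(line)
    return zones, pairs

def audit(zones, pairs):
    """List findings; the self zone is skipped because traffic to/from the router
    itself is permitted unless a zone-pair involving self is configured."""
    findings = []
    user = [z for z in zones if z != "self"]
    for z in user:
        if not zones[z]:
            findings.append(f"zone {z} has no member interfaces")
    for name, p in pairs.items():
        action = p["classes"].get("class-default", "")
        if not action.startswith("drop"):
            findings.append(f"zone-pair {name}: class-default action is '{action}', not drop")
    covered = {(p["src"], p["dst"]) for p in pairs.values()}
    for s in user:
        for d in user:
            if s != d and (s, d) not in covered:
                findings.append(f"no zone-pair {s}->{d}: traffic in that direction is dropped by default")
    return findings
```

Run against the lab output the only finding is the absent OUT->IN pair; changing the class-default action to `pass` would add a second finding.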