Part $6$: Test Firewall Functionality from IN$-$ZONE to OUT$-$ZONE

Verify that internal hosts can still access external resources after configuring the ZPF$.$

Step $1$: From internal PC$-$C$,$ ping the external PC$-$A server.

From the PC$-$C command prompt, ping PC$-$A at $192\mathrm{.}168\mathrm{.}1\mathrm{.}3.$ The ping should succeed.

Step $2$: From internal PC$-$C$,$ SSH to the R$2$ S$0/0/1$ interface.

a$.$ From the PC$-$C command prompt, SSH to R$2$ at $10\mathrm{.}2\mathrm{.}2\mathrm{.}2.$ Use the username Admin and the password Adminpa$55$ to access R$2.$ The SSH session should succeed.

b$.$ While the SSH session is active, issue the command show policy$-$map type inspect zone$-$pair sessions on R$3$ to view established sessions.

R$3$# show policy$-$map type inspect zone$-$pair sessions

policy exists on zp IN$-2-$OUT$-$ZPAIR

Zone$-$pair: IN$-2-$OUT$-$ZPAIR

Service$-$policy inspect : IN$-2-$OUT$-$PMAP

Class$-$map: IN$-$NET$-$CLASS$-$MAP $($match$-$all$)$

Match: access$-$group $101$

Inspect

Number of Established Sessions $=1$

Established Sessions

Session $175216232(192\mathrm{.}168\mathrm{.}3\mathrm{.}3$:$1028)=>(10\mathrm{.}2\mathrm{.}2\mathrm{.}2$:$22)$ tcp SIS$\_$OPEN$/$TCP$\_$ESTAB

Created $00$:$00$:$25,$ Last heard $00$:$00$:$20$

Bytes sent $($initiator:responder$)[1195$:$1256]$

Class$-$map: class$-$default $($match$-$any$)$

Match: any

Drop $($default action$)$

$0$ packets, $0$ bytes

What is the source IP address and port number?

$\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_$

$192\mathrm{.}168\mathrm{.}3\mathrm{.}3$:$1028($port $1028$ is random$)$

What is the destination IP address and port number?

$\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_$

$10\mathrm{.}2\mathrm{.}2\mathrm{.}2$:$22($SSH $=$ port $22)$

Step $3$: From PC$-$C$,$ exit the SSH session on R$2$ and close the command prompt window.

Step $4$: From internal PC$-$C$,$ open a web browser to the PC$-$A server web page.

Enter the server IP address $192\mathrm{.}168\mathrm{.}1\mathrm{.}3$ in the browser URL field, and click Go$.$ The HTTP session should succeed. While the HTTP session is active, issue the command show policy$-$map type inspect zone$-$pair sessions on R$3$ to view established sessions.

Note: If the HTTP session times out before you execute the command on R$3,$ you will have to click the Go button on PC$-$C to generate a session between PC$-$C and PC$-$A$.$

R$3$# show policy$-$map type inspect zone$-$pair sessions

policy exists on zp IN$-2-$OUT$-$ZPAIR

Zone$-$pair: IN$-2-$OUT$-$ZPAIR

Service$-$policy inspect : IN$-2-$OUT$-$PMAP

Class$-$map: IN$-$NET$-$CLASS$-$MAP $($match$-$all$)$

Match: access$-$group $101$

Inspect

Number of Established Sessions $=1$

Established Sessions

Session $565266624(192\mathrm{.}168\mathrm{.}3\mathrm{.}3$:$1031)=>(192\mathrm{.}168\mathrm{.}1\mathrm{.}3$:$80)$ tcp SIS$\_$OPEN$/$TCP$\_$ESTAB

Created $00$:$00$:$01,$ Last heard $00$:$00$:$01$

Bytes sent $($initiator:responder$)[284$:$552]$

Class$-$map: class$-$default $($match$-$any$)$

Match: any

Drop $($default action$)$

$0$ packets, $0$ bytes

What is the source IP address and port number?

$\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_$

$192\mathrm{.}168\mathrm{.}3\mathrm{.}3$:$1031($port $1031$ is random$)$

What is the destination IP address and port number?

$\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_$

$192\mathrm{.}168\mathrm{.}1\mathrm{.}3$:$80($HTTP web $=$ port $80)$

Step $5$: Close the browser on PC$-$C$.$

Part $7$: Test Firewall Functionality from OUT$-$ZONE to IN$-$ZONE

Verify that external hosts CANNOT access internal resources after configuring the ZPF$.$

Step $1$: From the PC$-$A server command prompt, ping PC$-$C$.$

From the PC$-$A command prompt, ping PC$-$C at $192\mathrm{.}168\mathrm{.}3\mathrm{.}3.$ The ping should fail.

Step $2$: From R$2,$ ping PC$-$C$.$

From R$2,$ ping PC$-$C at $192\mathrm{.}168\mathrm{.}3\mathrm{.}3.$ The ping should fail.

Step $3$: Check results.

Your completion percentage should be $100\%.$ Click Check Results to see feedback and verification of which required components have been completed.