NetVanta 3448
Firewall Configuration

Instructor Led Exercise

THE CHALLENGE

Company XYZ would like Internet access. They would also like to set up a company web server that can be reached from the Internet.

THE SOLUTION

Using the NetVanta 3448, enable the firewall to translate (NAT) the private IP addresses of the Administration, Staff, and Clients VLAN to the public WAN IP address. You will also create a DMZ where the company web server will be located.

NetVanta 3448 Firewall Configuration

In this exercise you will add a DMZ VLAN to the NetVanta 3448. You will then use the Firewall Wizard to set up Internet access for the Administration, Staff, and Clients VLANs. The Firewall Wizard will also be used to create a Port Forwarding policy to allow traffic in to a web server. Finally, you will create a DMZ security zone to block traffic from leaving the DMZ VLAN.

SETUP

- This exercise builds on the NetVanta 3448 ‘WAN/Router Configuration’ exercise.

- Connect one end of an Ethernet cable to the Ethernet port of the PC and the other end to Switchport 1 on the NetVanta 3448.

- Connect the T1 circuit specified by the instructor to the ‘WAN-T1’ port of the NetVanta 3448. Use the cable specified by the instructor.

- From your PC, open the installed browser (if not already open) and enter 10.10.10.1 in the Address field.

The NetVanta login window appears. Enter admin as the username, password as the password, then click the OK button.

Configure DMZ Router Interface

From the NetVanta 3448 System / Physical Interfaces screen, enable and configure eth 0/2 with an IP address. This network will be used as the DMZ.

DMZ interface: eth 0/2, IP address 10.10.50.1 /24

Initial Firewall Configuration

Using the Firewall Wizard, configure the NetVanta 3448 to translate (NAT) Internet bound private IP addresses of VLANs 1, 2, and 3 to the public WAN IP address. You will also configure a Port Forwarding policy to allow traffic from the Internet to have access to the company web server.

Public Interface: PPP 1

Private Interfaces: VLAN 1, 2, and 3

Web Server: 10.10.50.2

1) Select the Firewall Wizard and then click Next. Choose interface ppp 1 as the interface connected to the Internet.

2) Select VLANs 1, 2, and 3 as the Private interfaces that will share the address of the ppp 1 interface when accessing the Internet.

3) Select Web server as the type of server that you want to allow access to from the Internet.

4) Type 10.10.50.2 as the private Web server.

Click Next, and then Apply to complete the Wizard.

Create a new Security Zone for the DMZ

Configure a new Security Zone to be used as the DMZ. This security zone will have a filter policy that will block all the traffic that originates in the DMZ.

By default, the DMZ security zone will block all traffic that originates in the DMZ. If someone breaks into the server in the DMZ, this will help stop them from launching attacks from your network.

Assign Router Interface Eth 0/2 to the DMZ Security Zone

From the Firewall / Security Zones screen, place interface DMZ (VLAN #5) in the new DMZ security zone. All traffic originating in the DMZ VLAN will be blocked from entering the NetVanta 3448.
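The configuration below is an AOS CLI equivalent of what the Firewall Wizard and the Security Zones screen produce, added here as an example and not taken from the lab or from ADTRAN documentation. The policy-class and access-list names (Private, Public, DMZ, nat-inside, web-in, any-src) are assumptions, the VLAN addressing is assumed to come from the earlier exercise, and 172.16.X.1 is the lab's own placeholder for your WAN address.

```text
! Added example: AOS CLI equivalent of the wizard and security-zone steps.
! Names (Private, Public, DMZ, nat-inside, web-in, any-src) are assumptions.
ip firewall
!
! Private zone: hosts on VLANs 1-3 may reach the router itself (self) and are
! translated (PAT) to the ppp 1 address when their traffic leaves for the Internet.
ip access-list standard nat-inside
  permit any
!
ip policy-class Private
  allow list nat-inside self
  nat source list nat-inside interface ppp 1 overload
!
! Public zone: only HTTP sent to the WAN address is admitted, and it is
! destination-NATed to the web server in the DMZ. Substitute your WAN address for X.
ip access-list extended web-in
  permit tcp any host 172.16.X.1 eq 80
!
ip policy-class Public
  nat destination list web-in address 10.10.50.2
!
! DMZ zone: discard everything the DMZ initiates. Replies belonging to sessions
! the Public policy already admitted still pass, because the firewall is stateful.
ip access-list standard any-src
  permit any
!
ip policy-class DMZ
  discard list any-src
!
! Bind each interface to its zone (VLAN IP addressing comes from the earlier exercise).
interface vlan 1
  access-policy Private
interface vlan 2
  access-policy Private
interface vlan 3
  access-policy Private
interface ppp 1
  access-policy Public
interface eth 0/2
  ip address 10.10.50.1 255.255.255.0
  access-policy DMZ
  no shutdown
```

A quick check of the result is the one the lab's test section performs: with `debug firewall` on, a ping from the WAN side should show the Public policy discarding it, while an HTTP request to the WAN address should show a session being created toward 10.10.50.2.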

TEST THE ACCESSIBILITY OF YOUR ROUTER

1.  Select Telnet To Unit from the Utilities menu and then log in to the Telnet session.

2.  Can you ping the host router (172.16.100.1)? Y/N ______

3.  Enter the Enable mode and then the Global Configuration mode.

4.  Set the firewall policy logging threshold to one.

NV3448(config)# ip firewall policy-log threshold 1

This will cause the firewall to log one event for every policy use, which may be useful while troubleshooting. Change back to a higher threshold when finished troubleshooting.

5.  From the current mode, enable firewall debug messages.

NV3448(config)# do debug firewall

You may have to wait for others to finish the steps above before continuing.

6.  Have someone ping your WAN interface (172.16.X.1).

Could they? Y/N ______

What messages were displayed when someone pinged your WAN interface?

______

7.  Set the firewall policy logging threshold back to one hundred.

NV3448(config)# ip firewall policy-log threshold 100

8.  From the Enable mode, turn off debug messages.

NV3448# undebug all

9.  Exit the Telnet session.

NV3448# exit

Lab Exercise Complete!