
Next Generation Firewalls TX00CS29-3001 Case Study 2

This case study is done in groups (pods) of at most 3 students. If you don't manage to complete the case
study during the lab hours, you can return a report with the configuration file, including some
screenshots, via email to either marko.uusitalo(at)metropolia.fi or bruk.yirdaw(at)metropolia.fi, along
with the group members' names.
Refer to Topology 1 below and connect and configure the devices to build a site-to-site VPN
between the Palo Alto 200 and either the Cisco ASA 5505 or the Juniper SRX 210 within the same pod.
Refer to Tables 1 and 2 for the address table and the IP subnet per pod, respectively.

Topology 1

Note: the IP address you configure on E0/3 of the PA 200, connecting to the Test Network, is
10.94.33.pod#. The IP address you configure on the router's FastEthernet 0/0, connecting to the
Test Network, is 10.94.33.1pod#.
Tasks
Part I: Basic setup
Cable the network as shown in Topology 1
Configure all the PCs to obtain an IP address via DHCP from the directly connected
security device
Once you have outside access from PC 2 in the DMZ, download and run a web server
(SimpleServer) on PC 2
Run the Kiwi Syslog server from the desktop of PC 2
Apply the basic configuration to the router (host name, interface IP addresses)
Configure a static default route pointing to 10.94.33.254
Verify connectivity by pinging 8.8.8.8 in the outside world

Part II: Palo Alto 200 configuration


The default login for the PA 200 is admin/admin; change the admin password to
paloalto1.
It is good practice to erase any existing configuration. Refer to the PA 200 factory default settings
guide before you continue to work on the lab.
The default management IP address of the PA 200 is 192.168.1.1; connect any PC to the
MGT port in the same subnet for the basic setup.
Configure the PA 200 with the Ethernet interfaces, virtual routers and zones properly.
Configure the correct time zone on the PA 200 and sync with the NTP server
Configure a DHCP server on the PA 200 for the DMZ and Trust zones. Make sure that PC 2 is
always assigned the same IP address (128.16.x.2)
Configure a default route pointing to 10.94.33.254
Configure Dynamic IP and Port NAT for the Trust zone
Configure Destination NAT with port translation for PC 2 so that the web server (port
80) can be accessed from outside
Allow HTTP, HTTPS, SSH and DNS traffic from the Trust zone to anywhere
Configure Antivirus for web traffic
Define IKE gateways at each end of the VPN tunnel and define a profile that specifies the
necessary protocols and algorithms
Configure the IPSec tunnel parameters for the data crossing the VPN
between the Palo Alto and either the Cisco ASA or the Juniper SRX so that traffic is allowed between
the Trust zones
Allow Windows file sharing through this tunnel
Configure the PA 200 to send its logs to PC 3 and monitor the logs using the Kiwi
Syslog Server
Part III: Cisco ASA 5505/Juniper SRX210
Reset whichever security appliance you use (Cisco ASA or Juniper SRX) to its factory
defaults
If you choose to use the Cisco ASA 5505, ASDM is already available on the desktop of any
lab PC
Configure the interfaces with the IP addresses shown in Tables 1 and 2
Configure a DHCP server for the Trust zone
Configure a default route pointing to the router's interface Fa0/1
Configure port address translation (PAT) for the Trust zone
Allow HTTP, HTTPS, SSH and DNS traffic from the Trust zone to anywhere
Configure an IPSec site-to-site VPN to the PA 200
Allow Windows file sharing through this tunnel
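As an added example for the Cisco ASA 5505 option in Part III (not the course's own configuration), the NAT, policy and VPN part of the ASA side in 8.4+/9.x CLI syntax. It keeps the assignment's own placeholders ("x" for the pod-specific octet, "pod#" for the pod number) and assumes the interfaces have already been named trust (Vlan1, Et0/1) and untrust (Vlan2, Et0/0); the pre-shared key is a placeholder, and the object names, ACL names and crypto proposal are choices of this example that must be mirrored in the PA 200 IKE and IPSec profiles.

```cisco
! Added example, not part of the assignment. Assumes interfaces "trust" and "untrust" exist.
! Local Trust zone and the PA 200 Trust zone on the other side of the tunnel
object network TRUST_NET
 subnet 128.18.x.0 255.255.255.0
object network PA_TRUST_NET
 subnet 128.17.x.0 255.255.255.0
! Identity (no-NAT) rule for tunnel traffic. Manual NAT is evaluated before object NAT,
! so this must exist or the PAT rule below rewrites VPN traffic and the tunnel never matches.
nat (trust,untrust) source static TRUST_NET TRUST_NET destination static PA_TRUST_NET PA_TRUST_NET no-proxy-arp route-lookup
! Port address translation for everything else leaving the Trust zone
object network TRUST_NET
 nat (trust,untrust) dynamic interface
! Outbound policy: HTTP, HTTPS, SSH and DNS to anywhere; Windows file sharing
! (SMB 445, NetBIOS 137-139) only towards the PA 200 Trust zone through the tunnel
access-list TRUST_OUT extended permit tcp object TRUST_NET any eq www
access-list TRUST_OUT extended permit tcp object TRUST_NET any eq https
access-list TRUST_OUT extended permit tcp object TRUST_NET any eq ssh
access-list TRUST_OUT extended permit udp object TRUST_NET any eq domain
access-list TRUST_OUT extended permit tcp object TRUST_NET object PA_TRUST_NET eq 445
access-list TRUST_OUT extended permit tcp object TRUST_NET object PA_TRUST_NET eq netbios-ssn
access-list TRUST_OUT extended permit udp object TRUST_NET object PA_TRUST_NET range netbios-ns netbios-dgm
access-group TRUST_OUT in interface trust
! Decrypted tunnel traffic bypasses interface ACLs by default (sysopt connection permit-vpn);
! disable that if you want the Part IV filtering to apply to traffic arriving from the PA 200 side.
no sysopt connection permit-vpn
! IKEv1 phase 1: AES-256/SHA/DH group 2 with a pre-shared key, not DES/MD5 defaults
crypto ikev1 enable untrust
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! IPsec phase 2 with PFS; the PA 200 IPSec crypto profile must offer the same proposal
crypto ipsec ikev1 transform-set PA_TS esp-aes-256 esp-sha-hmac
access-list VPN_TO_PA extended permit ip object TRUST_NET object PA_TRUST_NET
crypto map UNTRUST_MAP 10 match address VPN_TO_PA
crypto map UNTRUST_MAP 10 set peer 10.94.33.pod#
crypto map UNTRUST_MAP 10 set ikev1 transform-set PA_TS
crypto map UNTRUST_MAP 10 set pfs group2
crypto map UNTRUST_MAP interface untrust
! Peer identity and pre-shared key (placeholder; use the same key on the PA 200 IKE gateway)
tunnel-group 10.94.33.pod# type ipsec-l2l
tunnel-group 10.94.33.pod# ipsec-attributes
 ikev1 pre-shared-key <PSK>
```

Once the tunnel is up, `show crypto ikev1 sa` and `show crypto ipsec sa` on the ASA show the phase 1 and phase 2 SAs and the encap/decap counters for Part IV monitoring.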

Part IV: Monitoring


Monitor the IPSec tunnels
Filter and inspect the traffic

Device       Interface   Zone           IP Address       Subnet Mask     Default Gateway   Switch Port
Router 1     Fa0/0                      10.94.33.1pod#   255.255.255.0   N/A               Test Network
Router 1     Fa0/1       Untrust Zone
PA 200       E0/1        Trust Zone     128.17.x.1       255.255.255.0   N/A
PA 200       E0/2        DMZ            128.16.x.1       255.255.255.0   N/A
PA 200       E0/3        Untrust Zone   10.94.33.pod#    255.255.255.0   N/A
ASA/SRX      Et0/0       Untrust Zone
ASA/SRX      Et0/1       Trust Zone     128.18.x.1       255.255.255.0   N/A
PC 1         NIC         Trust Zone     DHCP
PC 2         NIC         DMZ            DHCP
PC 3         NIC         Trust Zone     DHCP
Laptop       NIC                        DHCP                                               Labnet
NTP Server                              10.94.1.3
DNS Server                              10.94.1.4

Table 1: IP Address Table


Pod Number Network Subnet Mask
1 10.94.24.0 255.255.255.0
2 10.94.25.0 255.255.255.0
3 10.94.26.0 255.255.255.0
4 10.94.27.0 255.255.255.0
5 10.94.28.0 255.255.255.0
6 10.94.29.0 255.255.255.0
7 10.94.30.0 255.255.255.0
8 10.94.31.0 255.255.255.0
9 10.94.32.0 255.255.255.0

Table 2: IP Subnet Allocation
