Network Security Zone Configuration with Firewall Policies
Network Topology Design
Security Requirements
- DMZ servers are accessible from the office zone only during business hours (09:00-18:00); the production zone has 24/7 access
- Production zone devices cannot access the internet; office and guest zones have internet access
- Office device 10.0.2.10 cannot access the DMZ FTP and HTTP servers, but can ping 10.0.3.10
- The office zone is divided into Marketing and R&D departments:
  - Marketing uses fixed IP addresses with anonymous authentication for DMZ access
  - R&D requires IP-MAC binding with certificate-based authentication for DMZ access
- Guest zone users cannot access the DMZ or production zones; they use the Guest account with password Admin@123
- The production zone requires portal authentication for DMZ access, with a departmental structure:
  - At least three departments with three users each
  - Default password: openlab123
  - Password change required at first login
  - User expiration: 10 days
  - No shared accounts
VLAN Configuration
Configure VLANs on switch LSW3 to separate network zones:
vlan batch 2 3
Assign VLAN 2 to production zone and VLAN 3 to office zone.
Interface Configuration
Production Zone Interface (G0/0/2)
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
Office Zone Interface (G0/0/3)
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
Firewall Connection (G0/0/1)
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 3 10 20
Only VLANs that exist on the switch (here 2 and 3, created with vlan batch) actually carry traffic over the trunk; allowing 10 and 20 has no effect until those VLANs are created. Do not configure port discard tagged-packet on this interface: the firewall terminates VLANs 2 and 3 on dot1q sub-interfaces, so the trunk must deliver tagged frames.
Firewall Setup
Web Interface Access
In eNSP, bind the Cloud node to the host network adapter used for management and map its port to the firewall's management interface. Give GigabitEthernet0/0/0 (the USG management interface) an address in the bound adapter's segment and allow management services on it:
interface GigabitEthernet0/0/0
ip address [assigned-ip] [subnet-mask]
service-manage all permit
Open https://[assigned-ip]:8443 in a browser to reach the firewall web interface. service-manage all permit is acceptable for the lab; on a real deployment restrict it to the services actually used (for example service-manage https permit).
Interface Configuration
Create dot1q sub-interfaces on G1/0/1 so the firewall terminates the VLANs carried on the LSW3 trunk:
- G1/0/1.1: production zone interface (vlan-type dot1q 2)
- G1/0/1.2: office zone interface (vlan-type dot1q 3)
Security Zone Creation
Define security zones and assign corresponding interfaces:
- Production Zone: Assign G1/0/1.1
- Office Zone: Assign G1/0/1.2
- DMZ Zone: the built-in dmz zone; assign the DMZ-facing interface
- Guest Zone: Assign guest network interfaces
Security Policy Implementation
Policy Groups
Create policy groups for DMZ and ISP access. Rules are matched top-down, first match wins, so host-specific rules must precede the broader zone-to-zone permits:
- Office to DMZ access policies (business hours only)
- Production to DMZ access policies (24/7)
- Specific deny for 10.0.2.10 to the DMZ FTP and HTTP servers, with ICMP to 10.0.3.10 still permitted
- Guest zone restrictions (no access to the DMZ or production zones, per the requirements above)
- Internet access policies for the office and guest zones; the production zone gets none
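The following is an added example covering the sub-interface, zone and security-policy steps above; it is not configuration from the original lab notes. It uses Huawei USG6000 (V500-style) CLI and assumes addressing of 10.0.1.0/24 for production, 10.0.2.0/24 for office, 10.0.3.0/24 for the DMZ (server 10.0.3.10) and 10.0.4.0/24 for guest, a DMZ interface G1/0/2, a guest interface G1/0/3, an ISP uplink G1/0/4, and zone priorities chosen not to collide with the built-in zones (trust 85, dmz 50, untrust 5). The rule names are illustrative.

```text
# Added example (not from the original lab notes). Addresses, interfaces
# and priorities are assumptions.

# Sub-interfaces terminate the tags LSW3's trunk sends for VLANs 2 and 3.
interface GigabitEthernet1/0/1.1
 vlan-type dot1q 2
 ip address 10.0.1.254 255.255.255.0
interface GigabitEthernet1/0/1.2
 vlan-type dot1q 3
 ip address 10.0.2.254 255.255.255.0
interface GigabitEthernet1/0/2
 ip address 10.0.3.254 255.255.255.0
interface GigabitEthernet1/0/3
 ip address 10.0.4.254 255.255.255.0
interface GigabitEthernet1/0/4
 ip address 203.0.113.2 255.255.255.0

# Zones: dmz is built in; the others are created with a unique priority.
firewall zone name production
 set priority 60
 add interface GigabitEthernet1/0/1.1
firewall zone name office
 set priority 40
 add interface GigabitEthernet1/0/1.2
firewall zone dmz
 add interface GigabitEthernet1/0/2
firewall zone name guest
 set priority 20
 add interface GigabitEthernet1/0/3
firewall zone name isp
 set priority 10
 add interface GigabitEthernet1/0/4

# Business-hours window referenced by the office-to-DMZ rules.
time-range business-hours
 period-range 09:00:00 to 18:00:00 working-day

# Rules match top-down, first hit wins: the host-specific rules for
# 10.0.2.10 precede the general office-to-DMZ permit, otherwise the broader
# permit would shadow the deny. Traffic that matches nothing (guest to
# dmz/production, production to isp) falls through to the default deny.
security-policy
 rule name host-10-0-2-10-deny-ftp-http
  source-zone office
  destination-zone dmz
  source-address 10.0.2.10 32
  destination-address 10.0.3.10 32
  service ftp
  service http
  action deny
 rule name host-10-0-2-10-permit-ping
  # explicit so the requirement is visible in the rule base; ICMP from this
  # host would also match the general office rule below
  source-zone office
  destination-zone dmz
  source-address 10.0.2.10 32
  destination-address 10.0.3.10 32
  service icmp
  time-range business-hours
  action permit
 rule name office-to-dmz-business-hours
  source-zone office
  destination-zone dmz
  source-address 10.0.2.0 24
  destination-address 10.0.3.0 24
  time-range business-hours
  action permit
 rule name production-to-dmz
  source-zone production
  destination-zone dmz
  source-address 10.0.1.0 24
  destination-address 10.0.3.0 24
  action permit
 rule name office-guest-to-internet
  source-zone office
  source-zone guest
  destination-zone isp
  action permit
 default action deny
```

Check the order with display security-policy rule all and confirm hits with display firewall session table after generating traffic from 10.0.2.10. If the DMZ FTP server must serve other office hosts, enable ASPF for the data channel (firewall interzone office dmz, then detect ftp), otherwise only the control connection on port 21 will be permitted.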
NAT Configuration
Implement NAT policies for internet connectivity:
nat-policy
rule name "Office-Internet"
source-zone office
destination-zone isp
action source-nat address-group internet-pool
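Added example (not from the original lab notes) completing the NAT step: the address group that the rule above references, plus the matching rule for the guest zone. It assumes the ISP zone is named isp as in the rule above, a single public address 203.0.113.10 used in PAT mode, and that guest users also need internet access.

```text
# Added example; pool address and rule names are assumptions.
nat address-group internet-pool
 mode pat
 route enable
 section 0 203.0.113.10 203.0.113.10
nat-policy
 rule name Office-Internet
  source-zone office
  destination-zone isp
  action source-nat address-group internet-pool
 rule name Guest-Internet
  source-zone guest
  destination-zone isp
  action source-nat address-group internet-pool
# No rule for the production zone: it is denied by security policy, and a
# NAT rule on its own never permits traffic.
```

route enable installs a route for the pool address so the firewall answers for it on the ISP side; if the uplink interface address itself is to be used instead of a pool, action source-nat easy-ip replaces the address-group reference. A NAT rule is only a translation instruction; the security policy must still permit office and guest traffic to the isp zone or nothing is forwarded.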
User Management
Departmental User Groups
Create user groups for organizational structure:
- Marketing Department group
- R&D Department group
- Production Department groups (minimum three)
- Guest user group
Authentication Policies
Configure an authentication strategy for each user group. The outline below is schematic rather than verbatim VRP syntax; on the USG the rules live under auth-policy and user bindings are set per user:
authentication-policy
rule name "Marketing-Auth"
user-group marketing
authentication-method anonymous
rule name "R&D-Auth"
user-group rd
authentication-method certificate
ip-mac-binding enable
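Added example (not from the original lab notes) of how the two office strategies map onto USG6000-style CLI: marketing hosts are exempted from authentication by address (action no-auth), R&D hosts are forced to the portal (action auth) and each R&D user is bound to an IP and MAC address. Assumptions: marketing hosts live in 10.0.2.16/28, R&D hosts in 10.0.2.32/27, the user names and the sample MAC address are invented, and the per-user bind ip / bind mac lines are assumed syntax. Certificate-based login for R&D is not shown.

```text
# Added example; address ranges, user names, MAC and the bind lines are
# assumptions.
user-manage group /default/marketing
user-manage group /default/rd
user-manage user mkt-user1
 parent-group /default/marketing
 bind ip 10.0.2.21
user-manage user rd-user1
 parent-group /default/rd
 bind ip 10.0.2.41
 bind mac 5489-98ab-cdef
auth-policy
 rule name marketing-no-auth
  source-zone office
  destination-zone dmz
  source-address 10.0.2.16 28
  action no-auth
 rule name rd-auth
  source-zone office
  destination-zone dmz
  source-address 10.0.2.32 27
  action auth
```

Authentication policy and security policy are evaluated independently: a host in the R&D range is redirected to the portal by rd-auth, and its DMZ traffic is then still subject to the office-to-DMZ security-policy rules and their time range.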
Production Zone Users
Batch create users for the production departments (schematic; repeat per department so that at least three departments exist):
user-batch production-dept1
user-template password openlab123 force-change
users user1 user2 user3
expiration 10
Portal Authentication
Configure portal authentication for the production zone (schematic):
portal-server
server-name production-portal
url https://[firewall-ip]/portal
authentication-method portal
System Administration
Administrator Account Creation
Create system administrator accounts under the aaa view and bind each to a role. The password is a placeholder; service-type lists the management channels the account may use:
aaa
 manager-user admin-new
  password cipher [password]
  service-type web ssh
  level 15
 bind manager-user admin-new role system-admin
For SSH access the account must also be registered as an SSH user and the STelnet server enabled:
ssh user admin-new authentication-type password
ssh user admin-new service-type stelnet
stelnet server enable
Bind each newly created administrator to the role that matches its duties (system-admin, device-admin or audit-admin) rather than giving every account system-admin.