Introduction to Computer Architecture and Networks

Table of Contents

A) Configuration of static router

B) Errors in the Network Configuration

C) Default router

D) Subnet

E) Configuration of DMZ:

Configuration of DMZ:

A) Configuration of Static Router

Static routing tables are not flexible: they are configured and modified manually, unlike dynamic routing tables, which are updated by propagating information from other routers. The configuration of three networks with a static router is given below.

The static routing table of R3 is displayed with the following command:

R3# show ip route static | begin Gateway

All static routes are removed with commands such as the following, after which the static routing table shows no entries:

R3(config)# no ip route 172.16.1.0 255.255.255.0 s0/0/1

B) Errors in the Network Configuration

Three errors in the network configuration are:

  • R3(config-if)# ip address 192.168.1.1 255.255.251

The above command produces a subnet mask error message, because the mask has only three octets.

R3(config-if)# ip address 192.168.1.1 255.255.255.252

The above command shows no error when typed. (Solution)

  • R3(config)# ip route 0.0.0.0 0.0.0.0 0.0.0.0

The above command shows the “invalid gateway” or “invalid route exit interface” error message, because 0.0.0.0 is not a valid next hop.

R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.0.1

The above command shows no error, as a valid gateway is given. (Rectification)

  • R3# show ip route [Command]

If no path is shown in the routing table, then there is no route to the destination or a wrong IP address has been configured on the router interface.

C) Default Router

Add the default route to the router:

  • R(config)# ip route 0.0.0.0 0.0.0.0 <IP address of R3> (a loopback address can be used)

D) Subnet

The addresses of the four subnets are:

192.168.200.0/30
192.168.200.4/30
192.168.200.8/30
192.168.200.12/30

As no details of the customer network are given, point-to-point /30 subnets are selected.
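As an added example (not part of the original assignment), the following Python code checks subnet masks the way a router does before accepting them, which is why the two masks from section B are rejected and 255.255.255.252 is accepted as a /30, and then carves the four point-to-point subnets of section D out of 192.168.200.0/28. The block 192.168.200.0/28 as the parent range is an assumption, chosen because it contains exactly the four /30s listed.

```python
import ipaddress


def validate_mask(mask):
    """Return the prefix length of a dotted-decimal IPv4 mask, or None when a router would
    reject it: wrong number of octets (255.255.251), an octet above 255 (255.255.2555.252),
    or one-bits that are not contiguous (255.255.0.255)."""
    octets = mask.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    ones = bin(value).count("1")
    # A valid mask is `ones` one-bits followed by zero-bits; compare with that canonical form.
    canonical = ((1 << ones) - 1) << (32 - ones) if ones else 0
    return ones if value == canonical else None


def point_to_point_subnets(block, count):
    """Carve `count` /30 subnets out of `block` (an assumed parent range) and return
    (network, first host, second host, broadcast) for each. A /30 has exactly two usable
    addresses, one per router end, which is why it suits a point-to-point link."""
    net = ipaddress.ip_network(block)
    result = []
    for sub in list(net.subnets(new_prefix=30))[:count]:
        first, second = sub.hosts()
        result.append((str(sub), str(first), str(second), str(sub.broadcast_address)))
    return result


if __name__ == "__main__":
    for mask in ("255.255.251", "255.255.2555.252", "255.255.255.252"):
        print(mask, "->", validate_mask(mask))   # None, None, 30
    for row in point_to_point_subnets("192.168.200.0/28", 4):
        print(row)
```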

E) Configuration of DMZ:

  • A firewall has three zones: 1. trusted zone, 2. DMZ, 3. untrusted zone. The Demilitarised Zone (DMZ) is configured between the trusted and untrusted zones according to the security policy.
  • The trusted zone is the most secure zone; the DMZ is used for servers that are accessed from the external network; the untrusted zone is basically the Internet.
  • It improves the security of an organization by segregating devices such as computers and servers on different sides of the firewalls.
  • For example, in an organization there are private networks behind the company’s firewall, and the servers that must be reachable for business over the untrusted Internet are connected from behind the firewall into the company’s private network.
  • People access these servers, and hackers could use them as an opening to cause tremendous harm to the company’s network.
  • They could then access sensitive data on other devices behind the firewall, such as a database server. The DMZ can also act as a screened network that detects malicious activity before it gets behind the firewall and into the company’s internal network.
  • The DMZ is installed between the public Internet and the private network. All packets passing between the trusted and untrusted firewalls are screened by the DMZ before they can reach an organization’s servers.

Therefore there are two DMZ networks, one inside the firewall and another outside, and the extra DMZ is an obstacle to hackers (Wang, 2015).

Configuration of DMZ:

A DMZ network can also be configured on a typical home router, in the router’s Advanced settings (Wang, 2015).

In Cisco ASA version 8.4(3)9: setting up a DMZ (configuring a host behind the firewall)

Let’s take an example where there is a web server in the DMZ. We therefore open the firewall so that port 80 or port 443 traffic initiated from the Internet can reach the DMZ. The DMZ can initiate traffic to the Internet, and the office LAN can initiate traffic to the DMZ or to the Internet.

Rules for DMZ in Firewall:

Step 1: Assigning security levels to the DMZ interfaces on the ASA

Each of the four interfaces (outside, inside, dmz1, dmz2) is named and given a security level:

interface GigabitEthernet0/0
 description to WAN
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description to LAN
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description to DMZ1
 nameif dmz1
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 description to DMZ2
 nameif dmz2
 security-level 20
 ip address 192.168.2.1 255.255.255.0

Step 2: Configuring the Internet gateway on the ASA

Network Address Translation (NAT) is configured so that internal hosts can reach the Internet; the ASA translates their addresses and forwards the packets to the ISP (TCP/IP, 2020). All outbound traffic from the higher-security interfaces (inside, dmz1, dmz2) traverses to the lower-security outside interface. The commands are:

  • nat (inside,outside) after-auto source dynamic any interface
  • nat (dmz1,outside) after-auto source dynamic any interface
  • nat (dmz2,outside) after-auto source dynamic any interface

The above configuration translates the source IP of traffic from inside, dmz1 and dmz2 to the IP address of the outside interface, so internal addresses are not exposed directly to the Internet.

Configuration of the default gateway: all traffic is routed to the ISP gateway 10.1.1.2.

  • route outside 0.0.0.0 0.0.0.0 10.1.1.2

Configure “inspect icmp” under the global policy so that the ASA permits the ICMP return traffic when a ping is initiated from hosts on the inside.

  • policy-map global_policy
  • class inspection_default
  • inspect icmp

Then ping the host 10.1.1.200 on the Internet from each internal subnet.

Step 3: Configuration of static NAT to grant access to the web server

Two network objects are defined:

  • object network WWW-EXT
  • host 10.1.1.10
  • !
  • object network WWW-INT
  • host 192.168.1.10

Configuring object NAT (entered under the WWW-INT object):

  • nat (dmz1,outside) static WWW-EXT service tcp www www

Alternatively, manual (twice) NAT is configured:

  • object service WEB-SERVICE
  • service tcp source eq www
  • !
  • nat (dmz1,outside) source static WWW-INT WWW-EXT service WEB-SERVICE WEB-SERVICE

When a host on the outside opens a TCP connection to 10.1.1.10 on port 80 (www), the ASA translates the destination to 192.168.1.10, the web server on the dmz1 segment; in the reply direction, 192.168.1.10 is translated back to 10.1.1.10.

Step 4: Access control between security segments

For our case study here:

  • Traffic initiated from “inside” can go to “dmz1”, “dmz2” and “outside”.
  • Traffic initiated from “dmz1” can go to “dmz2” and “outside” but cannot go to “inside”.
  • Traffic initiated from “dmz2” can go to “outside” only; traffic to the other segments is not allowed.

ACLs can override these default rules. For this case study, the guests in dmz2 are allowed to use the DNS server in dmz1. Configuration of the ACLs:

! define network objects
object network INSIDE-NET
 subnet 192.168.0.0 255.255.255.0
!
object network DMZ1-NET
 subnet 192.168.1.0 255.255.255.0
!
! define DNS server object
object network DNS-SERVER
 host 192.168.1.10
!
access-list DMZ2-ACL extended permit udp any object DNS-SERVER eq domain
access-list DMZ2-ACL extended deny ip any object INSIDE-NET
access-list DMZ2-ACL extended deny ip any object DMZ1-NET
access-list DMZ2-ACL extended permit ip any any
!
access-group DMZ2-ACL in interface dmz2
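As an added example (not part of the original assignment and not Cisco code), the following Python model reproduces the two decisions packet-tracer makes for this case study: the Step 4 default rule, where a flow may only be initiated from a higher security level towards a lower one, and the top-down, first-match evaluation of DMZ2-ACL once it is bound to dmz2. The interface table and the ACL entries are taken from Steps 1 and 4; the route lookup assumes only the connected subnets plus the default route of Step 2.

```python
import ipaddress

# Interfaces from Step 1: nameif -> security-level, and the subnet connected to each.
SECURITY_LEVELS = {"outside": 0, "inside": 100, "dmz1": 50, "dmz2": 20}
CONNECTED = {
    "inside": ipaddress.ip_network("192.168.0.0/24"),
    "dmz1": ipaddress.ip_network("192.168.1.0/24"),
    "dmz2": ipaddress.ip_network("192.168.2.0/24"),
}

# DMZ2-ACL from Step 4 as (action, protocol, destination, destination port); source is 'any'.
DMZ2_ACL = [
    ("permit", "udp", "192.168.1.10/32", 53),   # permit udp any object DNS-SERVER eq domain
    ("deny",   "ip",  "192.168.0.0/24", None),  # deny ip any object INSIDE-NET
    ("deny",   "ip",  "192.168.1.0/24", None),  # deny ip any object DMZ1-NET
    ("permit", "ip",  "0.0.0.0/0",      None),  # permit ip any any
]
ACCESS_GROUPS = {"dmz2": DMZ2_ACL}  # access-group DMZ2-ACL in interface dmz2


def egress_interface(dst):
    """Route lookup (packet-tracer Phase 2): a connected subnet wins, else the default route via outside."""
    ip = ipaddress.ip_address(dst)
    return next((name for name, net in CONNECTED.items() if ip in net), "outside")


def acl_lookup(acl, proto, dst, dport):
    """Entries are evaluated top-down and the first match wins; no match is the implicit deny."""
    ip = ipaddress.ip_address(dst)
    for action, aproto, anet, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if ip not in ipaddress.ip_network(anet):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"


def decide(in_ifc, proto, dst, dport=None):
    """Return (egress interface, verdict) for a new flow entering on in_ifc."""
    out_ifc = egress_interface(dst)
    if in_ifc in ACCESS_GROUPS:
        return out_ifc, acl_lookup(ACCESS_GROUPS[in_ifc], proto, dst, dport)
    # No inbound ACL: the Step 4 default applies, higher security level may initiate to lower only.
    higher = SECURITY_LEVELS[in_ifc] > SECURITY_LEVELS[out_ifc]
    return out_ifc, ("permit" if higher else "deny")


if __name__ == "__main__":
    # The page's packet-tracer case: dmz2 guest 192.168.2.10 -> DNS server 192.168.1.10, udp/53.
    print(decide("dmz2", "udp", "192.168.1.10", 53))   # ('dmz1', 'permit')
```

Running the same function for a dmz2 guest trying TCP/80 to the DNS server returns ('dmz1', 'deny') from the DMZ1-NET entry, which shows why the ACL must list the permitted service before the segment-wide denies.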

Step 5: Troubleshooting and Verification

Validating the configuration and identifying problems is necessary.

The ICMP ping command is used to verify connectivity (InformIT, 2014). With it, we can test whether a packet can reach point B from point A. In this study, the hosts on the inside, dmz1 and dmz2 segments are verified.

  • ASA1# debug icmp trace
  • ASA1# terminal monitor
  • The host with IP 192.168.0.200 initiates a ping, and responses come back from the dmz1 host 192.168.1.10 and the dmz2 host.
  • We used packet-tracer on dmz2 and dmz1 to test the path from the dmz2 host to the DNS server in dmz1.

ASA1# packet-tracer input dmz2 udp 192.168.2.10 1234 192.168.1.10 domain detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd1a76710, priority=1, domain=permit, deny=false
hits=12, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=dmz2, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.10 using egress ifc dmz1

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ2-ACL in interface dmz2
access-list DMZ2-ACL extended permit udp any object DNS-SERVER eq domain
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd1cdad10, priority=13, domain=permit, deny=false
hits=0, user_data=0x7fffd8eb9b80, cs_id=0x0, use_real_addr, flags=0x0, protocol=17
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=192.168.1.10, mask=255.255.255.255, port=53, tag=any, dscp=0x0
input_ifc=dmz2, output_ifc=any

output omitted for brevity

Result:
input-interface: dmz2
input-status: up
input-line-status: up
output-interface: dmz1
output-status: up
output-line-status: up
Action: allow
