networking-forum.com
All times are UTC - 6 hours [ DST ]
 Post subject: DMZ with packet tracer
PostPosted: Mon May 05, 2008 12:28 pm 
Senior Member
Joined: Fri Apr 11, 2008 8:48 am
Posts: 361
Location: New York
Hey guys,

Can a DMZ be created with Packet Tracer?


PostPosted: Tue May 06, 2008 3:58 am 
Post Whore
Joined: Fri Mar 11, 2005 10:26 pm
Posts: 2512
Location: Perth, Western Australia
mastarron wrote:
Hey guys,

Can a DMZ be created with Packet Tracer?


Sorta - the "firewalls" are routers with ACLs so:

Code:
Internet
  |
Edge Router/Firewall
  |
Switch ---- DMZ Servers
  |
Inside Router/Firewall
  |
Inside Network


The Packet Tracer Activity at page 8.2.2.3 of the CCNA Discovery: Working at a Small-to-Medium Business or ISP curriculum has a look at this.

Which Networking Academy course are you doing?

Aubrey

_________________
The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn. Alvin Toffler, "Future Shock" 1970


PostPosted: Fri May 09, 2008 11:15 am 
Senior Member
Joined: Fri Apr 11, 2008 8:48 am
Posts: 361
Location: New York
[Two screenshots of the Packet Tracer "DMZ" lab topology]

Ok, there is a picture of my "DMZ" lab that I am practicing with. I am not too good with access lists... so can somebody kind of help me out and show me how to add the access lists?

Here is the information:

RT1:
fa0/0 192.168.1.1 /26
fa0/1 172.16.1.1 /30
eth0/2/0 192.168.2.1 /24 **(DMZ ZONE)**

RT2:
fa0/0 172.16.1.2 /30
fa0/1 172.16.2.2 /30

RT3 :
fa0/0 172.16.2.1 /30
fa0/1 192.168.3.1 /25

I am running RIP v2 so that the different subnets can communicate.

RT2 is kind of like the "internet", so I just want the dmz to see the internet, nothing else.

EDIT:

SORRY, the router on the LEFT is RT1, the middle/top router is RT2 and the router all the way on the right is RT3.

PostPosted: Fri May 09, 2008 12:58 pm 
Senior Member
Joined: Fri Apr 11, 2008 8:48 am
Posts: 361
Location: New York
Ok, I think I got it, because the PC on the "DMZ" is not able to see the PC on the RT1 or RT3 LAN.

Here is the sho run on RT1:

RT1#sho run
Building configuration...

Current configuration : 647 bytes
!
version 12.3
no service password-encryption
!
hostname RT1
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.192
ip access-group 101 in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.252
duplex auto
speed auto
!
interface Ethernet0/2/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router rip
version 2
network 172.16.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
!
ip classless
!
access-list 101 deny icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.63
!
!
!
line con 0
line vty 0 4
login
!
!
end

******************

Here is the RT3 sho run:

RT3#sho run
Building configuration...

Current configuration : 529 bytes
!
version 12.2
no service password-encryption
!
hostname RT3
!
!
!
!
interface FastEthernet0/0
ip address 172.16.2.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.128
ip access-group 101 in
duplex auto
speed auto
!
router rip
version 2
network 172.16.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
!
ip classless
!
access-list 101 deny icmp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.127
!
!
!
no cdp run
!
line con 0
line vty 0 4
login
!
!
end

***********************

It's working this way, but how can I get it so that I ONLY have access lists on RT1, if that's possible.

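Since the question is whether ACLs on RT1 alone can isolate the DMZ, here is an added example (mine, not from the thread or Packet Tracer) that models how IOS evaluates an extended ACL: first match wins, wildcard masks decide which address bits must match, and an implicit deny ends every list. Only the subnets come from the post above; the ACL entries, the interface placement and the sample hosts are assumptions.

```python
"""Toy evaluator for Cisco-style extended ACLs (added example, not from the thread).
Models first-match evaluation, the implicit 'deny any any' at the end of every ACL,
and wildcard masks (a 0 bit in the mask means that address bit must match).
Subnets are the ones posted; ACL entries and sample hosts are assumptions."""
import ipaddress


def wc_match(addr: str, net: str, wildcard: str) -> bool:
    """True if addr falls inside net/wildcard the way IOS reads a wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that must match
    return (a & care) == (n & care)


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for action, p, snet, swc, dnet, dwc, port in acl:
        if p != "ip" and p != proto:            # 'ip' entries match every protocol
            continue
        if not (wc_match(src, snet, swc) and wc_match(dst, dnet, dwc)):
            continue
        if port is not None and port != dport:  # 'eq <port>' on the destination
            continue
        return action
    return "deny"  # the implicit deny any any that ends every IOS ACL


ANY = ("0.0.0.0", "255.255.255.255")
DMZ = ("192.168.2.0", "0.0.0.255")

# Entries: (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port)
# Assumed ACL for RT1 eth0/2/0 *inbound*: every packet leaving the DMZ crosses
# this interface, so filtering here alone keeps the DMZ away from both LANs and
# also drops the DMZ's replies to LAN-initiated pings. RT3 needs no ACL at all.
RT1_DMZ_IN = [
    ("deny",   "ip", *DMZ, "192.168.1.0", "0.0.0.63",  None),  # DMZ -> RT1 LAN (/26)
    ("deny",   "ip", *DMZ, "192.168.3.0", "0.0.0.127", None),  # DMZ -> RT3 LAN (/25)
    ("permit", "ip", *DMZ, *ANY,                       None),  # DMZ -> "internet" (RT2)
]

# The access-list 101 actually posted for RT1 fa0/0 in: a single deny line, so
# the implicit deny also drops every packet the RT1 LAN itself sends.
POSTED_101 = [
    ("deny", "icmp", *DMZ, "192.168.1.0", "0.0.0.63", None),
]
```

Running the posted list through the evaluator shows the caveat: with only a deny entry, a LAN host's own ping to the DMZ (or anywhere) is denied by the implicit deny, which is why an explicit permit line belongs at the end.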
PostPosted: Sat May 10, 2008 3:56 am 
Post Whore
Joined: Fri Mar 11, 2005 10:26 pm
Posts: 2512
Location: Perth, Western Australia
I can't really follow your topology - if PC1 represents servers in the DMZ, which of PC0 and PC2 represents your inside (secure) network, and what does the other represent?

You don't seem to have followed what I suggested - well if you did I can't relate the two.

A DMZ is as much about policy and topology as it is about ACLs from a design perspective.

PT 4.11 has a server model that delivers HTTP, TFTP, DNS and DHCP so you can make your rules a bit more realistic instead of just filtering ping too.

Aubrey
