Lab: Designing a Secure Network Topology

A Small Office Network with a DMZ and Firewall

1. Project Objective

This project demonstrates the design and implementation of a secure network topology for a small office using Cisco Packet Tracer. The primary goal was to segment the network into distinct security zones (Office, Guest, and DMZ) and enforce a strict access control policy using a Cisco ASA firewall to protect internal resources while safely exposing a public-facing web server.

2. Network Segmentation and Design

The network is segmented into three logical zones, each assigned to a specific VLAN and IP subnet to isolate traffic and enforce security policies.

Zone          VLAN ID   IP Range          Purpose
Office Zone   10        192.168.10.0/24   Internal trusted network for employee PCs.
Guest Zone    20        192.168.20.0/24   Isolated network for guest WiFi access, with no access to internal resources.
DMZ Zone      30        192.168.30.0/24   Demilitarized Zone to host the public-facing web server, accessible from the internet.

3. Firewall Configuration (Cisco ASA 5506)

Security Levels

Security levels are assigned to each interface to create an implicit security policy: traffic is allowed from a higher level to a lower level, but not vice versa unless an explicit rule permits it.

  • Office (g1/1): security-level 100 (Most Trusted)
  • Guest (g1/2): security-level 50
  • DMZ (g1/3): security-level 25
  • Outside (g1/8): security-level 0 (Least Trusted)

Access Control Rules

Explicit access rules were configured to enforce the security policy.

! ASA access rules. ACL and interface names are assumed (OFFICE_IN/office,
! GUEST_IN/guest, OUTSIDE_IN/outside); every ACL ends in an implicit deny.

! Allow Office zone full outbound access
access-list OFFICE_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group OFFICE_IN in interface office

! Block Guest zone from accessing Office zone, then allow other outbound traffic
! (without the second line the ACL's implicit deny would drop all Guest traffic)
access-list GUEST_IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list GUEST_IN extended permit ip 192.168.20.0 255.255.255.0 any
access-group GUEST_IN in interface guest

! Allow external traffic to the Web Server on HTTP/HTTPS only
! (the server also needs a static NAT to a public address, not shown in this lab)
access-list OUTSIDE_IN extended permit tcp any host 192.168.30.2 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.30.2 eq 443
access-group OUTSIDE_IN in interface outside

4. Security Testing and Verification

The firewall policy was tested by attempting to ping between zones to verify that the access rules were working as intended.

# Test from Guest PC (192.168.20.10) to Office PC (192.168.10.10)
C:\>ping 192.168.10.10

Pinging 192.168.10.10 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 192.168.10.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Result: Success. Traffic from Guest to Office is blocked by the firewall as intended.
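The ping test above exercises a single ICMP flow. To check the policy from sections 3 and 4 against the other flows the design cares about (Office and Guest outbound, internet to the web server on HTTP/HTTPS only, DMZ to Office), here is an added Python model of the zone policy. It is example code written for this page, not part of the lab or of any Cisco tooling. It models the policy exactly as the write-up describes it: an explicit rule decides first, and otherwise traffic passes only from a higher security level to a lower one (on a real ASA, an ACL bound to an interface ends with an implicit deny for that interface, so the level-based default only governs interfaces with no ACL). The verification matrix is constructed for this example, and 203.0.113.5 is a documentation address standing in for an arbitrary internet host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network

# Zones from the lab write-up: interface name -> (security level, subnet).
# "outside" is the catch-all 0.0.0.0/0; zone_of() prefers the most specific match.
INTERFACES = {
    "office":  (100, net("192.168.10.0/24")),
    "guest":   (50,  net("192.168.20.0/24")),
    "dmz":     (25,  net("192.168.30.0/24")),
    "outside": (0,   net("0.0.0.0/0")),
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp"/"icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None = any destination port


# The lab's explicit rules, evaluated in order; first match wins.
RULES = [
    Rule("permit", "ip",  net("192.168.10.0/24"), net("0.0.0.0/0")),
    Rule("deny",   "ip",  net("192.168.20.0/24"), net("192.168.10.0/24")),
    Rule("permit", "tcp", net("0.0.0.0/0"),       net("192.168.30.2/32"), 80),
    Rule("permit", "tcp", net("0.0.0.0/0"),       net("192.168.30.2/32"), 443),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone by longest-prefix match over INTERFACES."""
    addr = ipaddress.ip_address(ip)
    candidates = [(subnet.prefixlen, name)
                  for name, (_, subnet) in INTERFACES.items() if addr in subnet]
    return max(candidates)[1]


def explicit_decision(proto: str, src: str, dst: str, dport: Optional[int]) -> Optional[str]:
    """Return the action of the first explicit rule matching the flow, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return None


def is_allowed(proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
    """Decide a flow as the write-up describes the policy: an explicit rule
    wins; otherwise only higher-level -> lower-level traffic is permitted."""
    decision = explicit_decision(proto, src, dst, dport)
    if decision is not None:
        return decision == "permit"
    return INTERFACES[zone_of(src)][0] > INTERFACES[zone_of(dst)][0]


# Constructed verification matrix: (label, (proto, src, dst, dport), expected).
VERIFICATION = [
    ("Guest PC -> Office PC (ICMP, the lab's ping test)", ("icmp", "192.168.20.10", "192.168.10.10", None), False),
    ("Office PC -> internet HTTPS",     ("tcp", "192.168.10.10", "203.0.113.5", 443), True),
    ("Guest PC -> internet HTTPS",      ("tcp", "192.168.20.10", "203.0.113.5", 443), True),
    ("Internet -> DMZ web server HTTP", ("tcp", "203.0.113.5", "192.168.30.2", 80), True),
    ("Internet -> DMZ web server SSH",  ("tcp", "203.0.113.5", "192.168.30.2", 22), False),
    ("Internet -> Office PC HTTP",      ("tcp", "203.0.113.5", "192.168.10.10", 80), False),
    ("DMZ web server -> Office PC SMB", ("tcp", "192.168.30.2", "192.168.10.10", 445), False),
]


def run_verification() -> dict:
    """Evaluate every flow in the matrix; returns label -> (expected, actual)."""
    return {label: (expected, is_allowed(*flow)) for label, flow, expected in VERIFICATION}


if __name__ == "__main__":
    for label, (expected, actual) in run_verification().items():
        status = "OK  " if expected == actual else "FAIL"
        print(f"{status} {label}: allowed={actual}")
```

The last two rows are the ones worth keeping an eye on in a real deployment: the DMZ host is the most exposed machine, and the model shows that even with the web ports open from the internet, nothing in the rule set lets that host initiate connections back into the Office zone.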

5. Conclusion

Effective Network Segmentation

This lab successfully demonstrates a defense-in-depth approach to network design. By segmenting the network into zones with varying levels of trust and enforcing a strict firewall policy, we can significantly reduce the attack surface. The Guest network is isolated from critical internal resources, and the public-facing web server is placed in a secure DMZ, protecting the internal Office network from direct external threats.