Lab 3.1: Segmentation

Summary

In this lab, we set up segmentation in our network by adding a new firewall and a new network (MGMT). We retired our log01 server and replaced it with a new server (WAZUH) on the MGMT network.

Firewall Configs

Setup Export Script

  1. Make a new file and add the lines below:

     #!/bin/vbash
     source /opt/vyatta/etc/functions/script-template
     # Print the running config as 'set' commands, dropping the noisy default nodes
     run show configuration commands | grep -v "syslog\|ntp\|login\|console\|config\|hw-id\|loopback\|conntrack"

  2. Make that file executable.

FW1-Paul

set interfaces ethernet eth0 address '10.0.17.127/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth1 description 'PAUL-DMZ'
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'PAUL-LAN'
set nat source rule 10 description 'NAT FROM DMZ to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 description 'NAT FROM LAN to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.150.0/24'
set nat source rule 20 translation address 'masquerade'
set nat source rule 30 description 'NAT FROM MGMT to WAN'
set nat source rule 30 outbound-interface 'eth0'
set nat source rule 30 source address '172.16.200.0/28'
set nat source rule 30 translation address 'masquerade'
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding listen-address '172.16.150.2'
set service dns forwarding system
set service ssh listen-address '0.0.0.0'
set system host-name 'fw1-paul'
set system name-server '10.0.17.2'

FW-MGMT

set interfaces ethernet eth0 address '172.16.150.3/24'
set interfaces ethernet eth0 description 'SEC350-LAN'
set interfaces ethernet eth1 address '172.16.200.2/28'
set interfaces ethernet eth1 description 'SEC350-MGMT'
set nat source
set protocols rip interface eth0
set protocols rip network '172.16.200.0/28'
set protocols static route 0.0.0.0/0 next-hop 172.16.150.2
set service dns forwarding allow-from '172.16.200.0/28'
set service dns forwarding listen-address '172.16.200.2'
set service ssh listen-address '0.0.0.0'
set system host-name 'fw-mgmt-paul'
set system name-server '172.16.150.2'
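As an added consistency check (not part of the lab, and not VyOS tooling), the script below parses the exported `set` commands from FW1-Paul and FW-MGMT and verifies the dependency the two configs rely on: FW1's NAT rule 30 for 172.16.200.0/28 only works because FW-MGMT advertises that prefix over RIP, and each static next-hop must sit on a connected subnet. The config excerpts are the page's own lines trimmed to the relevant nodes; the function names `parse`, `check` and `audit` are my own.

```python
import ipaddress, re

# Constructed from the page's own exports, trimmed to the nodes the check needs.
FW1 = """
set interfaces ethernet eth0 address '10.0.17.127/24'
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth2 address '172.16.150.2/24'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 20 source address '172.16.150.0/24'
set nat source rule 30 source address '172.16.200.0/28'
set protocols rip network '172.16.50.0/29'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
"""
FW_MGMT = """
set interfaces ethernet eth0 address '172.16.150.3/24'
set interfaces ethernet eth1 address '172.16.200.2/28'
set protocols rip network '172.16.200.0/28'
set protocols static route 0.0.0.0/0 next-hop 172.16.150.2
"""
# One regex per config node we care about; group 1 is the value.
PATTERNS = {
    "ifaces": r"set interfaces ethernet \S+ address '([^']+)'",
    "nat_src": r"set nat source rule \d+ source address '([^']+)'",
    "rip": r"set protocols rip network '([^']+)'",
    "next_hops": r"set protocols static route \S+ next-hop (\S+)",
}

def parse(cfg):
    """Collect matching values from 'set ...' lines into lists keyed by node."""
    c = {k: [] for k in PATTERNS}
    for line in cfg.splitlines():
        for key, pat in PATTERNS.items():
            m = re.match(pat, line.strip())
            if m:
                c[key].append(m.group(1))
    return c

def check(name, cfg, peer_rip):
    """Findings for one firewall; peer_rip = prefixes the other box advertises."""
    c = parse(cfg)
    connected = [ipaddress.ip_interface(a).network for a in c["ifaces"]]
    known = connected + [ipaddress.ip_network(n) for n in peer_rip]
    findings = []
    for src in c["nat_src"]:  # NAT needs a route back to the source prefix
        if ipaddress.ip_network(src) not in known:
            findings.append(f"{name}: NAT source {src} has no connected or RIP-learned route")
    for nh in c["next_hops"]:  # a static next-hop must sit on a connected subnet
        if not any(ipaddress.ip_address(nh) in n for n in connected):
            findings.append(f"{name}: next-hop {nh} is not on a connected subnet")
    return findings

def audit():
    """Cross-check both firewalls; an empty list means the configs are consistent."""
    fw1, mgmt = parse(FW1), parse(FW_MGMT)
    return check("fw1-paul", FW1, mgmt["rip"]) + check("fw-mgmt-paul", FW_MGMT, fw1["rip"])
```

Dropping the `set protocols rip network '172.16.200.0/28'` line from FW-MGMT makes the check flag NAT rule 30 on FW1, which is exactly the failure you would see as MGMT hosts losing Internet access.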