ChamplainTechJournals/net-sec-controls-sec350/labs/week03/lab3.1-segmentation-1.md
2025-04-19 23:42:08 -04:00


Lab 3.1 Segmentation 1

In this lab, we are going to segment our network by adding a new firewall and a new network (MGMT). We will retire our log01 server and replace it with a new server on the MGMT network.


If you got this far, you can shut down log01; this machine is no longer needed.

  • Shut down log01
  • On web01, remove your rsyslog drop-in configuration from /etc/rsyslog.d (comment out the user.notice and authpriv.* lines)
  • On fw01, remove the syslog host setting from the configuration: `delete system syslog host 172.16.50.5`

configure wks01 (LAN)

  • IP Address: 172.16.150.50/24
  • Gateway: 172.16.150.2
  • DNS: 172.16.150.2

fw01 - create a rule for NAT from MGMT to WAN

```
set nat source rule 30 description "NAT FROM MGMT to WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/28
set nat source rule 30 translation address masquerade
```

fw-mgmt

Configure your fw-mgmt firewall's hostname with interface descriptions and interface addresses:

  • eth0: LAN - 172.16.150.3/24
  • eth1: MGMT - 172.16.200.2/28 (NOTE: MGMT is using a /28!)

```
set interfaces ethernet eth0 description LAN
set interfaces ethernet eth1 description MGMT
set interfaces ethernet eth0 address 172.16.150.3/24
set interfaces ethernet eth1 address 172.16.200.2/28
```


Set the following:

  • gateway next-hop: `set protocols static route 0.0.0.0/0 next-hop 172.16.150.2`
  • name server set to your fw01's LAN interface address: `set system name-server 172.16.150.2`
  • DNS forwarding such that requests are allowed from your management subnet and management interface:

```
set service dns forwarding listen-address 172.16.200.2
set service dns forwarding allow-from 172.16.200.0/28
set service dns forwarding system
```

configure mgmt02 (MGMT)

  • IP Address: 172.16.200.11/28
  • Gateway: 172.16.200.2
  • DNS: 172.16.200.2

RIP on fw01 and fw-mgmt

fw01

```
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
```

fw-mgmt

```
set protocols rip interface eth0
set protocols rip network '172.16.200.0/28'
```

configure jump | wazuh-charlotte (MGMT)

  • IP: 172.16.200.10/28
  • Gateway: 172.16.200.2
  • DNS: 172.16.200.2

netplan configuration (an alternative to nmtui)

/etc/netplan/00-installer-config.yaml is the config file.

```
sudo netplan apply
sudo hostnamectl hostname wazuh-charlotte
```
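The addressing plan above is easy to get subtly wrong, and the note about MGMT being a /28 is where it usually goes wrong: a host typed with /24 on the MGMT network still "sees" its gateway, so the mistake only shows up later as broken routing or a NAT rule that does not match. The script below is an added example, not part of the lab writeup, that sanity-checks the plan with Python's standard `ipaddress` module and renders a netplan document for an MGMT host. The addresses, subnets and NAT source prefix are the ones from this lab; the `SEGMENTS`/`HOSTS` layout, the function names and the interface name `ens18` in the rendered netplan are this example's own assumptions (check the real interface name with `ip link`).

```python
"""Sanity-check the lab's addressing plan and render a netplan file.

Values are taken from the lab writeup; the data layout and function
names are this example's assumptions, not part of the lab.
"""
import ipaddress

# Subnets as the lab defines them (LAN is a /24, MGMT is a /28).
SEGMENTS = {
    "LAN": ipaddress.ip_network("172.16.150.0/24"),
    "MGMT": ipaddress.ip_network("172.16.200.0/28"),
}

# Per-interface settings: (segment, address/prefix, gateway, dns).
# Firewall interfaces have no gateway/DNS of their own here (None).
HOSTS = {
    "wks01": ("LAN", "172.16.150.50/24", "172.16.150.2", "172.16.150.2"),
    "fw-mgmt eth0": ("LAN", "172.16.150.3/24", "172.16.150.2", "172.16.150.2"),
    "fw-mgmt eth1": ("MGMT", "172.16.200.2/28", None, None),
    "mgmt02": ("MGMT", "172.16.200.11/28", "172.16.200.2", "172.16.200.2"),
    "wazuh-charlotte": ("MGMT", "172.16.200.10/28", "172.16.200.2", "172.16.200.2"),
}

# fw01 NAT rule 30 source prefix and the network fw-mgmt advertises via RIP.
NAT_SOURCE = ipaddress.ip_network("172.16.200.0/28")
RIP_FW_MGMT = ipaddress.ip_network("172.16.200.0/28")


def check_host(name, segment, addr, gateway, dns):
    """Return a list of problems with one interface's settings."""
    problems = []
    iface = ipaddress.ip_interface(addr)
    subnet = SEGMENTS[segment]
    # Compare the whole network, not just membership: 172.16.200.11/24
    # still contains gateway 172.16.200.2, so only a network comparison
    # catches a /24 typed on the /28 MGMT segment.
    if iface.network != subnet:
        problems.append(f"{name}: {addr} is not on {segment} {subnet}")
    for label, value in (("gateway", gateway), ("dns", dns)):
        if value is None:
            continue
        ip = ipaddress.ip_address(value)
        if ip not in subnet:
            problems.append(f"{name}: {label} {value} is outside {segment} {subnet}")
        elif ip == iface.ip:
            problems.append(f"{name}: {label} {value} equals the host address")
    return problems


def validate_plan(hosts=HOSTS):
    """Run every check; an empty list means the plan is consistent."""
    problems = []
    for name, (segment, addr, gw, dns) in hosts.items():
        problems.extend(check_host(name, segment, addr, gw, dns))
    # fw01 must masquerade exactly the MGMT range, no more and no less.
    if NAT_SOURCE != SEGMENTS["MGMT"]:
        problems.append(f"NAT rule 30 source {NAT_SOURCE} != MGMT {SEGMENTS['MGMT']}")
    # fw-mgmt advertises its MGMT subnet via RIP; the prefix must match.
    if RIP_FW_MGMT != SEGMENTS["MGMT"]:
        problems.append(f"fw-mgmt RIP network {RIP_FW_MGMT} != MGMT {SEGMENTS['MGMT']}")
    return problems


def netplan_for(name, hosts=HOSTS, ifname="ens18"):
    """Render a netplan YAML document for one host (hypothetical helper;
    'ens18' is a placeholder interface name)."""
    _segment, addr, gw, dns = hosts[name]
    return (
        "network:\n"
        "  version: 2\n"
        "  ethernets:\n"
        f"    {ifname}:\n"
        f"      addresses: [{addr}]\n"
        "      routes:\n"
        "        - to: default\n"
        f"          via: {gw}\n"
        "      nameservers:\n"
        f"        addresses: [{dns}]\n"
    )


if __name__ == "__main__":
    issues = validate_plan()
    print("\n".join(issues) if issues else "addressing plan is consistent")
    print(netplan_for("wazuh-charlotte"))
```

Run it before touching nmtui or netplan: an empty problem list means every host sits on the subnet its segment defines, each gateway and DNS address lives on that same subnet, and the fw01 NAT rule and the fw-mgmt RIP advertisement cover exactly the MGMT /28.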