By @vanemorocho and other contributors at 4Geeks Academy
These instructions are available in 🇪🇸 Spanish 🇪🇸
This lab is designed for students to acquire fundamental skills in defensive cybersecurity by configuring a Demilitarized Zone (DMZ) in Cisco Packet Tracer. The objectives are:
- Isolate critical services (DMZ)
- Control traffic using ACLs
- Expose web services in a controlled manner
- Secure NAT configuration
This exercise is structured step by step to help you understand how to correctly and securely configure and protect a network with a DMZ. It is very important that you follow the provided instructions precisely, especially the IP addressing plan and the indicated commands.
Using other IPs or changing the configuration order may break connectivity, prevent NAT from working, or invalidate the ACLs.
Later, you will be able to practice creating a free-form DMZ, designing your own topology and access rules. But in this lab, the goal is to first understand the logic and fundamentals by following a controlled model.
Download the file here and open it with Packet Tracer.
Once you have opened the file in Packet Tracer, you will see a floating window with instructions to follow.
At the start of this lab, you do not need to create or cable the network from scratch. A prebuilt functional topology is already provided in Packet Tracer so you can focus on what matters most: security configuration.
- Central Router (Router_FW): Cisco ISR 2911
  - GigabitEthernet0/0 connected to SW_Internal (LAN network)
  - GigabitEthernet0/1 connected to SW_DMZ (DMZ network)
  - GigabitEthernet0/2 connected to SW_External (external/internet network)
- Cisco 2960 Switches:
  - SW_Internal connects to PC_Internal
  - SW_DMZ connects to Server-PT Web_DMZ
  - SW_External connects to PC_External
- End Devices:
  - PC_Internal (user in LAN)
  - Server-PT Web_DMZ (web server in the DMZ)
  - PC_External (external user simulating the internet)
Your task will be to complete the logical configuration of this prebuilt network. You must:
- Assign IP addresses to all end devices and the router. This ensures that each zone (LAN, DMZ, External) has basic connectivity.
- Configure static NAT on the router so that the DMZ server can be accessed from outside. Using NAT is a key technique to hide private addresses and expose public services in a controlled way.
- Apply Access Control Lists (ACLs) to restrict traffic between zones. ACLs simulate a firewall, blocking unauthorized access and allowing only what is necessary for each role.
- Perform functional validation tests:
  - Pings from different points in the network
  - HTTP access from the external network to the server
  - Verify that certain accesses are blocked, such as attempts to connect from the DMZ to the LAN (INTERNAL_NETWORK)
These tests simulate real security situations, where you verify that only legitimate traffic is allowed and malicious or unnecessary traffic is blocked.
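As an added example (not the lab's official commands, whose addressing plan and order you must follow as given), this is the shape such a Router_FW configuration takes on Cisco IOS; the interface addresses, the server's private address 192.168.20.10, its public address 203.0.113.10 and the ACL names OUTSIDE_IN and DMZ_IN are assumptions chosen for illustration.

```cisco
! Router_FW: illustrative Cisco IOS configuration (added example, not the
! lab's official commands). All addresses below are ASSUMED; use the
! addressing plan given in the Packet Tracer instructions.
hostname Router_FW
!
interface GigabitEthernet0/0
 description LAN - SW_Internal
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 description DMZ - SW_DMZ
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip access-group DMZ_IN in
 no shutdown
!
interface GigabitEthernet0/2
 description External - SW_External
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_IN in
 no shutdown
!
! Static NAT: 203.0.113.10 is the only address external hosts ever see for
! Web_DMZ (assumed private address 192.168.20.10).
ip nat inside source static 192.168.20.10 203.0.113.10
!
! Inbound on the external interface the ACL is evaluated before NAT, so it
! must match the public address. Only HTTP to the published server passes;
! the implicit deny drops everything else (pings to 203.0.113.10 included).
ip access-list extended OUTSIDE_IN
 permit tcp any host 203.0.113.10 eq 80
!
! Inbound on the DMZ interface: a compromised server must not reach the LAN,
! but its replies to external web clients still have to get out.
ip access-list extended DMZ_IN
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
! Verification from privileged EXEC:
!   show ip nat translations  -> static entry 203.0.113.10 <-> 192.168.20.10
!   show access-lists         -> match counters grow as the tests run
```

Run the tests from the task list after applying this: the HTTP request from PC_External to 203.0.113.10 should succeed, while a ping from Web_DMZ to PC_Internal should fail and increment the deny counter in DMZ_IN.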
Once you have completed the Packet Tracer instructions, you must save your file and prepare a technical report following the official report template provided. Important! Use the template as a guide to write your report. Unstructured or incomplete submissions will not be accepted.
- Create a public repository in your GitHub account named dmz-lab (or similar).
- Upload the following files:
  - Your final Packet Tracer file.
  - informe/Informe_DMZ_Laboratorio.md: the completed report using the template.
  - evidencias/: screenshots of the tests performed.
- Add a README.md that briefly explains the objective of the lab and the contents of the repository.
- Submit the repository link on the 4Geeks platform.
Thanks to these wonderful people (emoji key):
- Vanessa Morocho (vanemorocho), contribution: (tutorial building) ✅, (documentation) 📖
- Alejandro Sanchez (alesanchezr), contribution: (bug reports) 🐛
This and many other exercises are created by students as part of the Cybersecurity Bootcamp at 4Geeks Academy by Alejandro Sánchez and many other contributors. Discover more about our Full Stack Developer Course and the Data Science Bootcamp.