Packet Tracer DMZ ASA Lab

The purpose of this lab is to provide a more advanced understanding of Cisco’s ASA 5505 Adaptive Security Appliance; The Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. In this lab we will Packet Tracer 6.1 to learn how to configure the ASA as a basic Firewall with the addition of a third zone referred to as a DMZ. This knowledge is essential to passing the CCNA Security exam and will be used in daily in your position as a Cisco network engineer.


In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical sub network that contains and exposes an organization’s external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network.

The ASA 5505 implemented in Cisco’s Packet Tracer is the smallest model in the newest 5500 series of Cisco firewalls. It is a great product for small businesses (5-10 employees) or even for home network use. However, if you need to create a DMZ zone (in addition to your Inside and Outside zones) in order to install a publicly accessible server (e.g. WEB server, MAIL server etc.), then the default basic license provided by Packet Tracer 6.1 won’t work for you. The basic license does not allow more than 2 security zones. You will need to upgrade to “Security Plus” license which also enhances some other firewall parameters (more firewall connections, more remote access VPN sessions, and trunking with 20 VLANs).

Due to the above limitations in our lab we will use Packet Tracer to configure a small security network with the following requirements:
Computers on the inside interface will be allowed to access the web server in the internet.
Computers on the inside will also have access to the SarePoint server in the dmz.
Remote computers will also be allowed to access the internet but will not be allowed to access computers on the inside or dmz interface.
The dmz will also act as a guest hotspot allowing guest to connect to the internet and the SharePoint server via a wireless interface.
Guest computers will not have access to computers or servers on the inside interface.

Learning Objectives:

Configure interfaces and vlans.
Configure dhcp.
Configure Objects and object-groups.
Configure NAT rules.
Configure class-map.
Configure policy-map.
Configure service-policy.

  ASA DMZ Lab (172.6 KiB, 13,045 hits)

  Packet Tracer 6.2 (54.9 MiB, 1,328 hits)
You do not have permission to download this file.

If you have found this lab helpful please help us keep this site running.

You can leave a response, or trackback from your own site.

One Response to “Packet Tracer DMZ ASA Lab”

  1. sajjad says:

    Great and informative post
    thank you

Leave a Reply

What is 12 + 4 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)


Powered by WordPress | Designed by: backlinks | Thanks to internet marketing, etiketten drucken and index backlink