This lab is designed for students to acquire fundamental skills in defensive cybersecurity by configuring a Demilitarized Zone (DMZ) in Cisco Packet Tracer. The objectives are:
This exercise is structured step by step to help you understand how to correctly and securely configure and protect a network with a DMZ. It is very important that you follow the provided instructions precisely, especially the IP addressing plan and the indicated commands.
Using other IPs or changing the configuration order may break connectivity, prevent NAT from working, or invalidate the ACLs.
Later, you will be able to practice creating a free-form DMZ, designing your own topology and access rules. But in this lab, the goal is to first understand the logic and fundamentals by following a controlled model.
Download the file here and open it with Packet Tracer.
Once you have opened the file in Packet Tracer, you will see a floating window with instructions to follow.
At the start of this lab, you do not need to create or cable the network from scratch. A prebuilt functional topology is already provided in Packet Tracer so you can focus on what matters most: security configuration.
Central Router (Router_FW): Cisco ISR 2911
GigabitEthernet0/0 connected to SW_Internal (LAN network)
GigabitEthernet0/1 connected to SW_DMZ (DMZ network)
GigabitEthernet0/2 connected to SW_External (external/internet network)
Cisco 2960 Switches:
SW_Internal connects to PC_Internal
SW_DMZ connects to Server-PT Web_DMZ
SW_External connects to PC_External
End Devices:
PC_Internal (user in LAN)
Server-PT Web_DMZ (web server in the DMZ)
PC_External (external user simulating the internet)
Your task will be to complete the logical configuration of this prebuilt network. You must:
Assign IP addresses to all end devices and the router.
This ensures that each zone (LAN, DMZ, External) has basic connectivity.
Configure static NAT on the router so that the DMZ server can be accessed from outside.
Using NAT is a key technique to hide private addresses and expose public services in a controlled way.
Apply Access Control Lists (ACLs) to restrict traffic between zones.
ACLs simulate a firewall, blocking unauthorized access and allowing only what is necessary for each role.
Perform functional validation tests:
These tests simulate real security situations, where you verify that only legitimate traffic is allowed and malicious or unnecessary traffic is blocked.
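As an added illustration of the static NAT and ACL tasks above (not the lab's own commands or addressing plan, which come from the Packet Tracer instructions), this is how the two pieces fit together on Router_FW. All IP addresses and the ACL names are constructed assumptions; only the interface roles match the topology described above.

```cisco
! Constructed addressing (assumption, NOT the lab's IP plan):
!   LAN 192.168.1.0/24, DMZ 192.168.2.0/24, External 203.0.113.0/24
!   Web_DMZ private address 192.168.2.10, published as 203.0.113.10
!
! Static one-to-one NAT: the server's private address never appears
! on the external segment, only the published address does.
ip nat inside source static 192.168.2.10 203.0.113.10
!
! Inbound on the external interface. This ACL is checked BEFORE the
! destination is translated, so it must match the published address.
ip access-list extended EXTERNAL_IN
 permit tcp any host 203.0.113.10 eq 80
 deny ip any any
!
! Inbound from the DMZ. Checked before source translation, so it
! matches the private address. "established" passes only segments
! with ACK or RST set: the server can answer web requests but cannot
! open new connections toward the LAN or the outside.
! Side effect: ICMP echo replies from the server are also dropped,
! so a ping to the server fails while HTTP succeeds.
ip access-list extended DMZ_IN
 permit tcp host 192.168.2.10 eq 80 any established
 deny ip any any
!
interface GigabitEthernet0/0
 description LAN (SW_Internal)
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 description DMZ (SW_DMZ)
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip access-group DMZ_IN in
 no shutdown
!
interface GigabitEthernet0/2
 description External (SW_External)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group EXTERNAL_IN in
 no shutdown
```

After each validation test, `show ip nat translations` and `show access-lists` show the translation entry and the per-rule match counters, which tells you which rule allowed or dropped the traffic.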
Once you have completed the Packet Tracer instructions, you must save your file and prepare a technical report following the official report template provided. Important! Use the template as a guide to write your report. Unstructured or incomplete submissions will not be accepted.
dmz-lab (or similar).
informe/Informe_DMZ_Laboratorio.md: the completed report using the template.
evidencias/: screenshots of the tests performed.
README.md that briefly explains the objective of the lab and the contents of the repository.