This is the topology I used in this lab.
![](https://tungle.ca/wp-content/uploads/2022/02/123.png)
+ Set up an IPSEC site-to-site VPN between the two PAs.
+ Configure the switch to support multiple VLANs.
+ Configure the DHCP service for multiple VLANs.
+ Configure DNAT on PA2 (192.168.20.1) to translate to the Web server on Kali (192.168.30.2), then change it so that PA2 (192.168.20.1:8888) translates to the Web server on Kali (192.168.30.2:80).
+ Configure DNAT on PA2 to the SSH server on 192.168.40.2:22, then change it so that 192.168.20.1:2222 translates to the SSH server on Kali (192.168.40.2:22).
+ Configure DNAT to allow traffic from the Internet to reach the local Web server.
+ Configure SNAT to allow the Trust zone on PA1 to access the Internet.
+ Block access to PDF files and block access to the tungle.ca domain (URL filtering).
+ Set up GlobalProtect on the Windows and Kali machines, so that the local network can be reached over the GlobalProtect VPN connection.
+ Enable Zone Protection on e1/3 to prevent DoS attacks against this zone.
+ Set up Captive Portal on the Trust interface of PA1.
Configure the basic switch settings to support multiple VLANs.
![](https://tungle.ca/wp-content/uploads/2022/02/27.png)
Configure PA1.
![](https://tungle.ca/wp-content/uploads/2022/02/2.png)
Configure DHCP.
![](https://tungle.ca/wp-content/uploads/2022/02/14.png)
![](https://tungle.ca/wp-content/uploads/2022/02/28.png)
![](https://tungle.ca/wp-content/uploads/2022/02/15.png)
Check that clients on the local network have received IP addresses from the DHCP pools for VLAN30, VLAN40, and VLAN50.
![](https://tungle.ca/wp-content/uploads/2022/02/29.png)
![](https://tungle.ca/wp-content/uploads/2022/02/30.png)
![](https://tungle.ca/wp-content/uploads/2022/02/31.png)
Webterm2 on PA2.
![](https://tungle.ca/wp-content/uploads/2022/02/32.png)
![](https://tungle.ca/wp-content/uploads/2022/02/3.png)
![](https://tungle.ca/wp-content/uploads/2022/02/5.png)
![](https://tungle.ca/wp-content/uploads/2022/02/6.png)
Configure tunnel 1 for the IPSEC site-to-site VPN from PA1 to PA2.
![](https://tungle.ca/wp-content/uploads/2022/02/8-1.png)
Configure tunnel 12 for the remote-access VPN via GlobalProtect.
![](https://tungle.ca/wp-content/uploads/2022/02/9-1.png)
![](https://tungle.ca/wp-content/uploads/2022/02/16-1.png)
Set up the IPSEC tunnel on PA1.
![](https://tungle.ca/wp-content/uploads/2022/02/17.png)
Configure a default route to send traffic to the Internet.
![](https://tungle.ca/wp-content/uploads/2022/02/18.png)
Configure another route to allow traffic from the local network on PA1 to access the local network on PA2.
![](https://tungle.ca/wp-content/uploads/2022/02/19.png)
![](https://tungle.ca/wp-content/uploads/2022/02/20.png)
Configure access rules to allow traffic from the local network on PA1 to access the local network on PA2 and the Internet.
![](https://tungle.ca/wp-content/uploads/2022/02/23.png)
Configure SNAT to allow traffic from the Trust zone to reach the Internet.
![](https://tungle.ca/wp-content/uploads/2022/02/26.png)
![](https://tungle.ca/wp-content/uploads/2022/02/24.png)
![](https://tungle.ca/wp-content/uploads/2022/02/25.png)
Set up the IKE tunnel on PA2.
![](https://tungle.ca/wp-content/uploads/2022/02/10.png)
Set up the IPSEC tunnel on PA2.
![](https://tungle.ca/wp-content/uploads/2022/02/11.png)
Configure a route from the local network on PA2 to the local network on PA1 via IPSEC tunnel 1.
![](https://tungle.ca/wp-content/uploads/2022/02/12.png)
Create access rules to allow traffic from the local network on PA2 to reach the local network on PA1.
![](https://tungle.ca/wp-content/uploads/2022/02/13.png)
Test the IPSEC site-to-site VPN.
![](https://tungle.ca/wp-content/uploads/2022/02/33.png)
Access the Apache website on VLAN 30 (started with `service apache2 start`).
![](https://tungle.ca/wp-content/uploads/2022/02/34.png)
The IPSEC tunnel is up.
![](https://tungle.ca/wp-content/uploads/2022/02/35-1.png)
Configure DNAT on PA2 so that port 8888 is translated to port 80 on the Apache Web server.
![](https://tungle.ca/wp-content/uploads/2022/02/36.png)
![](https://tungle.ca/wp-content/uploads/2022/02/37.png)
![](https://tungle.ca/wp-content/uploads/2022/02/38.png)
![](https://tungle.ca/wp-content/uploads/2022/02/39.png)
SSH: translate port 2222 to port 22.
![](https://tungle.ca/wp-content/uploads/2022/02/40.png)
![](https://tungle.ca/wp-content/uploads/2022/02/41.png)
![](https://tungle.ca/wp-content/uploads/2022/02/42.png)
Create a Security Policy.
![](https://tungle.ca/wp-content/uploads/2022/02/43.png)
![](https://tungle.ca/wp-content/uploads/2022/02/44.png)
Access Apache2 through the translated port.
![](https://tungle.ca/wp-content/uploads/2022/02/45.png)
And SSH via port 2222.
![](https://tungle.ca/wp-content/uploads/2022/02/46.png)
+ Set up GlobalProtect on PA1.
![](https://tungle.ca/wp-content/uploads/2022/02/47.png)
Enable user authentication on the Internet-facing interface for GlobalProtect.
![](https://tungle.ca/wp-content/uploads/2022/02/48.png)
![](https://tungle.ca/wp-content/uploads/2022/02/49.png)
![](https://tungle.ca/wp-content/uploads/2022/02/50.png)
Create a new user and password.
![](https://tungle.ca/wp-content/uploads/2022/02/51.png)
![](https://tungle.ca/wp-content/uploads/2022/02/52.png)
![](https://tungle.ca/wp-content/uploads/2022/02/53.png)
![](https://tungle.ca/wp-content/uploads/2022/02/54.png)
![](https://tungle.ca/wp-content/uploads/2022/02/55.png)
![](https://tungle.ca/wp-content/uploads/2022/02/56.png)
![](https://tungle.ca/wp-content/uploads/2022/02/57.png)
Set the IP pool for the GlobalProtect VPN.
![](https://tungle.ca/wp-content/uploads/2022/02/58.png)
![](https://tungle.ca/wp-content/uploads/2022/02/59.png)
![](https://tungle.ca/wp-content/uploads/2022/02/61.png)
![](https://tungle.ca/wp-content/uploads/2022/02/62.png)
![](https://tungle.ca/wp-content/uploads/2022/02/63.png)
![](https://tungle.ca/wp-content/uploads/2022/02/65.png)
Create a new Security Rule to allow traffic from GlobalProtect clients to the local networks.
![](https://tungle.ca/wp-content/uploads/2022/02/67.png)
![](https://tungle.ca/wp-content/uploads/2022/02/68.png)
![](https://tungle.ca/wp-content/uploads/2022/02/69.png)
Connect to the GlobalProtect VPN from the Windows machine.
![](https://tungle.ca/wp-content/uploads/2022/02/66.png)
![](https://tungle.ca/wp-content/uploads/2022/02/70.png)
![](https://tungle.ca/wp-content/uploads/2022/02/71.png)
![](https://tungle.ca/wp-content/uploads/2022/02/72.png)
![](https://tungle.ca/wp-content/uploads/2022/02/73.png)
![](https://tungle.ca/wp-content/uploads/2022/02/74.png)
Set up GlobalProtect on Kali. Search Google to download the GlobalProtect VPN client.
![](https://tungle.ca/wp-content/uploads/2022/02/75.png)
![](https://tungle.ca/wp-content/uploads/2022/02/76.png)
Create a VPN tunnel via GlobalProtect.
![](https://tungle.ca/wp-content/uploads/2022/02/77.png)
![](https://tungle.ca/wp-content/uploads/2022/02/78.png)
![](https://tungle.ca/wp-content/uploads/2022/02/79.png)
![](https://tungle.ca/wp-content/uploads/2022/02/80.png)
![](https://tungle.ca/wp-content/uploads/2022/02/81.png)
+ Block TungBlog on PA1.
![](https://tungle.ca/wp-content/uploads/2022/02/82.png)
![](https://tungle.ca/wp-content/uploads/2022/02/83.png)
![](https://tungle.ca/wp-content/uploads/2022/02/84.png)
![](https://tungle.ca/wp-content/uploads/2022/02/85.png)
![](https://tungle.ca/wp-content/uploads/2022/02/86.png)
![](https://tungle.ca/wp-content/uploads/2022/02/87.png)
+ Set up Captive Portal on PA1.
![](https://tungle.ca/wp-content/uploads/2022/02/88.png)
![](https://tungle.ca/wp-content/uploads/2022/02/89.png)
![](https://tungle.ca/wp-content/uploads/2022/02/90.png)
![](https://tungle.ca/wp-content/uploads/2022/02/91.png)
![](https://tungle.ca/wp-content/uploads/2022/02/92.png)
![](https://tungle.ca/wp-content/uploads/2022/02/93.png)
![](https://tungle.ca/wp-content/uploads/2022/02/94.png)
![](https://tungle.ca/wp-content/uploads/2022/02/95.png)
![](https://tungle.ca/wp-content/uploads/2022/02/97.png)
![](https://tungle.ca/wp-content/uploads/2022/02/122-1024x767.png)
![](https://tungle.ca/wp-content/uploads/2022/02/98.png)
+ Block PDF files on PA1.
![](https://tungle.ca/wp-content/uploads/2022/02/100.png)
![](https://tungle.ca/wp-content/uploads/2022/02/101.png)
![](https://tungle.ca/wp-content/uploads/2022/02/102.png)
![](https://tungle.ca/wp-content/uploads/2022/02/103.png)
![](https://tungle.ca/wp-content/uploads/2022/02/104.png)
+ Configure DNAT on PA1.
![](https://tungle.ca/wp-content/uploads/2022/02/105.png)
![](https://tungle.ca/wp-content/uploads/2022/02/106.png)
![](https://tungle.ca/wp-content/uploads/2022/02/107.png)
![](https://tungle.ca/wp-content/uploads/2022/02/108.png)
![](https://tungle.ca/wp-content/uploads/2022/02/109.png)
![](https://tungle.ca/wp-content/uploads/2022/02/110.png)
![](https://tungle.ca/wp-content/uploads/2022/02/111.png)
![](https://tungle.ca/wp-content/uploads/2022/02/112.png)
![](https://tungle.ca/wp-content/uploads/2022/02/113.png)
Scan ports using the Nmap tool.
![](https://tungle.ca/wp-content/uploads/2022/02/114.png)
The port-scan traffic has been blocked by PA1.
![](https://tungle.ca/wp-content/uploads/2022/02/115.png)
![](https://tungle.ca/wp-content/uploads/2022/02/117.png)
![](https://tungle.ca/wp-content/uploads/2022/02/118.png)
![](https://tungle.ca/wp-content/uploads/2022/02/120.png)
![](https://tungle.ca/wp-content/uploads/2022/02/121.png)
+ NAT port 9999 to port 7777 on 10.10.10.1 (PA1), then NAT again from port 7777 to 192.168.30.2:80 on the Web server.
![](https://tungle.ca/wp-content/uploads/2022/02/124.png)
![](https://tungle.ca/wp-content/uploads/2022/02/125.png)
![](https://tungle.ca/wp-content/uploads/2022/02/126.png)
PA1:
![](https://tungle.ca/wp-content/uploads/2022/02/128.png)
![](https://tungle.ca/wp-content/uploads/2022/02/129.png)
![](https://tungle.ca/wp-content/uploads/2022/02/130.png)
![](https://tungle.ca/wp-content/uploads/2022/02/131.png)
![](https://tungle.ca/wp-content/uploads/2022/02/132.png)
![](https://tungle.ca/wp-content/uploads/2022/02/133.png)
![](https://tungle.ca/wp-content/uploads/2022/02/134.png)
![](https://tungle.ca/wp-content/uploads/2022/02/135-1024x570.png)
![](https://tungle.ca/wp-content/uploads/2022/02/136.png)