
Zone-Based Firewall August 6, 2010

Posted by ZoeL in Cisco, Security.

A Cisco IOS router can act as a zone-based firewall (ZBFW). The concept itself is not far from a real PIX or ASA appliance. There are three important things to remember when setting up ZBFW on a Cisco router:

  1. Zones
    Just like on an ASA or PIX, we must define which interface belongs to the outside (untrusted) zone and which to the inside (trusted) zone. Other zones can be set up as well, for example a DMZ.
  2. Inspect type for class-maps and policy-maps
    ZBFW uses a special type of class-map and policy-map called INSPECT. This type must be used every time we create a class-map or policy-map for ZBFW; otherwise we will not be able to set up a zone-pair.
  3. Zone-pair
    This command binds zones with a policy-map and defines the direction of packet flow between zones, for example from outside to inside, inside to outside, or from the DMZ to outside.

And here is a simple scenario:

Create two zones on R1, outside and inside. Internet users must not be able to telnet or ping the inside router (R2). R2 is not allowed to telnet into the Internet area. Let all other packets flow.

Steps:

  1. Create the zones, inside and outside
    !
    zone security inside
    description Internal LAN
    zone security outside
    description to Internet

    !
  2. Create inspect-type class-maps matching the telnet and ICMP protocols respectively.
    !
    class-map type inspect telnet
    match protocol telnet
    class-map type inspect ping
    match protocol icmp
    !
  3. Create inspect-type policy-maps, one for the outside-to-inside path and one for the inside-to-outside path. Add the default class to each policy-map so that any other packet may pass.
    !
    policy-map type inspect outside_to_inside_pmap
    class type inspect telnet
    drop
    class type inspect ping
    drop
    class class-default
    pass
    !

    !
    policy-map type inspect inside_to_outside_pmap
    class type inspect telnet
    drop
    class class-default
    pass
    !
  4. Create the zone-pairs, associate the policy-map and define the source and destination zones.
    !
    ! Inbound from Internet
    zone-pair security outside_to_inside_pmap source outside destination inside
    service-policy type inspect outside_to_inside_pmap
    !
    ! Outbound to Internet
    zone-pair security inside_to_outside_pmap source inside destination outside
    service-policy type inspect inside_to_outside_pmap
    !
  5. Apply the zones to the router interfaces
    !
    ! apply the outside zone to the interface facing the Internet
    interface FastEthernet0/0
    zone-member security outside
    !
    ! apply the inside zone to the interface facing R2
    interface FastEthernet0/1
    zone-member security inside
    !

Verification:

Verify Zones
R1#show zone security
zone self
Description: System defined zone

zone inside
Description: Internal LAN
Member Interfaces:
FastEthernet0/1

zone outside
Description: to Internet
Member Interfaces:
FastEthernet0/0
R1#


Verify Zone Pair
RSRack1R5#sh zone-pair security
Zone-pair name outside_to_inside
Source-Zone outside  Destination-Zone inside
service-policy outside_to_inside_pmap
Zone-pair name inside_to_outside_pmap
Source-Zone inside  Destination-Zone outside
service-policy inside_to_outside_pmap
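The show commands above confirm what the router accepted, but they do not tell you whether the pieces fit together. As an added example (not from the original post), the following script parses the zone, policy-map, zone-pair and zone-member statements of a running config and flags dangling references, zones without member interfaces, and directions with no reverse zone-pair (relevant because class-default `pass` is stateless). The sample config is constructed from the post's R1 configuration plus a deliberately half-finished "dmz" zone.

```python
import re

# Constructed sample: the post's R1 zones, policy-maps and zone-pairs (class bodies omitted) plus a half-finished "dmz" zone.
SAMPLE_CONFIG = """\
zone security inside
zone security outside
zone security dmz
policy-map type inspect outside_to_inside_pmap
policy-map type inspect inside_to_outside_pmap
zone-pair security outside_to_inside source outside destination inside
 service-policy type inspect outside_to_inside_pmap
zone-pair security inside_to_outside_pmap source inside destination outside
 service-policy type inspect inside_to_outside_pmap
zone-pair security dmz_to_outside source dmz destination outside
 service-policy type inspect dmz_to_outside_pmap
interface FastEthernet0/0
 zone-member security outside
interface FastEthernet0/1
 zone-member security inside
"""

def audit_zbfw(config):
    """Return a list of findings for a ZBFW config; an empty list means it is consistent."""
    zones, pmaps, members, pairs = [], [], set(), []
    for s in map(str.strip, config.splitlines()):
        if m := re.match(r"zone security (\S+)$", s):
            zones.append(m[1])
        elif m := re.match(r"policy-map type inspect (\S+)$", s):
            pmaps.append(m[1])
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", s):
            pairs.append({"name": m[1], "src": m[2], "dst": m[3], "policy": None})
        elif (m := re.match(r"service-policy type inspect (\S+)$", s)) and pairs:
            pairs[-1]["policy"] = m[1]  # IOS only accepts this line under a zone-pair
        elif m := re.match(r"zone-member security (\S+)$", s):
            members.add(m[1])
    findings = []
    for p in pairs:
        for z in (p["src"], p["dst"]):
            if z != "self" and z not in zones:
                findings.append(f"zone-pair {p['name']}: zone {z} is not defined")
        if p["policy"] not in pmaps:
            findings.append(f"zone-pair {p['name']}: policy-map {p['policy']} is not defined")
    for z in zones:
        if z not in members:
            findings.append(f"zone {z}: no member interfaces, its policies never apply")
    # class-default 'pass' is stateless, so replies need the reverse zone-pair too.
    dirs = [(p["src"], p["dst"]) for p in pairs]
    for src, dst in dirs:
        if (dst, src) not in dirs:
            findings.append(f"no zone-pair {dst} -> {src}: replies to passed {src} -> {dst} traffic are dropped")
    return findings
```

Paste the output of `show running-config` into `audit_zbfw` to run the same checks against a live router.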

.end.
