Wednesday, March 20, 2013

Zone Based Firewall Example, Part 1 - Inside/Outside Zones

Zone Based Firewalls (ZBF) are an easy way to turn your Security licensed Cisco ISR G2 Router into a firewall. In this multi-part example, I'll create a 5 zone firewall which will include an Inside, Outside, DMZ, Guest and Self zones. This is a basic example to demonstrate the the structure of a ZBF, not a study in firewall design.

Just to clarify:

DMZ - Your Demilitarized Zone for web servers and FTP servers

Guest - Wireless guest access to outside

Inside - Your inside LAN

Outside - Represents the Internet

Self - This is the router itself, traffic generated by the router and traffic destined to the router, e.g. TACACS+, SSH, Telnet, TFTP, etc.


In Part 1, we'll create the foundation of our ZBF, the inside and outside zones which will allow your users to access the Internet and allow ICMP traffic into your LAN.



! Define Zones for Zone Based Firewall

Zone security INSIDE
Zone security OUTSIDE

! Class-Map that matches criteria specified in the IN-TO-OUT-ACL

Class-map type inspect IN-TO-OUT-CLASS
 Match access-group name IN-TO-OUT-ACL

! Class-Map that matches criteria specified in the OUT-TO-IN-ACL

Class-map type inspect OUT-TO-IN-CLASS
 Match access-group name OUT-TO-IN-ACL

! Policy-Map to inspect inside traffic going outbound, dropped traffic is logged

Policy-map type inspect IN-TO-OUT-POLICY
 Class type inspect IN-TO-OUT-CLASS
  Inspect
 Class class-default
  Drop log

! Policy-Map to pass (not inspect) outside traffic coming in, dropped traffic is logged

Policy-map type inspect OUT-TO-IN-POLICY
 Class type inspect OUT-TO-IN-CLASS
  Pass
 Class class-default
  Drop log

! Policy-Map to deny all traffic

Policy-map type inspect DENY-ALL-POLICY
 Class class-default
  Drop log

! Create Zone Pairs and Apply Service-Policies (Policy-Maps)

Zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 Service-policy type inspect IN-TO-OUT-POLICY
Zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 Service-policy type inspect OUT-TO-IN-POLICY

! Assign Zones to router interfaces

Interface GigabitEthernet0/0
 Zone-member security INSIDE
Interface GigabitEthernet0/1
 Zone-member security OUTSIDE

! ACL allows inside network to access the web and to allow pings to the outside

Ip access-list extended IN-TO-OUT-ACL
 Permit tcp 10.10.1.0 255.255.255.0 any eq www
 Permit icmp 10.10.1.0 255.255.255.0 any echo

! ACL allows pings from the outside to the 10.10.1.0 network

Ip access-list extended OUT-TO-IN-ACL
 Permit icmp any 10.10.1.0 255.255.255.0 unreachable 






No comments:

Post a Comment