Wednesday, March 20, 2013

Zone Based Firewall Example, Part 1 - Inside/Outside Zones

Zone Based Firewalls (ZBF) are an easy way to turn your Security-licensed Cisco ISR G2 Router into a firewall. In this multi-part example, I'll create a 5-zone firewall with Inside, Outside, DMZ, Guest and Self zones. This is a basic example to demonstrate the structure of a ZBF, not a study in firewall design.

Just to clarify:

DMZ - Your Demilitarized Zone for web servers and FTP servers

Guest - Wireless guest access to outside

Inside - Your inside LAN

Outside - Represents the Internet

Self - The router itself: traffic generated by the router and traffic destined to the router, e.g. TACACS+, SSH, Telnet, TFTP, etc.


In Part 1, we'll create the foundation of our ZBF, the Inside and Outside zones, which allow your users to access the Internet and allow ICMP traffic into your LAN.



! Define zones for the Zone Based Firewall

zone security INSIDE
zone security OUTSIDE

! Class-map that matches the traffic specified in IN-TO-OUT-ACL

class-map type inspect IN-TO-OUT-CLASS
 match access-group name IN-TO-OUT-ACL

! Class-map that matches the traffic specified in OUT-TO-IN-ACL

class-map type inspect OUT-TO-IN-CLASS
 match access-group name OUT-TO-IN-ACL

! Policy-map to inspect inside traffic going outbound; everything else is dropped and logged

policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log

! Policy-map to pass (not inspect) outside traffic coming in; everything else is dropped and logged
! pass is stateless: replies to passed traffic need their own permit in the reverse zone-pair

policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUT-TO-IN-CLASS
  pass
 class class-default
  drop log

! Policy-map to deny all traffic (defined here, not yet applied to a zone-pair)

policy-map type inspect DENY-ALL-POLICY
 class class-default
  drop log

! Create zone-pairs and apply the service-policies (policy-maps)

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY

! Assign zones to router interfaces

interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE

! ACL allows the inside network to access the web and to ping the outside
! (extended ACLs take wildcard masks, so a /24 is written 0.0.0.255, not 255.255.255.0)

ip access-list extended IN-TO-OUT-ACL
 permit tcp 10.10.1.0 0.0.0.255 any eq www
 permit icmp 10.10.1.0 0.0.0.255 any echo

! ACL allows pings (echo) and ICMP unreachable messages from the outside to the 10.10.1.0 network

ip access-list extended OUT-TO-IN-ACL
 permit icmp any 10.10.1.0 0.0.0.255 echo
 permit icmp any 10.10.1.0 0.0.0.255 unreachable
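To make the structure above concrete, here is an added Python model of this two-zone configuration (example code written for this post, not Cisco's or the author's). It transcribes the zone-pairs, policy-maps, class-maps and ACLs into Python structures, parses the ACL entries in IOS syntax (rejecting a subnet mask where a wildcard mask is expected, an easy mistake in extended ACLs), and resolves a flow the way the ZBF does: traffic between interfaces in the same zone (or in no zone) is forwarded, traffic with no zone-pair in its direction is dropped, and otherwise the first matching class in the zone-pair's policy-map decides. The flow dictionaries, the 203.0.113.x addresses and the extra interface names are constructed sample values.

```python
import ipaddress

# Constructed model of the two-zone configuration in this post, transcribed into Python
# structures (ACL entries stay in IOS syntax; zone-pairs are keyed by (source, destination)).
ACLS = {
    "IN-TO-OUT-ACL": ["permit tcp 10.10.1.0 0.0.0.255 any eq www",
                      "permit icmp 10.10.1.0 0.0.0.255 any echo"],
    "OUT-TO-IN-ACL": ["permit icmp any 10.10.1.0 0.0.0.255 echo",
                      "permit icmp any 10.10.1.0 0.0.0.255 unreachable"],
}
CLASS_MAPS = {"IN-TO-OUT-CLASS": ["IN-TO-OUT-ACL"], "OUT-TO-IN-CLASS": ["OUT-TO-IN-ACL"]}
POLICY_MAPS = {  # ordered (class, action) pairs, exactly as the policy-maps list them
    "IN-TO-OUT-POLICY": [("IN-TO-OUT-CLASS", "inspect"), ("class-default", "drop")],
    "OUT-TO-IN-POLICY": [("OUT-TO-IN-CLASS", "pass"), ("class-default", "drop")],
}
ZONE_PAIRS = {("INSIDE", "OUTSIDE"): "IN-TO-OUT-POLICY", ("OUTSIDE", "INSIDE"): "OUT-TO-IN-POLICY"}
INTERFACE_ZONE = {"GigabitEthernet0/0": "INSIDE", "GigabitEthernet0/1": "OUTSIDE"}
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23}


def parse_addr(t):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from token list t; return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    w = int(ipaddress.IPv4Address(t[1]))
    if w & (w + 1):  # a wildcard must be one contiguous run of 1 bits from the right
        inv = ~w & 0xFFFFFFFF
        hint = "; that is a subnet mask, IOS ACLs take a wildcard mask" if not inv & (inv + 1) else ""
        raise ValueError(f"bad wildcard {t[1]} for {t[0]}{hint}")
    return ipaddress.ip_network((t[0], 32 - w.bit_length()), strict=False), t[2:]


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]' (the ACE subset used here)."""
    w = line.split()
    src, t = parse_addr(w[2:])
    dst, t = parse_addr(t)
    port = (PORT_NAMES.get(t[1]) or int(t[1])) if t[:1] == ["eq"] else None
    icmp = t[0] if t and port is None and w[1] == "icmp" else None
    return {"action": w[0], "proto": w[1], "src": src, "dst": dst, "port": port, "icmp": icmp}


def acl_permits(acl_name, flow):
    """First-match evaluation of a named ACL, with IOS's implicit deny at the end."""
    s, d = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for a in map(parse_ace, ACLS[acl_name]):
        if (a["proto"] in ("ip", flow["proto"]) and s in a["src"] and d in a["dst"]
                and a["port"] in (None, flow.get("dport")) and a["icmp"] in (None, flow.get("icmp"))):
            return a["action"] == "permit"
    return False


def zbf_action(flow):
    """Return (verdict, reason) for a flow entering flow['inp'] and leaving flow['out']."""
    sz, dz = INTERFACE_ZONE.get(flow["inp"]), INTERFACE_ZONE.get(flow["out"])
    if sz == dz:  # same zone, or neither interface is a zone member: no policy applies
        return "forward", "intra-zone traffic"
    policy = ZONE_PAIRS.get((sz, dz))  # None also covers zone member -> non-member
    if policy is None:
        return "drop", f"no zone-pair {sz} -> {dz}"
    for cls, action in POLICY_MAPS[policy]:
        if cls == "class-default" or any(acl_permits(a, flow) for a in CLASS_MAPS[cls]):
            return action, f"{policy}, class {cls}"
    return "drop", f"{policy} has no class-default"


if __name__ == "__main__":  # constructed sample flows
    web = dict(inp="GigabitEthernet0/0", out="GigabitEthernet0/1", proto="tcp", src="10.10.1.20", dst="203.0.113.10", dport=80)
    reply = dict(inp="GigabitEthernet0/0", out="GigabitEthernet0/1", proto="icmp", src="10.10.1.20", dst="203.0.113.10", icmp="echo-reply")
    for f in (web, reply):
        print(f["proto"], f["src"], "->", f["dst"], zbf_action(f))
```

Running it shows the inside-to-outside web flow being inspected, while an echo-reply leaving the inside hits class-default and is dropped: pass does not create state, so the replies to pings passed inbound would need their own permit on the IN-TO-OUT side if they mattered, whereas inspect (as used for the inside's own pings and web traffic) opens the return path automatically.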

Friday, February 15, 2013

Cisco Router ROMMON Upgrade

Besides keeping your IOS code up to date, you may also want to update your router's ROMMON version. The first thing to do is download the ROMMON image from Cisco for your specific router. Once downloaded, you'll need to place it in your TFTP server folder so that it can be downloaded by your router. Next, go to your router and type in the following command:

 Router#upgrade rom-monitor file tftp://192.168.30.10/C2800NM_RM2.srec.124-13r.T11

You should change C2800NM_RM2.srec.124-13r.T11 to the actual file name that you downloaded from Cisco. Execute the command; the router will download the image and prompt you to allow it to reboot.

 Router#upgrade rom-monitor file tftp://192.168.30.10/C2800NM_RM2.srec.124-13r.T11
 Loading C2800NM_RM2.srec.124-13r.T11 from 192.168.30.10 (via GigabitEthernet0/0): !!!!!!!
 [OK - 1626367 bytes]

 This command will result in a  'power-on reset' of the router!
 Continue? [yes/no]: yes

 System configuration has been modified. Save? [yes/no]: no
 ROMMON image upgrade in progress.
 Erasing boot flash  eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
 Programming boot flash ppppppppppp
            
 Now Reloading

Answer yes and the router will erase the current boot flash, program the new image and reload.

Monday, August 20, 2012

Automatic Configuration Archiving for Cisco Routers

Cisco routers provide a simple CLI-based archiving feature which allows you to archive the router's configuration to an FTP server on a periodic basis. Below is a sample configuration:

  conf t
  ! Enter archive configuration mode
  archive
   ! Archive location; $h expands to the hostname and $t to the archive time
   path ftp://username:password@192.16.1.1/Folder/$h-filename-$t
   ! Frequency of the archive in minutes (1440 = every 24 hours)
   time-period 1440
   ! Maximum number of archives to keep
   maximum 14
   ! Also create an archive before each write memory
   write-memory

The sample configuration will create an archive copy of your router's configuration every 24 hours and keep up to 14 previous versions. The $h value represents the hostname and $t represents the time the archive occurred. This configuration also creates an archive of the previous configuration whenever a write memory is performed. (IOS treats a line beginning with ! as a comment, so the comments above are placed on their own lines rather than after the commands.)