Here is a guideline for configuring a zone-based policy firewall on a Cisco router.
1. Create the security zones (zone security).
2. Create a zone pair to bind two zones together. A zone pair is unidirectional, so if you need bidirectional traffic you can either configure a zone pair in each direction or use the inspect action in the policy, which permits the return traffic of inspected sessions.
3. Create a policy map to allow or deny the traffic matching the criteria specified in the class map.
Example
We have R1 - R2 - R3. We will set up a zone-based firewall on R2 allowing only host 1.1.1.1 on R1 to ping host 3.3.3.3 on R3. All other traffic is not allowed.
Configuration Example
R2
class-map type inspect match-all ICMP
 match access-group 100
!
policy-map type inspect R1_R3_RULE
 class type inspect ICMP
  inspect
  ! inspect the outgoing traffic and permit its return traffic back to R1
 class class-default
  drop
  ! drop all other traffic
!
zone security INSIDE
 description R1_SIDE
zone security OUTSIDE
 description R3_SIDE
zone-pair security R1-R3 source INSIDE destination OUTSIDE
 service-policy type inspect R1_R3_RULE
 ! zone pair with f0/0 (to R1) as the inside interface and f0/1 (to R3) as the outside interface
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 zone-member security INSIDE
 ! assign the interface to the zone
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
access-list 100 permit icmp host 1.1.1.1 host 3.3.3.3
access-list 100 permit ospf any any
Verification
Ping from R1 using the f0/0 source address (192.168.1.1), which the ACL does not permit:
R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
Ping from R1 using the lo0 source address (1.1.1.1), which the ACL permits:
R1#
R1#
R1#ping 3.3.3.3 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/40/76 ms
R1#
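To make the verification results above easier to reason about, here is an added example (not from the original post and not Cisco code) that models, in a simplified way, how R2 evaluates a packet against this zone-based firewall configuration: zone lookup per interface, default drop where no zone-pair exists, ACL evaluation through the class-map, and the session that the inspect action creates for return traffic. The zone, zone-pair, ACL and policy tables are transcribed from the configuration on this page; the interface names f0/0 and f0/1 are the page's own.

```python
import ipaddress

# Tables transcribed from the R2 configuration on this page (simplified ZBF model, not IOS code).
ZONE_OF_IFACE = {"f0/0": "INSIDE", "f0/1": "OUTSIDE"}
ZONE_PAIRS = {("INSIDE", "OUTSIDE"): "R1_R3_RULE"}       # unidirectional: no OUTSIDE->INSIDE pair
ACLS = {100: [("permit", "icmp", "1.1.1.1/32", "3.3.3.3/32"),
              ("permit", "ospf", "0.0.0.0/0", "0.0.0.0/0")]}
CLASS_MAPS = {"ICMP": 100}                                  # class-map -> matched access-group
POLICY_MAPS = {"R1_R3_RULE": [("ICMP", "inspect"), ("class-default", "drop")]}


def acl_permits(acl_id, proto, src, dst):
    """Evaluate a numbered ACL top-down; an implicit deny applies when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in ACLS[acl_id]:
        if p == proto and s in ipaddress.ip_network(snet) and d in ipaddress.ip_network(dnet):
            return action == "permit"
    return False


class ZoneFirewall:
    def __init__(self):
        self.sessions = set()   # (proto, src, dst) entries created by the inspect action

    def forward(self, in_iface, out_iface, proto, src, dst):
        """Return 'permit' or 'drop' for a packet transiting R2 from in_iface to out_iface."""
        src_zone, dst_zone = ZONE_OF_IFACE[in_iface], ZONE_OF_IFACE[out_iface]
        if src_zone == dst_zone:
            return "permit"                 # traffic within one zone is not policed
        if (proto, dst, src) in self.sessions:
            return "permit"                 # return traffic of an inspected session
        policy = ZONE_PAIRS.get((src_zone, dst_zone))
        if policy is None:
            return "drop"                   # no zone-pair in this direction: dropped by default
        for cls, action in POLICY_MAPS[policy]:
            if cls == "class-default" or acl_permits(CLASS_MAPS[cls], proto, src, dst):
                if action == "inspect":
                    self.sessions.add((proto, src, dst))
                    return "permit"
                return "drop"               # the page's policy has only inspect and drop
        return "drop"
```

Running the two pings from the verification section through the model reproduces the 0/5 result for source 192.168.1.1 and the 5/5 result for source 1.1.1.1, and shows why an echo initiated from R3 toward R1 is dropped even though the reply to R1's ping is allowed.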