IOS zone based firewall configuration in CLI (has not been tested yet)
Policy actions:
1. inspect: inspects the payload and records the connection in the state table. Use this action if you want the return traffic to be allowed back in.
2. pass: lets the traffic through but does not record the Layer 3 and Layer 4 headers in the state table, so when the traffic returns the firewall drops it because there is no matching entry in its state table.
3. drop: self-explanatory. Drop is the implicit default action in the zone-based firewall.
Because this firewall is stateful it may cause problems with VPN traffic. To disable the firewall on an interface, remove that interface from its zone membership.
R1#sh class-map type insp
Class Map type inspect match-any cls-interested-traffic (id 1)
Description: Traffic that should be allowed
Match protocol http
Match protocol https
Match protocol icmp
Match protocol ssh
Match protocol telnet
Match protocol isakmp
match protocol ipsec-msft
match protocol udp
match protocol tcp
Class Map type inspect match-any cls-icmp-reply (id 2)
Description: ICMP reply
Match protocol icmp
Match protocol tcp
Match protocol udp
Class Map type inspect match-all cls-deny-invalid-source-ip (id 3)
Description: Deny all invalid source ip from inside
Match access-group name invalid-source-ip
Class Map type inspect match-all cls-isakmp (id 16)
Match protocol udp
Match protocol ipsec-msft
Match protocol isakmp
Class Map type inspect match-all cls-remote-access (id 17)
Description: Allow outside ssh to router
Match protocol ssh
R1#sh policy-map type inspect
Policy Map type inspect pol-inside-outside
Description: Policy for inside network to outside network
Class cls-deny-invalid-source-ip
Drop log
Class cls-interested-traffic
Inspect
Class class-default
Pass
Policy Map type inspect pol-self-outside
Description: Router to outside network
Class cls-icmp-reply
Inspect
Class cls-isakmp
Pass
Class class-default
Drop
Policy Map type inspect pol-outside-self
Class cls-remote-access
Inspect
Class cls-isakmp
Pass
Class class-default
R1#sh zone-pair security
Zone-pair name zp-in-out
Description: Inside network to outside network
Source-Zone in-zone Destination-Zone out-zone
service-policy pol-inside-outside
Zone-pair name zp-self-out
Description: Router to outside network
Source-Zone self Destination-Zone out-zone
service-policy pol-self-outside
Zone-pair name zp-out-self
Description: Outside network to router itself
Source-Zone out-zone Destination-Zone self
service-policy not configured
R1#sh zone security
zone self
Description: System defined zone
zone in-zone
Description: Inside network
Member Interfaces:
FastEthernet1/0
zone out-zone
Description: Outside untrusted network
Member Interfaces:
FastEthernet0/0
R1#sh run interface fa0/0
Building configuration...
Current configuration : 157 bytes
!
interface FastEthernet0/0
description Outside zone
ip address 172.16.1.1 255.255.255.252
zone-member security out-zone
duplex auto
speed auto
!
end
R1#sh run interface fa1/0
Building configuration...
Current configuration : 154 bytes
!
interface FastEthernet1/0
description Inside network
ip address 10.0.0.1 255.255.255.0
zone-member security in-zone
duplex auto
speed auto
!
end
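As an added example (not the author's code and not run on the router above), a small Python audit that parses the show zone-pair security and show policy-map type inspect output and flags the two conditions the policy-action notes warn about: a zone-pair with no service-policy, and a policy whose class-default is pass, where the return traffic will be dropped because no state is recorded. The sample input is a trimmed copy of this page's own output; the parse functions and audit are assumptions about how a practitioner would check this, not an IOS feature.

```python
import re
# Constructed sample: trimmed "show zone-pair security" / "show policy-map type inspect" output from this page.
ZONE_PAIRS = """Zone-pair name zp-in-out
Source-Zone in-zone Destination-Zone out-zone
service-policy pol-inside-outside
Zone-pair name zp-out-self
Source-Zone out-zone Destination-Zone self
service-policy not configured"""
POLICY_MAPS = """Policy Map type inspect pol-inside-outside
Class cls-deny-invalid-source-ip
Drop log
Class cls-interested-traffic
Inspect
Class class-default
Pass
Policy Map type inspect pol-outside-self
Class class-default"""
def parse_zone_pairs(text):
    """Map zone-pair name -> (source zone, destination zone, policy or None)."""
    pairs, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Zone-pair name (\S+)", line):
            pairs[(cur := m.group(1))] = [None, None, None]
        elif m := re.match(r"Source-Zone (\S+) Destination-Zone (\S+)", line):
            pairs[cur][:2] = m.groups()
        elif m := re.match(r"service-policy (.+)", line):
            pairs[cur][2] = None if m.group(1) == "not configured" else m.group(1)
    return {k: tuple(v) for k, v in pairs.items()}

def parse_policy_maps(text):
    """Map policy name -> {class name: action ('inspect'/'pass'/'drop') or None}."""
    policies, cur, cls = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Policy Map type inspect (\S+)", line):
            policies[(cur := m.group(1))], cls = {}, None
        elif m := re.match(r"Class (\S+)", line):
            policies[cur][(cls := m.group(1))] = None
        elif cls:  # first word on the line after a Class is its action
            policies[cur][cls] = line.split()[0].lower()
    return policies

def audit(zone_pairs, policies):
    """Flag the conditions the policy-action notes above warn about."""
    findings = []
    for name, (src, dst, pol) in zone_pairs.items():
        if pol is None:  # Cisco default: dropped between zones, allowed to/from self
            findings.append(f"{name}: no service-policy, {src}->{dst} gets the default")
        elif policies.get(pol, {}).get("class-default") == "pass":  # no state kept
            findings.append(f"{name}: class-default is pass, return traffic dropped")
    return findings
```

Running audit(parse_zone_pairs(ZONE_PAIRS), parse_policy_maps(POLICY_MAPS)) on this page's output reports both zp-in-out (class-default pass) and zp-out-self (no service-policy).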