IOS zone based firewall configuration in CLI (has not been tested yet)

IOS zone based firewall configuration in CLI (has not been tested yet)

by Cyrus Lok on Monday, March 29, 2010 at 9:31pm
It is easier to see if I use SDM, however except for invalid-source-ip ACL the configurations are here.
Policy action:
1. inspect, inspect the payload and record into the state table, if you want your traffic to be returned you have to use this action.

2. pass, let the payload passes but layer4 and 3 header not recorded into the state table, so when the traffic returned firewall will drop the packet if there’s no info in its state table.

3. drop, self explanatory. Drop is implicit in zone firewall.

This firewall is stateful hence it might have problem with vpn. To disable the firewall disable the interface from the zone membership.

R1#sh class-map type insp
Class Map type inspect match-any cls-interested-traffic (id 1)
Description: Traffic that should be allowed
Match protocol http
Match protocol https
Match protocol icmp
Match protocol ssh
Match protocol telnet
Match protocol isakmp
match protocol ipsec-msft
match protocol udp
match protocol tcp

Class Map type inspect match-any cls-icmp-reply (id 2)
Description: ICMP reply
Match protocol icmp
Match protocol tcp
Match protocol udp

Class Map type inspect match-all cls-deny-invalid-source-ip (id 3)
Description: Deny all invalid source ip from inside
Match access-group name invalid-source-ip

Class Map type inspect match-all cls-isakmp (id 16)
Match protocol udp
Match protocol ipsec-msft
Match protocol isakmp

Class Map type inspect match-all cls-remote-access (id 17)
Description: Allow outside ssh to router
Match protocol ssh

R1#sh policy-map type inspect
Policy Map type inspect pol-inside-outside
Description: Policy for inside network to outside network
Class cls-deny-invalid-source-ip
Drop log
Class cls-interested-traffic
Inspect
Class class-default
Pass

Policy Map type inspect pol-self-outside
Description: Router to outside network
Class cls-icmp-reply
Inspect
Class cls-isakmp
Pass
Class class-default
Drop

Policy Map type inspect pol-outside-self
Class cls-remote-access
Inspect
Class cls-isakmp
Pass
Class class-default

R1#sh zone-pair security
Zone-pair name zp-in-out
Description: Inside network to outside network
Source-Zone in-zone Destination-Zone out-zone
service-policy pol-inside-outside
Zone-pair name zp-self-out
Description: Router to outside network
Source-Zone self Destination-Zone out-zone
service-policy pol-self-outside
Zone-pair name zp-out-self
Description: Outside network to router itself
Source-Zone out-zone Destination-Zone self
service-policy not configured

R1#sh zone security
zone self
Description: System defined zone

zone in-zone
Description: Inside network
Member Interfaces:
FastEthernet1/0

zone out-zone
Description: Outside untrusted network
Member Interfaces:
FastEthernet0/0

R1#sh run interface fa0/0
Building configuration…

Current configuration : 157 bytes
!
interface FastEthernet0/0
description Outside zone
ip address 172.16.1.1 255.255.255.252
zone-member security out-zone
duplex auto
speed auto
!
end

R1#sh run interface fa1/0
Building configuration…

Current configuration : 154 bytes
!
interface FastEthernet1/0
description Inside network
ip address 10.0.0.1 255.255.255.0
zone-member security in-zone
duplex auto
speed auto
!
end

Advertisements
This entry was posted in Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s