CCNA Security - Part 15: Implementing Cisco IOS Zone-Based Firewalls

  Hi LinkedIn,

A few days ago, I started a new training course called "CCNA Security 210-260", which we will explore in a series of 19 articles:

Modules

  1. Networking Security Concepts Done
  2. Common Security Threats Done
  3. Implementing AAA in Cisco IOS Done
  4. Bring Your Own Device (BYOD) Done
  5. Fundamentals of VPN Technology and Cryptography Done
  6. Fundamentals of IP Security Done
  7. Implementing IPsec Site-to-Site VPNs Done
  8. Implementing SSL VPNs Using Cisco ASA Done
  9. Securing Layer 2 Technologies Done
  10. Network Foundation Protection Done
  11. Securing the Management Plane on Cisco IOS Devices Done
  12. Securing the Data Plane in IPv6 Done
  13. Securing Routing Protocols and the Control Plane Done
  14. Understanding Firewall Fundamentals Done
  15. Implementing Cisco IOS Zone-Based Firewalls
  16. Configuring Basic Firewall Policies on Cisco ASA
  17. Cisco IDS/IPS Fundamentals
  18. Mitigation Technologies for E-mail-Based and Web-Based Threats
  19. Mitigation Technologies for Endpoint Threats

In this article we will describe how to implement Cisco IOS Zone-Based Firewalls in the following steps:

1. How the Zone-Based Firewall Operates

2. Configuring and Verifying Cisco IOS Zone-Based Firewalls

  - Configure ZBF

  - Implementing NAT

Summary

1. How the Zone-Based Firewall Operates

  In this type of firewall the administrator creates named security zones and assigns each interface to one of them; a zone can contain one or more interfaces, but an interface can belong to only one zone. Typical zones are inside and outside, but any number of zones can be defined. Traffic between interfaces in the same zone is permitted without any policy, and traffic between two different zones is dropped unless a policy applied to that pair of zones allows it. ZBF has many features:

- Stateful inspection

- Application inspection

- Packet filtering

- URL filtering

- Transparent firewall

- Support for virtual routing and forwarding (VRF: separate routing-table instances on the same router)

- Access control lists

  To understand the configuration model we need the Cisco Common Classification Policy Language (C3PL), which has three components:

- Class maps: identify the traffic that a policy should act on. Traffic can be matched from Layer 3 up to Layer 7 (access lists, protocols such as FTP or HTTP, or other class maps). A class map is declared match-all (every listed condition must be true) or match-any (one true condition is enough).

- Policy maps: define the action taken on the traffic identified by each class map, so a policy map calls the class maps we already created. Three actions exist: inspect (stateful inspection; the return traffic of the session is allowed automatically), pass (permit the traffic without inspection, so return traffic needs its own policy in the other direction) and drop (discard the traffic; drop log also logs it). A policy map is processed from top to bottom, the first matching class wins, and traffic that matches no class falls into class-default, which drops it.

- Service policies: a policy map is attached to a zone pair; a zone pair is a pair of zones plus the direction of the flow between them. "The policy map applied to the zone pair (using the service-policy command) applies to traffic initiated in one zone going to the other zone in one direction. If reply traffic is desired, the inspect action in the policy map should be applied, which will allow stateful inspection" [Source Cisco Book]

  Now that we know those components, let's configure the ZBF:

  - Create the class map (CLASS-NAME is a placeholder; match-any matches if any listed condition holds, match-all requires all of them):

 R(config)#class-map type inspect match-any CLASS-NAME
 R(config-cmap)#match protocol ftp
 R(config-cmap)#exit

  - Create the policy map, call the class map inside it and choose the action (POLICY-NAME is a placeholder; inspect gives stateful inspection, so return traffic is allowed automatically):

 R(config)#policy-map type inspect POLICY-NAME
 R(config-pmap)#class type inspect CLASS-NAME
 R(config-pmap-c)#inspect
 R(config-pmap-c)#exit
 R(config-pmap)#exit

  - Name the security zones (INSIDE and OUTSIDE are placeholder names):

 R(config)#zone security INSIDE
 R(config-sec-zone)#exit
 R(config)#zone security OUTSIDE
 R(config-sec-zone)#exit

  - Create the zone pair (source zone and destination zone, i.e. the direction of the flow) and apply the policy map to it:

 R(config)#zone-pair security in-out source INSIDE destination OUTSIDE
 R(config-sec-zone-pair)#service-policy type inspect POLICY-NAME
 R(config-sec-zone-pair)#exit

  - Assign the interfaces to their zones (interface names are placeholders; an interface can be in one zone only, and traffic between a zone member and an interface that is in no zone is dropped):

 R(config)#interface GigabitEthernet0/0
 R(config-if)#zone-member security INSIDE
 R(config-if)#exit
 R(config)#interface GigabitEthernet0/1
 R(config-if)#zone-member security OUTSIDE
 R(config-if)#exit

- The Self Zone

  Traffic destined to the router itself (and traffic the router originates) belongs to the self zone. By default all traffic to and from the self zone is permitted; it is only restricted once a zone pair that has the self zone as source or destination gets a policy applied. From then on anything that policy does not inspect or pass is dropped, so such a policy must explicitly allow management traffic (SSH, SNMP, ...) and anything else the router must receive, such as routing-protocol packets, or you lock yourself out of the device.
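As an added example that is not part of the original article (and not Cisco code), the following Python script models the rules described above so a policy can be checked before it is pushed to a router: it parses a ZBF configuration written in the IOS syntax used in this article and reports what happens to a flow between two interfaces. The configuration, zone names, class-map and policy-map names, interface names and the management protocol list are constructed for this example. The configuration also reproduces the self-zone problem from the last step: the INSIDE-to-self policy only inspects ICMP, so SSH to the router would be dropped.

```python
"""Evaluator for the ZBF rules described above.  Added example, not code from
the article or from Cisco; zone, class-map, policy-map and interface names are
placeholders.  Simplifications: only 'match protocol' classes are modelled and
self-zone traffic is judged per direction (a pair with no policy stays open)."""
import re
from collections import namedtuple

# Constructed IOS configuration.  The INSIDE->self policy only admits ICMP,
# which is exactly the self-zone lockout the article warns about.
SAMPLE_CONFIG = """\
class-map type inspect match-any CM-IN-OUT
 match protocol http
 match protocol https
 match protocol ftp
class-map type inspect match-any CM-TO-SELF
 match protocol icmp
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop log
policy-map type inspect PM-TO-SELF
 class type inspect CM-TO-SELF
  inspect
zone security INSIDE
zone security OUTSIDE
zone-pair security in-out source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security in-self source INSIDE destination self
 service-policy type inspect PM-TO-SELF
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
interface GigabitEthernet0/2
"""

Zbf = namedtuple("Zbf", "class_maps policy_maps zone_pairs interface_zone")

def parse_zbf(text):
    """class_maps: name -> (mode, [protocols]); policy_maps: name -> [(class, action)];
    zone_pairs: (src, dst) -> policy or None; interface_zone: interface -> zone."""
    cfg, ctx = Zbf({}, {}, {}, {}), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"class-map type inspect (match-any|match-all) (\S+)", line):
            ctx = ("cmap", m[2]); cfg.class_maps[m[2]] = (m[1], [])
        elif m := re.match(r"match protocol (\S+)", line):
            cfg.class_maps[ctx[1]][1].append(m[1])
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            ctx = ("pmap", m[1], None); cfg.policy_maps[m[1]] = []
        elif m := re.match(r"class (?:type inspect )?(\S+)", line):
            ctx = ("pmap", ctx[1], m[1])
        elif line in ("inspect", "pass", "pass log", "drop", "drop log"):
            cfg.policy_maps[ctx[1]].append((ctx[2], line.split()[0]))
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            ctx = ("zpair", (m[1], m[2])); cfg.zone_pairs[ctx[1]] = None
        elif m := re.match(r"service-policy type inspect (\S+)", line):
            cfg.zone_pairs[ctx[1]] = m[1]
        elif m := re.match(r"interface (\S+)", line):
            ctx = ("if", m[1])
        elif m := re.match(r"zone-member security (\S+)", line):
            cfg.interface_zone[ctx[1]] = m[1]
    return cfg

def class_matches(cfg, class_name, protocol):
    mode, protocols = cfg.class_maps[class_name]
    # match-any: any listed protocol is enough; match-all: every match line must hold
    return protocol in protocols if mode == "match-any" else all(p == protocol for p in protocols)

def evaluate(cfg, src_zone, dst_zone, protocol):
    """Return 'permit' (ZBF lets it through with no policy), 'inspect', 'pass'
    or 'drop'.  None = interface in no zone; 'self' = the router itself."""
    if src_zone == dst_zone:
        return "permit"                 # same zone, or both interfaces outside ZBF
    if src_zone is None or dst_zone is None:
        return "drop"                   # zone member <-> non-member never passes
    policy = cfg.zone_pairs.get((src_zone, dst_zone))
    if policy is None:                  # no zone pair, or a pair without a policy
        return "permit" if "self" in (src_zone, dst_zone) else "drop"
    for class_name, action in cfg.policy_maps[policy]:   # top to bottom, first hit wins
        if class_name == "class-default" or class_matches(cfg, class_name, protocol):
            return action
    return "drop"                       # implicit class-default

def evaluate_flow(cfg, in_if, out_if, protocol):
    zone = lambda i: "self" if i == "self" else cfg.interface_zone.get(i)
    return evaluate(cfg, zone(in_if), zone(out_if), protocol)

MGMT_PROTOCOLS = ("ssh", "https", "snmp")   # constructed list of what we manage the router with

def self_zone_lockout_risk(cfg):
    """Zone pairs into 'self' whose policy admits none of MGMT_PROTOCOLS."""
    return [pair for pair, policy in cfg.zone_pairs.items() if pair[1] == "self"
            and policy is not None
            and not any(evaluate(cfg, *pair, p) in ("inspect", "pass") for p in MGMT_PROTOCOLS)]

CFG = parse_zbf(SAMPLE_CONFIG)
```

With this configuration, evaluate_flow(CFG, "GigabitEthernet0/0", "GigabitEthernet0/1", "http") returns inspect, the reverse direction returns drop because no out-in zone pair exists (reply packets of inspected sessions are allowed by the session state, not by a policy), GigabitEthernet0/2 is unreachable from either zone because it belongs to no zone, and self_zone_lockout_risk(CFG) flags the INSIDE-to-self pair; adding "match protocol ssh" to CM-TO-SELF clears that warning.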

2. Configuring and Verifying Cisco IOS Zone-Based Firewalls

  - Configure ZBF:

  ZBF can be configured either from Cisco Configuration Professional (CCP), whose firewall wizard is the easier way, or from the CLI with the commands shown in the previous section.

  We can verify the configuration from the CLI with the following show commands:

 R#show class-map type inspect (shows the class maps)
 R#show policy-map type inspect zone-pair in-out sessions (shows the policy map applied to zone pair in-out and its active sessions)

  - Implementing NAT:

  NAT can also be configured on a Cisco router from CCP, using its NAT wizard; from the CLI the steps are the following.

  - Create a standard ACL that matches the inside source addresses to be translated (the wildcard mask 0.0.0.255 selects the whole 1.1.1.0/24 network; IOS stores an entry typed as 1.1.1.1 0.0.0.255 in this normalised form):

 R(config)#access-list 10 permit 1.1.1.0 0.0.0.255

  - Mark the inside and outside interfaces for NAT (interface names are placeholders):

 R(config)#interface GigabitEthernet0/0
 R(config-if)#ip nat inside
 R(config-if)#interface GigabitEthernet0/1
 R(config-if)#ip nat outside

  - Enable NAT (sources matched by the ACL entering the inside interface are translated to the public address of the outside interface; overload means many inside hosts share that one address and are told apart by port):

 R(config)#ip nat inside source list 10 interface GigabitEthernet0/1 overload

  - Verify the active translations:

 R#show ip nat translations
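The NAT steps above, modelled in Python as an added example (not code from the article or from Cisco): a wildcard-mask matcher for the standard ACL, and a small PAT table that does what "ip nat inside source list 10 interface ... overload" does, translating every ACL-permitted inside source to the single outside address and telling flows apart by port. The outside address 203.0.113.2, the inside hosts and the ports are constructed for this example.

```python
"""Added example (not code from the article or from Cisco): the NAT steps
above modelled in Python.  Addresses and ports below are constructed."""
import ipaddress

# access-list 10 permit 1.1.1.0 0.0.0.255  (the ACL from the article)
ACL_10 = [("permit", "1.1.1.0", "0.0.0.255")]
OUTSIDE_IP = "203.0.113.2"   # constructed address of the outside interface


def wildcard_match(addr, acl_addr, wildcard):
    """Cisco wildcard masks: a 1 bit means 'do not care'.  Only the bits where
    the wildcard is 0 are compared, so 1.1.1.1 0.0.0.255 matches exactly the
    same hosts as 1.1.1.0 0.0.0.255 (IOS normalises the entry accordingly)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, acl_addr, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def acl_permits(acl, addr):
    """Standard ACL lookup: first matching entry decides, implicit deny at the end."""
    for action, acl_addr, wildcard in acl:
        if wildcard_match(addr, acl_addr, wildcard):
            return action == "permit"
    return False


class PatTable:
    """Models 'ip nat inside source list <acl> interface <outside> overload':
    inside sources permitted by the ACL are translated to the one outside
    address and distinguished by a unique outside port."""

    def __init__(self, acl, outside_ip):
        self.acl, self.outside_ip = acl, outside_ip
        self.entries = {}      # (inside ip, inside port) -> (outside ip, outside port)
        self.used_ports = set()

    def translate(self, inside_ip, inside_port):
        """Source (ip, port) of the packet as it leaves the outside interface."""
        if not acl_permits(self.acl, inside_ip):
            return (inside_ip, inside_port)   # not a NAT candidate: routed untranslated
        key = (inside_ip, inside_port)
        if key not in self.entries:
            port = inside_port                # keep the inside port when it is free
            while port in self.used_ports:    # otherwise pick the next free one
                port = port + 1 if port < 65535 else 1024
            self.used_ports.add(port)
            self.entries[key] = (self.outside_ip, port)
        return self.entries[key]

    def show_translations(self):
        """Rows in the spirit of 'show ip nat translations' (constructed format)."""
        return [f"{o}:{op} <- {i}:{ip}" for (i, ip), (o, op) in self.entries.items()]


def demo():
    """Push four constructed flows through the table; return the post-NAT
    sources and the resulting translation table."""
    nat = PatTable(ACL_10, OUTSIDE_IP)
    results = [nat.translate("1.1.1.10", 40000),   # ('203.0.113.2', 40000)
               nat.translate("1.1.1.11", 40000),   # ('203.0.113.2', 40001): port collision
               nat.translate("1.1.1.10", 40000),   # existing entry reused
               nat.translate("10.0.0.5", 40000)]   # ('10.0.0.5', 40000): not in ACL 10
    return results, nat.show_translations()
```

The point to notice is the last flow: a source the ACL does not permit is not dropped by NAT, it is simply routed with its private address untouched, which is why the ACL in step one must cover exactly the networks that are supposed to reach the outside.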

Summary

  In this part we covered the implementation of the Cisco IOS Zone-Based Firewall from CCP and from the CLI, and how to configure NAT with the CCP wizard and the CLI.

  Everything in this article is based on the CCNA Security book, so everyone who follows this training can get an idea of the CCNA Security 210-260 exam. I wish you all the best of luck ^^

Reference

CCNA Security 210-260 Official Cert Guide, Cisco Press

Which actions can be applied in a Cisco IOS zone-based policy?

The three actions that can be applied are inspect, drop and pass.

What are the general rules for applying a Zone-Based Policy Firewall?

All traffic between zones is subject to the configured policies. Traffic cannot flow between a zone member interface and an interface that is not a zone member. The pass, inspect and drop actions can only be applied between two zones, on a zone pair.

What is the role of the pass action in a Cisco IOS Zone-Based Policy Firewall?

The pass action permits forwarding of the traffic in a manner similar to a permit statement in an access control list: the traffic is not inspected, so return traffic needs its own policy in the opposite direction.