CCNA security - Part 15: Implementing Cisco IOS Zone-Based Firewalls
Hi LinkedIn,
A few days ago I started a new training course called "CCNA Security 210-260", which we will explore in a series of 19 articles:
Modules
- Networking Security Concepts Done
- Common Security Threats Done
- Implementing AAA in Cisco IOS Done
- Bring Your Own Device (BYOD) Done
- Fundamentals of VPN Technology and Cryptography Done
- Fundamentals of IP Security Done
- Implementing IPsec Site-to-Site VPNs Done
- Implementing SSL VPNs Using Cisco ASA Done
- Securing Layer 2 Technologies Done
- Network Foundation Protection Done
- Securing the Management Plane on Cisco IOS Devices Done
- Securing the Data Plane in IPv6 Done
- Securing Routing Protocols and the Control Plane Done
- Understanding Firewall Fundamentals Done
- Implementing Cisco IOS Zone-Based Firewalls
- Configuring Basic Firewall Policies on Cisco ASA
- Cisco IDS/IPS Fundamentals
- Mitigation Technologies for E-mail-Based and Web-Based Threats
- Mitigation Technologies for Endpoint Threats
In this article we describe how to implement Cisco IOS Zone-Based Firewalls in the following steps:
1. How a Zone-Based Firewall Operates
2. Configuring and Verifying Cisco IOS Zone-Based Firewalls
- Configure ZBF
- Implementing NAT
Summary
1. How a Zone-Based Firewall Operates
In this type of firewall the administrator assigns each interface to a named zone and defines a policy for the traffic between zones. We can create several zones (for example inside and outside); a zone contains one or more interfaces, and an interface can belong to only one zone. Traffic between interfaces of the same zone is allowed by default, whereas to allow traffic between two different zones we need to create a policy for that pair of zones. ZBF offers many features:
- Stateful inspection
- Application inspection
- Packet filtering
- URL filtering
- Transparent firewall
- Support for virtual routing and forwarding (VRF: a separate routing table used to keep a set of routes isolated from the global table)
- Access control lists
To understand the concept better we will explain the Cisco Common Classification Policy Language (C3PL), which has three components:
- Class maps: used to identify the traffic that should be inspected; traffic can be matched on criteria from Layer 3 up to Layer 7. A class map can be configured to require all the conditions in its list (match-all) or any one of them (match-any).
- Policy maps: define the actions applied to the traffic; in a policy map we reference the class maps we already created. Policy maps use four actions: inspect (stateful inspection of the traffic), permit (permit traffic without inspection), drop (drop traffic that matches the class) and log (log information about the traffic that matches the class). A policy map is processed from top to bottom.
- Service policies: applied to a zone pair; a zone pair represents the direction of the flow between two zones. "The policy map applied to the zone pair (using the service-policy command) applies to traffic initiated in one zone going to the other zone in one direction. If reply traffic is desired, the inspect action in the policy map should be applied, which will allow stateful inspection" [Source Cisco Book]
Now that we know these components, we can configure the ZBF:
- Create the class map:
R(config)#class-map type inspect match-any CLASS-NAME
R(config-cmap)#match protocol ftp
R(config-cmap)#exit
- Create the policy map:
R(config) R(config-pmap) R(config-pmap-c) R(config-pmap-c) R(config-pmap)
- Name the security zones:
R(config) R(config-sec-zone) R(config) R(config-sec-zone)
- Create the zone pair (two zones and a direction) and apply the policy map:
R(config) R(config-sec-zone) R(config-sec-zone)
- Apply the configuration to the interfaces:
R(config) R(config-if) R(config-if) R(config-if) R(config-if) R(config-if) R(config-if)
- The self zone:
All traffic destined to the router itself is considered as going to the self zone. By default all traffic to and from the self zone is allowed; if we want to change that we must apply a policy to a zone pair that involves the self zone, and as soon as such a policy is applied we have to make sure it still allows our management traffic.
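The steps above put together into one complete configuration, as an added example that is not from the original article: it inspects web and DNS traffic from INSIDE to OUTSIDE and restricts traffic to the self zone to SSH from the LAN. Zone, class map and policy map names, the interfaces and the IP addresses are all assumed.

```cisco
! Security zones
zone security INSIDE
zone security OUTSIDE
!
! Class map: match-any means any one of the listed protocols qualifies
class-map type inspect match-any CM-IN-OUT
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Policy map: inspect matched traffic (return traffic is allowed statefully),
! drop and log everything else
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop log
!
! The zone pair gives the direction: INSIDE -> OUTSIDE
zone-pair security in-out source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! Self zone: once a policy is applied here only what it allows reaches the
! router from INSIDE, so management (SSH from the LAN) must be permitted
ip access-list extended ACL-MGMT-SSH
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
!
class-map type inspect match-all CM-MGMT
 match access-group name ACL-MGMT-SSH
 match protocol tcp
!
policy-map type inspect PM-IN-SELF
 class type inspect CM-MGMT
  inspect
 class class-default
  drop log
!
zone-pair security in-self source INSIDE destination self
 service-policy type inspect PM-IN-SELF
!
! Interfaces join their zones (addresses are constructed for this example)
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
```

Only the INSIDE-to-self direction is policed here: with no zone pair from OUTSIDE to self, traffic from the outside to the router still follows the self-zone default and is allowed, so a second zone pair with its own policy is needed to restrict it.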
2. Configuring and Verifying Cisco IOS Zone-Based Firewalls
- Configure ZBF:
In this part we configure ZBF on Cisco IOS using CCP (Cisco Configuration Professional) and the CLI. First we look at the CCP configuration (it is easier to configure the firewall with CCP):
We can verify the configuration from the CLI with the following show commands:
R#show class-map type inspect (shows the inspect class maps)
R#show policy-map type inspect zone-pair in-out sessions (shows the policy map applied to the zone pair in-out and its active sessions)
- Implementing NAT:
Having seen how to configure NAT using CCP, let's have a look at the CLI part:
- Set the ACL that matches the source IP addresses we will translate:
R(config)#access-list 10 permit 1.1.1.0 0.0.0.255
- Set the inside and outside interfaces where NAT will be applied:
R(config) R(config-if) R(config-if) R(config-if)
- Apply NAT (traffic that matches the ACL on the inside interface is translated to the public address configured on the outside interface):
R(config)
- Verify the existing configuration:
R(config)
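The NAT steps above as one configuration, added here as an example that is not from the original article; the interface names and the addresses other than the article's 1.1.1.0/24 network are assumed.

```cisco
! ACL 10 selects the inside source addresses to translate
! (1.1.1.0/24 is the range used in the article; addresses are constructed)
access-list 10 permit 1.1.1.0 0.0.0.255
!
! Mark the inside (LAN) and outside (WAN) interfaces for NAT
interface GigabitEthernet0/0
 ip address 1.1.1.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Translate ACL 10 sources to the outside interface address;
! "overload" enables PAT so many inside hosts share that one public address
ip nat inside source list 10 interface GigabitEthernet0/1 overload
end
!
! Verification from privileged exec: active translations and hit counters
show ip nat translations
show ip nat statistics
```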
Summary
In this part we discovered together how to implement the Cisco IOS Zone-Based Firewall using CCP and the CLI, and how to configure NAT using the wizard.
Everything in this article is based on the CCNA Security book, so that everyone who attends this training can get an idea of the CCNA 210-260 exam. I wish you all the best of luck ^^
Reference
CCNA Security Book 210-260