--> Zone-Based Policy Firewall lets you configure a stateful firewall on IOS routers.
--> Supports deep packet inspection.
--> Zone-Based Policy Firewall works on the concept of logical security zones.
--> A security zone is a logical segment of the network; zones are of two types:
1) System-defined zone: the self zone (cannot be changed or deleted)
--> Covers traffic destined to the router or initiated by the router.
--> Management-plane or control-plane traffic.
--> Traffic between any user-defined zone and the system-defined (self) zone is allowed by default.
--> This default can be changed with a policy.
2) User-defined zone
--> Can be created or deleted by the administrator.
--> Covers traffic passing through the router.
--> Every zone can have one or more interfaces attached to it.
--> By default, traffic within the same zone is allowed and traffic between two different zones is blocked.
--> Firewall policies are built between security zones.
--> Zone-Based Policy Firewall configuration is done with the Cisco Common Classification Policy Language (C3PL).
Steps:
1) Create the security zones.
Router(config)# zone security Inside
Router(config)# zone security Outside
2) Assign the security zones to the interfaces.
Router(config)# interface fa0/0
Router(config-if)# zone-member security Inside
Router(config-if)# interface fa0/1
Router(config-if)# zone-member security Outside
Note: Assigning interfaces to security zones in a production network can cause an outage, because traffic between two different zones is blocked by default until a policy is applied to the zone pair.
3) Specify the traffic to be inspected by the firewall with class maps (Layer 4 class maps use an ACL for traffic classification; Layer 7 class maps are used for deep inspection).
Router(config)# class-map type inspect match-any allowhttpaccess
Router(config-cmap)# match protocol http
Router(config-cmap)# exit
4) Configure the policy map to apply an action to the traffic matched by the class map.
Router(config)# policy-map type inspect allowhttpaccess
Router(config-pmap)# class type inspect allowhttpaccess
Router(config-pmap-c)# inspect
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Note: Policy map actions are of the following types:
1) Inspect -- Allow the connection and create an entry in the router's state table.
2) Allow -- Allow the connection but do not create an entry in the router's state table.
3) Drop -- Block the connection.
4) Log -- Log the packets for allow/drop actions.
5) Police -- Police (rate-limit) the traffic.
5) Create a zone pair and apply the firewall policy created above to it.
Router(config)# zone-pair security InsidetoOutside source Inside destination Outside
Router(config-sec-zone-pair)# service-policy type inspect allowhttpaccess
Router(config-sec-zone-pair)# exit
Verification:
# show policy-map type inspect zone-pair InsidetoOutside
# show zone security
# show policy-firewall config zone
# show zone-pair security
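The zone rules at the top of these notes (intra-zone allowed, inter-zone dropped by default, self zone allowed by default) and the five configuration steps above can be checked mechanically before a change goes live. The following Python script is an added example, not Cisco code and not part of the original notes: it parses a constructed IOS running-config fragment (the Inside/Outside setup from the notes, plus a hypothetical DMZ zone and an https match added for illustration), answers whether traffic between two zones is allowed, inspected, passed or dropped, and flags zones that hold interfaces but belong to no zone pair, which is the outage scenario the note under step 2 warns about.

```python
"""Model of the Zone-Based Policy Firewall rules in the notes above.

Added example (not Cisco code, not from the original notes). Parses a constructed
IOS config fragment, resolves the verdict for zone-to-zone traffic, and audits
for zones that are members of no zone pair.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config: the notes' Inside/Outside setup plus a hypothetical
# DMZ zone (no zone pair) and an https match, both added for illustration.
SAMPLE_CONFIG = """
zone security Inside
zone security Outside
zone security DMZ
class-map type inspect match-any allowhttpaccess
 match protocol http
 match protocol https
policy-map type inspect allowhttpaccess
 class type inspect allowhttpaccess
  inspect
 class class-default
  drop
zone-pair security InsidetoOutside source Inside destination Outside
 service-policy type inspect allowhttpaccess
interface FastEthernet0/0
 zone-member security Inside
interface FastEthernet0/1
 zone-member security Outside
interface FastEthernet0/2
 zone-member security DMZ
"""


@dataclass
class ZbfConfig:
    zones: set = field(default_factory=set)
    iface_zone: dict = field(default_factory=dict)    # interface -> zone
    class_maps: dict = field(default_factory=dict)    # class-map -> {protocols}
    policy_maps: dict = field(default_factory=dict)   # policy-map -> [(class, action)]
    zone_pairs: dict = field(default_factory=dict)    # (src zone, dst zone) -> policy-map


def parse_config(text):
    """Extract zones, zone membership, class/policy maps and zone pairs from config text."""
    cfg = ZbfConfig()
    ctx = None  # current sub-mode: ("iface", n) / ("cmap", n) / ("pmap", n, cls) / ("zpair", key)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"zone security (\S+)$", line):
            cfg.zones.add(m[1])
            ctx = None
        elif m := re.match(r"interface (\S+)", line):
            ctx = ("iface", m[1])
        elif m := re.match(r"class-map type inspect match-(?:any|all) (\S+)", line):
            cfg.class_maps[m[1]] = set()
            ctx = ("cmap", m[1])
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            cfg.policy_maps[m[1]] = []
            ctx = ("pmap", m[1], None)
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            ctx = ("zpair", (m[1], m[2]))
        elif ctx is None:
            pass
        elif ctx[0] == "iface" and (m := re.match(r"zone-member security (\S+)", line)):
            cfg.iface_zone[ctx[1]] = m[1]
        elif ctx[0] == "cmap" and (m := re.match(r"match protocol (\S+)", line)):
            cfg.class_maps[ctx[1]].add(m[1])
        elif ctx[0] == "pmap" and (m := re.match(r"class (?:type inspect )?(\S+)", line)):
            ctx = ("pmap", ctx[1], m[1])  # entered a class inside the policy map
        elif ctx[0] == "pmap" and ctx[2] and line in ("inspect", "pass", "drop"):
            cfg.policy_maps[ctx[1]].append((ctx[2], line))
        elif ctx[0] == "zpair" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            cfg.zone_pairs[ctx[1]] = m[1]
    return cfg


def verdict(cfg, src_zone, dst_zone, protocol):
    """Apply the notes' rules: intra-zone traffic is allowed; traffic to or from the
    self zone is allowed unless a policy says otherwise; traffic between two
    user-defined zones is dropped unless a zone pair with a policy covers it."""
    if src_zone == dst_zone:
        return "allow (intra-zone)"
    policy = cfg.zone_pairs.get((src_zone, dst_zone))
    if policy is None:
        return "allow (self zone default)" if "self" in (src_zone, dst_zone) else "drop (inter-zone default)"
    for cls, action in cfg.policy_maps.get(policy, []):
        if cls == "class-default" or protocol in cfg.class_maps.get(cls, set()):
            return action
    return "drop"  # implicit class-default


def audit(cfg):
    """Flag zones that hold interfaces but appear in no zone pair (all their inter-zone
    traffic is silently dropped), plus dangling policy-map/class-map references."""
    paired = {z for pair in cfg.zone_pairs for z in pair}
    findings = []
    for zone in sorted(cfg.zones):
        members = sorted(i for i, z in cfg.iface_zone.items() if z == zone)
        if members and zone not in paired:
            findings.append(f"zone {zone} ({', '.join(members)}) is in no zone-pair: inter-zone traffic dropped")
    for pair, pmap in cfg.zone_pairs.items():
        if pmap not in cfg.policy_maps:
            findings.append(f"zone-pair {pair} references undefined policy-map {pmap}")
    for pmap, entries in cfg.policy_maps.items():
        for cls, _ in entries:
            if cls != "class-default" and cls not in cfg.class_maps:
                findings.append(f"policy-map {pmap} references undefined class-map {cls}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for src, dst, proto in [("Inside", "Outside", "http"), ("Inside", "Outside", "ssh"),
                            ("Outside", "Inside", "http"), ("DMZ", "self", "ssh")]:
        print(f"{src} -> {dst} {proto}: {verdict(cfg, src, dst, proto)}")
    for finding in audit(cfg):
        print("AUDIT:", finding)
```

Run the script against the output of `show running-config` saved to a file to see, before applying a zone-member command, which zones would be left without a zone pair. The model deliberately covers only the actions the notes list (inspect, pass, drop) and matches on `match protocol`; ACL-based Layer 4 class maps and parameter maps are outside its scope.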
Md.Kareemoddin
CCIE # 54759