Zone-based firewall on Cisco routers
Cisco introduced the Zone-Based Policy Firewall in IOS release 12.4(6). It helps organize firewall policies on multi-interface routers. This short tutorial shows how to set up a simple firewall policy on a router that interconnects three networks:
- Internet (on FastEthernet 0)
- DMZ (on FastEthernet 1)
- Intranet (on FastEthernet 2)
The steps are:
- Define class-maps that describe the traffic that you want to permit between zones
- Configure policy-maps to inspect traffic on the class-maps you just defined
- Configure the clients and servers zones and assign router interfaces to their respective zones
- Configure the zone-pair and apply the appropriate policy-map
- Configure access-lists for strengthening the firewall
Note: This is a basic firewall setup. It is for demonstration purposes only, you should build a stronger one!
1. Defining class maps. From the intranet to the internet and vice versa we will allow all traffic types and impose restrictions using ACLs.
class-map type inspect match-any intranet-internet-traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any internet-intranet-traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
We’ll allow SSH, FTP, POP3, IMAP and HTTP from the intranet to the DMZ, and no access from the DMZ to the intranet:
class-map type inspect match-any intranet-dmz-traffic
 match protocol icmp
 match protocol ssh
 match protocol ftp
 match protocol pop3
 match protocol imap
 match protocol http
The DMZ will be reachable from the internet only over FTP, HTTP, HTTPS, IMAPS and POP3S. From the DMZ to the internet we’ll allow all traffic.
class-map type inspect match-any internet-dmz-traffic
 match protocol ftp
 match protocol pop3s
 match protocol imaps
 match protocol http
 match protocol https
class-map type inspect match-any dmz-internet-traffic
 match protocol icmp
 match protocol tcp
 match protocol udp
2. Configuring policy maps: we need one policy-map per class-map. Each one inspects the traffic of its class and drops everything else via class-default:
policy-map type inspect internet-to-intranet-policy
 class type inspect internet-intranet-traffic
  inspect
 class class-default
  drop
policy-map type inspect intranet-to-internet-policy
 class type inspect intranet-internet-traffic
  inspect
 class class-default
  drop
policy-map type inspect intranet-to-dmz-policy
 class type inspect intranet-dmz-traffic
  inspect
 class class-default
  drop
policy-map type inspect dmz-to-internet-policy
 class type inspect dmz-internet-traffic
  inspect
 class class-default
  drop
policy-map type inspect internet-to-dmz-policy
 class type inspect internet-dmz-traffic
  inspect
 class class-default
  drop
3. Configuring zone names and assigning interfaces to them:
zone security internet
zone security intranet
zone security dmz
interface FastEthernet0
 zone-member security internet
interface FastEthernet1
 zone-member security dmz
interface FastEthernet2
 zone-member security intranet
4. Configuring zone pairs and applying the policy-maps that permit traffic between zones:
zone-pair security intranet-internet source intranet destination internet
 service-policy type inspect intranet-to-internet-policy
zone-pair security internet-intranet source internet destination intranet
 service-policy type inspect internet-to-intranet-policy
zone-pair security intranet-dmz source intranet destination dmz
 service-policy type inspect intranet-to-dmz-policy
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect internet-to-dmz-policy
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect dmz-to-internet-policy
5. Configuring access lists: for now we don’t want to allow any connections from the internet to the intranet, so we use an ACL that permits only ICMP messages. This ACL is then referenced from the internet-intranet class map.
ip access-list extended internet-to-intranet-acl
 permit icmp any 192.168.1.0 0.0.0.255
 deny ip any any
class-map type inspect match-any internet-intranet-traffic
 match access-group name internet-to-intranet-acl
Note that the mask is written in reverse (a wildcard mask), so 0.0.0.255 in the ACL corresponds to a subnet mask of 255.255.255.0.
Also keep in mind that this class-map was created as match-any, so the access-group match is just one more alternative next to the existing tcp, udp and icmp protocol matches and TCP/UDP traffic still matches the class. For the ACL to really restrict the class, define the class-map as match-all (combining the access-group with a single match protocol line) or remove the protocol matches from it.
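As an added example (not the tutorial's own code), the script below renders the five steps above from one declarative policy table and then audits the resulting configuration: it reports dangling references between zone-pairs, policy-maps, class-maps and zones, a match-any class that also carries an ACL (the ACL then restricts nothing), and a match-all class with several protocol lines (which never matches). The policy table, the interface map and all function and constant names are this example's own assumptions; the zones, protocols and ACL entries mirror the tutorial.

```python
"""Generate and sanity-check a Cisco IOS zone-based firewall configuration.
Added example, not the tutorial's own code: zones, protocols, interfaces and the
ACL mirror the tutorial; the table, function and constant names are assumptions."""
import re

# Constructed policy table: one entry per zone-pair in the tutorial. "acl" is an
# optional named extended ACL that constrains the class (internet -> intranet).
POLICY_TABLE = [
    {"src": "intranet", "dst": "internet", "protocols": ["tcp", "udp", "icmp"]},
    {"src": "internet", "dst": "intranet", "protocols": ["icmp"],
     "acl": ("internet-to-intranet-acl",
             ["permit icmp any 192.168.1.0 0.0.0.255", "deny ip any any"])},
    {"src": "intranet", "dst": "dmz",
     "protocols": ["icmp", "ssh", "ftp", "pop3", "imap", "http"]},
    {"src": "internet", "dst": "dmz",
     "protocols": ["ftp", "pop3s", "imaps", "http", "https"]},
    {"src": "dmz", "dst": "internet", "protocols": ["icmp", "tcp", "udp"]},
]
INTERFACES = {"FastEthernet0": "internet", "FastEthernet1": "dmz",
              "FastEthernet2": "intranet"}


def render_config(table: list, interfaces: dict) -> str:
    """Emit ACLs, class-maps, policy-maps, zones, interfaces and zone-pairs."""
    out = []
    for p in table:                      # ACLs first, since class-maps reference them
        if "acl" in p:
            out.append(f"ip access-list extended {p['acl'][0]}")
            out += [f" {e}" for e in p["acl"][1]]
    for p in table:                      # step 1: class-maps
        # match-all when an ACL is present, so the ACL AND the protocol must both hold
        mode = "match-all" if "acl" in p else "match-any"
        out.append(f"class-map type inspect {mode} {p['src']}-{p['dst']}-traffic")
        if "acl" in p:
            out.append(f" match access-group name {p['acl'][0]}")
        out += [f" match protocol {proto}" for proto in p["protocols"]]
    for p in table:                      # step 2: inspect the class, drop the rest
        out.append(f"policy-map type inspect {p['src']}-to-{p['dst']}-policy")
        out += [f" class type inspect {p['src']}-{p['dst']}-traffic", "  inspect",
                " class class-default", "  drop"]
    for zone in sorted({z for p in table for z in (p["src"], p["dst"])}):
        out.append(f"zone security {zone}")      # step 3: zones and their members
    for ifname, zone in interfaces.items():
        out += [f"interface {ifname}", f" zone-member security {zone}"]
    for p in table:                      # step 4: zone-pairs with their policies
        out.append(f"zone-pair security {p['src']}-{p['dst']} "
                   f"source {p['src']} destination {p['dst']}")
        out.append(f" service-policy type inspect {p['src']}-to-{p['dst']}-policy")
    return "\n".join(out) + "\n"


def audit_config(config: str) -> list:
    """Walk a ZBF config and return findings; an empty list means a consistent chain."""
    classes, policies, zones, pairs, ctx = {}, {}, set(), [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"class-map type inspect (match-any|match-all) (\S+)$", line):
            ctx = ("class", m[2])
            classes.setdefault(m[2], {"mode": m[1], "protocols": 0, "acl": False})
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            ctx = ("policy", m[1]); policies[m[1]] = []
        elif m := re.match(r"zone security (\S+)$", line):
            ctx = None; zones.add(m[1])
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            ctx = ("pair", (m[1], m[2]))
        elif ctx and ctx[0] == "class" and line.startswith("match protocol "):
            classes[ctx[1]]["protocols"] += 1
        elif ctx and ctx[0] == "class" and line.startswith("match access-group "):
            classes[ctx[1]]["acl"] = True
        elif ctx and ctx[0] == "policy" and (m := re.match(r"class type inspect (\S+)$", line)):
            policies[ctx[1]].append(m[1])
        elif ctx and ctx[0] == "pair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            pairs.append((ctx[1], m[1]))
    findings = []
    for name, c in classes.items():
        if c["acl"] and c["mode"] == "match-any" and c["protocols"]:
            findings.append(f"class-map {name}: match-any OR-s the ACL with the "
                            "'match protocol' lines, so the ACL restricts nothing")
        if c["mode"] == "match-all" and c["protocols"] > 1:
            findings.append(f"class-map {name}: match-all with several protocols never matches")
    for pol, refs in policies.items():
        findings += [f"policy-map {pol}: undefined class-map {r}" for r in refs if r not in classes]
    for (src, dst), pol in pairs:
        if pol not in policies:
            findings.append(f"zone-pair {src}->{dst}: undefined policy-map {pol}")
        findings += [f"zone-pair {src}->{dst}: undefined zone {z}" for z in (src, dst) if z not in zones]
    return findings


# Constructed: what the running config holds after step 5 re-enters the match-any
# class-map and appends the ACL match to the existing protocol matches.
TUTORIAL_STEP5_CLASS = """\
class-map type inspect match-any internet-intranet-traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group name internet-to-intranet-acl
"""

if __name__ == "__main__":
    cfg = render_config(POLICY_TABLE, INTERFACES)
    print(cfg)
    print("generated config:", audit_config(cfg) or "no findings")
    print("tutorial step-5 class:", audit_config(TUTORIAL_STEP5_CLASS))
```

Running the script prints a configuration in the same shape as the tutorial's, with the internet-to-intranet class rendered as match-all, and reports no findings for it; auditing the step-5 class-map as the tutorial writes it produces the match-any warning. The same audit can be pasted a router's `show running-config` output to catch a zone-pair whose policy-map was renamed or a policy-map whose class-map was never created.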
June 25th, 2009 at 6:27
What a nice tip.
Thanks a lot