Policy
Zone pair
Apply
Each interface is assigned to a security zone.
A zone pair specifies a one-way firewall policy between two zones. Return traffic for a flow the policy has inspected is admitted by the stateful session table, so you do not need a second zone pair in the reverse direction. Traffic between two zones that have no zone pair is dropped, as is traffic between a zone-member interface and an interface that is in no zone.
ZONES
zone security inside
zone security outside
INTERFACES
interface fa0/0
zone-member security outside
interface s0/1/0
zone-member security inside
ZONE-PAIRS
zone-pair security inside-to-outside source inside destination outside
POLICY
class-map type inspect match-any ALLOWED
match protocol telnet
policy-map type inspect FWPOLICY
class type inspect ALLOWED
inspect
APPLY
zone-pair security inside-to-outside
service-policy type inspect FWPOLICY
VERIFY
show zone security
show zone-pair security
show class-map type inspect ALLOWED
Interface
Policy
Zone pair
Service policy
Step 1: Define the zones and put interfaces in them:
configure terminal
!
zone security ZONE_PRIVATE
zone security ZONE_INTERNET
!
interface range fa0/0 - 1
 zone-member security ZONE_PRIVATE
!
interface s0/0
 zone-member security ZONE_INTERNET
Step 2: Define the class maps that identify the traffic permitted between zones:
configure terminal
!
class-map type inspect match-any CM_INTERNET_TRAFFIC
 match protocol http
 match protocol https
 match protocol ftp
Step 3: Configure a policy map that specifies the action for the class map:
configure terminal
!
policy-map type inspect PM_PRIVATE_TO_INTERNET
 class type inspect CM_INTERNET_TRAFFIC
  inspect
Step 4: Configure the zone pair and apply the policy:
configure terminal
!
zone-pair security ZONEP_PRIV_INT source ZONE_PRIVATE destination ZONE_INTERNET
 service-policy type inspect PM_PRIVATE_TO_INTERNET
ANOTHER EXAMPLE!!!!!
class-map type inspect match-any Guest_Protocols
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect Trusted
 class class-default
  pass
policy-map type inspect Guest_to_Internet
 class type inspect Guest_Protocols
  inspect
 class class-default
  drop
policy-map type inspect Trusted_to_Internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop
!
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted source Trusted destination Trusted
 service-policy type inspect Trusted
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
 service-policy type inspect Guest_to_Internet
(The zone-member security assignments for the interfaces are left out of this example; without them no traffic reaches the zone pairs. Note also that there is no Guest to Trusted or Internet to anything zone pair, so those directions are dropped by default, and the explicit class-default drop in each policy is what you get anyway if you omit it.)
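To make the decision logic behind these steps concrete, here is an added Python model of how a ZBF router treats a new flow. It is not IOS code and not part of these notes; it covers the compact summary at the top, the four-step procedure above and the Guest/Trusted/Internet example just shown, whose configuration is embedded as a constructed sample. It parses the zone, class-map, policy-map and zone-pair commands and answers "what happens to protocol P from zone A to zone B": no zone pair in that direction means drop, the first matching class decides, and class-default drops unless told otherwise. The L4_PARENT table, the function names, the match-any-only parsing and the treatment of DNS as UDP-only are assumptions made for the example.

```python
"""Model of how a Cisco IOS Zone-Based Firewall decides the fate of a new flow.
Parses the zone / class-map / policy-map / zone-pair commands used in these notes
and answers: what happens to a flow from zone A to zone B carrying protocol P?
Simplified study model (match-any semantics only), not a re-implementation of IOS."""
import re

# Constructed sample: the Guest / Trusted / Internet configuration from these
# notes, minus the intra-zone Trusted pair (intra-zone traffic passes by default).
SAMPLE_CONFIG = """
class-map type inspect match-any Guest_Protocols
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect Guest_to_Internet
 class type inspect Guest_Protocols
  inspect
 class class-default
  drop
policy-map type inspect Trusted_to_Internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
 service-policy type inspect Guest_to_Internet
"""
# Transport each application protocol rides on, so "match protocol tcp" also
# classifies http/telnet/ssh.  Assumption: dns modelled as UDP only, for brevity.
L4_PARENT = {"http": "tcp", "https": "tcp", "telnet": "tcp", "ssh": "tcp", "dns": "udp"}


def parse_config(text):
    """Collect zones, class-maps, policy-maps (classes in order) and zone-pairs."""
    cfg = {"zones": set(), "class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    kind = name = None  # configuration block currently open
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"class-map type inspect match-any (\S+)$", line):
            kind, name = "class_map", m[1]
            cfg["class_maps"][name] = []
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            kind, name = "policy_map", m[1]
            cfg["policy_maps"][name] = []  # ordered [class_name, action] entries
        elif m := re.match(r"zone security (\S+)$", line):
            kind = None
            cfg["zones"].add(m[1])
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            kind, name = "zone_pair", m[1]
            cfg["zone_pairs"][name] = {"src": m[2], "dst": m[3], "policy": None}
        elif kind == "class_map" and (m := re.match(r"match protocol (\S+)$", line)):
            cfg["class_maps"][name].append(m[1])
        elif kind == "policy_map" and (m := re.match(r"class (?:type inspect )?(\S+)$", line)):
            cfg["policy_maps"][name].append([m[1], None])
        elif kind == "policy_map" and line in ("inspect", "pass", "drop") and cfg["policy_maps"][name]:
            cfg["policy_maps"][name][-1][1] = line  # action of the last class opened
        elif kind == "zone_pair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            cfg["zone_pairs"][name]["policy"] = m[1]
    return cfg


def evaluate(cfg, src_zone, dst_zone, protocol):
    """Return (action, reason) for the first packet of a flow from src_zone to dst_zone.
    IOS rules modelled: intra-zone traffic passes; no zone-pair in that direction drops;
    the first matching class decides; class-default drops unless given another action.
    Return traffic of an inspected flow is admitted by the session table, not by a
    reverse zone-pair, which is why a single one-way pair is enough."""
    pair = next((zp for zp in cfg["zone_pairs"].values()
                 if zp["src"] == src_zone and zp["dst"] == dst_zone), None)
    if pair is None:
        if src_zone == dst_zone:
            return "pass", "intra-zone traffic passes by default"
        return "drop", f"no zone-pair {src_zone}->{dst_zone} (default deny)"
    policy = cfg["policy_maps"].get(pair["policy"])
    if policy is None:
        return "drop", "zone-pair has no usable service-policy"
    for cls_name, action in policy:
        if cls_name == "class-default":
            return action or "drop", "class-default"
        protocols = cfg["class_maps"].get(cls_name, [])
        if protocol in protocols or L4_PARENT.get(protocol) in protocols:
            return action or "drop", f"class {cls_name}"
    return "drop", "implicit class-default"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for flow in [("Guest", "Internet", "http"), ("Guest", "Internet", "telnet"),
                 ("Internet", "Guest", "http"), ("Trusted", "Internet", "ssh"),
                 ("Trusted", "Trusted", "telnet"), ("Guest", "Trusted", "http")]:
        print(flow, "->", evaluate(cfg, *flow))
```

Running it shows the asymmetry that trips people up on a first ZBF deployment: Guest to Internet HTTP is inspected, the same HTTP from Internet to Guest is dropped because no zone pair exists in that direction, and Guest to Trusted is dropped for the same reason even though both zones have policies elsewhere. Replace SAMPLE_CONFIG with a `show running-config` extract to check your own zone pairs before touching the router.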
MY EXAMPLE !!!!!!!
Just a basic Zone Based Firewall Example
R1 -----------------1.1.1.4 FA0/0 R4 2.2.2.4 FA0/1 -------------------- R3
CONFIG ON R4
zone security RICHPRIVATE
zone security RICHINTERNET
interface fa0/0
zone-member security RICHPRIVATE
interface fa0/1
zone-member security RICHINTERNET
class-map type inspect match-any ALLOW
match protocol telnet
match protocol icmp
policy-map type inspect RICHINSPECT
class type inspect ALLOW
inspect
zone-pair security RICHPRIVATE-TO-INTERNET source RICHPRIVATE destination RICHINTERNET
service-policy type inspect RICHINSPECT
R4#show policy-map type inspect zone-pair
policy exists on zp RICHPRIVATE-TO-INTERNET
Zone-pair: RICHPRIVATE-TO-INTERNET
Service-policy inspect : RICHINSPECT
Class-map: ALLOW (match-any)
Match: protocol telnet
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:10]
Session creations since subsystem startup or last reset 1
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:1:0]
Last session created 00:04:54
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Great troubleshooting command (global configuration): it logs every packet the firewall drops, so you can see which zone pair or class-default drop is eating your traffic. Remove it again once you are done, since it logs per dropped packet.
ip inspect log drop-pkt