Monday, April 2, 2012

Zone Based Firewall

I interface
P olicy
Z one pair
A pply

Each interface is assigned a security zone

A zone pair specify a one way firewall policy between 2 zones

INTERFACES
int fa0/0
zone-member security outside

int s0/1/0
zone-member securty inside

ZONE-PAIRS
zone-pair security {name} source inside dest outside

POLICY
class-map type inspect match-any ALLOWED
match telnet

policy-map type inspect FWPOLICY
class type inspect ALLOWED
inspect

APPLY
zone-pair security inside-to-outside
service-policy type inspect  FWPOLICY

show zone security
show zone-pair security
show class-map type inspect ALLOWED


I nterface
P policy
Z one pair
S ervice policy

Step 1: Define and populate our zones:

configure terminal
!
zone security ZONE_PRIVATE
zone security ZONE_INTERNET
!
interface range fa0/0 - 1
zone-member security ZONE_PRIVATE
!
interface s0/0
zone-member security ZONE_INTERNET

Step 2: Define the class maps that identify traffic that is permitted between zones:

configure terminal
!
class-map type inspect match-any CM_INTERNET_TRAFFIC
match protocol http
match protocol https
match protocol ftp

Step 3: Configure a policy map which specifies the action for the class map:

configure terminal
!
policy-map type inspect PM_PRIVATE_TO_INTERNET
class type inspect CM_INTERNET_TRAFFIC
inspect

Step 4: Configure the zone pair and apply your policy:

configure terminal
zone-pair security ZONEP_PRIV_INT source ZONE_PRIVATE destination ZONE_INTERNET
service-policy type inspect PM_PRIVATE_TO_INTERNET
 
 
 
ANOTHER EXAMPLE!!!!! 
 
class-map type inspect match-any Guest_Protocols
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect Trusted
 class class-default
  pass
policy-map type inspect Guest_to_Internet
 class type inspect Guest_Protocols
  inspect 
 class class-default
  drop
policy-map type inspect Trusted_to_Internet
 class type inspect All_Protocols
  inspect 
 class class-default
  drop
!         
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted source Trusted destination Trusted
 service-policy type inspect Trusted
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
 service-policy type inspect Guest_to_Internet 



 MY EXAMPLE !!!!!!!


Just a basic Zone Based Firewall Example

R1 -----------------1.1.1.4 FA0/0 R4 2.2.2.4 FA0/1 -------------------- R3


CONFIG ON R4

zone security RICHPRIVATE
zone security RICHINTERNET

Int fa0/0
 zone-member security RICHPRIVATE

Int fa0/1
 zone-member security RICHINTERNET

class-map type inspect match-any ALLOW
 match protocol telnet
 match protocol icmp

policy-map type inspect RICHINSPECT
 class type inspect ALLOW
  inspect

zone-pair security RICHPRIVATE-TO-INTERNET source RICHPRIVATE destination RICHINTERNET
 service-policy type inspect RICHINSPECT


R4#show policy-map type inspect zone-pair

policy exists on zp RICHPRIVATE-TO-INTERNET
 Zone-pair: RICHPRIVATE-TO-INTERNET

  Service-policy inspect : RICHINSPECT

    Class-map: ALLOW (match-any)
      Match: protocol telnet
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 80 bytes
        30 second rate 0 bps

   Inspect
        Packet inspection statistics [process switch:fast switch]
        icmp packets: [0:10]

        Session creations since subsystem startup or last reset 1
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:1:0]
        Last session created 00:04:54
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 1
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes


Great troubleshooting command 

ip inspect log drop-pkt













pppoe

Cisco IOS Broadband Access Aggregation and DSL Command Reference


client side

interface FastEthernet0/0
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address dhcp
encapsulation ppp
ppp authentication chap
dialer pool 1
dialer-group 1

!interface Virtual-Template1
 no ip address


server side

ip dhcp pool R3
network 192.168.1.0 255.255.255.0
bba-group pppoe global
virtual-template 1
!
!interface FastEthernet0/0
no ip address
duplex half
pppoe enable group global
!
interface Virtual-Template1
ip address 192.168.1.2 255.255.255.0