ZBF - New user looking for feedback

cluck_hurst76 — Tue, 12 Mar 2019 00:49:37 GMT

Hi Community,

It has been a long time since i've worked CLI with Cisco and have just started a small business with a partner and dug out an old 871w to use at the office.

After some time I got it working where Bridged Wireless and Wired are separated into VLAN 1 (Private) and VLAN 2 (Public). We will be adding a VLAN 3 for Voice network later on.

So after reading a ton of stuff on ZBF's; my head a spinning, I thought I would tackle it. I am at a design stage only and have mapped out a diagram for the network and started with what sounded as the most complicated section - the self zone.

I am basically looking for some general feedback to see if I'm on the correct path overal and maybe offer correction if needed or suggest better methods. Some constructive critisims if you will.

It's a learning exercise for me; as I mentioned it's been a long time since I touched CLI with device like this.

I have attached a speadsheet with diagram and self zone config; look forward to responses.

Thanks in advance,

Chris

Re: ZBF - New user looking for feedback

Elton Babcock — Mon, 21 Jan 2013 04:22:29 GMT

I have always thought of the self group as the easy one. Self is the router interfaces itself and if I remember correctly the self zone can go anywhere.

If you can be a little more in depth about what you want and what traffic will need to go where I can help setup your class and policy maps along with the ACLs.

You really just have to think of each area on your network as a zone and define what kind of zone it is with a name. Then you create a policy for traffic in each direction between the zones. The tricky part is when you start needing specific traffic to move across the zones when your action is drop. This is where the ACLs are important. Anyways, get back to me and we can get it all figured out.

Elton

Sent from Cisco Technical Support iPhone App

Re: ZBF - New user looking for feedback

cluck_hurst76 — Tue, 22 Jan 2013 15:32:36 GMT

Hi Elton,

Thanks for the response.

I attached a spreadsheet to the post, but I see you read via the mobile phone J

I will copy and paste the work I’ve done below. Essentially looking at

Zone A: Private Network (Wired/Wireless Bridge)

Zone B: Public Network (Wired/Wireless Bridge)

Zone C: Self

Zone 😧 Outside

Zone E: DMZ (nothing there yet, future use)

Zone F: Voice Network (IP based phones)

Zone G: VPN (future use)

As my post said, thought I would work on the self first; as I said, like to learn and understand what I’m doing as I go.

Thanks,

Chris

English:

- deny telnet connectivity from all zones

- deny http connectivity from all zones

- allow SSH only from private networks

- all https only from private networks

- allow icmp echo, reply, trace and unreachables from all networks *except *outside

- allow tftp from private network, limited hosts

- allow smtp from private network, limited hosts

- allow domain lookups

*ACLS*

ip access-list extended PRIVATE_NETWORK_TO_SELF_ACL

permit icmp 192.168.1.0 0.0.0.15 any eq echo-reply

permit icmp 192.168.1.0 0.0.0.15 any eq echo

permit icmp 192.168.1.0 0.0.0.15 any net-unreachable

permit tcp 192.168.1.0 0.0.0.15 any eq ssh

permit tcp 192.168.1.0 0.0.0.15 any eq 443

permit tcp 192.168.1.0 0.0.0.15 any eq domain

permit udp 192.168.1.0 0.0.0.15 any eq domain

permit udp 192.168.1.0 0.0.0.15 any eq snmp

permit udp 192.168.1.0 0.0.0.15 any eq tftp

ip access-list extended PUBLIC_NETWORK_TO_SELF_ACL

permit icmp 10.10.10.0 0.0.0.255 any eq echo

permit icmp 10.10.10.0 0.0.0.255 any eq echo-reply

ip access-list extended VOICE_NETWORK_TO_SELF_ACL

permit 192.168.2.0 0.0.0.255 any eq echo-reply

ip access-list extended SELF_TO_VOICE_NETWORK_ACL

permit icmp any any echo-reply

permit icmp any any echo

permit icmp any any unreachable

ip access-list extended SELF_TO_PRIVATE_NETWORK_ACL

permit icmp any any echo

permit tcp any any eq ssh

permit tcp any any eq www

permit tcp any any eq 443

ip access-list extended OUTSIDE_TO_SELF_ACL

deny ip any any

ip access-list extended SELF_TO_OUTSIDE_ACL

permit icmp any any echo-reply

permit icmp any any echo

permit icmp any any traceroute

permit icmp any any unreachable

ip access-list extended SELF_TO_PUBLIC_NETWORK

permit icmp any any eq echo

class-map type inspect match-any MANAGEMENT_PROTOCOLS_CMAP

description Protocols used in Management of the router

match protocol tcp

match protocol udp

match protocol icmp

match protocol h323

! Traffic originated from Zone A (Private) to Self

class-map type inspect match-all PRIVATE_NETWORK_TO_SELF_CMAP

match access-group name PRIVATE_NETWORK_TO_SELF_ACL

match class-map MANAGEMENT_PROTOCOLS_CMAP

! Traffic originated from the Self to Zone A (Prviate)

class-map type inspect match-all SELF_TO_PRIVATE NETWORK_CMAP

match access-group name SELF_TO_PRIVATE_NETWORK_ACL

match class-map MANAGEMENT_PROTOCOLS_CMAP

! Traffic originating Outside (Zone D) to Self

class-map type inspect match-any OUTSIDE_TO_SELF_CMAP

match access-group name OUTSIDE_TO_SELF_ACL

match class-map MANAGEMENT_PROTOCOLS_CMAP

!Traffic originating Self to Outside (Zone D)

class-map type inspect match-any SELF_TO_OUTSIDE_CMAP

match access-group name SELF_TO_OUTSIDE_ACL

match protocol icmp

! Traffic originating Self to Zone B (Public)

class-map type inspect match-all SELF_TO_PUBLIC_NETWORK_CMAP

match access-group name SELF_TO_PUBLIC_NETWORK

match protocol icmp

! Traffic originating Zone B (Public) to Self

class-map type inspect match-all PUBLIC_NETWORK_TO_SELF_CMAP

match access-group name PUBLIC_NETWORK_TO_SELF_ACL

match protocol icmp

! Traffic originating Zone F (Voice) to Self

class-map type inspect match-all VOICE_NETWORK_TO_SELF_CMAP

match access-group name VOICE_NETWORK_TO_SELF_ACL

match protocol icmp

! Traffic originating Self to Zone F (Voice)

class-map type inspect match-all SELF_TO_VOICE_NETWORK_CMAP

match access-group name SELF_TO_VOICE_NETWORK_ACL

match protocol icmp

! Policy from Outside (Zone D) to Self

policy-map type inspect OUTSIDE_TO_SELF_PMAP

class type inspect OUTSIDE_TO_SELF_CMAP

inspect

class class-default

drop log

! Policy from Self to Outside (Zone D)

policy-map type inspect SELF_TO_OUTSIDE_PMAP

class type inspect SELF_TO_OUTSIDE_CMAP

inspect

class class-default

drop log

! Policy from Private Network (Zone A) to Self

policy-map type inspect PRIVATE_NETWORK_TO_SELF_PMAP

class type inspect PRIVATE_NETWORK_TO_SELF_CMAP

pass

class class-default

drop log

! Policy from Self to Private Network (Zone A)

policy-map type inspect SELF_TO_PRIVATE_NETWORK_PMAP

class type inspect SELF_TO_PRIVATE NETWORK_CMAP

pass

class class-default

drop log

! Policy from Public Network (Zone B) to Self

policy-map type inspect PUBLIC_NETWORK_TO_SELF_PMAP

class type inspect PUBLIC_NETWORK_TO_SELF_CMAP

inspect

class class-default

drop log

! Policy from Self to Public Network (Zone B)

policy-map type inspect SELF_TO_PUBLIC_NETWORK_PMAP

class type inspect SELF_TO_PUBLIC_NETWORK_CMAP

inspect

class class-default

drop log

! Policy from Voice Network (Zone F) to Self

policy-map type inspect VOICE_NETWORK_TO_SELF_PMAP

class type inspect VOICE_NETWORK_TO_SELF_CMAP

inspect

class class-default

drop log

! Policy from Self to Voice Network (Zone F)

policy-map type inspect SELF_TO_VOICE_NETWORK_PMAP

class type inspect SELF_TO_VOICE_NETWORK_CMAP

inspect

class class-default

drop log

... continued later for VPN and DMZ zones, allowing VPN protocols in self zone if I recall readings

'Private Network and Self

zone-pair security PRIVATE_NETWORK_TO_SELF_ZP source PRIVATE_NETWORK destination self

service-policy type inspect PRIVATE_NETWORK_TO_SELF_PMAP

zone-pair security SELF_TO_PRIVATE_NETWORK_ZP source self destination PRIVATE_NETWORK

service-policy type inspect SELF_TO_PRIVATE_NETWORK_PMAP

-------------------------------------------------------------------------------------------------------------------------------

zone-pair security PUBLIC_NETWORK_TO_SELF _ZP source PUBLIC_NETWORK destination self

service-policy type inspect PUBLIC_NETWORK_TO_SELF_PMAP

zone-pair security SELF_TO_PUBLIC_NETWORK _ZP source self destination PUBLIC_NETWORK

service-policy type inspect SELF_TO_PUBLIC_NETWORK_PMAP

-----------------------------------------------------------------------------------------------------------------

zone-pair security VOICE_NETWORK_TO_SELF _ZP source VOICE_NETWORK destination self

service-policy type inspect VOICE_NETWORK_TO_SELF_PMAP

zone-pair security SELF_TO_VOICE_NETWORK _ZP source self destination VOICE_NETWORK

service-policy type inspect SELF_TO_VOICE_NETWORK_PMAP

--------------------------------------------

zone-pair security OUTSIDE_TO_SELF _ZP source OUTSIDE destination self

service-policy type inspect OUTSIDE_TO_SELF_PMAP

zone-pair security SELF_TO_OUTSIDE_ZP source self destination OUTSIDE

service-policy type inspect SELF_TO_OUTSIDE_CMAP

------------------------------------------------------------

Re: ZBF - New user looking for feedback

Elton Babcock — Tue, 22 Jan 2013 16:42:08 GMT

It really does look like your on the right track. Just some things to be mindful of.

Being that the self zone is essentially traffic originating from the router and coming into the router itself, you probably don't need a subnet defined in the ACL. A host address would probably work fine.

Everything appears to look good and it should work. My suggestion is just get things up and running and then implement the FW policies one at a time to help with troubleshooting problems. Trying to do it all at once could be a nightmare.

Elton

topic ZBF - New user looking for feedback in Network Security

ZBF - New user looking for feedback

Re: ZBF - New user looking for feedback

Re: ZBF - New user looking for feedback

Re: ZBF - New user looking for feedback