IOS Zone Based Firewall Blocking Internet Ingress

Rob Cluett — Tue, 12 Mar 2019 00:36:41 GMT

I'm very new to the concept of a firewalls. I'm attempting to block specific traffic from the internet into my router and allow only certain traffic out. Each representing the traffic flow. Example of the zone's and zone pairs would be. I'm confused about the SELF zone and if it even comes into play here with the WAN zone.

---ZONES---

ZONE	Description
ZONE-WAN	Internet access comes into interface Gi0/0.
ZONE LAN	VLANS 1-6 host users who need unfiltered access out to the internet and unfiltered between each other.
ZONE EDMZ	VLAN 7 needs specific traffic restricted in from the WAN and other specific traffic filtered out to the WAN. Some traffic from the LAN to the EDMZ needs to be filtered but any traffic from the EDMZ should get to the LAN.

ZONE

Description

ZONE-WAN

Internet access comes into interface Gi0/0.

ZONE LAN

VLANS 1-6 host users who need unfiltered access out to the internet and unfiltered between each other.

ZONE EDMZ

VLAN 7 needs specific traffic restricted in from the WAN and other specific traffic filtered out to the WAN.

Some traffic from the LAN to the EDMZ needs to be filtered but any traffic from the EDMZ should get to the LAN.

---ZONE PAIRS---

ZONE-PAIR SELF->WAN

ZONE-PAIR WAN->SELF

ZONE-PAIR LAN->WAN

ZONE-PAIR WAN->LAN

ZONE-PAIR WAN->EDMZ

ZONE-PAIR EDMZ->WAN

ZONE-PAIR LAN->EDMZ

ZONE-PAIR EDMZ-LAN

Using the Zone's and Pairs above (or if any of them can be eliminated) how would I:

1) allow only http and https traffic in to the router from the WAN (WAN/ISP connection on interface Gi0/0). All other traffic should be dropped.

2) allow all traffic out to the WAN in a stateful fashion from the LAN on all VLANS (1,2,3,4,5,6). So my users have access to everything on the internet.

3) allow all traffic between all VLANS (1,2,3,4,5,6). Nothing is filtered.

4) restrict specific traffic into the EDMZ from the WAN.

5) restrict specific traffic from the WAN to the EDM

IOS Zone Based Firewall Blocking Internet Ingress

Henrik Grankvist — Thu, 13 Dec 2012 09:46:52 GMT

Hello!

First I would create the zones it self

zone security OUTSIDE

zone security INSIDE

zone security EDMZ

1) I guess you mean from the Internet to the router it self?

class-map type inspect match-any HTTP_CMAP

match protocol http

match protocol https

policy-map type inspect OUTSIDE-SELF_PMAP

class type inspect HTTP_CMAP

pass ! traffic to the self zone can't be statefully inspected.

class class-default ! This is a default class that is already there and this affects all traffic that is not matched by a previus class-map

drop ! It is a default permit in the default class-map when it is applied to the self zone so it has to be changed.

zone-pair security OUTSIDE-SELF source OUTSIDE destination self

service-policy type inspect OUTSIDE-SELF_PMAP

For security reasons I always create an ACL where I permitt all my LANs IP-ranges.

Like:

ip access-list standard LAN-IP-ADDRESSES

permit 192.168.0.0 0.0.0.255

permit 192.168.1.0 0.0.0.255

etc....

class-map type inspect LAN-IP-ADDRESSES_CMAP

match access-group name LAN-IP-ADDRESSES

policy-map type inspect INSIDE-OUTSIDE_PMAP

class type inspect LAN-IP-ADDRESSES_CMAP

inspect ! Now traffic is inspected statfully when it is going between zones.

zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE

service-policy type inspect INSIDE-OUTSIDE_PMAP

Just put them in the same zone, this is done last, because if you put things in zones before you make the policys everything will be blocked until you have made them.

4) 4 and 5 sounds exactly the same to me?

Now it depends on if you want to permit specific traffic to the EDMZ/DMZ(?) or if you want to den specific traffic? Sounds like you want to deny specific traffic, but that is not the best way so because then you have no control so I will demonstate the other way around.

class-map type inspect match-any SPECIFIC-TRAFFIC_CMAP ! Make sure to do a match-any if you want more than two protocol to be matched.

match protocol SPECIFIC-PROTOCOL

policy-map type inspect OUTSIDE-EDMZ_PMAP

class type inspect SPECIFIC-TRAFFIC_CMAP

inspect

zone-pair security OUTSIDE-EDMZ source OUTSIDE destination EDMZ

service-policy type inspect OUTSIDE-EDMZ_PMAP

Last thing to do:

Is to add the zones to the interfaces:

interface gi0/0

zone-member OUTSIDE

interface something-inside

zone-member INSIDE

interface something-inside2

zone-member INSIDE

inteface edmz

zone-member EDMZ

I just wrote this from my head so a everything maybe isn't correctly spelled all the way.

Hope it helps!

topic IOS Zone Based Firewall Blocking Internet Ingress in Network Security

IOS Zone Based Firewall Blocking Internet Ingress

IOS Zone Based Firewall Blocking Internet Ingress