Zone based firewall, and blocking specific hosts / networks

searchoptics_2011 — Tue, 12 Mar 2019 00:08:28 GMT

I recently setup our Cisco 890 in zone firewall mode, rathern than the ACL method.

I feel like I have most of this under control, however one specific area.

I am trying to block some of our QA resources from ever reaching production, you know the developer screw up and all.

Anyway, If someone could give me a hand with these rules, that would be great.

object-group network Production_Resources

description Group of Public Production Resources

10.87.1.0 255.255.255.0

64.87.17.0 255.255.255.224

64.87.26.232 255.255.255.248

object-group network QA_Resources

description Workstations and Servers to be used with the QA enviornment

host 10.87.42.81

host 10.87.42.93

host 10.87.42.101

host 10.87.42.102

class-map type inspect match-any DROP_TRAFFIC

match access-group name DROP_QA_TRAFFIC

match protocol bittorrent

match protocol kazaa2

match protocol edonkey

class-map type inspect match-any TrafficToOutside

match protocol tcp

match protocol udp

match protocol icmp

match protocol ipsec-msft

match protocol smtp

class-map type inspect match-any FIREWALL_EXCEPTIONS

match access-group name FIREWALL_EXCEPTIONS

policy-map type inspect IN-TO-OUT

class type inspect DROP_TRAFFIC

drop log

class type inspect TrafficToOutside

inspect

class class-default

drop log

policy-map type inspect OUT-TO-IN

class type inspect FIREWALL_EXCEPTIONS

inspect

class class-default

drop

zone security inside

zone security outside

zone-pair security ZONE-IN-TO-OUT source inside destination outside

service-policy type inspect IN-TO-OUT

zone-pair security ZONE-OUT-TO-IN source outside destination inside

service-policy type inspect OUT-TO-IN

interface GigabitEthernet0

bandwidth 10240

ip address 24.43.xxx.yyy 255.255.255.248 secondary

ip address 24.43.xxx.yy1 255.255.255.248 secondary

ip address 24.43.xxx.yy2 255.255.255.248

ip nat outside

no ip virtual-reassembly

zone-member security outside

duplex auto

speed auto

interface Vlan10

bandwidth 102400

ip address 172.16.42.1 255.255.255.0

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

zone-member security inside

ip tcp adjust-mss 1452

ip ospf mtu-ignore

ip route 10.87.42.0 255.255.255.0 172.16.42.2 permanent name SDOfficeL3Switch

ip route 10.87.43.0 255.255.255.0 172.16.42.3 permanent name soPhoneRoute

ip access-list extended DROP_QA_TRAFFIC

remark Rule to prevent QA resources from reaching production

remark CCP_ACL Category=128

deny ip object-group QA_Resources object-group Production_Resources

permit ip object-group QA_Resources any

ip access-list extended FIREWALL_EXCEPTIONS

permit tcp any any eq 8080

permit tcp any any eq 8090

permit tcp any any eq 8091

permit tcp any any eq 8100

permit tcp any any eq 8789

permit udp any any eq 8080

permit udp any any eq 8091

permit udp any any eq 8100

permit udp any any eq 8789

permit udp any any eq 443

permit tcp any any eq 443

permit udp any any eq 1194

cerberus#sh ip access-lists DROP_QA_TRAFFIC

Extended IP access list DROP_QA_TRAFFIC

10 deny ip object-group QA_Resources object-group Production_Resources (24 matches)

20 permit ip object-group QA_Resources any (1039 matches)

cerberus#sh policy-map type inspect zone-pair ZONE-IN-TO-OUT

policy exists on zp ZONE-IN-TO-OUT

Zone-pair: ZONE-IN-TO-OUT

Service-policy inspect : IN-TO-OUT

Class-map: DROP_TRAFFIC (match-any)

Match: access-group name DROP_QA_TRAFFIC

1177 packets, 39856 bytes

30 second rate 0 bps

Match: protocol bittorrent

0 packets, 0 bytes

30 second rate 0 bps

Match: protocol kazaa2

0 packets, 0 bytes

30 second rate 0 bps

Match: protocol edonkey

0 packets, 0 bytes

30 second rate 0 bps

Drop

1177 packets, 39856 bytes

Class-map: TrafficToOutside (match-any)

Match: protocol tcp

29387 packets, 975759 bytes

30 second rate 1000 bps

Match: protocol udp

24002 packets, 1395741 bytes

30 second rate 1000 bps

Match: protocol icmp

112 packets, 2348 bytes

30 second rate 0 bps

Match: protocol ipsec-msft

0 packets, 0 bytes

30 second rate 0 bps

Match: protocol smtp

0 packets, 0 bytes

30 second rate 0 bps

Inspect

Packet inspection statistics [process switch:fast switch]

tcp packets: [2992:2786067]

udp packets: [46590:3698]

icmp packets: [204:949]

Session creations since subsystem startup or last reset 53345

Current session counts (estab/half-open/terminating) [901:4:0]

Maxever session counts (estab/half-open/terminating) [1057:61:47]

Last session created 00:00:00

Last statistic reset never

Last session creation rate 620

Maxever session creation rate 1660

Last half-open session total 4

TCP reassembly statistics

received 0 packets out-of-order; dropped 0

peak memory usage 0 KB; current usage: 0 KB

peak queue length 0

Class-map: class-default (match-any)

Match: any

Drop

15 packets, 1332 bytes

cerberus#

And yet it's not blocked, I can open a browser to the production page and view the site(S)

I think this covers the revelant lines of the config.

As always, any help is greatly appreciated !

Zone based firewall, and blocking specific hosts / networks

Julio Carvajal — Sat, 13 Oct 2012 05:19:37 GMT

Hello John,

I am going to be honest with you . I checked the setup real fast so I am not 100% sure if this will do it for you but I think it will.

Anyway here is what I found weird:

class-map type inspect match-any DROP_TRAFFIC

match access-group name DROP_QA_TRAFFIC

match protocol bittorrent

match protocol kazaa2

match protocol edonkey

cerberus#sh ip access-lists DROP_QA_TRAFFIC

Extended IP access list DROP_QA_TRAFFIC

10 deny ip object-group QA_Resources object-group Production_Resources (24 matches)

20 permit ip object-group QA_Resources any (1039 matches)

Please change the ACL to the following:

ip access-list DROP_QA_TRAFFIC

1 permit ip object-group QA_Resources object-group Production_Resources

Let me know how it goes

Remember to rate all of the forum answers

Zone based firewall, and blocking specific hosts / networks

iec1128759 — Mon, 15 Oct 2012 15:45:31 GMT

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_ooop.html

topic Zone based firewall, and blocking specific hosts / networks in Network Security

Zone based firewall, and blocking specific hosts / networks

Zone based firewall, and blocking specific hosts / networks

Zone based firewall, and blocking specific hosts / networks