ISR C1111 Zone-Based Firewall configuration

TheGoob
Level 4

Hi, I wanted to enable my ISR firewall in addition to my FPR firewall, and wanted to check and verify that this would be safely implemented and that I didn’t miss anything.

My main interest, aside from blocking everything I don’t want in, was to allow each network Internet access, and then in 192.168.1.0 allow IMAP and SMTP in for email, and in 192.168.2.0 HTTPS/443 for my nginx proxy. Not sure if I apply this to the network as a whole or to the specific LAN IP which needs them opened WAN to LAN.

ISR ZONE FIREWALL

Zones
Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE

Interfaces 
Router(config)#interface gigabitEthernet 0/1/5
Router(config-if)#zone-member security INSIDE
Router(config)#interface gigabitEthernet 0/0/0
Router(config-if)#zone-member security OUTSIDE

Zone-Pairs
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE

Class Map for INSIDE-TO-OUTSIDE
Router(config)#ip access-list extended INSIDE-TO-OUTSIDE
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq imap
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq smtp
  Do I need these two above for me to send and receive email on the “in-to-out”?
Router(config-ext-nacl)#permit icmp 192.168.1.0 0.0.0.255 any
Router(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 any eq https
  Do I need this on the “in-to-out” for my access in from WAN to HTTPS?
Router(config-ext-nacl)#permit icmp 192.168.2.0 0.0.0.255 any
Router(config-ext-nacl)#permit tcp 192.168.3.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit icmp 192.168.3.0 0.0.0.255 any
Router(config-ext-nacl)#permit tcp 192.168.4.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit icmp 192.168.4.0 0.0.0.255 any
Router(config-ext-nacl)#permit tcp 192.168.5.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit icmp 192.168.5.0 0.0.0.255 any
Router(config-ext-nacl)#permit tcp 192.168.6.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit icmp 192.168.6.0 0.0.0.255 any
Router(config)#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
Router(config-cmap)#match access-group name INSIDE-TO-OUTSIDE

Class Map for OUTSIDE-TO-INSIDE
Router(config)#ip access-list extended OUTSIDE-TO-INSIDE
Router(config-ext-nacl)#permit icmp any 192.168.1.0 0.0.0.255
Router(config-ext-nacl)#permit tcp any 192.168.1.0 0.0.0.255 eq imap
Router(config-ext-nacl)#permit tcp any 192.168.1.0 0.0.0.255 eq smtp
  Do I need these two above for me to send and receive email on the “out-to-in”?
Router(config-ext-nacl)#permit icmp any 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#permit tcp any 192.168.2.0 0.0.0.255 eq https
  Do I need this on the “out-to-in” for my access in from WAN to HTTPS?
Router(config-ext-nacl)#permit icmp any 192.168.3.0 0.0.0.255
Router(config-ext-nacl)#permit icmp any 192.168.4.0 0.0.0.255
Router(config-ext-nacl)#permit icmp any 192.168.5.0 0.0.0.255
Router(config-ext-nacl)#permit icmp any 192.168.6.0 0.0.0.255
Router(config)#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
Router(config-cmap)#match access-group name OUTSIDE-TO-INSIDE

Policy-map for INSIDE-TO-OUTSIDE
Router(config)#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
Router(config-pmap)#class type inspect INSIDE-TO-OUTSIDE-CLASS
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log

Policy-map for OUTSIDE-TO-INSIDE
Router(config)#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
Router(config-pmap)#class type inspect OUTSIDE-TO-INSIDE-CLASS
Router(config-pmap)#pass
Router(config-pmap)#class class-default
Router(config-pmap)#drop log

Apply 
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
Accepted Solution

TheGoob
Level 4

Alright so I feel shamed for “giving up”. So unless I am missing the bigger point, I created this for ZONE FW on ISR w/ OUTSIDE, INSIDE and DMZ. Please comment or correct my incorrect assumptions.

 

ISR ZONE FIREWALL

Zones
Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE
Router(config)#zone security DMZ

Interfaces 
Router(config)#interface gigabitEthernet 0/1/5 (192.168.1.0 - 192.168.6.0)
Router(config-if)#zone-member security INSIDE
Router(config)#interface gigabitEthernet 0/0/0
Router(config-if)#zone-member security OUTSIDE
Router(config)#interface gigabitEthernet 0/1/4 (172.16.1.0)
Router(config-if)#zone-member security DMZ

Zone-Pairs
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ

Class Map for INSIDE-TO-OUTSIDE
Router(config)#ip access-list extended INSIDE-TO-OUTSIDE
Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.4.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.5.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.6.0 0.0.0.255 any
Router(config)#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
Router(config-cmap)#match access-group name INSIDE-TO-OUTSIDE
   THIS ABOVE WILL ALLOW NETWORKS ON SG350XG OUTSIDE INTERNET?

Class Map for OUTSIDE-TO-INSIDE
Router(config)#ip access-list extended OUTSIDE-TO-INSIDE
Router(config-ext-nacl)#permit icmp any 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#permit tcp any host 192.168.2.181 eq https
Router(config-ext-nacl)#permit tcp any host 192.168.2.181 eq http
Router(config)#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
Router(config-cmap)#match access-group name OUTSIDE-TO-INSIDE
  THIS ABOVE ALLOWS OUT TO IN NGINX PROXY PORT 443,80 AND ICMP TO 192.168.2.181?

Class Map for OUTSIDE-TO-DMZ
Router(config)#ip access-list extended OUTSIDE-TO-DMZ
Router(config-ext-nacl)#permit tcp any host 172.16.1.180 eq smtp
Router(config-ext-nacl)#permit tcp any host 172.16.1.180 eq 22
Router(config)#class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
Router(config-cmap)#match access-group name OUTSIDE-TO-DMZ
   THIS ABOVE ALLOWS OUT TO DMZ SMTP AND SSH TO 172.16.1.180

Class Map for INSIDE-TO-DMZ
Router(config)#ip access-list extended INSIDE-TO-DMZ
Router(config-ext-nacl)#permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.180 eq smtp
Router(config-ext-nacl)#permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.180 eq 22
Router(config)#class-map type inspect match-all INSIDE-TO-DMZ-CLASS
Router(config-cmap)#match access-group name INSIDE-TO-DMZ
   THIS ABOVE ALLOWS 5.0 NETWORK TO CONNECT TO SMTP AND SSH TO 172.16.1.180
   Just not sure how the DMZ email (172.16.1.180) relays to INSIDE email 192.168.1.180

Policy-map for INSIDE-TO-OUTSIDE
Router(config)#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
Router(config-pmap)#class type inspect INSIDE-TO-OUTSIDE-CLASS
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log

Policy-map for OUTSIDE-TO-INSIDE
Router(config)#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
Router(config-pmap)#class type inspect OUTSIDE-TO-INSIDE-CLASS
Router(config-pmap)#pass
Router(config-pmap)#class class-default
Router(config-pmap)#drop log

Policy-map for OUTSIDE-TO-DMZ
Router(config)#policy-map type inspect OUTSIDE-TO-DMZ-POLICY
Router(config-pmap)#class type inspect OUTSIDE-TO-DMZ-CLASS
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log

Policy-map for INSIDE-TO-DMZ
Router(config)#policy-map type inspect INSIDE-TO-DMZ-POLICY
Router(config-pmap)#class type inspect INSIDE-TO-DMZ-CLASS
Router(config-pmap)#pass
Router(config-pmap)#class class-default
Router(config-pmap)#drop log

Apply 
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-DMZ-POLICY
Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ
Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-DMZ-POLICY


25 Replies

balaji.bandi
Hall of Fame

The most common use case for a zone-based firewall is where you would like to have DMZ, inside and outside; that should be considered.

Or are you looking to use zones to restrict the services from communicating? The configuration can be applied and requires some testing. It depends on how your interfaces are connected inside and outside.

Check some flows, as mentioned with diagrams in the document below. (Your config is OK at a high level, but again that needs to be tested in a real environment.)

https://community.cisco.com/t5/security-knowledge-base/ios-zone-based-firewall-step-by-step-basic-configuration/ta-p/3142774

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello

Well in my scenario I am not sure where a DMZ would be situated. As you and others have helped me this past 2 months with my ISR - FPR - SG350XG, all 6 of my networks are at the SG end and I am, on the ISR, only using 2 Interfaces WAN and LAN. 

Maybe I am mistaken in which type of firewall I want as this would just be for allowing access in and out on networks and specific hosts. 
I have the FW on my FPR and wanted this ISR FW to just be a second layer. 

I suggest not making anything complicated or over-engineered where it is not required.

If you have 2 interfaces, then your INSIDE and OUTSIDE with NAT should work, until I hear something different.

You can host the service behind the FW (FPR), so another layer of protection.

A router is not a full firewall like the FPR, which does that job; a router needs to do what a router can do. It has some additional features like ACLs and the zone-based firewall, for where you would like to have a branch all-in-one to limit the hardware requirement.

If you have a dedicated FW, I would take advantage of it and host the services behind the FPR, with the ISR doing the NAT. (This is my view.)

Note: every time you change the design, you need to provide an updated network diagram and how the services are connected.

 

BB


Javier Acuña
Spotlight

To configure the IOS device by zones you must take these five aspects into account.

ZBFW configuration procedure

The following are the configuration tasks that you must follow:

Configure zones
Assign router interfaces to zones
Create zone pairs
Configure access policy between zones (class maps and policy maps)
Apply policy maps to zone pairs
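The five tasks above, carried through as one complete configuration for the three-zone layout the thread settles on. This is an added example, not Javier's or the thread author's configuration. It assumes what the thread states: six inside /24 LANs behind GigabitEthernet0/1/5, a DMZ of 172.16.1.0/24 on GigabitEthernet0/1/4, the WAN on GigabitEthernet0/0/0, the nginx proxy at 192.168.2.181 and the mail relay at 172.16.1.180, with NAT done on this ISR. It differs from the posted config on two points a practitioner checks first: inbound access lists name the protected host as the destination (source first, destination second), and every zone-pair uses `inspect` rather than `pass`, so reply packets are matched to a session instead of needing their own permit.

```ios
! Added example (not the thread author's config): the five ZBFW tasks
! for an ISR with INSIDE, OUTSIDE and DMZ zones. Addresses, interfaces
! and hosts are the ones named in the thread; everything else is assumed.
! NAT runs on this ISR and is applied before inspection for traffic
! arriving from OUTSIDE, so inbound ACLs name the private host.

! 1. Zones
zone security INSIDE
zone security OUTSIDE
zone security DMZ

! 2. Interfaces to zones
interface GigabitEthernet0/0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1/5
 zone-member security INSIDE
interface GigabitEthernet0/1/4
 zone-member security DMZ

! 3. Access lists: source first, destination second. For traffic
!    entering from OUTSIDE the protected host is the destination.
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-INSIDE
 permit tcp any host 192.168.2.181 eq 443
 permit tcp any host 192.168.2.181 eq 80
 permit icmp any host 192.168.2.181 echo
ip access-list extended OUTSIDE-TO-DMZ
 permit tcp any host 172.16.1.180 eq smtp
ip access-list extended INSIDE-TO-DMZ
 permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.180 eq smtp
 permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.180 eq 22

! 4. Class maps (one per direction) and policy maps.
!    "inspect" creates a session entry, so the replies to a permitted
!    connection are allowed back through the reverse zone-pair without
!    a matching permit there. "pass" keeps no state, so an inbound TCP
!    connection permitted with "pass" never completes its handshake.
!    Anything not classified is dropped and logged.
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name OUTSIDE-TO-DMZ
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log

! 5. Zone pairs with the policies attached. There is deliberately no
!    DMZ-to-INSIDE pair: with no pair and no policy, nothing the relay
!    initiates toward the inside LANs is allowed through.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
```

After applying it, `show zone-pair security` confirms each pair has its policy, and `show policy-map type inspect zone-pair sessions` lists the sessions `inspect` has created, which is the quickest way to see whether an inbound connection to the proxy or the relay is actually being tracked. Two caveats worth knowing: the router's own traffic (management, routing protocols, NTP) belongs to the built-in `self` zone and is not covered by any of these pairs, so it stays permitted by default until a zone-pair with `self` is configured; and as soon as an interface joins a zone, traffic between it and any interface not in a zone is dropped, so every routed interface on the ISR should be placed in a zone before the policies are trusted.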

 

TheGoob
Level 4

So unless I misunderstood, the answer was “no, don’t do it. Leave the FPR for the Firewall and the ISR for the routing”. 

The correct answer is - it depends. @balaji.bandi makes a good point in not complicating a simple thing. On the other hand, you are the only one who can say what is important for you and what is not. In my opinion, having two layers of firewall is a good thing for network security.

In your setup, the DMZ could be the network between the ISR and the FPR - vlan 8 - which you can use to host a mail relay server for example.

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob
Level 4

Interesting. 
I mean, is having a zone firewall intended for in, out and DMZ? I mean really I just wanted to see if my original post would “work” and then, when it did, maybe venture out into the DMZ aspect or even, as you say, this relay server. That in itself I’ve never done, so who knows. I just wanted to simply see if it would work, but yeah, I understand both perspectives.

The DMZ concept in my opinion is a very elastic one. The DMZ is something in between the "outside" world and the "inside" network. You decide what kind of access is permitted to the DMZ and what kind of access is permitted from the DMZ to the outside and inside zones.

Take for example the mail relay sitting in the DMZ.

You can have a network policy defining that the company mail should be delivered to a mail relay server in the DMZ and from the mail relay the mail is delivered to the internal mail server. The internal mail server is not accessible from the internet - only the mail relay from the DMZ is permitted to access it. 

Regards, LG

TheGoob
Level 4

Not saying I can’t, but am saying it’s too complicated for me at this stage. I get the concept; it’s the implementation of it. So I’d have to create a 2nd email server just to send it to my main internal server?
No, let’s not get involved with this. Gonna make my brain explode.

The mail server is just an example. You can think of another use case that is more appropriate for your needs - for example a guest wireless network using the embedded AP on your ISR.

Regards, LG

TheGoob
Level 4

Well getting back to the email situation, is the DMZ more of a routing implementation or is the mail server actually moved to the 172.16.1.0 Network? 

Like I feel the WiFi is an easier example as it would sit “before” the FPR and have its own network away from my 6 SG networks and just have Internet access, no LAN, but the email server raises theory questions. I’m fascinated by the ability of it.

Clearly the email blah@blah.com translates to x.x.x.180 so I would NAT that to this new network ip on the DMZ such as 172.16.1.180, then translate/relay that to the internal/existing 192.168.1.180? 


@TheGoob wrote:

Well getting back to the email situation, is the DMZ more of a routing implementation or is the mail server actually moved to the 172.16.1.0 Network? 

Like I feel the WiFi is an easier example as it would sit “before” the FPR and have its own network away from my 6 SG networks and just have Internet access, no LAN, but the email server raises theory questions. I’m fascinated by the ability of it.

Clearly the email blah@blah.com translates to x.x.x.180 so I would NAT that to this new network ip on the DMZ such as 172.16.1.180, then translate/relay that to the internal/existing 192.168.1.180? 


An actual NEW server, the mail relay, is deployed in the DMZ and is given an IP address from that network - 172.16.1.180 for example. You will translate this address to a public one from the pool you have from your ISP and register that public IP in the DNS for your domain as the MX record. Implementing the ZBFW on the ISR, you will configure a policy permitting SMTP traffic from the internet to access the mail relay in the DMZ.

You will implement another policy on your FPR permitting SMTP traffic from your mail relay server to be delivered to your internal mail server. Basically you will have two mail servers:

  • one in the DMZ accessible from the Internet
  • one in the internal network, accessible only from the DMZ and not from the Internet directly
Regards, LG

Geeze. I mean I suppose it’s doable. The mail server resides on an HPE Proliant w/ 6 Interfaces. I could simply boot up another VM and host another mail server as you said and have it in the DMZ Network.

So my existing 192.168.1.180 translates to 207.108.121.180 and has a registered domain… I would assign this new relay DMZ email server a different WAN IP not 207.108.121.180?

Making a sketch here:

 

ISR
NAT 207.108.121.180 to 172.16.1.180 (though I hate consolidating that WAN IP to one LAN IP)
ACL allowing SMTP to 172.16.1.180, all other usage blocked from LAN.
|
|
————DMZ - Email 172.16.1.180 / Relay 
|
|
FPR - ACL permitting outside (172.16.1.180) to inside (192.168.1.180) SMTP. 
|
|
SG350XG
|
|
Email Server 192.168.1.180 uses Relay IP 172.16.1.180.
5.0 Network can access email locally. 

It seems like a working solution.

If you want to NAT more than one service on one IP, you can use the ip nat inside source static tcp or ip nat inside source static udp variation of the command in order to map different services, SMTP and others, to a single IP. The differentiation between the services is done using the Layer 4 protocol, TCP or UDP, and port numbers.

Regards, LG
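The static PAT variant LG describes, written out for the sketch in this thread, as an added example that is not LG's or the thread author's configuration. It assumes 207.108.121.180 (the public address named above) is the address the ISR presents for the mail service, that GigabitEthernet0/0/0 is the WAN, and that the DMZ (GigabitEthernet0/1/4) and the inside LAN trunk (GigabitEthernet0/1/5) are both NAT inside interfaces; the interface names and hosts are the ones used elsewhere in the thread.

```ios
! Added example (not from the thread): several services sharing one
! public address, split by L4 protocol and port onto different private
! hosts with "ip nat inside source static tcp". Addresses and interfaces
! are taken from the thread; the NAT role of each interface is assumed.
interface GigabitEthernet0/0/0
 ip nat outside
interface GigabitEthernet0/1/4
 ip nat inside
interface GigabitEthernet0/1/5
 ip nat inside

! One public IP, different ports, different private hosts:
!   tcp/25  -> mail relay in the DMZ
!   tcp/443 -> nginx proxy on the inside LAN
!   tcp/80  -> nginx proxy on the inside LAN
! "extendable" lets the same public address carry several static
! mappings alongside the dynamic overload rule below.
ip nat inside source static tcp 172.16.1.180 25 207.108.121.180 25 extendable
ip nat inside source static tcp 192.168.2.181 443 207.108.121.180 443 extendable
ip nat inside source static tcp 192.168.2.181 80 207.108.121.180 80 extendable

! Outbound browsing from the LANs and the DMZ still needs a dynamic
! rule. The standard ACL selects which private sources get translated
! to the WAN interface address (overload = PAT).
ip access-list standard NAT-SOURCES
 permit 192.168.0.0 0.0.255.255
 permit 172.16.1.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0/0 overload
```

`show ip nat translations` lists the three static entries as soon as they are entered, and shows the dynamic entries only while a session is open. Because the translation from the public address to 172.16.1.180 happens before the zone-based firewall inspects the packet, the OUTSIDE-TO-DMZ access list on the ISR must permit SMTP to the private relay address, not to 207.108.121.180; only ports that have a static mapping are reachable from the Internet, so the relay's SSH port stays closed unless a mapping for it is added deliberately. The FPR rule that lets the relay at 172.16.1.180 deliver to 192.168.1.180 is a separate policy on that device and is not part of the ISR configuration.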
