03-13-2024 01:19 PM
Hi, I wanted to enable my ISR firewall in addition to my FPR firewall, and wanted to check and verify that this would be safely implemented and that I didn’t miss anything.
My main interest, aside from blocking everything I don’t want in, was to allow each network Internet access, then in 192.168.1.0 allow IMAP and SMTP in for email, and in 192.168.2.0 HTTPS/443 for my nginx proxy. I’m not sure if I apply this to the network as a whole or to the specific LAN IP which needs them opened WAN to LAN.
ISR ZONE FIREWALL
Zones
Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE
Interfaces
Router(config)#interface gigabitEthernet 0/1/5
Router(config-if)#zone-member security INSIDE
Router(config)#interface gigabitEthernet 0/0/0
Router(config-if)#zone-member security OUTSIDE
Zone-Pairs
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
Class Map for INSIDE-TO-OUTSIDE
Router(config)#ip access-list extended INSIDE-TO-OUTSIDE
! each LAN is a /24, so the wildcard mask is 0.0.0.255 (0.0.255.255 would cover all of 192.168.0.0/16)
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq imap
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq smtp
Do I need these two above for me to send and receive email on the “in-to-out”?
Router(config-ext-nacl)#permit icmp 192.168.1.0 0.0.0.255 any
Router(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit tcp 192.168.2.0 0.0.0.255 any eq https
Do I need this on the “in-to-out” for my access in from WAN to HTTPS?
Router(config-ext-nacl)#permit icmp 192.168.2.0 0.0.0.255 any
Router(config-ext-nacl)#permit tcp 192.168.3.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit icmp 192.168.3.0 0.0.0.255 any
Router(config-ext-nacl)#permit tcp 192.168.4.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit icmp 192.168.4.0 0.0.0.255 any
Router(config-ext-nacl)#permit tcp 192.168.5.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit icmp 192.168.5.0 0.0.0.255 any
Router(config-ext-nacl)#permit tcp 192.168.6.0 0.0.0.255 any eq www
Router(config-ext-nacl)#permit icmp 192.168.6.0 0.0.0.255 any
Router(config)#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
Router(config-cmap)#match access-group name INSIDE-TO-OUTSIDE
Class Map for OUTSIDE-TO-INSIDE
Router(config)#ip access-list extended OUTSIDE-TO-INSIDE
! for OUT-TO-IN the source is the Internet side (any) and the destination is the inside network; the port follows the destination
Router(config-ext-nacl)#permit icmp any 192.168.1.0 0.0.0.255
Router(config-ext-nacl)#permit tcp any 192.168.1.0 0.0.0.255 eq imap
Router(config-ext-nacl)#permit tcp any 192.168.1.0 0.0.0.255 eq smtp
Do I need these two above for me to send and receive email on the “out-to-in”?
Router(config-ext-nacl)#permit icmp any 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#permit tcp any 192.168.2.0 0.0.0.255 eq https
Do I need this on the “out-to-in” for my access in from WAN to HTTPS?
Router(config-ext-nacl)#permit icmp any 192.168.3.0 0.0.0.255
Router(config-ext-nacl)#permit icmp any 192.168.4.0 0.0.0.255
Router(config-ext-nacl)#permit icmp any 192.168.5.0 0.0.0.255
Router(config-ext-nacl)#permit icmp any 192.168.6.0 0.0.0.255
Router(config)#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
Router(config-cmap)#match access-group name OUTSIDE-TO-INSIDE
Policy-map for INSIDE-TO-OUTSIDE
Router(config)#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
Router(config-pmap)#class type inspect INSIDE-TO-OUTSIDE-CLASS
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log
Policy-map for OUTSIDE-TO-INSIDE
Router(config)#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
Router(config-pmap)#class type inspect OUTSIDE-TO-INSIDE-CLASS
! inspect rather than pass: pass keeps no session state, so the replies from the inside hosts would be evaluated by IN-TO-OUT and dropped
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log
Apply
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
03-17-2024 10:52 AM
Hey there
So yesterday I made 2 new VMs. Since I have 6 static IPs, I am messing around with one not currently being used, which also has a domain I bought for it years back: perfect scenario.
So on the ISR I did a static port NAT(?) from 207.108.121.179 to 172.16.1.179 for email and SSH. And it works. I then did another, dynamic NAT(?), so that anything that connects to the 192.168.4.0 network also grabs the 207.108.121.179 WAN IP.
My next part is how to do this relay scenario. In the VM, in Postfix, there is literally one option… ‘relay address x.x.x.x:port’, so I assume it overrides to that port for delivery. Now I just need to do the math in my head of what ports to open in which direction on what firewall.
Along with that is the idea of the DMZ: “nothing in the rest of the LAN can connect to/see it, only the Internet can, separating it from the LAN for security”.
03-18-2024 11:34 AM
The more I think about it, do I really want my email in the DMZ? Doesn’t that essentially open it all up? If you secure it, then isn’t that contradicting even using the DMZ? At least where it’s at, behind the firewall with only the mail port/SSH open, should be secure enough.
I guess I thought it would be “fun” to set up a zone FW on the ISR, but it seems pointless.
03-18-2024 03:53 PM
Like I mentioned in a previous post, you are the only one to say what is the appropriate configuration for your network.
03-19-2024 03:11 PM
Alright, so I feel shamed for “giving up”. So unless I am missing the bigger point, I created this for a zone FW on the ISR with OUTSIDE, INSIDE and DMZ. Please comment on or correct my incorrect assumptions.
ISR ZONE FIREWALL
Zones
Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE
Router(config)#zone security DMZ
Interfaces
Router(config)#interface gigabitEthernet 0/1/5 (192.168.1.0 - 192.168.6.0)
Router(config-if)#zone-member security INSIDE
Router(config)#interface gigabitEthernet 0/0/0
Router(config-if)#zone-member security OUTSIDE
Router(config)#interface gigabitEthernet 0/1/4 (172.16.1.0)
Router(config-if)#zone-member security DMZ
Zone-Pairs
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ
Class Map for INSIDE-TO-OUTSIDE
Router(config)#ip access-list extended INSIDE-TO-OUTSIDE
! "ip" is the protocol keyword that matches all IP traffic ("permit any ..." is not valid ACE syntax)
Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.4.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.5.0 0.0.0.255 any
Router(config-ext-nacl)#permit ip 192.168.6.0 0.0.0.255 any
Router(config)#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
Router(config-cmap)#match access-group name INSIDE-TO-OUTSIDE
WILL THIS ABOVE ALLOW THE NETWORKS ON THE SG350XG OUT TO THE INTERNET?
Class Map for OUTSIDE-TO-INSIDE
Router(config)#ip access-list extended OUTSIDE-TO-INSIDE
! inbound: source any (Internet), destination the proxy host, port after the destination
Router(config-ext-nacl)#permit icmp any 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#permit tcp any host 192.168.2.181 eq https
Router(config-ext-nacl)#permit tcp any host 192.168.2.181 eq http
Router(config)#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
Router(config-cmap)#match access-group name OUTSIDE-TO-INSIDE
THIS ABOVE ALLOWS OUT-TO-IN NGINX PROXY PORTS 443, 80 AND ICMP TO 192.168.2.181?
Class Map for OUTSIDE-TO-DMZ
Router(config)#ip access-list extended OUTSIDE-TO-DMZ
! inbound: source any (Internet), destination the DMZ mail host
Router(config-ext-nacl)#permit tcp any host 172.16.1.180 eq smtp
Router(config-ext-nacl)#permit tcp any host 172.16.1.180 eq ssh
Router(config)#class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
Router(config-cmap)#match access-group name OUTSIDE-TO-DMZ
THIS ABOVE ALLOWS OUT TO DMZ SMTP AND SSH TO 172.16.1.180
Class Map for INSIDE-TO-DMZ
Router(config)#ip access-list extended INSIDE-TO-DMZ
Router(config-ext-nacl)#permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.180 eq smtp
Router(config-ext-nacl)#permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.180 eq ssh
Router(config)#class-map type inspect match-all INSIDE-TO-DMZ-CLASS
Router(config-cmap)#match access-group name INSIDE-TO-DMZ
THIS ABOVE ALLOWS THE 5.0 NETWORK TO CONNECT OVER SMTP AND SSH TO 172.16.1.180
Just not sure how the DMZ email (172.16.1.180) relays to the INSIDE email 192.168.1.180.
Policy-map for INSIDE-TO-OUTSIDE
Router(config)#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
Router(config-pmap)#class type inspect INSIDE-TO-OUTSIDE-CLASS
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log
Policy-map for OUTSIDE-TO-INSIDE
Router(config)#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
Router(config-pmap)#class type inspect OUTSIDE-TO-INSIDE-CLASS
! inspect rather than pass: pass keeps no session state, so the proxy's replies would be evaluated by IN-TO-OUT instead of by the session
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log
Policy-map for OUTSIDE-TO-DMZ
Router(config)#policy-map type inspect OUTSIDE-TO-DMZ-POLICY
Router(config-pmap)#class type inspect OUTSIDE-TO-DMZ-CLASS
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log
Policy-map for INSIDE-TO-DMZ
Router(config)#policy-map type inspect INSIDE-TO-DMZ-POLICY
Router(config-pmap)#class type inspect INSIDE-TO-DMZ-CLASS
! inspect rather than pass: there is no DMZ-to-INSIDE zone-pair, so only an inspected session lets the DMZ host's replies back to the 5.0 network
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log
Apply
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-DMZ-POLICY
Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ
Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-DMZ-POLICY
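The three things the configs above keep tripping over (which end of an ACE is source and which is destination for an OUT-TO-IN zone-pair, how much a wildcard mask actually covers, and why `pass` is not `inspect`) can be checked offline with this small Python model of zone-based firewall evaluation. It is an added example, not the poster's config or Cisco code; the client addresses 192.168.5.20 and 203.0.113.10 are constructed.

```python
import ipaddress
# Added ZBF model (not the thread's config); port names are the ones used in the thread's ACEs.
PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25, "imap": 143, "ssh": 22}

def ip(s):
    return int(ipaddress.ip_address(s))

def parse_ace(line):  # e.g. 'permit tcp any host 172.16.1.180 eq smtp'
    tok, i, ends = line.split(), 2, []
    while len(ends) < 2:                 # source endpoint, then destination
        if tok[i] == "any":
            ends.append(("any", 0)); i += 1
        elif tok[i] == "host":
            ends.append((ip(tok[i + 1]), 0)); i += 2           # one host
        else:
            ends.append((ip(tok[i]), ip(tok[i + 1]))); i += 2  # network + wildcard
    dport = PORTS[tok[i + 1]] if i < len(tok) and tok[i] == "eq" else None
    return (tok[0], tok[1], ends[0], ends[1], dport)  # action, proto, src, dst, dport

def addr_match(rule, address):           # wildcard bits set to 1 are "don't care"
    return rule[0] == "any" or (address ^ rule[0]) & ~rule[1] & 0xFFFFFFFF == 0

def acl_permits(acl, proto, src, dst, dport):
    for action, aproto, asrc, adst, adport in acl:
        if aproto in ("ip", proto) and addr_match(asrc, src) and \
           addr_match(adst, dst) and adport in (None, dport):
            return action == "permit"
    return False                         # implicit deny ends every ACL
class ZoneFirewall:
    def __init__(self):
        self.pairs, self.sessions = {}, set()  # (src_zone, dst_zone) -> (acl, action)
    def zone_pair(self, src_zone, dst_zone, aces, action):
        self.pairs[(src_zone, dst_zone)] = ([parse_ace(a) for a in aces], action)
    def forward(self, src_zone, dst_zone, proto, src, sport, dst, dport):
        if (proto, dst, dport, src, sport) in self.sessions:
            return True                  # return leg of an inspected session
        acl, action = self.pairs.get((src_zone, dst_zone), ([], "drop"))
        if not acl_permits(acl, proto, src, dst, dport):
            return False                 # no zone-pair, or class-default drop
        if action == "inspect":          # 'pass' forwards but keeps no state
            self.sessions.add((proto, src, sport, dst, dport))
        return True

def inside_to_dmz_smtp(action):  # constructed: 192.168.5.20 -> DMZ relay, then its SYN-ACK back
    fw = ZoneFirewall()
    fw.zone_pair("INSIDE", "DMZ", ["permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.180 eq smtp"], action)
    c, relay = ip("192.168.5.20"), ip("172.16.1.180")
    return fw.forward("INSIDE", "DMZ", "tcp", c, 50000, relay, 25) and \
           fw.forward("DMZ", "INSIDE", "tcp", relay, 25, c, 50000)
```

`inside_to_dmz_smtp("inspect")` succeeds while `inside_to_dmz_smtp("pass")` fails on the reply, because there is no DMZ-to-INSIDE zone-pair to permit it.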
03-19-2024 03:51 PM
You can have any number or combination - in the end you need to test it based on the IP addresses you are using, and let us know what is not working, since this is your setup and IP addressing; what is outside and what is inside, and what goes in the DMZ, is part of your design.
As I referred to before, the example config is a working one - rather than doing multiple posts on the same concept: have you used those examples? Have you tested? What is not working? Sharing the outcome saves a lot of people's time.
03-19-2024 04:03 PM
That’s just it, I haven’t tried it yet as I don’t want my whole system to go down and my wife to kill me. I’m more asking if my ACL implementation looked correct: the concept, the structure, the placement, the DMZ ACL. I’m not asking for answers to what I don’t know, just for a possible something being backwards, or, wait, what if it DOES work but I don’t know I had the code wrong and everything is wide open. I simply want a “look over” so that if I implement it and it works, it would be safe.
03-20-2024 02:36 PM
If the mapping is correct and routing is in place, it should work as expected - you should also have a backup plan for when it is not working: how do you troubleshoot and fix it?
“I don’t want my whole system to go down and wife kills me”
In that case, if you are not sure, then we suggest keeping your setup simple so that it works for you and is easy to troubleshoot.
Or get simulators like GNS3 or PNET or CML to simulate your concept and test it before you try it in the real world.
03-20-2024 04:02 PM
There are a few things that don't seem right.
First of all, the interface assignment to zones is not entirely correct. You have Gi0/0/0 facing the Internet as OUTSIDE, which is correct, but you also have Gi0/1/5 as INSIDE. The INSIDE interface should be the one facing the FPR, Gi0/1/4. The 192.168.1.0 - 192.168.6.0 subnets are your internal networks that sit after the FPR and should not be present in this device. My suggestion is to move the DHCP servers from the ISR to the FPR.
Any other interface, besides Gi0/0/0 (OUTSIDE) and Gi0/1/4 (INSIDE), will be the DMZ.
03-20-2024 05:13 PM
Hi
I may have written it wrong, but yes, INSIDE was indeed the networks. Also, the DHCP servers are residing on the SG350XG.
03-21-2024 07:24 PM
Alright, works. Thank you friends. Mostly for your patience, but obviously your guidance as well.
03-23-2024 04:01 PM
Glad we could help and that it worked out.