Firewall Basics on C1111 Router

jeremy0463
Spotlight

Can someone please help me understand the basic firewall configuration on the C1111 router. Cisco adds the following during initial configuration through the GUI.

zone security INSIDE
 description Zone for inside interfaces
zone security OUTSIDE
 description Zone for outside interfaces
zone security default

ip access-list extended Web_acl
 permit ip any any

class-map type inspect match-any Web_app
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol icmp

class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl

policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect Web
  inspect
 class class-default
  drop log

zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY

So as I understand it, this defines 3 zones. The default zone is just for unused interfaces. Then, the ACL is put into place to control who can go outbound I guess? Then the first class map inspects outbound traffic based on match-any protocol added. The second class map ensures that traffic matches at least one protocol in the first class map and all the rules in the ACL. Then the policy is created to inspect outbound traffic based on the second Web class map. What is the "drop log" and the class class-default? I don't understand the zone-pair or the service-policy statement. Does that essentially "connect" the two zones and define the direction that the policy will be enforced in, and then assign the policy to the pair?

Additionally, does this by default drop all inbound traffic? Then if I wanted to allow certain inbound traffic, I would need to essentially duplicate the above for an outside-inside policy, etc... Why would the default setup inspect any outbound traffic and not just pass it?

I am very new to this, please go easy.

4 Replies

@jeremy0463 the class-map classifies/matches the traffic, the policy-map determines what action to take (inspect, drop or pass). The zone-pair determines the direction (source and destination) zone interfaces the policy-map applies to.

You need a zone-pair per direction, so from outside to inside etc - which would reference a different policy-map.

You can have multiple class-maps referenced in the policy-map, each with different action.

class-default is a system-defined class map that is used when packets do not match the user-defined class-maps.
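As an added illustration (not code from this thread or from Cisco), here is a small Python model of the evaluation order just described, built from the C1111 default config quoted in the question: interface to zone, zone-pair to policy-map, policy-map to class-map, class-default for everything else. Zone, ACL, class-map and policy names are the question's; the interface names other than Vlan1 and the exact-name protocol matching (IOS actually classifies at layer 4/7) are assumptions for the example.

```python
# Added example, not from the thread: toy model of IOS zone-based firewall evaluation
# for the config quoted above. Interface names other than Vlan1 and the exact-name
# protocol matching are assumptions.
ZONE_OF_INTERFACE = {           # interface -> zone-member security <zone>
    "Vlan1": "INSIDE",
    "GigabitEthernet0/0/0": "OUTSIDE",       # constructed WAN interface
    "GigabitEthernet0/1/1": "default",       # no zone-member: lands in 'zone security default'
}
CLASS_MAPS = {                  # name -> (match-any | match-all, criteria)
    "Web_app": ("match-any", [("protocol", p) for p in ("tcp", "udp", "ftp", "icmp")]),
    "Web": ("match-all", [("class-map", "Web_app"), ("access-group", "Web_acl")]),
}
ACLS = {"Web_acl": [("permit", "any", "any")]}
POLICY_MAPS = {"INSIDE-OUTSIDE-POLICY": [("Web", "inspect"), ("class-default", "drop log")]}
ZONE_PAIRS = {("INSIDE", "OUTSIDE"): "INSIDE-OUTSIDE-POLICY"}   # (source, destination) -> policy

def acl_permits(acl, src, dst):
    for action, a_src, a_dst in ACLS[acl]:
        if a_src in ("any", src) and a_dst in ("any", dst):
            return action == "permit"
    return False                # implicit deny at the end of every IOS ACL

def class_matches(name, proto, src, dst):
    mode, criteria = CLASS_MAPS[name]
    results = []
    for kind, value in criteria:
        if kind == "protocol":
            results.append(value == proto)
        elif kind == "class-map":           # nested class-map, as in 'match class-map Web_app'
            results.append(class_matches(value, proto, src, dst))
        elif kind == "access-group":
            results.append(acl_permits(value, src, dst))
    return any(results) if mode == "match-any" else all(results)

def zbf_action(in_if, out_if, proto, src="any", dst="any"):
    src_zone, dst_zone = ZONE_OF_INTERFACE[in_if], ZONE_OF_INTERFACE[out_if]
    if src_zone == dst_zone:
        return "pass"           # traffic staying inside one zone is not policed by ZBF
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        return "drop"           # inter-zone traffic with no zone-pair/policy is dropped
    for cls, action in POLICY_MAPS[policy]:
        if cls == "class-default" or class_matches(cls, proto, src, dst):
            return action       # first matching class wins; class-default catches the rest

if __name__ == "__main__":
    print(zbf_action("Vlan1", "GigabitEthernet0/0/0", "tcp"))   # inspect
    print(zbf_action("Vlan1", "GigabitEthernet0/0/0", "gre"))   # drop log
    print(zbf_action("GigabitEthernet0/0/0", "Vlan1", "tcp"))   # drop (no OUTSIDE->INSIDE pair)
```

The third call shows why unsolicited inbound traffic is dropped even though no OUTSIDE-to-INSIDE policy is written: without a zone-pair for that direction there is nothing to inspect against, and only replies to inspected INSIDE-to-OUTSIDE sessions get back in.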

balaji.bandi
Hall of Fame

I would suggest reading the basic guidelines when you want to design or configure zone-based firewalls. Then make a small diagram of what you are looking to achieve, with IP addresses, what needs to be allowed and what needs to be dropped between the zones and from the zone to outside.

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

https://community.cisco.com/t5/security-knowledge-base/ios-zone-based-firewall-step-by-step-basic-configuration/ta-p/3142774

BB


jeremy0463
Spotlight

Ok, those are really helpful. I am going to read through them to get more advanced in this. But for now, just to get online and make things safe from attack, am I good with these commands? Then I can layer on top of it or adjust it as I read. I just don't want to be vulnerable while I learn it.

zone security INSIDE
 description Zone for inside interfaces
zone security OUTSIDE
 description Zone for outside interfaces

—————————————————————————————————————————
INSIDE TO OUTSIDE
—————————————————————————————————————————

ip access-list extended INSIDE-TO-OUTSIDE_acl
 permit ip any any

class-map type inspect match-any INSIDE-TO-OUTSIDE_app
 match protocol http
 match protocol https
 match protocol imap
 match protocol ftp
 match protocol ftps
 match protocol icmp
 match protocol snmp
 match protocol ipsec-msft
 match protocol tcp
 match protocol udp

class-map type inspect match-all INSIDE-TO-OUTSIDE_cmap
 match class-map INSIDE-TO-OUTSIDE_app
 match access-group name INSIDE-TO-OUTSIDE_acl

policy-map type inspect INSIDE-TO-OUTSIDE_policy
 class type inspect INSIDE-TO-OUTSIDE_cmap
  inspect
 class class-default
  drop log

zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE_policy

interface gigabitEthernet 0/1/0
 zone-member security INSIDE

interface Vlan1
 zone-member security INSIDE

interface Vlan250
 zone-member security INSIDE

interface gigabitEthernet 0/1/0
 zone-member security OUTSIDE

Friend, your config is OK, there is no problem.

For the zone "default": any interface that is not a member of any other zone is by default a member of this zone; this zone allows any traffic to pass through.

MHM
