12-12-2012 04:06 PM - edited 03-11-2019 05:36 PM
I'm very new to the concept of firewalls. I'm attempting to block specific traffic from the internet into my router and allow only certain traffic out. Each one represents a traffic flow. Examples of the zones and zone pairs would be as follows. I'm confused about the SELF zone and whether it even comes into play here with the WAN zone.
---ZONES---
| Zone | Description |
|---|---|
| ZONE-WAN | Internet access comes into interface Gi0/0. |
| ZONE-LAN | VLANs 1-6 host users who need unfiltered access out to the internet and unfiltered access between each other. |
| ZONE-EDMZ | VLAN 7 needs specific traffic restricted in from the WAN and other specific traffic filtered out to the WAN. Some traffic from the LAN to the EDMZ needs to be filtered, but any traffic from the EDMZ should get to the LAN. |
---ZONE PAIRS---
ZONE-PAIR SELF->WAN
ZONE-PAIR WAN->SELF
ZONE-PAIR LAN->WAN
ZONE-PAIR WAN->LAN
ZONE-PAIR WAN->EDMZ
ZONE-PAIR EDMZ->WAN
ZONE-PAIR LAN->EDMZ
ZONE-PAIR EDMZ->LAN
Using the zones and pairs above (or if any of them can be eliminated), how would I:
1) allow only http and https traffic into the router from the WAN (WAN/ISP connection on interface Gi0/0). All other traffic should be dropped.
2) allow all traffic out to the WAN in a stateful fashion from the LAN on all VLANS (1,2,3,4,5,6). So my users have access to everything on the internet.
3) allow all traffic between all VLANS (1,2,3,4,5,6). Nothing is filtered.
4) restrict specific traffic into the EDMZ from the WAN.
5) restrict specific traffic from the WAN to the EDM
12-13-2012 01:46 AM
Hello!
First I would create the zones themselves:
zone security OUTSIDE
zone security INSIDE
zone security EDMZ
1) I guess you mean from the Internet to the router itself?
class-map type inspect match-any HTTP_CMAP
 match protocol http
 match protocol https
policy-map type inspect OUTSIDE-SELF_PMAP
 class type inspect HTTP_CMAP
  pass ! traffic to the self zone can't be statefully inspected.
 class class-default ! This default class is already there and affects all traffic that is not matched by a previous class-map.
  drop ! The default class-map permits by default when it is applied to the self zone, so it has to be changed.
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF_PMAP
2)
For security reasons I always create an ACL where I permit all my LAN IP ranges.
Like:
ip access-list standard LAN-IP-ADDRESSES
 permit 192.168.0.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 etc....
class-map type inspect LAN-IP-ADDRESSES_CMAP
 match access-group name LAN-IP-ADDRESSES
policy-map type inspect INSIDE-OUTSIDE_PMAP
 class type inspect LAN-IP-ADDRESSES_CMAP
  inspect ! Now traffic is inspected statefully when it is going between zones.
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE_PMAP
3)
Just put them in the same zone. This is done last, because if you put interfaces in zones before you make the policies, everything will be blocked until you have made them.
4) 4 and 5 sound exactly the same to me?
Now it depends on whether you want to permit specific traffic to the EDMZ/DMZ(?) or whether you want to deny specific traffic. It sounds like you want to deny specific traffic, but that is not the best way, because then you have no control, so I will demonstrate the other way around.
class-map type inspect match-any SPECIFIC-TRAFFIC_CMAP ! Make sure to use match-any if you want more than two protocols to be matched.
 match protocol SPECIFIC-PROTOCOL
policy-map type inspect OUTSIDE-EDMZ_PMAP
 class type inspect SPECIFIC-TRAFFIC_CMAP
  inspect
zone-pair security OUTSIDE-EDMZ source OUTSIDE destination EDMZ
 service-policy type inspect OUTSIDE-EDMZ_PMAP
The last thing to do is to add the zones to the interfaces:
interface gi0/0
 zone-member security OUTSIDE
interface something-inside
 zone-member security INSIDE
interface something-inside2
 zone-member security INSIDE
interface edmz
 zone-member security EDMZ
I just wrote this from my head, so everything maybe isn't spelled correctly all the way.
Hope it helps!
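The following is an added worked example, not part of either post above, that assembles the pieces the answer sketches into one complete zone-based firewall configuration for the layout in the question (WAN, LAN VLANs 1-6, EDMZ on VLAN 7, plus the router's self zone), including the LAN->EDMZ and EDMZ->LAN pairs the answer does not show. All addresses (192.168.n.0/24 per VLAN, 192.168.7.0/24 for the EDMZ), the EDMZ web server 192.168.7.10, the interface names and the choice of https as the published EDMZ service are assumptions for illustration.

```cisco
! Added example (not from the original posts). Assumed: WAN on Gi0/0, VLANs 1-7 as
! Gi0/1 subinterfaces, VLAN n = 192.168.n.0/24, EDMZ web server = 192.168.7.10.

zone security OUTSIDE
zone security INSIDE
zone security EDMZ

! Address lists (assumed ranges)
ip access-list standard LAN-IP-ADDRESSES
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
 permit 192.168.6.0 0.0.0.255
! LAN -> EDMZ is limited to the assumed web server on ssh and https
ip access-list extended LAN-TO-EDMZ-ALLOWED
 permit tcp 192.168.0.0 0.0.255.255 host 192.168.7.10 eq 22
 permit tcp 192.168.0.0 0.0.255.255 host 192.168.7.10 eq 443

! 1) Internet -> router itself: only http/https reach the box, the rest is dropped and logged
class-map type inspect match-any HTTP_CMAP
 match protocol http
 match protocol https
policy-map type inspect OUTSIDE-SELF_PMAP
 class type inspect HTTP_CMAP
  pass
 class class-default
  drop log
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF_PMAP
! Caveat: class-default drop also drops replies to sessions the router starts itself
! (NTP, DNS, syslog); give those their own class if the router needs them. With no
! self->OUTSIDE pair defined, router-originated traffic is still allowed out by default.

! 2) LAN -> Internet: everything from the LAN ranges, statefully inspected
class-map type inspect match-all LAN-IP-ADDRESSES_CMAP
 match access-group name LAN-IP-ADDRESSES
policy-map type inspect INSIDE-OUTSIDE_PMAP
 class type inspect LAN-IP-ADDRESSES_CMAP
  inspect
 class class-default
  drop log
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE_PMAP
! No OUTSIDE->INSIDE pair exists, so unsolicited Internet traffic to the LAN is dropped
! while return traffic for inspected sessions is allowed automatically.

! 4/5) Internet -> EDMZ: only the published service (assumed https), statefully
class-map type inspect match-any EDMZ-PUBLISHED_CMAP
 match protocol https
policy-map type inspect OUTSIDE-EDMZ_PMAP
 class type inspect EDMZ-PUBLISHED_CMAP
  inspect
 class class-default
  drop log
zone-pair security OUTSIDE-EDMZ source OUTSIDE destination EDMZ
 service-policy type inspect OUTSIDE-EDMZ_PMAP
! EDMZ -> Internet: reuse HTTP_CMAP so the DMZ host can only reach web services (assumed)
policy-map type inspect EDMZ-OUTSIDE_PMAP
 class type inspect HTTP_CMAP
  inspect
 class class-default
  drop log
zone-pair security EDMZ-OUTSIDE source EDMZ destination OUTSIDE
 service-policy type inspect EDMZ-OUTSIDE_PMAP

! LAN -> EDMZ: only the ACL above, inspected; EDMZ -> LAN: all tcp/udp/icmp, inspected
class-map type inspect match-all LAN-TO-EDMZ_CMAP
 match access-group name LAN-TO-EDMZ-ALLOWED
policy-map type inspect INSIDE-EDMZ_PMAP
 class type inspect LAN-TO-EDMZ_CMAP
  inspect
 class class-default
  drop log
zone-pair security INSIDE-EDMZ source INSIDE destination EDMZ
 service-policy type inspect INSIDE-EDMZ_PMAP
class-map type inspect match-any ANY-L4_CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect EDMZ-INSIDE_PMAP
 class type inspect ANY-L4_CMAP
  inspect
zone-pair security EDMZ-INSIDE source EDMZ destination INSIDE
 service-policy type inspect EDMZ-INSIDE_PMAP

! 3) VLANs 1-6 all share zone INSIDE, so traffic between them is never filtered.
! Interface membership goes in last, after the policies exist (assumed interface names).
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 zone-member security INSIDE
! ... same zone-member security INSIDE on Gi0/1.2 through Gi0/1.6 ...
interface GigabitEthernet0/1.7
 encapsulation dot1Q 7
 zone-member security EDMZ
```

After applying it, `show zone-pair security` lists each pair with its policy, and `show policy-map type inspect zone-pair sessions` shows the sessions the inspect actions are tracking, which is the quickest way to confirm that LAN->Internet traffic is being inspected rather than silently dropped. The EDMZ->LAN pair allows everything because the question asks for it; in practice that pair is the one to narrow to the few flows the DMZ host really needs, since it is the path a compromised DMZ host would take into the LAN.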