cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
743
Views
0
Helpful
3
Replies

ZBF - New user looking for feedback

cluck_hurst76
Level 1
Level 1

Hi Community,

It has been a long time since i've worked CLI with Cisco and have just started a small business with a partner and dug out an old 871w to use at the office.

After some time I got it working where Bridged Wireless and Wired are separated into VLAN 1 (Private) and VLAN 2 (Public). We will be adding a VLAN 3 for Voice network later on.

So after reading a ton of stuff on ZBF's; my head a spinning, I thought I would tackle it. I am at a design stage only and have mapped out a diagram for the network and started with what sounded as the most complicated section - the self zone.

I am basically looking for some general feedback to see if I'm on the correct path overal and maybe offer correction if needed or suggest better methods. Some constructive critisims if you will.

It's a learning exercise for me; as I mentioned it's been a long time since I touched CLI with device like this.

I have attached a speadsheet with diagram and self zone config; look forward to responses.

Thanks in advance,

Chris

3 Replies 3

Elton Babcock
Level 1
Level 1

I have always thought of the self group as the easy one. Self is the router interfaces itself and if I remember correctly the self zone can go anywhere.

If you can be a little more in depth about what you want and what traffic will need to go where I can help setup your class and policy maps along with the ACLs.

You really just have to think of each area on your network as a zone and define what kind of zone it is with a name. Then you create a policy for traffic in each direction between the zones. The tricky part is when you start needing specific traffic to move across the zones when your action is drop. This is where the ACLs are important. Anyways, get back to me and we can get it all figured out.

Elton

Sent from Cisco Technical Support iPhone App

Hi Elton,

Thanks for the response.

I attached a spreadsheet to the post, but I see you read via the mobile phone J

I will copy and paste the work I’ve done below.  Essentially looking at

Zone A: Private Network (Wired/Wireless Bridge)

Zone B: Public Network (Wired/Wireless Bridge)

Zone C: Self

Zone D: Outside

Zone E: DMZ (nothing there yet, future use)

Zone F: Voice Network  (IP based phones)

Zone G: VPN (future use)

As my post said, thought I would work on the self first; as I said, like to learn and understand what I’m doing as I go.

Thanks,

Chris

English:

- deny telnet connectivity from all zones

- deny http connectivity from all zones

-  allow SSH only from private networks

-  all https only from private networks

-  allow icmp echo, reply, trace and unreachables from all networks *except *outside

-  allow tftp from private network, limited hosts

-  allow smtp from private network, limited hosts

- allow domain lookups

*ACLS*

ip access-list extended PRIVATE_NETWORK_TO_SELF_ACL

permit icmp 192.168.1.0 0.0.0.15 any eq echo-reply

permit  icmp 192.168.1.0 0.0.0.15 any eq echo

permit icmp 192.168.1.0 0.0.0.15 any net-unreachable

permit tcp 192.168.1.0 0.0.0.15 any eq ssh

permit tcp 192.168.1.0 0.0.0.15 any eq 443

permit tcp 192.168.1.0 0.0.0.15 any eq domain

permit udp 192.168.1.0 0.0.0.15 any eq domain

permit udp 192.168.1.0 0.0.0.15 any eq snmp

permit udp 192.168.1.0 0.0.0.15 any eq tftp

ip access-list extended PUBLIC_NETWORK_TO_SELF_ACL

permit icmp 10.10.10.0 0.0.0.255 any eq echo

permit icmp 10.10.10.0 0.0.0.255 any eq echo-reply

ip access-list extended VOICE_NETWORK_TO_SELF_ACL

  permit 192.168.2.0 0.0.0.255 any eq echo-reply

ip access-list extended SELF_TO_VOICE_NETWORK_ACL

  permit icmp any any echo-reply

  permit icmp any any echo

  permit icmp any any unreachable

ip access-list extended SELF_TO_PRIVATE_NETWORK_ACL

   permit icmp any any echo

   permit tcp any any eq ssh

   permit tcp any any eq www

   permit tcp any any eq 443

ip access-list extended OUTSIDE_TO_SELF_ACL

  deny ip any any 

ip access-list extended SELF_TO_OUTSIDE_ACL

   permit icmp any any echo-reply

  permit icmp any any echo

  permit icmp any any traceroute

  permit icmp any any unreachable

ip access-list extended SELF_TO_PUBLIC_NETWORK

  permit icmp any any eq echo

class-map type inspect match-any MANAGEMENT_PROTOCOLS_CMAP

  description Protocols used in Management of the router

  match protocol tcp

  match protocol udp

  match protocol icmp

  match protocol h323

! Traffic originated from Zone A (Private) to Self

class-map type inspect match-all PRIVATE_NETWORK_TO_SELF_CMAP

  match access-group name PRIVATE_NETWORK_TO_SELF_ACL

   match class-map MANAGEMENT_PROTOCOLS_CMAP

!  Traffic originated from the Self  to Zone A (Prviate)

class-map type inspect match-all SELF_TO_PRIVATE NETWORK_CMAP

     match access-group name SELF_TO_PRIVATE_NETWORK_ACL

     match class-map MANAGEMENT_PROTOCOLS_CMAP

! Traffic originating Outside (Zone D) to Self

class-map type inspect match-any OUTSIDE_TO_SELF_CMAP

   match access-group name OUTSIDE_TO_SELF_ACL

   match class-map MANAGEMENT_PROTOCOLS_CMAP

!Traffic originating Self to Outside (Zone D)

class-map type inspect match-any SELF_TO_OUTSIDE_CMAP

      match access-group name SELF_TO_OUTSIDE_ACL

      match protocol icmp

! Traffic originating Self to Zone B (Public)

class-map type inspect match-all SELF_TO_PUBLIC_NETWORK_CMAP

   match access-group name SELF_TO_PUBLIC_NETWORK

    match protocol icmp

! Traffic originating Zone B (Public) to Self

class-map type inspect match-all PUBLIC_NETWORK_TO_SELF_CMAP

    match access-group name PUBLIC_NETWORK_TO_SELF_ACL

    match protocol icmp

! Traffic originating Zone F (Voice) to Self

class-map type inspect match-all  VOICE_NETWORK_TO_SELF_CMAP

    match access-group name  VOICE_NETWORK_TO_SELF_ACL

    match protocol icmp

! Traffic originating Self to Zone F (Voice)

class-map type inspect match-all SELF_TO_VOICE_NETWORK_CMAP

    match access-group name SELF_TO_VOICE_NETWORK_ACL

    match protocol icmp

! Policy from Outside (Zone D) to Self

policy-map type inspect OUTSIDE_TO_SELF_PMAP

  class type inspect OUTSIDE_TO_SELF_CMAP

      inspect

   class class-default

      drop log

! Policy from Self to Outside (Zone D)

policy-map type inspect  SELF_TO_OUTSIDE_PMAP

   class type inspect  SELF_TO_OUTSIDE_CMAP

      inspect

   class class-default

     drop log

! Policy from Private Network (Zone A) to Self

policy-map type inspect  PRIVATE_NETWORK_TO_SELF_PMAP

   class type inspect PRIVATE_NETWORK_TO_SELF_CMAP

      pass

   class class-default

     drop log

! Policy from Self to Private Network (Zone A)

policy-map type inspect  SELF_TO_PRIVATE_NETWORK_PMAP

   class type inspect  SELF_TO_PRIVATE NETWORK_CMAP

      pass

   class class-default

     drop log

! Policy from  Public Network (Zone B) to Self

policy-map type inspect  PUBLIC_NETWORK_TO_SELF_PMAP

   class type inspect  PUBLIC_NETWORK_TO_SELF_CMAP

      inspect

   class class-default

     drop log

! Policy from  Self to Public Network (Zone B)

policy-map type inspect  SELF_TO_PUBLIC_NETWORK_PMAP

   class type inspect  SELF_TO_PUBLIC_NETWORK_CMAP

      inspect

   class class-default

     drop log

! Policy from  Voice Network (Zone F) to Self

policy-map type inspect  VOICE_NETWORK_TO_SELF_PMAP

   class type inspect VOICE_NETWORK_TO_SELF_CMAP

      inspect

   class class-default

     drop log

! Policy from Self to Voice Network (Zone F)

policy-map type inspect  SELF_TO_VOICE_NETWORK_PMAP

   class type inspect  SELF_TO_VOICE_NETWORK_CMAP

      inspect

   class class-default

     drop log

... continued later for VPN and DMZ zones, allowing VPN protocols in self zone if I recall readings

'Private Network and Self

zone-pair security PRIVATE_NETWORK_TO_SELF_ZP source PRIVATE_NETWORK destination self

   service-policy type inspect PRIVATE_NETWORK_TO_SELF_PMAP

zone-pair security  SELF_TO_PRIVATE_NETWORK_ZP source self destination PRIVATE_NETWORK

   service-policy type inspect SELF_TO_PRIVATE_NETWORK_PMAP

-------------------------------------------------------------------------------------------------------------------------------

zone-pair security PUBLIC_NETWORK_TO_SELF _ZP source PUBLIC_NETWORK  destination self

   service-policy type inspect PUBLIC_NETWORK_TO_SELF_PMAP

zone-pair security SELF_TO_PUBLIC_NETWORK _ZP source self destination PUBLIC_NETWORK

   service-policy type inspect SELF_TO_PUBLIC_NETWORK_PMAP

-----------------------------------------------------------------------------------------------------------------

zone-pair security VOICE_NETWORK_TO_SELF _ZP source VOICE_NETWORK  destination self

   service-policy type inspect VOICE_NETWORK_TO_SELF_PMAP

zone-pair security SELF_TO_VOICE_NETWORK _ZP source self  destination VOICE_NETWORK

   service-policy type inspect  SELF_TO_VOICE_NETWORK_PMAP

--------------------------------------------

zone-pair security OUTSIDE_TO_SELF _ZP source OUTSIDE  destination self

   service-policy type inspect OUTSIDE_TO_SELF_PMAP

zone-pair security SELF_TO_OUTSIDE_ZP source  self destination OUTSIDE

   service-policy type inspect SELF_TO_OUTSIDE_CMAP

------------------------------------------------------------

It really does look like your on the right track. Just some things to be mindful of.

Being that the self zone is essentially traffic originating from the router and coming into the router itself, you probably don't need a subnet defined in the ACL. A host address would probably work fine.

Everything appears to look good and it should work. My suggestion is just get things up and running and then implement the FW policies one at a time to help with troubleshooting problems. Trying to do it all at once could be a nightmare.

Elton

Review Cisco Networking for a $25 gift card