This guide walks through configuring a Cisco IOS zone-based firewall (ZBFW).
Pre-requisites:
1. The zones must already be designed and mapped onto the router topology.
2. The traffic that must pass between zones must already be identified and understood.
In our example, we'll be using the following diagram, with three zones: INSIDE (10.1.1.0/24), DMZ (192.168.1.0/24) and OUTSIDE (everything else):
Here is the chart we'll be using to identify inter-zone traffic. Rows are the source zone and columns the destination zone; "x" marks a zone talking to itself and "-" means no traffic is permitted in that direction:

| Source \ Destination | in | dmz        | out       |
|----------------------|----|------------|-----------|
| in                   | x  | http, imap | http, ftp |
| dmz                  | -  | x          | smtp      |
| out                  | -  | http, smtp | x         |
Once the ZBFW has been designed using the above criteria, it is time to apply the configuration. Here are the steps we will execute:
1. Create a "match access-list" and a "protocol class-map" for each direction: the access-list identifies the traffic by address, and the protocol class-map selects the protocol-specific inspection.
2. Create a "traffic class-map" that combines the "match access-list" and the "protocol class-map".
3. Create a "traffic policy-map" that inspects, drops or passes the traffic identified by the "traffic class-map".
4. Create a zone-pair for each permitted direction and apply the "traffic policy-map" from step 3 to it as a "traffic service-policy".
Step 1: Create "match access-list" and "protocol class-map"
Create the access-lists that identify, by address, the traffic to be matched as it crosses between zones. These ACLs only select traffic for the class-map; because of the implicit deny at the end of each ACL, anything they do not permit never matches the class and ends up in class-default, which is dropped.
ip access-list extended IN_TO_OUT_ACL
10 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended IN_TO_DMZ_ACL
10 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended DMZ_TO_OUT_ACL
10 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended OUT_TO_DMZ_ACL
10 permit ip any 192.168.1.0 0.0.0.255
Then create one protocol class-map per direction from the chart. These are match-any, so a packet belonging to any of the listed protocols matches, and each "match protocol" line enables that protocol's application-layer inspection (for ftp this is what lets the data channel through).
class-map type inspect match-any IN_TO_OUT_PROTOCOLS
match protocol http
match protocol ftp
class-map type inspect match-any IN_TO_DMZ_PROTOCOLS
match protocol http
match protocol imap
class-map type inspect match-any DMZ_TO_OUT_PROTOCOLS
match protocol smtp
class-map type inspect match-any OUT_TO_DMZ_PROTOCOLS
match protocol http
match protocol smtp
Step 2: Create "traffic class-map"
Create a match-all class-map per direction that combines the access-list and the protocol class-map from step 1. Match-all means traffic must satisfy both the address test and the protocol test to match; note that the class-map name must be the one used in the policy-map in step 3.
class-map type inspect match-all IN_TO_OUT_CMAP
match access-group name IN_TO_OUT_ACL
match class-map IN_TO_OUT_PROTOCOLS
class-map type inspect match-all IN_TO_DMZ_CMAP
match access-group name IN_TO_DMZ_ACL
match class-map IN_TO_DMZ_PROTOCOLS
class-map type inspect match-all DMZ_TO_OUT_CMAP
match access-group name DMZ_TO_OUT_ACL
match class-map DMZ_TO_OUT_PROTOCOLS
class-map type inspect match-all OUT_TO_DMZ_CMAP
match access-group name OUT_TO_DMZ_ACL
match class-map OUT_TO_DMZ_PROTOCOLS
Step 3: Create "traffic policy-map"
Now that we've created the four class-maps that identify the traffic, we need to attach an action to each. "inspect" creates a stateful session entry so the return traffic of that session is allowed back through the zone-pair; "pass" lets traffic through without keeping state (so the return direction would need its own policy) and "drop" discards it. Anything on the zone-pair that does not match the class falls into class-default, which is dropped even if it is not listed; listing it explicitly makes the intent visible (add the log keyword to drop if you want those drops recorded). Take care that each policy-map references its own class-map: a copy-and-paste of the wrong class name is accepted by the router and simply inspects the wrong traffic.
policy-map type inspect IN_TO_OUT_PMAP
class type inspect IN_TO_OUT_CMAP
inspect
class class-default
drop
policy-map type inspect IN_TO_DMZ_PMAP
class type inspect IN_TO_DMZ_CMAP
inspect
class class-default
drop
policy-map type inspect DMZ_TO_OUT_PMAP
class type inspect DMZ_TO_OUT_CMAP
inspect
class class-default
drop
policy-map type inspect OUT_TO_DMZ_PMAP
class type inspect OUT_TO_DMZ_CMAP
inspect
class class-default
drop
Step 4: Apply the "traffic service-policy"
The last step is to create a zone-pair for each direction allowed in the chart and apply its policy-map, which activates the zone based firewall. Zone-pairs are unidirectional: the return traffic of an inspected session is allowed back automatically, so no reverse zone-pair is needed, and any direction for which no zone-pair exists (dmz to in and out to in in the chart) is dropped. A zone-pair that exists but has no service-policy also drops everything.
zone-pair security IN_TO_OUT_ZP source INSIDE destination OUTSIDE
service-policy type inspect IN_TO_OUT_PMAP
zone-pair security IN_TO_DMZ_ZP source INSIDE destination DMZ
service-policy type inspect IN_TO_DMZ_PMAP
zone-pair security DMZ_TO_OUT_ZP source DMZ destination OUTSIDE
service-policy type inspect DMZ_TO_OUT_PMAP
zone-pair security OUT_TO_DMZ_ZP source OUTSIDE destination DMZ
service-policy type inspect OUT_TO_DMZ_PMAP
Please note that the zones must already exist or the zone-pair commands in step 4 will be rejected. If not already done, create them first with the following commands:
zone security INSIDE
zone security DMZ
zone security OUTSIDE
Final Steps
Now that the entire ZBFW policy has been built, the last step is to make each interface a member of its zone with "zone-member security". Once an interface joins a zone, traffic between it and any interface in a different zone (or in no zone at all) is dropped unless a zone-pair with a policy allows it; traffic between interfaces in the same zone still flows freely, and traffic to and from the router itself (the self zone) stays permitted by default. If you manage the router over one of these interfaces, do this last and from a console session in case the policy does not behave as expected.
interface FastEthernet0/0
zone-member security INSIDE
interface FastEthernet0/1
zone-member security DMZ
interface FastEthernet0/2
zone-member security OUTSIDE
Verify the result with "show zone-pair security" (the zone-pairs and the policy-map applied to each) and "show policy-map type inspect zone-pair sessions" (the sessions currently being inspected).
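The slips that are easy to make in a configuration like this (an ACL referenced under a name that does not exist, a class-map pasted into the wrong policy-map) are accepted silently and only show up when traffic fails, and a zone-pair that names a zone not yet created is rejected by the router but sits unnoticed in a text file. The following Python script, added here as an example and not Cisco tooling, parses the ZBFW-relevant blocks of a saved running-config and cross-checks every reference: ACLs and nested class-maps named by class-maps, class-maps named by policy-maps, and zones and policy-maps named by zone-pairs. Two checks are heuristics of my own, not router rules: a class-map applied by more than one policy-map, and a class-map that is never applied. The configuration text inside is constructed for the example (the inside-to-outside and inside-to-dmz legs of this guide with three mistakes deliberately left in), and the parser assumes the "show running-config" layout in which sub-commands are indented under their parent command.

```python
# Cross-check a Cisco IOS zone-based firewall config for dangling or misapplied
# references.  Example code added to this guide, not Cisco tooling.
import re
from collections import defaultdict
# Constructed sample (inside->outside and inside->dmz legs) with three slips left in:
# ACL INT_TO_DMZ_ACL is referenced as IN_TO_DMZ_ACL, IN_TO_DMZ_PMAP applies the
# inside->outside class-map, and zone OUTSIDE is never created.
SAMPLE_CONFIG = """
ip access-list extended IN_TO_OUT_ACL
 10 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended INT_TO_DMZ_ACL
 10 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
class-map type inspect match-any IN_TO_OUT_PROTOCOLS
 match protocol http
class-map type inspect match-any IN_TO_DMZ_PROTOCOLS
 match protocol http
class-map type inspect match-all IN_TO_OUT_CMAP
 match access-group name IN_TO_OUT_ACL
 match class-map IN_TO_OUT_PROTOCOLS
class-map type inspect match-all IN_TO_DMZ_CMAP
 match access-group name IN_TO_DMZ_ACL
 match class-map IN_TO_DMZ_PROTOCOLS
policy-map type inspect IN_TO_OUT_PMAP
 class type inspect IN_TO_OUT_CMAP
  inspect
policy-map type inspect IN_TO_DMZ_PMAP
 class type inspect IN_TO_OUT_CMAP
  inspect
zone security INSIDE
zone security DMZ
zone-pair security IN_TO_OUT_ZP source INSIDE destination OUTSIDE
 service-policy type inspect IN_TO_OUT_PMAP
zone-pair security IN_TO_DMZ_ZP source INSIDE destination DMZ
 service-policy type inspect IN_TO_DMZ_PMAP
"""
# The same text with the three slips corrected; the linter should find nothing.
FIXED_CONFIG = SAMPLE_CONFIG.replace("INT_TO_DMZ_ACL", "IN_TO_DMZ_ACL").replace(
    "IN_TO_DMZ_PMAP\n class type inspect IN_TO_OUT_CMAP",
    "IN_TO_DMZ_PMAP\n class type inspect IN_TO_DMZ_CMAP") + "zone security OUTSIDE\n"

TOP = [  # top-level commands that open a block we track: (kind, pattern)
    ("acl", r"ip access-list (?:standard|extended) (\S+)"),
    ("class-map", r"class-map type inspect match-(?:any|all) (\S+)"),
    ("policy-map", r"policy-map type inspect (\S+)"),
    ("zone", r"zone security (\S+)"),
    ("zone-pair", r"zone-pair security (\S+) source (\S+) destination (\S+)"),
]

def parse_zbfw(config):
    """Collect ZBFW objects and the names each references; top-level commands start
    in column 0 and sub-commands are indented, as in 'show running-config'."""
    cfg = {kind: {} for kind, _ in TOP}
    kind = name = None
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        if not line[0].isspace():                       # a new top-level command
            kind = name = None
            for k, pat in TOP:
                if m := re.match(pat, line):
                    kind, name = k, m.group(1)
                    cfg[k][name] = {"acl": [], "class-map": [], "classes": [],
                                    "zones": list(m.groups()[1:]), "policy": None}
                    break
            continue
        if kind is None:                                # inside a block we do not track
            continue
        rec, body = cfg[kind][name], line.strip()
        if m := re.match(r"match access-group name (\S+)", body):
            rec["acl"].append(m.group(1))               # class-map -> ACL
        elif m := re.match(r"match class-map (\S+)", body):
            rec["class-map"].append(m.group(1))         # class-map -> nested class-map
        elif (m := re.match(r"class (?:type inspect )?(\S+)", body)) and m.group(1) != "class-default":
            rec["classes"].append(m.group(1))           # policy-map -> class-map
        elif m := re.match(r"service-policy type inspect (\S+)", body):
            rec["policy"] = m.group(1)                  # zone-pair -> policy-map
    return cfg

def lint_zbfw(config):
    """Return findings as strings; an empty list means every reference resolves."""
    cfg, out = parse_zbfw(config), []
    users = defaultdict(list)                           # class-map -> policy-maps applying it
    for cm, rec in cfg["class-map"].items():
        out += [f"class-map {cm} references undefined ACL {a}" for a in rec["acl"] if a not in cfg["acl"]]
        out += [f"class-map {cm} references undefined class-map {c}" for c in rec["class-map"] if c not in cfg["class-map"]]
    for pm, rec in cfg["policy-map"].items():
        for cm in rec["classes"]:
            users[cm].append(pm)
            if cm not in cfg["class-map"]:
                out.append(f"policy-map {pm} references undefined class-map {cm}")
    # heuristic: one class-map driving several policy-maps is usually a copy-paste slip between zone-pairs
    out += [f"class-map {cm} is applied by several policy-maps: {', '.join(p)}" for cm, p in users.items() if len(p) > 1]
    nested = {c for rec in cfg["class-map"].values() for c in rec["class-map"]}
    out += [f"class-map {cm} is defined but never applied" for cm in cfg["class-map"] if cm not in users and cm not in nested]
    for zp, rec in cfg["zone-pair"].items():
        out += [f"zone-pair {zp} uses undefined zone {z}" for z in rec["zones"] if z not in cfg["zone"]]
        if rec["policy"] not in cfg["policy-map"]:    # None (no service-policy) or an unknown name
            out.append(f"zone-pair {zp} references undefined policy-map {rec['policy']}")
    return out

if __name__ == "__main__":
    print(*(lint_zbfw(SAMPLE_CONFIG) or ["no findings"]), sep="\n")
```

Run it against a copy of your own running-config (the parser ignores every block it does not recognise) and treat the two heuristic findings as prompts to look, not as errors: a class-map legitimately shared between two zone-pairs would be flagged too.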