Security zones are defined in global configuration mode. You have the
option of including a description for each zone, but that's it.
Router(config)# zone security Trusted
Router(config-sec-zone)# zone security Guest
Router(config-sec-zone)# zone security Internet
(For those wishing to copy and paste, the complete configuration is
available at the end of the article.)
There is also a special default zone named "self". This zone applies to
traffic which originates from or is destined for the control plane of the router
itself (e.g. routing protocols, SSH, SNMP, etc.). By default, all traffic is
allowed into the self zone.
Physical and logical interfaces are assigned to security zones in a manner
similar to how they may be designated NAT inside and outside interfaces,
with the command zone-member security. In our lab, FastEthernet0/0
is an IEEE 802.1Q trunk to the core LAN switch carrying the data (1), voice
(10), and guest wireless (99) VLANs. FastEthernet0/1 connects to the
MPLS WAN and FastEthernet0/2/0 connects to a broadband Internet
circuit.
Router(config)# interface f0/0.1
Router(config-subif)# zone-member security Trusted
Router(config-subif)# interface f0/0.10
Router(config-subif)# zone-member security Trusted
zone Trusted
Member Interfaces:
FastEthernet0/0.1
FastEthernet0/1
FastEthernet0/0.10
zone Guest
Member Interfaces:
FastEthernet0/0.99
zone Internet
Member Interfaces:
FastEthernet0/2/0
First, we'll create a class map to match all of the traffic we want to allow
from the Trusted zone out to the Internet. We want to inspect all traffic
outbound to the Internet so that return traffic is allowed statefully.
Unfortunately, we can't use the inspect action with the default class map,
so we'll need to create a custom class map to match the base protocols
TCP, UDP, and ICMP. (This doesn't allow non-TCP/UDP protocols such as
IPsec, but meets our needs.)
Router(config)# class-map type inspect match-any All_Protocols
Router(config-cmap)# match protocol tcp
For the intra-zone Trusted policy, we simply use the pass action on the default class map; there is no need to inspect
and allow return traffic, since the intra-zone pair applies in both directions.
Router(config)# policy-map type inspect Trusted
Router(config-pmap)# class class-default
Router(config-pmap-c)# pass
Lastly, we'll apply the three policy maps to their appropriate zone pairs.
Router(config)# zone-pair security Trusted->Internet source Trusted destination Internet
Router(config-sec-zone-pair)# service-policy type inspect Trusted_to_Internet
Router(config-sec-zone-pair)# zone-pair security Guest->Internet source Guest destination Internet
Router(config-sec-zone-pair)# service-policy type inspect Guest_to_Internet
Router(config-sec-zone-pair)# zone-pair security Trusted source Trusted destination Trusted
Router(config-sec-zone-pair)# service-policy type inspect Trusted
We can verify our configuration using the command show zone-pair
security:
Router# show zone-pair security
Zone-pair name Trusted
Source-Zone Trusted Destination-Zone Trusted
service-policy Trusted
Zone-pair name Trusted->Internet
Source-Zone Trusted Destination-Zone Internet
service-policy Trusted_to_Internet
Zone-pair name Guest->Internet
Source-Zone Guest Destination-Zone Internet
service-policy Guest_to_Internet
More detail on the entire firewall policy hierarchy can be obtained
with the command show policy-map type inspect zone-pair:
Router# show policy-map type inspect zone-pair
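The verdict a zone-pair produces for a given flow can be reasoned about before the configuration is pushed. The Python model below is an added example, not code from the original article: it encodes the ZPF forwarding rules (traffic between a zoned and an unzoned interface is dropped, traffic between different zones needs a zone-pair, the self zone is open by default, class-default drops unless told otherwise, and an inspected flow admits its return traffic) and loads the zones, member interfaces and zone-pairs shown above. Two assumptions: the body of the Guest_to_Internet policy is not shown on the page and is modelled like Trusted_to_Internet, and a session is keyed only by (ingress, egress, protocol), whereas a real inspect session also keys on addresses and ports.

```python
"""Decision model for a Cisco IOS zone-based firewall (ZPF).

Added example, not code from the original article. It encodes the ZPF
forwarding rules and loads the article's zones, interfaces and zone-pairs
so a flow can be checked offline.
Assumptions: the Guest_to_Internet policy body is not shown on the page and
is modelled like Trusted_to_Internet; a session is keyed only by
(ingress, egress, protocol), a real inspect session also keys on
addresses and ports.
"""
from dataclasses import dataclass, field

SELF_ZONE = "self"                 # control-plane traffic (routing protocols, SSH, SNMP, ...)
CONTROL_PLANE = "control-plane"    # pseudo-interface standing in for the router itself


@dataclass
class Policy:
    """A policy-map type inspect: ordered (protocol set, action) classes.

    A protocol set of None matches any protocol. Anything no class matches
    falls through to class-default, which drops unless configured otherwise.
    """
    classes: list
    default_action: str = "drop"

    def action_for(self, protocol):
        for protocols, action in self.classes:
            if protocols is None or protocol in protocols:
                return action
        return self.default_action


@dataclass
class Firewall:
    zone_of: dict = field(default_factory=dict)   # interface -> zone name
    pairs: dict = field(default_factory=dict)     # (src zone, dst zone) -> Policy
    sessions: set = field(default_factory=set)    # inspected flows awaiting return traffic

    def decide(self, ingress, egress, protocol):
        """Return a verdict for a flow entering `ingress` and leaving `egress`."""
        # Return traffic of a previously inspected flow is allowed statefully.
        if (egress, ingress, protocol) in self.sessions:
            return "permit (stateful return)"
        src, dst = self.zone_of.get(ingress), self.zone_of.get(egress)
        # The self zone is open by default unless a zone-pair involving it exists.
        if SELF_ZONE in (src, dst) and (src, dst) not in self.pairs:
            return "permit (self zone default)"
        if src is None and dst is None:
            return "permit (neither interface is in a zone)"
        if src is None or dst is None:
            return "drop (zoned to unzoned interface)"
        if src == dst and (src, dst) not in self.pairs:
            return "permit (intra-zone default)"
        policy = self.pairs.get((src, dst))
        if policy is None:
            return "drop (no zone-pair)"
        action = policy.action_for(protocol)
        if action == "inspect":
            self.sessions.add((ingress, egress, protocol))
            return "permit (inspect)"
        if action == "pass":
            return "permit (pass)"
        return "drop (policy)"


def article_firewall():
    """Build the article's topology: zones, member interfaces and zone-pairs."""
    fw = Firewall()
    for intf in ("FastEthernet0/0.1", "FastEthernet0/0.10", "FastEthernet0/1"):
        fw.zone_of[intf] = "Trusted"
    fw.zone_of["FastEthernet0/0.99"] = "Guest"
    fw.zone_of["FastEthernet0/2/0"] = "Internet"
    fw.zone_of[CONTROL_PLANE] = SELF_ZONE
    all_protocols = {"tcp", "udp", "icmp"}   # the article's All_Protocols class map
    fw.pairs[("Trusted", "Internet")] = Policy([(all_protocols, "inspect")])
    # Assumption: Guest_to_Internet is not shown on the page; modelled like Trusted_to_Internet.
    fw.pairs[("Guest", "Internet")] = Policy([(all_protocols, "inspect")])
    # Intra-zone pair Trusted: class-default pass, applies in both directions.
    fw.pairs[("Trusted", "Trusted")] = Policy([], default_action="pass")
    return fw


if __name__ == "__main__":
    fw = article_firewall()
    checks = [
        ("FastEthernet0/0.1", "FastEthernet0/2/0", "tcp"),    # LAN -> Internet, inspected
        ("FastEthernet0/2/0", "FastEthernet0/0.1", "tcp"),    # its return traffic
        ("FastEthernet0/2/0", "FastEthernet0/0.10", "tcp"),   # unsolicited inbound
        ("FastEthernet0/0.99", "FastEthernet0/0.1", "tcp"),   # guest -> trusted
        ("FastEthernet0/0.1", "FastEthernet0/2/0", "esp"),    # IPsec, not in All_Protocols
        ("FastEthernet0/0.1", "FastEthernet0/1", "tcp"),      # VLAN 1 -> MPLS WAN, same zone
        ("Loopback0", "FastEthernet0/0.1", "tcp"),            # unzoned interface
    ]
    for ingress, egress, proto in checks:
        print(f"{ingress:>18} -> {egress:<18} {proto:<5} {fw.decide(ingress, egress, proto)}")
```

Running the script prints a verdict per flow. The esp check reproduces the caveat from the class-map section: IPsec is not matched by All_Protocols, so it falls through to class-default and is dropped, while the unsolicited Internet->Trusted flow is dropped simply because no zone-pair exists in that direction.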
Zone-based policy firewalls (ZPF) are the latest development in the evolution of
Cisco firewall technologies. In this activity, you configure a basic ZPF on an edge
router R3 that allows internal hosts access to external resources and blocks external
hosts from accessing internal resources. You then verify firewall functionality from
internal and external hosts.
R3:
Task 2:
Note:
Step 1.
For all configuration tasks, be sure to use the exact names as specified.
Step 2.
Task 3:
Step 1.
Use the access-list command to create extended ACL 101 to permit all IP protocols
from the 192.168.3.0/24 source network to any destination.
Step 2.
Use the class-map type inspect command with the match-all option to create a
class map named IN-NET-CLASS-MAP. Use the match access-group command
to match ACL 101.
Note:
Specific protocols (HTTP, FTP, etc.) can be matched using the match-any option in order to provide more precise control over what type of traffic is
inspected.
Task 4:
Step 1.
Use the policy-map type inspect command and create a policy map named IN-2OUT-PMAP.
Step 2.
CLASS-MAP.
Step 3.
The use of the inspect command invokes context-based access control (other
options include pass and drop).
R3(config-pmap-c)# inspect
Issue the exit command twice to leave config-pmap-c mode and return
to config mode.
R3(config-pmap-c)# exit
R3(config-pmap)# exit
interface fa0/1
zone-member security IN-ZONE
interface s0/0/1
zone-member security OUT-ZONE