CCNA Experiment 38 ZFW (Zone Firewall)


Environment: Windows XP, Packet Tracer 5.3

Objective: To understand the principle and basic configuration of ZFW

Description

ZFW (Zone-Based Policy Firewall) is a firewall whose policies are applied between zones. A policy takes effect only on traffic that travels from one zone to another; traffic that stays inside a single zone is not subject to any policy. By placing interfaces in different zones we can apply whatever policy we want between them, and interfaces that never need to be policed against each other can simply be placed in the same zone, where they exchange traffic freely. The zone is the smallest unit to which a firewall policy is applied; a zone may contain one interface or several.

Traffic between zones is dropped by default, so the appropriate policy must be configured to allow the traffic that should pass. Interfaces in the same zone need no policy because they can reach each other freely; policies are only needed between zones. A policy between two zones must state which zone is the source and which is the destination, that is, the direction must be configured. For example, a policy that allows all traffic from Zone1 to Zone2 has Zone1 as the source zone and Zone2 as the destination zone. The object that groups a source zone and a destination zone for a policy is called a zone-pair. A zone-pair therefore represents policy in one direction, from one zone to another; to apply a policy from one zone to another you must create the zone-pair and attach the policy to it. When the policy action is inspect, no policy is needed for the returning traffic, because the return data of an inspected session is allowed by default; when the action is pass, return traffic is not automatically allowed, and when the action is drop the traffic is simply discarded. If you have two zones and want policies in both directions, for example Zone1 to Zone2 and Zone2 to Zone1, you must configure two zone-pairs, one for each direction.
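To make the rules above concrete, here is an added worked example that is not part of the original lab and not Cisco code: a small Python model of the ZFW decision logic, loaded with the three zones (Privatezone, Dmzzone, Internetzone), the two class-maps and the three zone-pairs that the Steps below configure on the FireWall router. The Flow layout, the reason strings returned by forward(), the helper names and the sample addresses and ports are assumptions of this model; protocol matching is by name only, so it does not reproduce how IOS would classify, for example, FTP under a tcp match.

```python
# Toy model of Cisco ZFW decision logic (added illustration, not Cisco code).
# Flow layout, reason strings and sample addresses are assumptions of this model.
from dataclasses import dataclass, field

INSPECT, PASS, DROP = "inspect", "pass", "drop"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str  # name as used in 'match protocol', e.g. "http"

    def key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.protocol)

    def reverse_key(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.protocol)


@dataclass
class Zfw:
    zones: dict = field(default_factory=dict)        # interface -> zone name
    class_maps: dict = field(default_factory=dict)   # name -> protocols (match-any)
    policy_maps: dict = field(default_factory=dict)  # name -> [(class, action), ...]
    zone_pairs: dict = field(default_factory=dict)   # (src zone, dst zone) -> policy
    sessions: set = field(default_factory=set)       # state table filled by 'inspect'

    def zone_member(self, interface, zone):
        self.zones[interface] = zone

    def class_map(self, name, *protocols):
        self.class_maps[name] = set(protocols)

    def policy_map(self, name, *entries):
        self.policy_maps[name] = list(entries)

    def zone_pair(self, src_zone, dst_zone, policy):
        self.zone_pairs[(src_zone, dst_zone)] = policy

    def forward(self, in_if, out_if, flow):
        """Decide the fate of a packet entering in_if and leaving out_if; returns a reason."""
        src_zone, dst_zone = self.zones.get(in_if), self.zones.get(out_if)
        if src_zone == dst_zone:
            return "intra-zone"            # same zone (or both unzoned): no policy applied
        if flow.reverse_key() in self.sessions:
            return "session"               # reply to a flow that was inspected earlier
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop:no-zone-pair"     # inter-zone default when no pair exists
        for cls, action in self.policy_maps[policy]:
            if flow.protocol in self.class_maps.get(cls, ()):
                if action == INSPECT:
                    self.sessions.add(flow.key())
                return action              # "inspect", "pass" or "drop"
        return "drop:class-default"        # nothing matched; class-default drops


def build_lab():
    """The zones, class-maps, policy-maps and zone-pairs of the FireWall router in this lab."""
    fw = Zfw()
    fw.zone_member("fa0/0", "Privatezone")
    fw.zone_member("fa0/1", "Dmzzone")
    fw.zone_member("s0/0/0", "Internetzone")
    fw.class_map("private-to-internet", "http", "icmp", "tcp", "udp", "telnet", "ftp", "dns")
    fw.class_map("INTERNET-TO-DMZ", "http", "tcp")
    fw.policy_map("1", ("private-to-internet", INSPECT))
    fw.policy_map("2", ("INTERNET-TO-DMZ", INSPECT))
    fw.zone_pair("Privatezone", "Internetzone", "1")
    fw.zone_pair("Privatezone", "Dmzzone", "1")
    fw.zone_pair("Internetzone", "Dmzzone", "2")
    return fw


def run_scenarios():
    """Walk constructed sample flows through the lab and collect the decision for each."""
    fw = build_lab()
    out = {}
    out["private->internet http"] = fw.forward(
        "fa0/0", "s0/0/0", Flow("192.168.0.10", 40000, "192.168.2.10", 80, "http"))
    out["internet->private reply"] = fw.forward(
        "s0/0/0", "fa0/0", Flow("192.168.2.10", 80, "192.168.0.10", 40000, "http"))
    out["internet->private new"] = fw.forward(
        "s0/0/0", "fa0/0", Flow("192.168.2.10", 5555, "192.168.0.10", 80, "http"))
    out["internet->dmz http"] = fw.forward(
        "s0/0/0", "fa0/1", Flow("192.168.2.10", 5000, "192.168.1.10", 80, "http"))
    out["internet->dmz icmp"] = fw.forward(
        "s0/0/0", "fa0/1", Flow("192.168.2.10", 0, "192.168.1.10", 0, "icmp"))
    out["dmz->internet new"] = fw.forward(
        "fa0/1", "s0/0/0", Flow("192.168.1.10", 6000, "192.168.2.10", 80, "http"))
    return out


def pass_vs_inspect(action):
    """Two-zone setup showing why a 'pass' policy needs a second zone-pair for replies."""
    fw = Zfw()
    fw.zone_member("fa0/0", "inside")
    fw.zone_member("fa0/1", "outside")
    fw.class_map("web", "http")
    fw.policy_map("p", ("web", action))
    fw.zone_pair("inside", "outside", "p")
    fw.forward("fa0/0", "fa0/1", Flow("10.0.0.1", 40000, "10.0.1.1", 80, "http"))
    return fw.forward("fa0/1", "fa0/0", Flow("10.0.1.1", 80, "10.0.0.1", 40000, "http"))
```

Calling run_scenarios() shows the asymmetry the description talks about: the HTTP request from the private network to the Internet is inspected and its reply is admitted through the session table, while a new connection from the Internet into the private network is dropped because no zone-pair exists in that direction, and the same happens for a new connection from the DMZ to the Internet. Comparing pass_vs_inspect(PASS) with pass_vs_inspect(INSPECT) shows that after a pass action the reply is dropped for lack of a reverse zone-pair, whereas after inspect it comes back as session traffic.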

Steps:

Use Packet Tracer 5.3 to create the following topology:

[Topology diagram: image not reproduced]

Configure the R1 router:

Router>en
Router#conf t
Router(config)#host R1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip rou 0.0.0.0 0.0.0.0 192.168.0.2

Configure the FireWall router:

Router>en
Router#conf t
Router(config)#host FireWall
FireWall(config)#class-map type inspect match-any private-to-internet  // create the class-map private-to-internet holding the match conditions for traffic from the private network to the Internet
FireWall(config-cmap)#match protocol http  // match HTTP traffic
FireWall(config-cmap)#match protocol icmp  // match ICMP traffic
FireWall(config-cmap)#match protocol tcp  // match TCP traffic
FireWall(config-cmap)#match protocol udp  // match UDP traffic
FireWall(config-cmap)#match protocol telnet  // match Telnet traffic
FireWall(config-cmap)#match protocol ftp  // match FTP traffic
FireWall(config-cmap)#match protocol dhcp  // match DHCP traffic
FireWall(config-cmap)#match protocol dns  // match DNS traffic
FireWall(config-cmap)#match protocol h323  // match H.323 traffic
FireWall(config-cmap)#match protocol ip  // match IP traffic
FireWall(config-cmap)#match protocol ipsec  // match IPsec traffic
FireWall(config-cmap)#match protocol ipv6  // match IPv6 traffic
FireWall(config-cmap)#match protocol pop3  // match POP3 traffic
FireWall(config-cmap)#match protocol smtp  // match SMTP traffic
FireWall(config-cmap)#match protocol rtp  // match RTP traffic
FireWall(config-cmap)#match protocol arp  // match ARP traffic
FireWall(config-cmap)#match protocol ntp  // match NTP traffic
FireWall(config-cmap)#exit
FireWall(config)#class-map type inspect match-any INTERNET-TO-DMZ  // create the class-map INTERNET-TO-DMZ holding the match conditions for traffic from the Internet to the DMZ
FireWall(config-cmap)#match protocol http  // match HTTP traffic
FireWall(config-cmap)#match protocol tcp  // match TCP traffic
FireWall(config-cmap)#exit
FireWall(config)#policy-map type inspect 1  // create policy-map 1
FireWall(config-pmap)#class type inspect private-to-internet  // use the match conditions of class-map private-to-internet in this policy
FireWall(config-pmap-c)#inspect  // action when the conditions match: inspect
FireWall(config-pmap-c)#class type inspect class-default  // default class for all other traffic
FireWall(config-pmap-c)#end
FireWall#conf t
FireWall(config)#policy-map type inspect 2  // create policy-map 2
FireWall(config-pmap)#class type inspect INTERNET-TO-DMZ  // use the match conditions of class-map INTERNET-TO-DMZ in this policy
FireWall(config-pmap-c)#inspect  // action when the conditions match: inspect
FireWall(config-pmap-c)#class type inspect class-default  // default class for all other traffic
FireWall(config-pmap-c)#end
FireWall#conf t
FireWall(config)#zone security Privatezone  // create the security zone Privatezone (private network)
FireWall(config-sec-zone)#exit
FireWall(config)#zone security Dmzzone  // create the security zone Dmzzone (DMZ network)
FireWall(config-sec-zone)#exit
FireWall(config)#zone security Internetzone  // create the external security zone Internetzone
FireWall(config-sec-zone)#exit
FireWall(config)#zone-pair security private-internet source Privatezone destination Internetzone  // create the zone-pair for traffic from the private network zone to the Internet zone
FireWall(config-sec-zone-pair)#service-policy type inspect 1  // apply policy-map 1 to this zone-pair
FireWall(config-sec-zone-pair)#exit
FireWall(config)#zone-pair security private-dmz source Privatezone destination Dmzzone  // create the zone-pair for traffic from the private network zone to the DMZ zone
FireWall(config-sec-zone-pair)#service-policy type inspect 1  // apply policy-map 1 to this zone-pair
FireWall(config-sec-zone-pair)#exit
FireWall(config)#zone-pair security internet-dmz source Internetzone destination Dmzzone  // create the zone-pair for traffic from the Internet zone to the DMZ zone
FireWall(config-sec-zone-pair)#service-policy type inspect 2  // apply policy-map 2 to this zone-pair
FireWall(config-sec-zone-pair)#exit
FireWall(config)#int fa0/0  // enter interface fa0/0
FireWall(config-if)#ip add 192.168.0.2 255.255.255.0  // configure the IP address
FireWall(config-if)#zone-member security Privatezone  // place the interface in the private network zone
FireWall(config-if)#no sh  // bring the interface up
FireWall(config-if)#exit
FireWall(config)#int fa0/1  // enter interface fa0/1
FireWall(config-if)#ip add 192.168.1.254 255.255.255.0  // configure the IP address
FireWall(config-if)#zone-member security Dmzzone  // place the interface in the DMZ zone
FireWall(config-if)#no sh  // bring the interface up
FireWall(config-if)#exit
FireWall(config)#int s0/0/0  // enter interface s0/0/0
FireWall(config-if)#ip add 1.1.1.1 255.255.255.0  // configure the IP address
FireWall(config-if)#zone-member security Internetzone  // place the interface in the Internet zone
FireWall(config-if)#no sh  // bring the interface up
FireWall(config-if)#exit
FireWall(config)#ip rou 0.0.0.0 0.0.0.0 1.1.1.2  // configure the default route

Configure the R2 router:

Router>en
Router#conf t
Router(config)#host R2
R2(config)#int s0/0/0
R2(config-if)#ip add 1.1.1.2 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.2.254 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#ip rou 0.0.0.0 0.0.0.0 1.1.1.1

Test the network:

[Test results: four screenshots not reproduced]

By configuring a zone-based firewall you can protect the internal network from external intrusion. ZFW can be regarded as the enhanced version of CBAC: its configuration is more flexible and simpler, and used sensibly it is a good security solution.


This article is from the "Liu Fengyuan" blog; reprinting declined.
