The zone-based firewall (ZBF) divides the interfaces of an IOS router into several zones, and traffic between different zones is not allowed by default. This is similar to the interface security levels on the ASA. Pay attention to the following points:
1. Make sure that interfaces with the same security requirements are placed in the same zone.
2. Use a class-map to capture the traffic between two zones and provide Layer 3 to Layer 7 inspection. The actions available under a policy-map class are:
ZBF(config-pmap-c)#?
Policy-map class configuration commands:
  drop            Drop the packet
  exit            Exit from class action configuration mode
  inspect         Context-based Access Control Engine
  no              Negate or set default values of a command
  pass            Pass the packet
  police          Police (rate-limit) traffic
  service-policy  Deep Packet Inspection Engine
  urlfilter       URL Filtering Engine
3. If there is no traffic in a given direction, you do not need to configure a zone-pair for it, because communication between different zones is denied by default.
4. Apply the policy-map to the zone-pair with service-policy.
Let's go through it with the example below.
Requirements:
- Hosts in the Internet zone can reach DNS, SMTP, and SSH services on one server in the DMZ. The other server will offer SMTP, HTTP, and HTTPS services. The firewall policy will restrict access to the specific services available on each host.
- The DMZ hosts cannot connect to hosts in any other zone.
- Hosts in the client zone can connect to hosts in the server zone on all TCP, UDP, and ICMP services.
- Hosts in the server zone cannot connect to hosts in the client zone, but a UNIX-based application server can open X Windows client sessions to X Windows servers on desktop PCs in the client zone on ports 6900 to 6910.
- All hosts in the private zone (combination of clients and servers) can access hosts in the DMZ on SSH, FTP, POP, IMAP, ESMTP, and HTTP services, and in the Internet zone on HTTP, HTTPS, and DNS services and ICMP. Furthermore, application inspection will be applied on HTTP connections from the private zone to the Internet zone in order to assure that supported instant messaging and P2P applications are not carried on port 80. (See Figure 3.)
Configuration

class-map type inspect match-any pr-to-DMZ-class
 match protocol ssh
 match protocol http
 match protocol pop3
 match protocol imap
class-map type inspect match-any pr-to-public
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
class-map type inspect match-any dns-http-class
 match protocol dns
 match protocol http
class-map type inspect match-any smtp-class
 match protocol smtp
class-map type inspect match-all smtp-acl-class
 match access-group 111
 match class-map smtp-class
! note: uucp does not cover the X Windows ports 6900-6910 listed in the requirements
class-map type inspect match-any x-class
 match protocol uucp
! match-any: a packet is only one of tcp/udp/icmp, so match-all would never match
class-map type inspect match-any client-to-server-class
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all dns-http-acl-class
 match access-group 110
 match class-map dns-http-class
!
!
policy-map type inspect server-to-client-policy
 class type inspect x-class
  inspect
 class class-default
policy-map type inspect client-to-server-policy
 class type inspect client-to-server-class
  inspect
 class class-default
policy-map type inspect pr-to-public-policy
 class type inspect pr-to-public
  inspect
 class class-default
policy-map type inspect pr-to-DMZ-policy
 class type inspect pr-to-DMZ-class
  inspect
 class class-default
policy-map type inspect internet-dmz-policy
 class type inspect dns-http-acl-class
  inspect
 class type inspect smtp-acl-class
  inspect
 class class-default
!
zone security DMZ
zone security pr
zone security public
zone security server
zone security client
zone-pair security pr-to-public source pr destination public
 service-policy type inspect pr-to-public-policy
zone-pair security pr-to-DMZ source pr destination DMZ
 service-policy type inspect pr-to-DMZ-policy
zone-pair security public-to-DMZ source public destination DMZ
 service-policy type inspect internet-dmz-policy
zone-pair security servers-clients source server destination client
 service-policy type inspect server-to-client-policy
zone-pair security client-to-server source client destination server
 service-policy type inspect client-to-server-policy
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 zone-member security public
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
 no switchport
 ip address 172.16.2.1 255.255.255.0
 zone-member security DMZ
!
interface FastEthernet1/14
 switchport access vlan 2
!
interface FastEthernet1/15
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 zone-member security server
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 zone-member security client
!
router rip
 version 2
 network 172.16.0.0
 network 192.168.1.0
 network 192.168.2.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
!
ip http server
no ip http secure-server
!
access-list 110 permit ip any host 172.16.2.2
access-list 111 permit ip any host 172.16.2.3
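As an added example (not from the original post), here is a small Python model of the zone-pair rules the post describes: it parses an excerpt of the zone lines from the configuration above (Loopback0 is an assumed, unzoned interface added for illustration) and decides whether a flow between two interfaces passes, is dropped by the default deny, or is handed to the zone-pair's policy-map.

```python
import re
# Constructed excerpt of the zone lines from the post's config, plus an assumed unzoned Loopback0.
CONFIG = """\
zone-pair security public-to-DMZ source public destination DMZ
 service-policy type inspect internet-dmz-policy
zone-pair security client-to-server source client destination server
 service-policy type inspect client-to-server-policy
interface FastEthernet0/0
 zone-member security public
interface FastEthernet1/13
 zone-member security DMZ
interface Vlan1
 zone-member security server
interface Vlan2
 zone-member security client
interface Loopback0
"""

def parse_zones(config):
    """Return (interface -> zone or None, (src_zone, dst_zone) -> policy-map name)."""
    members, pairs, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            members[current] = None        # unzoned until a zone-member line appears
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            current = (m.group(1), m.group(2))
            pairs[current] = None          # policy-map filled in by the indented line
        elif m := re.match(r"\s+zone-member security (\S+)", line):
            members[current] = m.group(1)
        elif m := re.match(r"\s+service-policy type inspect (\S+)", line):
            pairs[current] = m.group(1)
    return members, pairs

def resolve(members, pairs, src_if, dst_if):
    """Apply the ZBF default rules to a flow entering src_if and leaving dst_if."""
    src, dst = members[src_if], members[dst_if]
    if src is None and dst is None:
        return "pass"                      # two unzoned interfaces: firewall not involved
    if src is None or dst is None:
        return "drop"                      # zoned <-> unzoned is never allowed
    if src == dst:
        return "pass"                      # intra-zone traffic passes by default
    policy = pairs.get((src, dst))         # direction matters: only (src, dst) is looked up
    return f"inspect:{policy}" if policy else "drop"  # no zone-pair = default deny

def flows():
    members, pairs = parse_zones(CONFIG)
    cases = [("Vlan2", "Vlan1"), ("FastEthernet0/0", "FastEthernet1/13"),
             ("FastEthernet1/13", "FastEthernet0/0"), ("Vlan1", "Loopback0")]
    return {f"{s}->{d}": resolve(members, pairs, s, d) for s, d in cases}
```

The DMZ-to-public flow comes out as drop without any configuration, which is the point behind rule 3 above.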
Summary: this configuration looks troublesome, but the core is just the application of a few policies. If you are familiar with QoS, isn't it the same as MQC?
One more thing: can one interface belong to multiple zones? In this configuration, int vlan 1 would belong to both zone pr and zone server, but the private zone contains the server zone, so I am not sure whether that is the reason.
Another detail this article does not cover is the use of parameter-map. Here is an example of setting protocol-specific inspection parameters:

parameter-map type inspect inside-to-outside.pa
 audit-trail off
 alert on
 max-incomplete low 800
 max-incomplete high 1000
 one-minute low unlimited
 one-minute high unlimited
 udp idle-time 30
 icmp idle-time 10
 dns-timeout 5
 tcp idle-time 3600
 tcp finwait-time 5
 tcp synwait-time 15
 tcp max-incomplete host unlimited block-time 0
 sessions maximum 2147483647

The parameter-map is then attached to the inspect action under the policy-map class:

policy-map type inspect inside-to-outside.policy
 class type inspect inside-to-outside.class
  inspect inside-to-outside.pa
 class class-default
This article is from the Cisco network blog; please keep this source: http://liangrui.blog.51cto.com/1510945/636039