Firewall Series 1: How to Monitor Internal and External Traffic and Application Sessions in the Network Environment

Source: Internet
Author: User



I. Background
1. The network has a central site (Shanghai) and a branch site (Nanjing).
2. The central site has three zones: Internet (outside), intranet (inside) and DMZ.
3. The DMZ hosts the enterprise servers (DNS, web, email and FTP), which are managed remotely over the encrypted protocols SSH and HTTPS.
4. Central-site DMZ address pool: 172.18.100.0/24
   Central-site inside address pool: 172.18.101.0/24
II. Key configuration of the zone-based firewall
How do we allow legitimate access from the outside into the DMZ while keeping everything else out?
The key is defining what "legitimate" access traffic is.
The DMZ hosts the enterprise servers (DNS, web, email and FTP), and they are managed remotely over SSH and HTTPS, so legitimate traffic is exactly these protocols and ports:
HTTP           TCP 80
HTTPS          TCP 443
FTP            TCP 20/21
POP3           TCP 110
IMAP           TCP 143
IMAP over SSL  TCP 993
SSH            TCP 22
SMTP           TCP 25
DNS            UDP 53 (the DNS server sits in the DMZ and is published in the NAT configuration below)
1. Class-maps: traffic matching rules
Note the difference between match-any and match-all: a match-any class matches when any one of its statements matches (logical OR); a match-all class matches only when every statement matches (logical AND). The two match-all classes below AND an access list (which sources may reach which DMZ hosts) with a nested match-any class (which application protocols are allowed), so both conditions must hold for a packet to be inspected.

class-map type inspect match-any dns.traffic.any.class
 match protocol dns
 match protocol http
 match protocol https
 match protocol icmp
class-map type inspect match-any multi.traffic.any.class
 match protocol dns
 match protocol http
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 ! imap3 is Interactive Mail Access Protocol v3 (TCP/220), not IMAP over SSL;
 ! to match the TCP/993 service published below use "match protocol imaps"
 match protocol imap3
 match protocol ssh
 match protocol icmp
 ! ftp is not listed here, so FTP from the Internet falls into class-default and is dropped
 ! even though TCP/20-21 is statically translated in the NAT section
class-map type inspect match-all multi.traffic.all.class
 match access-group name multi.traffic.acl
 match class-map multi.traffic.any.class
class-map type inspect match-all dns.traffic.all.class
 match access-group name dns
 match class-map dns.traffic.any.class
class-map type inspect match-any app.inspect.class
 match protocol ssh
 match protocol ftp
 match protocol pop3
 match protocol imap3
 match protocol smtp
 match protocol http
 match protocol https
 match protocol icmp
 
 
 
2. Policy-maps: what happens to matched traffic
A policy-map binds each class to an action. Traffic that matches a class is inspected, i.e. permitted and tracked as a stateful session so that its return traffic is allowed back; anything that matches no class falls into class-default and is dropped. Drop is already the default action of an inspect policy; it is written out explicitly here so the intent is visible in the configuration.

policy-map type inspect out.dmz.policy
 class type inspect multi.traffic.all.class
  inspect
 class class-default
  drop
policy-map type inspect dmz.out.policy
 class type inspect dns.traffic.all.class
  inspect
 class class-default
  drop
policy-map type inspect in.dmz.policy
 class type inspect app.inspect.class
  inspect
 class class-default
  drop
 
 
 
3. Configure NAT
Almost any device connected to the Internet does NAT: public IPv4 addresses are limited and cost money, so address usage, performance and cost all have to be weighed against each other.
The NAT configuration follows from the services the DMZ provides: services that must be reachable from the Internet get static port mappings on the outside interface; everything else going from the inside to the Internet uses dynamic translation (overload).
Check each entry against the service, the transport protocol and the port; these should be familiar by now. Note that the static TCP/22 entry publishes the SSH management port of 172.18.100.13 to every Internet address; which sources may actually reach it is decided only by the access list referenced in multi.traffic.all.class, so keep that list tight.

ip nat inside source static tcp 172.18.100.14 80 interface Serial1/0 80
ip nat inside source static tcp 172.18.100.12 443 interface Serial1/0 443
ip nat inside source static tcp 172.18.100.13 22 interface Serial1/0 22
ip nat inside source static udp 172.18.100.2 53 interface Serial1/0 53
ip nat inside source static tcp 172.18.100.2 110 interface Serial1/0 110
ip nat inside source static tcp 172.18.100.2 143 interface Serial1/0 143
ip nat inside source static tcp 172.18.100.2 993 interface Serial1/0 993
ip nat inside source static tcp 172.18.100.2 20 interface Serial1/0 20
ip nat inside source static tcp 172.18.100.2 21 interface Serial1/0 21
ip nat inside source static tcp 172.18.100.2 25 interface Serial1/0 25

ip nat inside source list nat-I-o interface Serial1/0 overload
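The class-maps and policy-maps above do nothing until they are bound to zone pairs, and the two match-all classes reference access lists the post does not show. The following is an added example, not part of the original post, of that missing glue. It takes the zone-pair names from the show output in the results section (in2dmz, out2dmz, dmz2out) and Serial1/0 as the outside interface from the NAT section; everything else is an assumption: the inside and DMZ interface names, the contents of the three access lists (multi.traffic.acl, dns and the dynamic NAT list nat-I-o), the syslog-free interface descriptions, and the branch-site prefix 172.18.103.0/24 used to restrict SSH management. The access lists use the DMZ servers' real (inside local) addresses because the session output later on shows the firewall classifying traffic after static NAT has already translated the destination.

```cisco
! --- Zones and interface membership ---
zone security inside
zone security outside
zone security dmz
!
interface Serial1/0
 description Internet uplink (the NAT outside interface from section 3)
 ip nat outside
 zone-member security outside
!
! Interface names below are assumed; the post does not name the inside and DMZ interfaces
interface FastEthernet0/0
 description Intranet 172.18.101.0/24 (assumed interface)
 ip nat inside
 zone-member security inside
!
interface FastEthernet0/1
 description DMZ 172.18.100.0/24 (assumed interface)
 ip nat inside
 zone-member security dmz
!
! --- Access lists referenced by the match-all class-maps (contents assumed) ---
! outside -> DMZ: only the published services, each to the server that offers it.
! SSH management is limited to the branch-site prefix (172.18.103.0/24, assumed from the
! session output) rather than "any", so the static TCP/22 NAT entry is not reachable
! from the whole Internet.
ip access-list extended multi.traffic.acl
 remark public services
 permit tcp any host 172.18.100.14 eq 80
 permit tcp any host 172.18.100.12 eq 443
 permit udp any host 172.18.100.2 eq 53
 permit tcp any host 172.18.100.2 eq 25
 permit tcp any host 172.18.100.2 eq 110
 permit tcp any host 172.18.100.2 eq 143
 permit tcp any host 172.18.100.2 eq 993
 remark management: SSH only from the branch site
 permit tcp 172.18.103.0 0.0.0.255 host 172.18.100.13 eq 22
 remark troubleshooting
 permit icmp any 172.18.100.0 0.0.0.255 echo
!
! DMZ -> outside: the ACL fixes the source, the class-map fixes the protocols (dns/http/https/icmp)
ip access-list extended dns
 permit ip 172.18.100.0 0.0.0.255 any
!
! Source list for "ip nat inside source list nat-I-o interface Serial1/0 overload"
ip access-list standard nat-I-o
 permit 172.18.101.0 0.0.0.255
 permit 172.18.100.0 0.0.0.255
!
! --- Zone pairs: bind each policy-map to one direction; names match the show output ---
zone-pair security in2dmz source inside destination dmz
 service-policy type inspect in.dmz.policy
zone-pair security out2dmz source outside destination dmz
 service-policy type inspect out.dmz.policy
zone-pair security dmz2out source dmz destination outside
 service-policy type inspect dmz.out.policy
```

One design point: the lab in the post evidently allows SSH from any source that passes its ACL, since the session output shows logins to 172.18.100.13:22 from both 172.18.103.3 and 200.0.30.2. The ACL above deliberately narrows TCP/22 to the branch prefix; replace it with the real management sources before deploying, otherwise those sessions land in class-default and are dropped. Because the match-all class ANDs the ACL with the protocol class, a permit line in the ACL is not enough on its own: the protocol must also appear in multi.traffic.any.class, which is why FTP would still be dropped here.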
 
 
 
III. Results
Now let's look at the details. First the NAT translations. The tests that produced them were:
An internal host pings the branch site: the dynamic translation is created (the icmp entry).
The branch site manages a DMZ device over SSH: login succeeds.
The branch site reaches the web server.
The branch site reaches the encrypted service over HTTPS.
Shanghai# show ip nat translations
Pro  Inside global       Inside local         Outside local        Outside global
icmp 200.0.10.2:2        172.18.100.2:2       200.0.30.2:2         200.0.30.2:2
tcp  200.0.10.2:20       172.18.100.2:20      ---                  ---
tcp  200.0.10.2:21       172.18.100.2:21      ---                  ---
tcp  200.0.10.2:22       172.18.100.13:22     172.18.103.3:49392   172.18.103.3:49392
tcp  200.0.10.2:22       172.18.100.13:22     200.0.30.2:17648     200.0.30.2:17648
tcp  200.0.10.2:22       172.18.100.13:22     ---                  ---
tcp  200.0.10.2:25       172.18.100.2:25      ---                  ---
udp  200.0.10.2:53       172.18.100.2:53      ---                  ---
tcp  200.0.10.2:80       172.18.100.14:80     172.18.103.3:49480   172.18.103.3:49480
tcp  200.0.10.2:80       172.18.100.14:80     172.18.103.3:49481   172.18.103.3:49481
tcp  200.0.10.2:80       172.18.100.14:80     172.18.103.3:49482   172.18.103.3:49482
tcp  200.0.10.2:80       172.18.100.14:80     ---                  ---
tcp  200.0.10.2:110      172.18.100.2:110     ---                  ---
tcp  200.0.10.2:143      172.18.100.2:143     ---                  ---
tcp  200.0.10.2:443      172.18.100.12:443    172.18.103.3:49476   172.18.103.3:49476
tcp  200.0.10.2:443      172.18.100.12:443    172.18.103.3:49477   172.18.103.3:49477
tcp  200.0.10.2:443      172.18.100.12:443    172.18.103.3:49478   172.18.103.3:49478
tcp  200.0.10.2:443      172.18.100.12:443    172.18.103.3:49479   172.18.103.3:49479
tcp  200.0.10.2:443      172.18.100.12:443    ---                  ---
tcp  200.0.10.2:993      172.18.100.2:993     ---                  ---
tcp  200.0.10.2:18018    MAID:18018           172.18.103.3:80      172.18.103.3:80
 
Now let's look at the per-zone-pair traffic counters and the application sessions the firewall is tracking.
Shanghai# show policy-map type inspect zone-pair sessions
policy exists on zp in2dmz
 Zone-pair: in2dmz

  Service-policy inspect : in.dmz.policy

    Class-map: app.inspect.class (match-any)
      Match: protocol ssh
        2 packets, 48 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol imap3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol smtp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
        Number of Established Sessions = 1
        Established Sessions
         Session 68A2ED20 (172.18.101.2:55222)=>(172.18.100.13:22) ssh:tcp SIS_OPEN/TCP_ESTAB
          Created 00:01:45, Last heard 00:01:40
          Bytes sent (initiator:responder) [936:1164]

    Class-map: class-default (match-any)
      Match: any
      Drop
        4 packets, 96 bytes
 
policy exists on zp out2dmz
 Zone-pair: out2dmz

  Service-policy inspect : out.dmz.policy

    Class-map: multi.traffic.all.class (match-all)
      Match: access-group name multi.traffic.acl
      Match: class-map match-any multi.traffic.any.class
        Match: protocol dns
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol http
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol https
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol smtp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol pop3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imap
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imap3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ssh
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps
      Inspect
        Number of Established Sessions = 2
        Established Sessions
         Session 68A2E620 (172.18.103.3:49392)=>(172.18.100.13:22) ssh:tcp SIS_OPEN/TCP_ESTAB
          Created 00:06:11, Last heard 00:05:51
          Bytes sent (initiator:responder) [3433:3004]
         Session 68A2E9A0 (200.0.30.2:17648)=>(172.18.100.13:22) ssh:tcp SIS_OPEN/TCP_ESTAB
          Created 00:03:17, Last heard 00:01:25
          Bytes sent (initiator:responder) [1832:3160]

    Class-map: class-default (match-any)
      Match: any
      Drop
        4 packets, 96 bytes

policy exists on zp dmz2out
 Zone-pair: dmz2out

  Service-policy inspect : dmz.out.policy

    Class-map: dns.traffic.all.class (match-all)
      Match: access-group name dns
      Match: class-map match-any dns.traffic.any.class
        Match: protocol dns
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol http
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol https
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps
      Inspect
        Number of Established Sessions = 1
        Established Sessions
         Session 68A2D120 (172.18.100.14:62666)=>(172.18.103.3:80) http:tcp SIS_OPEN/TCP_ESTAB
          Created 00:25:14, Last heard 00:25:13
          Bytes sent (initiator:responder) [0:0]

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes
 
 
 
Conclusion
1. By default a zone-based firewall passes no traffic between different zones, so every flow you need must be explicitly allowed by a policy. The firewall is stateful: once a session has been inspected, its return traffic is allowed back automatically.
2. This topology uses policies in three directions:
inside -> DMZ
outside -> DMZ
DMZ -> outside
Normally an inside -> outside policy is required as well; it is also where an enterprise that manages its staff's Internet access strictly would put its fine-grained rules.
3. Before configuring, be clear about which traffic is to be allowed and which is to be dropped. NAT entries must be precise (TCP or UDP, and the right port), and check whether a service such as FTP uses more than one port.
4. A default route is mandatory. Do not run a dynamic routing protocol towards the Internet to form a neighbour relationship with the ISP; routing becomes far more complicated than it needs to be.
5. It is best to configure a syslog server so that errors are recorded and troubleshooting has something to work from.
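Point 5 is the one part of the setup with no configuration on the page. As an added example, not from the original post, this is how an IOS zone-based firewall is pointed at a syslog server and made to log both the packets it drops and every session it opens and closes. The syslog server address 172.18.101.50 (in the inside pool) and the parameter-map name audit.params are assumptions; the policy-map and class names are the post's own, re-entered here only to attach the parameter map.

```cisco
! Syslog destination: 172.18.101.50 is an assumed address in the inside pool
logging host 172.18.101.50
logging trap informational
service timestamps log datetime msec localtime show-timezone
!
! Log packets that fall into class-default and are dropped (global inspect parameters).
! This answers the question in point 3: what is being dropped, and from where.
parameter-map type inspect global
 log dropped-packets enable
!
! Per-class audit trail: one syslog line when a session opens and one when it closes,
! carrying initiator, responder and byte counts (the same data as the show command above)
parameter-map type inspect audit.params
 audit-trail on
!
! Attach the parameter map to the inspected class of each existing policy-map
policy-map type inspect out.dmz.policy
 class type inspect multi.traffic.all.class
  inspect audit.params
policy-map type inspect dmz.out.policy
 class type inspect dns.traffic.all.class
  inspect audit.params
policy-map type inspect in.dmz.policy
 class type inspect app.inspect.class
  inspect audit.params
!
! Verification after the change:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
!   show ip nat translations
!   show logging
```

The drop log is the more important of the two for a small site: class-default counters in the show output tell you that 4 packets were dropped on in2dmz and out2dmz, but not who sent them or to which port, and the counters are lost at the next reload. With the audit trail on, every session in the "Established Sessions" list also leaves a start and stop record on the syslog server, so the monitoring the title promises survives the session table.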
