Configuring Zone-Based Policy Firewall (ZPF)
For IOS 12.4(6)T
First, create the two security zones:
R3(config)#zone security IN-ZONE
R3(config-sec-zone)#exit
R3(config-sec-zone)#zone se OUT-ZONE
Then the access list that selects the traffic to be inspected (anything sourced from the inside network 192.168.3.0/24):
R3(config)#ip access-list extended 101
R3(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any
Create a class map of type inspect and name it; `?` at each step shows the keywords that are available:
R3(config)#class-map ty ?
inspect Configure CBAC Class Map
R3(config)#class-map type ?
inspect Configure CBAC Class Map
R3(config)#class-map type inspect ?
WORD class-map name
match-all Logical-AND all matching statements under this classmap
match-any Logical-OR all matching statements under this classmap
R3(config)#class-map type inspect match-all
R3(config)#class-map type inspect match-all ?
WORD class-map name
R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
Attach the access list to the class map:
Router(config-cmap)#match ?
access-group Access group
any Any packets
class-map Class map
cos IEEE 802.1Q/ISL class of service/user priority values
destination-address Destination address
discard-class Discard behavior identifier
dscp Match DSCP in IP(v4) and IPv6 packets
fr-de Match on Frame-relay DE bit
fr-dlci Match on fr-dlci
input-interface Select an input interface to match
ip IP specific values
mpls Multi Protocol Label Switching specific values
not Negate this match result
packet Layer 3 Packet length
precedence Match Precedence in IP(v4) and IPv6 packets
protocol Protocol
qos-group Qos-group
source-address Source address
Router(config-cmap)#match acc
Router(config-cmap)#match access-group ?
<1-2699> Access list index
name Named Access List
Router(config-cmap)#match access-group 101
Create a policy map to determine what to do with matched traffic.
R3(config)#policy-map ?
WORD policy-map name
type type of the policy-map
R3(config)#policy-map type ?
inspect Configure CBAC Policy Map
R3(config)#policy-map type inspect ?
WORD policy-map name
R3(config)#policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)#
Specify a class of type inspect that references the class map IN-NET-CLASS-MAP:
R3(config-pmap)#class type ?
inspect Configure CBAC Class Map
R3(config-pmap)#class type inspect ?
WORD class-map name
class-default System default class matching otherwise unclassified packets
R3(config-pmap)#class type inspect IN-NET-CLASS-MAP
% class IN-NET-CLASS-MAP of type default is not allowed in policy-map IN-2-OUT-PMAP of type inspect
The error above is what IOS prints when the class is entered without the `type inspect` keyword: a default-type (QoS) class cannot be used in an inspect policy map. Once the class is accepted, the inspect action invokes stateful inspection (context-based access control) on the class's traffic:
R3(config-pmap-c)#inspect
R3(config-pmap-c)#?
drop Drop the packet
exit Exit from class action configuration mode
inspect Context-based Access Control Engine
no Negate or set default values of a command
pass Pass the packet
R3(config-pmap-c)#inspect
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected
Create a zone pair and specify the source and destination zones. Traffic between two zones that have no zone pair is dropped, and the return traffic of inspected sessions is allowed back automatically, so no separate OUT-to-IN pair is needed for it:
R3(config)#zone
R3(config)#zone ?
security Security zone
R3(config)#zone-pair se
R3(config)#zone-pair security ?
WORD Name of zone-pair
R3(config)#zone-pair security IN-2-OUT-ZPAIR ?
source Source zone
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE ?
destination Destination zone
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#
Attach the policy map and its actions to the zone pair:
R3(config-sec-zone-pair)#service-policy ?
type Service Policy type
R3(config-sec-zone-pair)#service-policy type ?
inspect Configure CBAC Service Policy type inspect
R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP
Assign the interfaces to their security zones. An interface that belongs to no zone cannot exchange traffic with an interface that does, so both sides of the firewall must be zone members:
R3(config-sec-zone-pair)#int f0/1
R3(config-if)# zone-member security ?
WORD Name of zone defined
R3(config-if)#zone-member security IN-ZONE
R3(config-if)#int s0/0/1
R3(config-if)#zone-member security OUT-ZONE
The complete ZPF configuration, collected in one place:
R3(config)#zone security IN-ZONE
R3(config-sec-zone)#zone se OUT-ZONE
R3(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any
R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
Router(config-cmap)#match access-group 101
R3(config)#policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)#class type inspect IN-NET-CLASS-MAP
R3(config-pmap-c)#inspect
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP
R3(config-if)#zone-member security IN-ZONE
R3(config-if)#zone-member security OUT-ZONE
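Most ZPF failures in practice are wiring mistakes rather than policy mistakes: a zone pair that names a zone that was never created, a class entered without `type inspect`, an interface left out of every zone. The following linter, an added example that is not part of the original lab notes, reads a running-config-style text and reports such dangling references. The configuration string is constructed from the commands on this page; the function names and the wording of the findings are this example's own.

```python
"""Lint the wiring of a Cisco IOS Zone-Based Policy Firewall configuration.

Added example, not part of the original lab notes: it reads an IOS-style
configuration (the shape `show running-config` prints) and reports dangling
references between zones, zone-pairs, policy-maps, class-maps, ACLs and
interfaces.  The configuration text is constructed from the commands on this
page; the function names and finding messages are this example's own.
"""

# Constructed: the IN-2-OUT configuration from the page, in running-config form.
ZPF_CONFIG = """\
zone security IN-ZONE
zone security OUT-ZONE
ip access-list extended 101
 permit ip 192.168.3.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
interface FastEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/1
 zone-member security OUT-ZONE
"""

def parse_config(text):
    """Collect the ZPF objects and the names they reference, keyed by object name."""
    cfg = {"zones": set(), "acls": set(), "cmaps": {}, "pmaps": {}, "pairs": {}, "ifaces": {}}
    block = cls = None                  # current top-level section, current class in a policy-map
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):    # unindented line: a new top-level section
            block = cls = None
            typed = w[2] if len(w) > 2 and w[1] == "type" else None   # 'type inspect' keyword
            if w[0] == "zone" and w[1] == "security":
                cfg["zones"].add(w[2])
            elif w[0] == "ip" and w[1] == "access-list":
                cfg["acls"].add(w[-1])
            elif w[0] == "class-map":
                cfg["cmaps"][w[-1]] = {"type": typed, "acls": []}
                block = ("cmap", w[-1])
            elif w[0] == "policy-map":
                cfg["pmaps"][w[-1]] = {"type": typed, "classes": {}}
                block = ("pmap", w[-1])
            elif w[0] == "zone-pair":   # zone-pair security NAME source SRC destination DST
                cfg["pairs"][w[2]] = {"src": w[4], "dst": w[6], "policy": None}
                block = ("pair", w[2])
            elif w[0] == "interface":
                cfg["ifaces"][w[1]] = None
                block = ("iface", w[1])
            continue
        kind, name = block or (None, None)
        if kind == "cmap" and w[:2] == ["match", "access-group"]:
            cfg["cmaps"][name]["acls"].append(w[-1])
        elif kind == "pmap" and w[0] == "class":
            cls = w[-1]
            cfg["pmaps"][name]["classes"][cls] = {"type": w[2] if w[1] == "type" else None, "action": None}
        elif kind == "pmap" and cls and w[0] in ("inspect", "pass", "drop"):
            cfg["pmaps"][name]["classes"][cls]["action"] = w[0]
        elif kind == "pair" and w[0] == "service-policy":
            cfg["pairs"][name]["policy"] = w[-1]
        elif kind == "iface" and w[0] == "zone-member":
            cfg["ifaces"][name] = w[-1]
    return cfg

def lint_zpf(text):
    """Return a list of findings; an empty list means every reference resolves."""
    c, out = parse_config(text), []
    for name, cm in c["cmaps"].items():
        for acl in cm["acls"]:
            if acl not in c["acls"]:
                out.append(f"class-map {name} matches undefined access-list {acl}")
    for name, pm in c["pmaps"].items():
        for cls, info in pm["classes"].items():
            if cls == "class-default":
                continue                # implicit class; IOS drops its traffic by default
            if cls not in c["cmaps"]:
                out.append(f"policy-map {name} references undefined class-map {cls}")
            elif info["type"] != "inspect":
                out.append(f"policy-map {name}: class {cls} must be entered as 'class type inspect {cls}'")
            if info["action"] is None:
                out.append(f"policy-map {name}: class {cls} has no action (inspect/pass/drop)")
    for name, zp in c["pairs"].items():
        for z in (zp["src"], zp["dst"]):
            if z != "self" and z not in c["zones"]:
                out.append(f"zone-pair {name} references undefined zone {z}")
        if zp["policy"] is None:
            out.append(f"zone-pair {name} has no service-policy; traffic between its zones is dropped")
        elif zp["policy"] not in c["pmaps"]:
            out.append(f"zone-pair {name} references undefined policy-map {zp['policy']}")
    for iface, zone in c["ifaces"].items():
        if zone is None:
            out.append(f"interface {iface} is in no zone; it cannot exchange traffic with zone members")
        elif zone not in c["zones"]:
            out.append(f"interface {iface} joins undefined zone {zone}")
    return out
```

Run `lint_zpf(ZPF_CONFIG)` on the page's configuration and it returns an empty list; change the zone pair's destination to a zone that does not exist, or drop the `zone-member` line from Serial0/0/1, and the corresponding findings appear. The parser only understands the canonical forms IOS writes into the running config (for example `zone-pair security NAME source A destination B`), which is what you get from `show running-config`, not from abbreviated keystrokes.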
[diagram not included in the text]
Cisco IOS Classic Firewall (formerly Context-Based Access Control, CBAC)
First, block all inbound traffic with an ACL applied inbound on the outside interface (the interface selection itself is not shown in the transcript):
R3(config)#ip acc extended OUT-IN
R3(config-ext-nacl)#deny ip any any
R3(config-if)#ip access-group OUT-IN in
Then, create an inspection rule to inspect ICMP, Telnet, and HTTP traffic:
R3(config)#ip inspect name ?
WORD Name of inspection defined (16 characters max)
R3(config)#ip inspect name IN-OUT-IN ?
http HTTP Protocol
icmp ICMP Protocol
tcp Transmission Control Protocol
telnet Telnet
udp User Datagram Protocol
R3(config)#ip inspect name IN-OUT-IN http
R3(config)#ip inspect name IN-OUT-IN icmp
R3(config)#ip inspect name IN-OUT-IN telnet
Before applying the inspection rule to the interface, enable ip inspect audit-trail so that the start and stop of every inspected session is logged, both locally and to the syslog server:
R3(config)#ip inspect audit-trail
R3(config)#logging 192.168.1.3
R3(config)#logging on
Applying to the interface:
R3(config-if)#ip inspect IN-OUT-IN ?
in Inbound inspection
out Outbound inspection
R3(config-if)#ip inspect IN-OUT-IN out
out: inspect sessions leaving through this interface, so that their return traffic is allowed back in past the OUT-IN deny-all ACL.
The audit-trail messages look like this:
%FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.168.3.3:1048) -- responder (192.168.1.3:80)
%FW-6-SESS_AUDIT_TRAIL_STOP: Stop http session: initiator (192.168.3.3:1048) -- responder (192.168.1.3:80)
R3(config)#do show ip inspect sessions
Established Sessions
Session 137553504 (192.168.3.3:1054)=>(192.168.1.3:http) SIS_OPEN
R3#debug ip inspect detailed
INSPECT Detailed Debug debugging is on
R3#
%FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.168.3.3:1055) -- responder (192.168.1.3:80)
CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.3.3, src_port:1055, dst_tableid:0, dst_addr:192.168.1.3, dst_port:80
%FW-6-SESS_AUDIT_TRAIL_STOP: Stop http session: initiator (192.168.3.3:1055) -- responder (192.168.1.3:80)
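Once the audit trail is shipped to the syslog server at 192.168.1.3, the START/STOP pairs can be correlated into a session table and checked against what the firewall is supposed to be doing. The script below is an added example, not part of the original page: it pairs the `%FW-6-SESS_AUDIT_TRAIL_START` and `_STOP` messages in the format shown above and flags sessions that never closed, sessions whose protocol is not one of the three the inspection rule covers (http, icmp, telnet), and initiators outside 192.168.3.0/24 (the only source network ACL 101 permits). The log lines are constructed for the example; only the first pair reproduces sessions from the page, and the function names are the example's own.

```python
"""Correlate Cisco IOS firewall audit-trail syslog messages into sessions.

Added example, not from the original page: pairs %FW-6-SESS_AUDIT_TRAIL_START
and _STOP messages into a session table and flags what a reviewer of these
logs would want to see: sessions opened but never closed, sessions whose
protocol is not one the inspection rule was meant to cover, and initiators
outside the inside network.  The log lines are constructed for this example.
"""
import ipaddress
import re

# Constructed sample of what `logging` + `ip inspect audit-trail` delivers to the
# syslog server.  Only the first pair reproduces the sessions shown on the page.
SAMPLE_LOG = """\
%FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.168.3.3:1048) -- responder (192.168.1.3:80)
%FW-6-SESS_AUDIT_TRAIL_STOP: Stop http session: initiator (192.168.3.3:1048) -- responder (192.168.1.3:80)
%FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.3.3:1050) -- responder (192.168.1.3:23)
%FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.3.3:8) -- responder (192.168.1.3:0)
%FW-6-SESS_AUDIT_TRAIL_STOP: Stop icmp session: initiator (192.168.3.3:8) -- responder (192.168.1.3:0)
%FW-6-SESS_AUDIT_TRAIL_START: Start ftp session: initiator (10.0.0.9:40000) -- responder (192.168.1.3:21)
%FW-6-SESS_AUDIT_TRAIL_STOP: Stop ftp session: initiator (10.0.0.9:40000) -- responder (192.168.1.3:21)
"""

AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_(?P<event>START|STOP): (?:Start|Stop) (?P<proto>\S+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) -- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)

def parse_audit_line(line):
    """Return (event, session_key) for an audit-trail line, or None for any other syslog line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return m["event"], key

def correlate(log_text, inside_net="192.168.3.0/24", inspected=("http", "icmp", "telnet")):
    """Pair START/STOP events; return {'closed': [...], 'open': [...], 'anomalies': [...]}.

    inside_net defaults to the network ACL 101 permits; inspected defaults to the
    protocols named in the IN-OUT-IN inspection rule (both taken from the page).
    """
    inside = ipaddress.ip_network(inside_net)
    open_sessions, closed, anomalies = {}, [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_audit_line(line)
        if parsed is None:
            continue                        # not an audit-trail message
        event, key = parsed
        proto, src = key[0], key[1]
        if event == "START":
            if key in open_sessions:
                anomalies.append(f"line {n}: duplicate START for {key}")
            open_sessions[key] = n
            if proto not in inspected:
                anomalies.append(f"line {n}: {proto} session inspected but not in the inspect rule {list(inspected)}")
            if ipaddress.ip_address(src) not in inside:
                anomalies.append(f"line {n}: initiator {src} is outside {inside_net}")
        else:
            if open_sessions.pop(key, None) is None:
                anomalies.append(f"line {n}: STOP without a matching START for {key}")
            else:
                closed.append(key)
    return {"closed": closed, "open": sorted(open_sessions), "anomalies": anomalies}
```

On the constructed sample, `correlate(SAMPLE_LOG)` reports three closed sessions, the telnet session still open, and two anomalies for the ftp session: its protocol is not in the inspection rule, and its initiator 10.0.0.9 is outside the inside network. Either of those in a real log means the inspection rule or the ACL on the router no longer matches what you believe is configured, which is exactly what the audit trail is for.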