Forgot the link to the post: http://blog.ipexpert.com/2010/01/18/cisco-ios-zone-based-firewalls/
Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com.

On Wed, Feb 3, 2010 at 1:15 PM, Brandon Carroll <[email protected]> wrote:

> Hi Jimmy,
>
> ZBF is always a sticky topic.
>
> Here is my rundown:
>
> The ICMP is going to be stateful, so you know it needs to be inspected. Try the following:
>
> ip access-list extended acl-INSIDE-TO-OUTSIDE-no-inspect
>  permit icmp any any echo
>
> class-map type inspect class-INSIDE-TO-OUTSIDE-no-inspect
>  match access-group name acl-INSIDE-TO-OUTSIDE-no-inspect
>
> policy-map type inspect policy-INSIDE-TO-OUTSIDE
>  class type inspect class-INSIDE-TO-OUTSIDE
>   inspect
>
> ! Next the ICMP: it actually does need to be inspected to allow for the reply.
>
>  class type inspect class-INSIDE-TO-OUTSIDE-no-inspect
>   inspect
>  class class-default
>   drop
>
> You don't do any interface ACLs; rather they are handled by the class-maps, in other words you nest them in the policy-map.
>
> Here is a basic post I did on the ZBF. There is another one coming but I'm a bit behind. Hopefully this gives you a push in the right direction.
>
> Also, take a look at the DSG for Lab 2a. Task 2.11 has ICMP allowed in the ZBF configuration. Perhaps that will help a bit.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
>
> On Wed, Feb 3, 2010 at 12:54 PM, Jimmy Larsson <[email protected]> wrote:
>
>> Hi
>>
>> I am trying some zone based firewall configurations and am getting confused. My background is that I am very familiar with Pix/ASA and not very familiar at all with the firewall features of IOS. Therefore I always compare these, which gets me confused.
>>
>> Now I've done a simple 2-zone firewall out of my 3-legged router. My goal is this:
>> * Allow all outbound telnet stateful
>> * Allow all icmp-echos initiated from inside (and of course the corresponding echo replies)
>> * Deny everything else between the zones.
>>
>> I have configured the two zones and a policy-map that inspects and allows my outbound telnet. It looks like this:
>>
>> class-map type inspect match-any class-INSIDE-TO-OUTSIDE
>>  match protocol telnet
>> !
>> policy-map type inspect policy-INSIDE-TO-OUTSIDE
>>  class type inspect class-INSIDE-TO-OUTSIDE
>>   inspect
>>  class class-default
>>   drop
>> !
>> zone security OUTSIDE
>> zone security INSIDE
>> zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
>>  service-policy type inspect policy-INSIDE-TO-OUTSIDE
>>
>> interface FastEthernet0
>>  description Outside
>>  zone-member security OUTSIDE
>> !
>> interface FastEthernet1
>>  description Inside
>>  zone-member security INSIDE
>> !
>> interface Vlan13
>>  zone-member security INSIDE
>> !
>>
>> So, now I can telnet from outside to telnet. But what about the ICMP? My idea was to create a class-map referring to an ACL that defines non-stateful outbound traffic that should be allowed. Something like this:
>>
>> ip access-list extended acl-INSIDE-TO-OUTSIDE-no-inspect
>>  permit icmp any any echo
>>
>> class-map class-INSIDE-TO-OUTSIDE-no-inspect
>>  match access-group name acl-INSIDE-TO-OUTSIDE-no-inspect
>>
>> But when trying to apply this to my policy-map (my goal was to do a "pass" action on this) I get this error:
>>
>> r1(config-pmap)#class class-INSIDE-TO-OUTSIDE-no-inspect
>> % class class-INSIDE-TO-OUTSIDE-no-inspect of type default is not allowed in policy-map policy-INSIDE-TO-OUTSIDE of type inspect
>>
>> In what way am I thinking wrong here?
>>
>> Also, in my scenario, what should my interface ACLs look like when doing this zone thing? Since traffic between zones is blocked by default and traffic inside a zone is permitted, I guess that I shouldn't have any interface ACLs since all transit traffic security is taken care of by the zone configuration. Right? Can there be any situation where interface ACLs are needed when doing ZBFW?
>>
>> Thanks in advance!
>> --
>> -------
>> Jimmy Larsson
>> Ryavagen 173
>> s-26030 Vallakra
>> Sweden
>> http://blogg.kvistofta.nu
>> -------
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
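As an added example (not config from the thread or from IPexpert), here is one consolidated IOS ZBF configuration that meets Jimmy's three goals; it matches ICMP with `match protocol icmp` instead of an ACL, which is a swapped-in technique, and reuses the interface and zone names from the thread as assumptions.

```cisco
! Added example, not from the thread. Telnet and ICMP echo from INSIDE are
! inspected; inspect (not pass) is what lets the echo reply back in, since
! pass is one-way and keeps no session state.
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any class-INSIDE-TO-OUTSIDE
 match protocol telnet
 match protocol icmp
!
policy-map type inspect policy-INSIDE-TO-OUTSIDE
 class type inspect class-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect policy-INSIDE-TO-OUTSIDE
!
! No OUTSIDE-TO-INSIDE zone-pair exists, so nothing initiated from OUTSIDE
! is allowed; only inspected return traffic of INSIDE-initiated sessions
! gets back in. No interface ACLs are needed for the inter-zone policy.
interface FastEthernet0
 description Outside
 zone-member security OUTSIDE
!
interface FastEthernet1
 description Inside
 zone-member security INSIDE
!
interface Vlan13
 zone-member security INSIDE
!
! Verification (EXEC mode): after an inside host pings or telnets out, the
! zone-pair session table should list the ICMP and TCP/23 sessions, and the
! class-default drop counters should show anything else being denied.
! show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions
! show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE
```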
