
The Cisco IOS Zone Based Firewall is one of the most advanced forms of stateful firewall used in Cisco IOS devices. The zone based firewall (ZBFW) is the successor of the Classic IOS firewall, or CBAC (Context-Based Access Control). Even though ASA devices are considered the dedicated firewall devices, Cisco integrated the firewall functionality into the router, which in fact makes the firewall a cost effective device. Cisco first implemented the router-based stateful firewall in CBAC, where it used the ip inspect command to inspect traffic at layer 4 and layer 7. The zone based firewall came with many more features that are not available in CBAC. The ZBFW mainly deals with security zones: we assign the router interfaces to various security zones and control the traffic between the zones. The traffic is also dynamically inspected as it passes between the zones.

The original comparison contrasts the two approaches: the classic IOS firewall (CBAC) controls inbound and outbound access on an interface and uses inspect statements and stateful ACLs, whereas the zone based firewall controls bidirectional access between zones. In addition to all the features available in the classic IOS firewall, the Zone based firewall supports Application inspection and control for HTTP, POP3, Sun RPC, IM Applications and P2P File sharing.

For advanced configuration of the IOS Zone Based Firewall, refer to:

Here I am going to divide the entire configuration into logical sets and finally combine them to get the full configuration.

The below are the configuration tasks that you need to follow:
Configure Interzone Access Policy (Class Maps & Policy Maps).

Here I am defining a rule set for our ZBFW:
1. From Inside to Outside - http, icmp and pop3 are allowed
2. From Inside to DMZ - http and icmp are allowed
3. From Outside to Inside - icmp is allowed

In this example (refer Figure 1) we have three zones. The Self Zone is created automatically by the router when we create the other zones in a Zone Based Firewall. Intrazone communication is Allowed: traffic flows implicitly among the interfaces that are in the same zone. Interzone communication is Denied: traffic is denied among interfaces that are in different zones unless we specify a firewall policy.

To configure zones in a router, connect to the router via PuTTY or the console, switch to global configuration mode and type the command as below:

Task 2 : Assign Router Interfaces to Zones

We have to assign each router interface to a particular zone. Here I am going to assign Gigabit Ethernet 0/0 to the INSIDE zone, Ge0/1 to the OUTSIDE zone and Ge0/2 to the DMZ zone. To achieve this we have to go to the particular interface and attach that interface to the zone. Type the commands as below:
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#zone-member security INSIDE
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#zone-member security OUTSIDE
Router(config)#interface gigabitEthernet 0/2
Router(config-if)#zone-member security DMZ

Now if you try to ping a zone from another zone, the traffic will be denied because of the default firewall policy. Zone pairs are created to connect the zones. If you want two zones to communicate you have to create a zone pair. DO NOT create zone pairs for non-communicating zones. In our scenario the traffic flows between the zone pairs created below. To create zone pairs the commands are as follows:
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ

Task 4 : Configure Interzone Access Policy

The Interzone Access policy is the key part of a Zone based firewall: this is where we classify the traffic and apply the firewall policies. Class map and Policy map configurations are carried out during this task.

Class Maps : These classify the traffic. A class map sorts the traffic based on the following criteria 1.) Access-group 2.) Protocol 3.) A subordinate class map.

Policy Maps : These decide the 'fate' of the classified traffic.
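The following puts Task 4 together with the zones and zone pairs from the earlier tasks, implementing the three-rule set above as a complete class-map / policy-map / zone-pair configuration. This is an added example, not the author's own configuration: the class-map and policy-map names (IN-TO-OUT-CLASS, IN-TO-OUT-POLICY and so on) are my choices, and dropping and logging unmatched traffic in class-default is an assumption about how the author wants leftover traffic handled.

```cisco
! Zones (the self zone exists implicitly and needs no configuration)
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! Class maps: classify traffic by protocol, one class per rule in the rule set.
! match-any means a packet is classified as soon as one "match protocol" hits.
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol http
 match protocol icmp
 match protocol pop3
class-map type inspect match-any IN-TO-DMZ-CLASS
 match protocol http
 match protocol icmp
class-map type inspect match-any OUT-TO-IN-CLASS
 match protocol icmp
!
! Policy maps: "inspect" opens a stateful session so the return traffic is
! allowed back without a separate rule; everything that does not match falls
! into class-default, which drops it and logs the drop (assumed handling).
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect IN-TO-DMZ-POLICY
 class type inspect IN-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUT-TO-IN-CLASS
  inspect
 class class-default
  drop log
!
! Zone pairs are unidirectional: each pair gets exactly one inspect policy.
! A pair with no service-policy attached (such as OUT-TO-DMZ on this page)
! drops all traffic, which is the default interzone behaviour.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect IN-TO-DMZ-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
```

After assigning the interfaces as in Task 2, a ping from INSIDE to OUTSIDE should succeed while pop3 from OUTSIDE to INSIDE is dropped; show zone-pair security and show policy-map type inspect zone-pair sessions confirm which policy is bound to each pair and which stateful sessions are open.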
