Monday, 8 October 2012

Cisco IOS Zone-Based Firewall Step-by-step Configuration Guide

Introduction

The Cisco IOS Zone Based Firewall is one of the most advanced form of Stateful firewall used in Cisco IOS devices. The zone based firewall (ZBFW) is the successor of Classic IOS firewall or CBAC (Context-Based Access Control). Cisco first implemented the router-based stateful firewall in CBAC where it used ip inspect command to inspect the traffic in layer 4 and layer 7.

Even though ASA devices are considered as the dedicated firewall devices, Cisco integrated the firewall functionality in the router which in fact will make the firewall a cost effective device. The zone based firewall came up with many more features that is not available in CBAC. The ZBFW mainly deals with the security zones, where we can assign router interfaces to various security zones and control the traffic between the zones. Also the traffic will be dynamically inspected as it passes through the zones. In addition to all the features which is available in classic IOS firewall, Zone based firewall will support Application inspection and control for HTTP, POP3, Sun RPC, IM Applications and P2P File sharing.

For Advanced Configuration visit Zone Based Firewall Advanced Configuration

Zone Based Firewall Vs CBAC

CBACZone Based Firewall
Interface Based ConfigurationZone Based Configuration
Controls Inbound and Outbound access on an interfaceControls Bidirectional access between zones.
Uses inspect statements and stateful ACLsUses Class-Based Policy language
-Not supported-Support Application Inspection and Control
Support from IOS Release 11.2Support from IOS Release 12.4 (6) T

  • This document is a Step-by-step guide to configure a basic zone based policy firewall in an IOS Router. This example is based on a 2900 series router running with 15.0(1) code.
ZBFW Configuration Tasks

The below are the configuration tasks that you need to follow.

1. Configure Zones.

2. Assign router interfaces to Zones.

3. Create Zone pairs.

4. Configure Interzone access policy (Class Maps and Policy Maps)

5. Apply Policy Maps to Zone Pairs.

Network Diagram

The ZBFW configuration is based on the below network diagram.

Figure 1:











In this example we have three zones.
  • Inside Zone - Private LAN
  • DMZ Zone  - DMZ hosts
  • Outside Zone - Internet

Here I am defining a rule set for our ZBFW:

1. From Inside to Outside - http, tcp, udp, icmp and pop3 is allowed.

2. From Outside to Inside - icmp is allowed.

3. From Inside to DMZ - http, tcp and icmp is allowed

4. From Outside to DMZ - http is allowed

Default Rules of Zone Based Firewall

1. Interzone communication is Denied, traffic will be denied among the interfaces that are in the different zones unless we specify a firewall policy.

2. Intrazone communication is Allowed, traffic will flow implicitly among the interfaces that are in the same zone.

3. All traffic to self zone is Allowed.

Task 1 : Configure Zones

In this example (refer figure 1) we have got three zones. Inside, Outside and DMZ.

To configure zones in a router, connect the router via ssh or console, switch to the global configuration mode and type the command as below:

Router(config)#zone security INSIDE

Router(config)#zone security OUTSIDE

Router(config)#zone security DMZ










Task 2 : Assign Router Interface to Zones

We have to assign the router interface to a particular zone. Here I am going to assign Gigabyte Ethernet 0/0 to INSIDE zone, Ge0/1 to OUTSIDE zone and Ge0/2 to DMZ zone.

To achieve this we have to go to the particular interface and attach that interface to the zone. Type the command as below:

Router(config)#interface gigabitEthernet 0/0
Router(config-if)#zone-member securtiy INSIDE

Router(config)#interface gigabitEthernet 0/1
Router(config-if)#zone-member securtiy OUTSIDE

Router(config)#interface gigabitEthernet 0/2
Router(config-if)#zone-member securtiy DMZ
   

Now if you try to ping a zone from another zone the traffic will be denied because of the default firewall policy.

Task 3 : Create Zone Pairs

Zone pairs are created to connect the zones. If you want to make two zones to communicate you have to create zone pairs. DO NOT create zone pairs for non-communicating zones. In our scenario the traffic flows between:
  • INSIDE to OUTSIDE
  • OUTSIDE to INSIDE
  • OUTSIDE to DMZ
  • INSIDE to DMZ
So we need to create zone pair for all the four pairs. To create zone pair type the command as follows in global configuration mode.

Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE

Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ

Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ







Task 4 : Configure Interzone Access Policy

Interzone Access policy is the key part of a zone based firewall where we classify the traffic and apply the firewall policies. Here we are defining the class-map and policy-map for classifying and defining policy to the traffic.

Class Maps : This will classify the traffic

Policy Maps : This will decide the 'fate' of the traffic.

Class Map Configuration

Class map sort the traffic based on the following criteria 1.) Access-group 2.) Protocol 3.) A subordinate class map. In this example we are sorting the traffic based on access group. So first we need to create an ACL and associate it with the class map.

a.) Class Map for INSIDE-TO-OUTSIDE

Router(config)#ip access-list extended INSIDE-TO-OUTSIDE
Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq www
Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq echo
Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq pop3

Router(config)#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
Router(config-cmap)#match access-group name INSIDE-TO-OUTSIDE

b.) Class Map for OUTSIDE-TO-INSIDE

Router(config)#ip access-list extended OUTSIDE-TO-INSIDE
Router(config-ext-nacl)#permit tcp any 172.17.0.0 0.0.255.255 eq echo

Router(config)#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
Router(config-cmap)match access-group name OUTSIDE-TO-INSIDE

c.) Class Map for OUTSIDE-TO-DMZ

Router(config)#ip access-list extended OUTSIDE-TO-DMZ
Router(config-ext-nacl)#permit tcp any 192.168.1.0 0.0.0.255 eq www

Router(config)#class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
Router(config)#match access-group name OUTSIDE-TO-DMZ

d.) Class Map for INSIDE-TO-DMZ

Router(config)#ip access-list extended INSIDE-TO-DMZ
Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq www
Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq echo

Router(config)#class-map type inspect match-all INSIDE-TO-DMZ-CLASS
Router(config-cmap)#match access-group name INSIDE-TO-DMZ


Policy-Map Configuration

Policy-Maps will apply the firewall policy to the class-map that is configured previously. Three actions can be taken aganist the traffic with the policy-map configuration:
  • Inspect : Dynamically inspect the traffic
  • Drop : Drop the traffic
  • Pass : Simply forward the traffic.
There will be a drop policy, by default, at the end of the policy-map.

a.) Policy-map for INSIDE-TO-OUTSIDE

Router(config)#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
Router(config-pmap)#class type inspect INSIDE-TO-OUTSIDE-CLASS
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log

b.) Policy-map for OUTSIDE-TO-INSIDE

Router(config)#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
Router(config-pmap)#class type inspect OUTSIDE-TO-INSIDE-CLASS
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop log

c.) Policy-map for OUTSIDE-TO-DMZ

Router(config)#policy-map type inspect OUTSIDE-TO-DMZ-POLICY
Router(config-pmap)#class type inspect OUTSIDE-TO-DMZ-CLASS
Router(config-pmap)#inspect
Router(config-pmap)#class class-default
Router(config-pmap)#drop

d.) Policy-map for INSIDE-TO-DMZ

Router(config)#policy-map type inspect INSIDE-TO-DMZ-POLICY
Router(config-pmap)#class type inspect INSIDE-TO-DMZ-CLASS
Router(config-pmap)#pass
Router(config-pmap)#class class-default
Router(config-pmap)#drop log








Task 5 : Apply policy-maps to zone pairs

Now we have to attach the policy maps to the zone pairs that we already created. The command is as follows:

Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-DMZ-POLICY

Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ
Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-DMZ-POLICY





There we finish the basic configuration of a zone based firewall.

Troubleshooting

Below you can find a list of commands for zone based firewall troubleshooting.

a.) Show Commands

show class-map type inspect

show policy-map type inspect

show zone-pair security

b.) Debug Commands*

*Use the debug command with great care.

debug policy-firewall detail

debug policy-firewall events

debug policy-firewall protocol tcp

debug policy-firewall protocol udp

Useful Links

11 comments:

  1. I have seen your zone-based policy firewall lesson. Even though I haven't put it into practice yet to confirm the results, but it looks well done.
    thanks my friend, and I will add your wordpress homepage into my favorite now.
    Keep up the good work, and my name is ahmed.
    you can always reach me at abma2008@gmail.com
    Thanks again for the valuable lesson my dear.

    Sincerely,
    Ahmed

    ReplyDelete
    Replies
    1. Thanks for your kind words my friend. Happy Learning!

      -
      Yadhu

      Delete
  2. Thanks for some very helpful articles Tony, particularly this one and the one about content filtering.

    I'm in the process of replacing some existing CBAC installations with ZBF and initially found it a bit confusing, particularly after configuring and dissecting some examples with SDM and CCP. Although the SDM way was required for the CCNA Security, I much prefer to learn and construct my configurations from the command line.

    There seems to be some confusion as to whether intra-zone traffic is passed by default or needs configuring in IOS 15. I currently have Version 15.1(4)M4 on my main lab router and also Version 12.4(24)T7 on another. I'll find that out by experimenting!

    Nick.

    ReplyDelete
    Replies
    1. Thank you for your comment Nick. I would recommend you to go through this document as well https://supportforums.cisco.com/docs/DOC-34539 .

      Tony.

      Delete
  3. Excellent article. Helped me to demystify some points. Thanks heaps.

    ReplyDelete
  4. please can you tell me configuration of Remote VPN configuration..?

    ReplyDelete
    Replies
    1. Hi, Thanks for your comment. Could you please explain the exact requirement? In which device you want to configure VPN? Regarding remote VPN I got two articles 1) http://yadhutony.blogspot.in/2013/01/cisco-ipsec-easy-vpn-server.html 2.) http://yadhutony.blogspot.in/2013/06/cisco-ios-ssl-vpn-configuration-guide.html.

      Delete
  5. Whether you want Troubleshooting for your Cisco router, we are here to provide the best Assistant services. Call us now at Cisco Customer Service phone Number 1800-857-2133 and get help with unlimited service plans at very affordable prices.Best Remote support for your Cisco router at affordable prices on 1-800-857-2133-Cisco Router Technical Support Global Support Service Helpline Number .


    http://247techaid.jigsy.com/entries/antivirus-technical-support/1-800-857-2133-cisco-router-technical-global-support-service-helpline-number

    ReplyDelete