Configuring a Zone-Based Policy Firewall

Author: admin    Published: 2010-8-12    Comments: 0    Views: 3,884+

Addressing Table

Device  Interface  IP Address   Subnet Mask      Default Gateway
R1      Fa0/1      192.168.1.1  255.255.255.0    N/A
R1      S0/0/0     10.1.1.1     255.255.255.252  N/A
R2      S0/0/0     10.1.1.2     255.255.255.252  N/A
R2      S0/0/1     10.2.2.2     255.255.255.252  N/A
R3      Fa0/1      192.168.3.1  255.255.255.0    N/A
R3      S0/0/1     10.2.2.1     255.255.255.252  N/A
PC-A    NIC        192.168.1.3  255.255.255.0    192.168.1.1
PC-C    NIC        192.168.3.3  255.255.255.0    192.168.3.1

Learning Objectives

Verify connectivity among devices before firewall configuration.

Configure a zone-based policy firewall (ZPF) on router R3.

Verify ZPF firewall functionality using ping, Telnet and a web browser.

Introduction

Zone-based policy firewalls (ZPF) are the latest development in the evolution of Cisco firewall technologies. In this activity, you configure a basic ZPF on edge router R3 that allows internal hosts access to external resources and blocks external hosts from accessing internal resources. You then verify firewall functionality from internal and external hosts.

The routers have been pre-configured with the following:

Console password: ciscoconpa55

Password for vty lines: ciscovtyp

Enable password: ciscoenpa55

Host names and IP addressing

Static routing

Task 1: Verify Basic Network Connectivity

Verify network connectivity prior to configuring the zone-based policy firewall.

Step 1. From the PC-A command prompt, ping PC-C at 192.168.3.3.

Step 2. From the PC-C command prompt, Telnet to the router R2 S0/0/1 interface at 10.2.2.2. Exit the Telnet session.

Step 3. From PC-C, open a web browser to the PC-A server.

Click the Desktop tab and click the Web Browser application. Enter the PC-A IP address 192.168.1.3 as the URL. The Packet Tracer 5.x welcome page from the web server should be displayed. Close the browser on PC-C.

Task 2: Create the Firewall Zones on Router R3

Note: For all configuration tasks, be sure to use the exact names as specified.

Step 1. Create an internal zone.

Use the zone security command to create a zone named IN-ZONE.

R3(config)# zone security IN-ZONE

Step 2. Create an external zone.

Use the zone security command to create a zone named OUT-ZONE.

R3(config-sec-zone)# zone security OUT-ZONE

R3(config-sec-zone)# exit

Task 3: Define a Traffic Class and Access List

Step 1. Create an ACL that defines internal traffic.

Use the access-list command to create extended ACL 101 to permit all IP protocols from the 192.168.3.0/24 source network to any destination.

R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any

Step 2. Create a class map referencing the internal traffic ACL.

Use the class-map type inspect command with the match-all option to create a class map named IN-NET-CLASS-MAP. Use the match access-group command to match ACL 101.

R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP

R3(config-cmap)# match access-group 101

R3(config-cmap)# exit

Note: Although not supported in this Packet Tracer exercise, individual protocols (HTTP, FTP, etc.) can be specified for matching using the match-any option, in order to provide more precise control over what type of traffic is inspected.

Task 4: Specify Firewall Policies

Step 1. Create a policy map to determine what to do with matched traffic.

Use the policy-map type inspect command and create a policy map named IN-2-OUT-PMAP.

R3(config)# policy-map type inspect IN-2-OUT-PMAP

Step 2. Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.

R3(config-pmap)# class type inspect IN-NET-CLASS-MAP

Step 3. Specify the action of inspect for this policy map.

The use of the inspect command invokes context-based access control (other options include pass and drop).

R3(config-pmap-c)# inspect

%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.

Issue the exit command twice to leave config-pmap-c mode and return to config mode.

R3(config-pmap-c)# exit

R3(config-pmap)# exit

Task 5: Apply Firewall Policies

Step 1. Create a pair of zones.

Using the zone-pair security command, create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created in Task 1.

R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

Step 2. Specify the policy map for handling the traffic between the two zones.

Attach a policy map and its associated actions to the zone pair using the service-policy type inspect command, referencing the policy map previously created, IN-2-OUT-PMAP.

R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP

R3(config-sec-zone-pair)# exit

R3(config)#

Step 3. Assign interfaces to the appropriate security zones.

Use the zone-member security command in interface config mode to assign Fa0/1 to IN-ZONE and S0/0/1 to OUT-ZONE.

R3(config)# interface fa0/1

R3(config-if)# zone-member security IN-ZONE

R3(config-if)# exit

R3(config)# interface s0/0/1

R3(config-if)# zone-member security OUT-ZONE

R3(config-if)# exit

Step 4. Copy the running config to the startup config.

Task 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE

Verify that internal hosts can still access external resources after configuring the zone-based policy firewall.

Step 1. From internal PC-C, ping the external PC-A server.

From the PC-C Command Prompt, ping PC-A at 192.168.1.3. The ping should succeed.

Step 2. From internal PC-C, Telnet to the router R2 S0/0/1 interface.

From the PC-C Command Prompt, telnet to R2 at 10.2.2.2 and provide the vty password ciscovtypa55. The telnet should succeed. While the Telnet session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions.

R3# show policy-map type inspect zone-pair sessions

Zone-pair: IN-ZONE-OUT-ZONE
 Service-policy inspect : IN-2-OUT-PMAP
  Class-map: IN-NET-CLASS-MAP (match-all)
   Match: access-group 101
   Inspect
    Established Sessions
     Session 139644744 (192.168.3.3:1025)=>(10.2.2.2:23) telnet:tcp SIS_OPEN
      Created 00:00:02, Last heard 00:00:00
      Bytes sent (initiator:responder) [0:0]

What is the source IP address and port number? 192.168.3.3:1025 (port 1025 is random)

What is the destination IP address and port number? 10.2.2.2:23 (Telnet = port 23)

Step 3. From PC-C, exit the Telnet session on R2 and close the Command Prompt window.

Step 4. From internal PC-C, open a web browser to the PC-A server web page.

Enter the server IP address 192.168.1.3 in the browser URL field and click Go. The HTTP session should succeed. While the HTTP session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions.

Note: If the HTTP session times out before you execute the command on R3, you will have to click the Go button on PC-C to generate a session between PC-C and PC-A.

R3# show policy-map type inspect zone-pair sessions

Zone-pair: IN-ZONE-OUT-ZONE
 Service-policy inspect : IN-2-OUT-PMAP
  Class-map: IN-NET-CLASS-MAP (match-all)
   Match: access-group 101
   Inspect
    Established Sessions
     Session 139142400 (192.168.3.3:1027)=>(192.168.1.3:80) http:tcp SIS_OPEN
      Created 00:00:02, Last heard 00:00:00
      Bytes sent (initiator:responder) [0:0]

What is the source IP address and port number? 192.168.3.3:1027 (port 1027 is random)

What is the destination IP address and port number? 192.168.1.3:80 (HTTP web = port 80)
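The two session tables above (Task 6, Steps 2 and 4) are read by eye to answer the source and destination questions. As an added example that is not part of this lab, the following Python parses that show policy-map type inspect zone-pair sessions output into records and checks that every initiator is on the 192.168.3.0/24 network that ACL 101 permits, which is what a correct IN-2-OUT policy should show; the sample output is constructed from the two captures above and the function names are my own.

```python
import ipaddress
import re

# Constructed sample, modelled on the two captures in Task 6
# (Telnet from PC-C to R2, then HTTP from PC-C to PC-A).
SAMPLE_OUTPUT = """\
Zone-pair: IN-ZONE-OUT-ZONE
 Service-policy inspect : IN-2-OUT-PMAP
  Class-map: IN-NET-CLASS-MAP (match-all)
   Match: access-group 101
   Inspect
    Established Sessions
     Session 139644744 (192.168.3.3:1025)=>(10.2.2.2:23) telnet:tcp SIS_OPEN
      Created 00:00:02, Last heard 00:00:00
      Bytes sent (initiator:responder) [0:0]
     Session 139142400 (192.168.3.3:1027)=>(192.168.1.3:80) http:tcp SIS_OPEN
      Created 00:00:02, Last heard 00:00:00
      Bytes sent (initiator:responder) [0:0]
"""

# One "Session" line: id, (initiator ip:port)=>(responder ip:port), app:proto, state
SESSION_RE = re.compile(
    r"Session\s+(?P<id>\d+)\s+"
    r"\((?P<src_ip>[\d.]+):(?P<src_port>\d+)\)=>"
    r"\((?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)\s+"
    r"(?P<app>\w+):(?P<proto>\w+)\s+(?P<state>\S+)"
)


def parse_sessions(text):
    """Return one dict per Session line, tagged with the enclosing zone pair."""
    sessions = []
    zone_pair = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Zone-pair:"):
            zone_pair = line.split(":", 1)[1].strip()
            continue
        m = SESSION_RE.match(line)
        if m:
            s = m.groupdict()
            s["zone_pair"] = zone_pair
            for key in ("id", "src_port", "dst_port"):
                s[key] = int(s[key])
            sessions.append(s)
    return sessions


def unexpected_initiators(sessions, inside_net="192.168.3.0/24"):
    """Sessions whose initiator is outside the IN-ZONE network (ACL 101 source).
    For a correct IN-2-OUT policy this list should be empty."""
    net = ipaddress.ip_network(inside_net)
    return [s for s in sessions if ipaddress.ip_address(s["src_ip"]) not in net]
```

Paste a real capture in place of SAMPLE_OUTPUT; any entry returned by unexpected_initiators means a session was inspected that ACL 101 should not have matched.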

Step 5. Close the browser on PC-C.

Task 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE

Verify that external hosts CANNOT access internal resources after configuring the zone-based policy firewall.

Step 1. From the PC-A server command prompt, ping PC-C.

From the PC-A Command Prompt, ping PC-C at 192.168.3.3. The ping should fail.

Step 2. From router R2, ping PC-C.

From R2, ping PC-C at 192.168.3.3. The ping should fail.

Step 3. Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
