Zone-based firewall
A zone-based firewall is an advanced form of stateful firewall. A stateful firewall keeps, in its state table, an entry containing the source IP address, destination IP address, source port number and destination port number for every connection initiated from the trusted (private) network. It then uses that table to allow in from the outside only the traffic, including replies, that belongs to those connections from the private (trusted) network.
Zone-based Firewall procedure:
- Create zones and assign interfaces to them – In a zone-based firewall, logical zones are created and each interface is assigned to a zone. By default, traffic from one zone to another is not allowed.
- Create class-map – After creating the zones, a class-map is made that identifies the type of traffic, such as ICMP, to which the policies will be applied.
- Create policy-map and assign the class-map to it – After identifying the type of traffic in the class-map, we have to define what action must be taken on that traffic. The action can be:
- Inspect: This is the same as CBAC inspection, i.e. traffic from the outside network is allowed only if it is the return traffic of a session that was inspected when it was initiated from the inside (trusted) network.
- Drop: This is the default action for all traffic. A class-map configured in a policy-map can be set to drop unwanted traffic.
- Pass: This allows traffic from one zone to another. Unlike the inspect action, it does not create a session state for the traffic, so if traffic in the opposite direction should be allowed as well, a corresponding policy must be created for that direction.
Below are the configuration tasks to follow:
- Configure Zones.
- Assign Router Interfaces to zones.
- Create Zone Pairs.
- Configure Interzone Access Policy (Class Maps & Policy Maps)
- Apply Policy Maps to Zone Pairs.
Task 1 : Configure Zones
Both zones used by the zone pair in Task 6 must exist, so OUTSIDE is created here as well.
zone security INSIDE
zone security OUTSIDE
Task 2 : Assign Router Interfaces to Zones
The original text names only the inside interface; replace <OUTSIDE-INTERFACE> with the WAN-facing interface of your router.
interface GigabitEthernet0/0/1
 zone-member security INSIDE
interface <OUTSIDE-INTERFACE>
 zone-member security OUTSIDE
Task 3 : Create Zone Pairs
Zone pairs connect the zones: if you want two zones to communicate, you have to create a zone pair between them, and traffic is only permitted in the direction the pair defines. In our scenario the traffic flows between :
- INSIDE to OUTSIDE
Task 4 : Configure Interzone Access Policy
A class map sorts the traffic based on the following criteria :
1.) Access-group
2.) Protocol
3.) A subordinate class map.
So first we need to create an ACL and associate it with the class map.
ip access-list extended OUTBOUND-INSIDE-MERAKI-MGMT
remark Next 24 lines – Meraki-Mgmt
permit udp 172.31.0.0 0.0.255.255 host 64.62.142.12 eq 7351
permit udp 172.31.0.0 0.0.255.255 host 64.62.142.12 eq 9350
permit udp 172.31.0.0 0.0.255.255 208.161.147.0 0.0.0.255 eq 7351
permit udp 172.31.0.0 0.0.255.255 208.161.147.0 0.0.0.255 eq 9350
permit udp 172.31.0.0 0.0.255.255 199.231.78.0 0.0.0.255 eq 7351
permit udp 172.31.0.0 0.0.255.255 199.231.78.0 0.0.0.255 eq 9350
permit udp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 7351
permit udp 172.31.0.0 0.0.255.255 208.206.48.0 0.0.15.255 eq 9350
permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 80
permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 443
permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 7734
permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 7752
permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 80
permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 443
permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 7734
permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 7752
permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 80
permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 443
permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 7734
permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 7752
permit udp 172.31.0.0 0.0.255.255 any eq 123
permit udp 172.31.0.0 0.0.255.255 host 8.8.8.8 eq 53
permit icmp 172.31.0.0 0.0.255.255 host 8.8.8.8
permit icmp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255
With match-any, a class matches as soon as any one of its criteria is met, so a single "match protocol tcp" line would match every TCP flow and the ACL would restrict nothing. The protocol matches therefore go into a subordinate match-any class, and a match-all class combines that subordinate class with the ACL (the name MERAKI-MGMT-PROTOCOLS is chosen here):
class-map type inspect match-any MERAKI-MGMT-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all OUTBOUND-INSIDE-MERAKI-MGMT
 match access-group name OUTBOUND-INSIDE-MERAKI-MGMT
 match class-map MERAKI-MGMT-PROTOCOLS
Task 5: Policy-Map Configuration
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect OUTBOUND-INSIDE-MERAKI-MGMT
inspect
Task 6 : Apply policy maps to zone pairs
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
This completes the basic configuration of a zone-based firewall.
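As an added check (example code, not part of the original post and not a Cisco tool), the following Python script parses the zone-based-firewall lines of a running-config and flags two mistakes the tasks above can hide: a zone pair that names a zone never created with "zone security", and a match-any class-map that mixes "match access-group" with "match protocol", where the protocol match alone is sufficient and the ACL therefore restricts nothing. The sample configuration inside the script is constructed to reproduce both problems.

```python
# Constructed sample config in the shape of the page's tasks: only INSIDE is created
# with "zone security", and the class-map combines match-any with an ACL and protocols.
SAMPLE_CONFIG = """\
zone security INSIDE
class-map type inspect match-any OUTBOUND-INSIDE-MERAKI-MGMT
 match access-group name OUTBOUND-INSIDE-MERAKI-MGMT
 match protocol tcp
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect OUTBOUND-INSIDE-MERAKI-MGMT
  inspect
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
"""

def parse_zbf(config):
    """Collect security zones, inspect class-maps and zone-pairs from IOS config text."""
    zones, cmaps, pairs, ctx = set(), {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == '!':
            continue
        if not line.startswith(' '):          # top-level command starts a new context
            ctx = None
            if t[:2] == ['zone', 'security']:
                zones.add(t[2])
            elif t[:3] == ['class-map', 'type', 'inspect']:
                ctx, cmaps[t[4]] = ('cm', t[4]), {'mode': t[3], 'matches': []}
            elif t[:2] == ['zone-pair', 'security']:
                ctx, pairs[t[2]] = ('zp', t[2]), {'src': t[4], 'dst': t[6], 'policy': None}
        elif ctx and ctx[0] == 'cm' and t[0] == 'match':
            cmaps[ctx[1]]['matches'].append(t[1])  # access-group / protocol / class-map
        elif ctx and ctx[0] == 'zp' and t[:3] == ['service-policy', 'type', 'inspect']:
            pairs[ctx[1]]['policy'] = t[3]
    return zones, cmaps, pairs

def audit_zbf(config):
    """Return human-readable findings for the two mistakes discussed on this page."""
    zones, cmaps, pairs = parse_zbf(config)
    findings = []
    for name, zp in pairs.items():
        for z in (zp['src'], zp['dst']):
            if z not in zones:
                findings.append(f"zone-pair {name}: zone {z} is not defined")
    for name, cm in cmaps.items():
        # match-any: 'match protocol tcp' alone matches, so the ACL never restricts anything
        if cm['mode'] == 'match-any' and {'access-group', 'protocol'} <= set(cm['matches']):
            findings.append(f"class-map {name}: match-any with access-group and protocol bypasses the ACL")
    return findings
```

Running audit_zbf(SAMPLE_CONFIG) reports both findings; feeding it the output of "show running-config" from a router with the corrected Task 1 and Task 4 configuration returns an empty list.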
Troubleshooting
You can use the commands below for basic troubleshooting and verification; "show policy-map type inspect zone-pair sessions" additionally lists the sessions currently held by the inspect policy on each zone pair.
a.) Show commands
show class-map type inspect
show policy-map type inspect
show zone-pair security
b.) Debug Commands
debug policy-firewall detail
debug policy-firewall events
debug policy-firewall protocol tcp
debug policy-firewall protocol udp