Configure Zone Based Firewall on Cisco Routers
Contents
Introduction
Requirements
Overview of Zone-Based Policy Network Security on Cisco Routers
Zone based firewall Configuration Examples
Stateful Inspection Routing Firewall
Stateful Inspection Transparent Firewall
Next Step
Troubleshoot the Procedure
Related Information
Introduction
This document describes how to configure Zone based firewall on Cisco Routers. Cisco IOS Classic Firewall stateful inspection (formerly known as Context-Based Access Control, or CBAC) employed an interface-based configuration model, in which a stateful inspection policy was applied to an interface. All traffic passing through that interface received the same inspection policy. This configuration model limited the granularity of the firewall policies and caused confusion about the proper application of firewall policies, particularly in scenarios where firewall policies must be applied between multiple interfaces.

Zone-Based Policy Firewall (also known as Zone-Policy Firewall, or ZFW) changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.
Requirements
To perform the steps described in this document, you need these items:
Complete the initial configuration in the Configure Your Router with Security Device Manager document.
One interface connected to a private LAN that must not be accessible from the public Internet
One interface connected to an Internet service demilitarized zone (DMZ), where a Web server, Domain Name System (DNS) server, and e-mail server must be accessible to the public Internet

Overview of Zone-Based Policy Network Security on Cisco Routers
Each interface in this network is assigned to its own zone, although you might want to allow varied access from the public Internet to specific hosts in the DMZ and varied application use policies for hosts in the protected LAN.
In this example, each zone holds only one interface. If an additional interface is added to the private zone, the hosts connected to the new interface in the zone can pass traffic to all hosts on the existing interface in the same zone. Additionally, the traffic from those hosts to hosts in other zones is similarly governed by the existing policies.
Zone based firewall imposes a prohibitive default security posture. Therefore, unless the DMZ hosts are specifically provided access to other networks, other networks are safeguarded against any connections from the DMZ hosts. Similarly, no access is provided for Internet hosts to access the private zone hosts, so private zone hosts are safe from unwanted access by Internet hosts.

Zone based firewall works on the concept of policies created for traffic moving between the zones. To create firewall policies, you must complete these tasks:

A class is a way of identifying a set of packets based on its contents. Normally you define a class so that you can apply an action on the identified traffic that reflects a policy. A class is designated via class maps. The class-map command creates a class map to be used for matching packets to a specified class.

An action is a specific functionality; for example, inspect, drop, pass, and police are actions. An action is defined for a class using a policy map. Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you can configure policies for classes whose match criteria are defined in a class map.
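The skeleton below is an added example, not configuration from this document, showing how the class map, policy map, zone and zone-pair fit together and how the prohibitive default posture described above comes about. The zone names, interface names and policy names are assumptions; only the command syntax is standard Cisco IOS ZFW.

```cisco
! Added example, not from the document. Zone, interface and policy names are
! assumptions; replace them with the ones used in your network.
!
! 1. Class map: identify the traffic (here, any TCP, UDP or ICMP session).
class-map type inspect match-any ANY-SESSION
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 2. Policy map: bind an action to the class. "inspect" creates a stateful
!    session entry and admits the return traffic; anything not matched falls
!    into class-default, which drops it (logged here for visibility).
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect ANY-SESSION
  inspect
 class class-default
  drop log
!
! 3. Zones and interface membership. Once an interface joins a zone it can
!    only exchange traffic with another zone through a zone-pair that has a
!    policy applied; traffic between interfaces in the same zone is unaffected.
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 description private LAN (interface name assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet uplink (interface name assumed)
 zone-member security OUTSIDE
!
! 4. Zone-pair: direction matters. Only INSIDE -> OUTSIDE carries a policy.
!    Because no OUTSIDE -> INSIDE pair exists, unsolicited inbound sessions
!    are denied; replies to inspected sessions are still allowed by state.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! Verification (exec mode):
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair IN-OUT sessions
```

The three show commands at the end are the checks to run after each zone-pair is applied: the first two confirm interface membership and policy attachment, the third lists the live sessions the inspect action has created, which is the quickest way to confirm that a connection that should be allowed is in fact being inspected rather than silently dropped by class-default.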
The client and server zones are in the same subnet. A transparent firewall is applied between the zones, so the inter-zone policies on those two interfaces would only affect traffic between the client and server zones. The VLAN 1 and VLAN 2 interfaces communicate with other networks through the bridge virtual interface (BVI 1). This interface is assigned to the private zone. (See Figure 2.)
These policies are applied, using the network zones defined earlier:
Hosts in the Internet zone can reach DNS, SMTP, and SSH services on one server in the DMZ. The other server offers SMTP, HTTP, and HTTPS services. The firewall policy restricts access to the specific services available on each host.
Hosts in the client zone can connect to hosts in the server zone on all TCP, UDP, and ICMP services.
Hosts in the server zone cannot connect to hosts in the client zone, except that a UNIX-based application server can open X Windows client sessions to X Windows servers on desktop PCs in the client zone on ports 6900 to 6910.
All hosts in the private zone (combination of clients and servers) can access hosts in the DMZ on SSH, FTP, POP, IMAP, ESMTP, and HTTP services, and in the Internet zone on HTTP, HTTPS, and DNS services and ICMP. Furthermore, application inspection will be applied on HTTP connections from the private zone to the Internet zone in order to assure that supported instant messaging and P2P applications are not carried on port 80. (See Figure 3.)
3. Internet-DMZ SMTP/HTTP/DNS inspection restricted by host address
4. Servers-Clients X Windows inspection with a port-application mapping (PAM)-specified service
Because you apply portions of the configuration to different network segments at different times, it is important to remember that a network segment loses connectivity to other segments when it is placed in a zone. For instance, when the private zone is configured, hosts in the private zone lose connectivity to the DMZ and Internet zones until their respective policies are defined.
Stateful Inspection Routing Firewall
Configure Private Internet Policy
The private Internet policy applies Layer 4 inspection to HTTP, HTTPS, DNS, and Layer 4 inspection for ICMP from the private zone to the Internet zone. This allows connections from the private zone to the Internet zone, and allows the return traffic. Layer 7 inspection carries the advantages of tighter application control, better security, and support for applications requiring fixup. However, Layer 7 inspection, as mentioned, requires a better understanding of network activity, as Layer 7 protocols that are not configured for inspection would not be allowed between zones.
1. Define class-maps that describe the traffic that you want to permit between zones, according to the policies described earlier.
3. Configure the private and Internet zones and assign router interfaces to their respective zones.
Note: You only need to configure the private Internet zone pair at present in order to inspect connections sourced in the private zone traveling to the Internet zone.
This completes the configuration of the Layer 7 inspection policy on the private Internet zone-pair to allow HTTP, HTTPS, DNS, and ICMP connections from the clients zone to the servers zone and to apply application inspection to HTTP traffic to assure that unwanted traffic is not allowed to pass on TCP 80, the HTTP service port.
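The configuration below is an added example of the private-Internet policy, not the document's own configuration; it covers the steps listed above, including the class-maps and policy-maps the steps refer to. It uses the protocol set named in the policy (HTTP, HTTPS, DNS, ICMP) and adds the HTTP application inspection for instant-messaging and P2P traffic carried on port 80. The zone names, class and policy names, and interface names are assumptions.

```cisco
! Added example, not from the document. Class, policy, zone and interface
! names are assumptions.
!
! Step 1: class maps. HTTP gets its own class so that the Layer 7 HTTP
! policy can be attached to it; HTTPS, DNS and ICMP are inspected as-is.
class-map type inspect match-all PRIVATE-INTERNET-HTTP
 match protocol http
class-map type inspect match-any PRIVATE-INTERNET-OTHER
 match protocol https
 match protocol dns
 match protocol icmp
!
! Layer 7 class map for HTTP: matches instant-messaging and peer-to-peer
! traffic that is carried on the HTTP port instead of real web traffic.
class-map type inspect http match-any HTTP-PORT-MISUSE
 match request port-misuse im
 match request port-misuse p2p
!
! Layer 7 policy map: reset the offending connection and log the event.
policy-map type inspect http HTTP-APP-POLICY
 class type inspect http HTTP-PORT-MISUSE
  reset
  log
!
! Step 2: policy map. The HTTP application policy is nested under the
! HTTP class; everything not matched falls into class-default and is dropped.
policy-map type inspect PRIVATE-INTERNET-POLICY
 class type inspect PRIVATE-INTERNET-HTTP
  inspect
  service-policy http HTTP-APP-POLICY
 class type inspect PRIVATE-INTERNET-OTHER
  inspect
 class class-default
  drop log
!
! Step 3: zones and interface membership (interface names assumed).
zone security private
zone security internet
interface FastEthernet0/0
 description private LAN (assumed)
 zone-member security private
interface FastEthernet0/1
 description Internet uplink (assumed)
 zone-member security internet
!
! Step 4: zone-pair. Only private -> internet is needed to inspect sessions
! that originate in the private zone; return traffic is admitted by the
! inspection state, not by a reverse zone-pair.
zone-pair security private-internet source private destination internet
 service-policy type inspect PRIVATE-INTERNET-POLICY
```

Keeping HTTP in a separate class map rather than in the match-any list with the other protocols makes it unambiguous which traffic the Layer 7 policy applies to, and a reset (rather than a silent drop) of port-misuse sessions gives the client an immediate failure instead of a hanging connection, which is easier to diagnose when a legitimate application is misclassified.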
Configure Private DMZ Policy
The private DMZ policy adds complexity because it requires a better understanding of the network traffic between zones.
This policy applies Layer 7 inspection from the private zone to the DMZ. This allows connections from the private zone to the DMZ, and allows the return traffic. Layer 7 inspection carries the advantages of tighter application control, better security, and support for applications requiring fixup. However, Layer 7 inspection, as mentioned, requires a better understanding of network activity, as Layer 7 protocols that are not configured for inspection would not be allowed between zones.
1. Define class-maps that describe the traffic that you want to permit between zones, according to the policies described earlier.
3. Configure the private and DMZ zones and assign router interfaces to their respective zones.
Note: You only need to configure the private DMZ zone-pair at present in order to inspect connections sourced in the private zone traveling to the DMZ.
This completes the configuration of the Layer 7 inspection policy on the private DMZ to allow all TCP, UDP, and ICMP connections from the clients zone to the servers zone. The policy does not apply fixup for subordinate channels, but provides an example of a simple policy to accommodate most application connections.
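The following is an added example of the private-DMZ policy, not the document's own configuration. It follows the service list given for this zone-pair in the policy summary (SSH, FTP, POP, IMAP, ESMTP, HTTP) rather than the all-TCP/UDP/ICMP wording of the closing sentence, because per-protocol Layer 7 matching is what gives the fixup support the paragraph describes. Class, policy, zone and interface names are assumptions, and availability of the esmtp protocol keyword depends on the IOS release; substitute smtp if your release does not accept it.

```cisco
! Added example, not from the document. Names are assumptions; the esmtp
! keyword is release-dependent (use smtp if it is not accepted).
!
! Step 1: class map listing the Layer 7 protocols the private zone may use
! toward the DMZ. Because each protocol is inspected by name, FTP's data
! channel is opened from the control-channel dialog (the "fixup" the text
! refers to) instead of needing a separate permissive rule.
class-map type inspect match-any PRIVATE-DMZ-PROTOCOLS
 match protocol ssh
 match protocol ftp
 match protocol pop3
 match protocol imap
 match protocol esmtp
 match protocol http
!
! Step 2: policy map. Any protocol not listed above is not inspected and is
! therefore dropped by class-default, which is the trade-off of Layer 7
! inspection described in the text.
policy-map type inspect PRIVATE-DMZ-POLICY
 class type inspect PRIVATE-DMZ-PROTOCOLS
  inspect
 class class-default
  drop log
!
! Step 3: zones and interface membership (interface names assumed). Skip the
! zone definitions that already exist from the private-Internet section.
zone security private
zone security dmz
interface FastEthernet0/0
 description private LAN (assumed)
 zone-member security private
interface FastEthernet0/2
 description DMZ segment (assumed)
 zone-member security dmz
!
! Step 4: zone-pair, private -> dmz only; DMZ-initiated connections to the
! private zone stay blocked because no dmz -> private pair is defined.
zone-pair security private-dmz source private destination dmz
 service-policy type inspect PRIVATE-DMZ-POLICY
!
! Check: an FTP transfer from the private zone should show both the control
! session and a dynamically created data-channel session here.
! show policy-map type inspect zone-pair private-dmz sessions
```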
Configure Internet DMZ Policy
This policy applies Layer 7 inspection from the Internet zone to the DMZ. This allows connections from the Internet zone to the DMZ, and allows the return traffic from the DMZ hosts to the Internet hosts that originated the connection. The Internet DMZ policy combines Layer 7 inspection with address groups defined by ACLs to restrict access to specific services on specific hosts, groups of hosts, or subnets. This is accomplished by nesting a class-map specifying services within another class-map referencing an ACL to specify IP addresses.
1. Define class-maps and ACLs that describe the traffic that you want to permit between zones, according to the policies described earlier.
Multiple class-maps for services must be used, as differing access policies are applied for access to two different servers. Internet hosts are allowed DNS and HTTP connections to 172.16.2.2, and SMTP connections are allowed to 172.16.2.3. Note the difference in the class-maps. The class-maps specifying services use the match-any keyword to allow any of the listed services. The class-maps associating ACLs with the service class-maps use the match-all keyword to require that both conditions in the class map must be met to allow traffic.
2. Configure policy-maps to inspect traffic on the class-maps you just defined.
3. Configure the Internet and DMZ zones and assign router interfaces to their respective zones. Skip the DMZ configuration if you set it up in the previous section.
Note: You only need to configure the Internet DMZ zone pair at present, to inspect connections sourced in the Internet zone traveling to the DMZ zone.
This completes the configuration of the address-specific Layer 7 inspection policy on the Internet DMZ zone-pair.
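The configuration below is an added example of the Internet-DMZ policy, not the document's own configuration. It uses the two server addresses given in step 1 (172.16.2.2 for DNS and HTTP, 172.16.2.3 for SMTP) and shows the match-any service class-maps nested inside match-all class-maps that also reference an ACL, so that a connection must be both to the right host and for one of that host's services. ACL, class, policy, zone and interface names are assumptions.

```cisco
! Added example, not from the document. ACL, class, policy, zone and
! interface names are assumptions; the server addresses are the ones the
! document gives.
!
! Step 1a: ACLs that define the address groups (one host each here; a
! subnet or several hosts would be listed the same way).
ip access-list extended DMZ-WEB-DNS-HOST
 permit ip any host 172.16.2.2
ip access-list extended DMZ-MAIL-HOST
 permit ip any host 172.16.2.3
!
! Step 1b: service class-maps use match-any: any listed service qualifies.
class-map type inspect match-any DMZ-WEB-DNS-SERVICES
 match protocol dns
 match protocol http
class-map type inspect match-any DMZ-MAIL-SERVICES
 match protocol smtp
!
! Step 1c: outer class-maps use match-all: the packet must match the ACL
! (destination host) AND the nested service class-map.
class-map type inspect match-all INTERNET-DMZ-WEB-DNS
 match access-group name DMZ-WEB-DNS-HOST
 match class-map DMZ-WEB-DNS-SERVICES
class-map type inspect match-all INTERNET-DMZ-MAIL
 match access-group name DMZ-MAIL-HOST
 match class-map DMZ-MAIL-SERVICES
!
! Step 2: policy map. SMTP to 172.16.2.2 or HTTP to 172.16.2.3 matches
! neither outer class and is dropped by class-default.
policy-map type inspect INTERNET-DMZ-POLICY
 class type inspect INTERNET-DMZ-WEB-DNS
  inspect
 class type inspect INTERNET-DMZ-MAIL
  inspect
 class class-default
  drop log
!
! Step 3: zones and interface membership (interface names assumed; omit
! any zone already created in an earlier section).
zone security internet
zone security dmz
interface FastEthernet0/1
 description Internet uplink (assumed)
 zone-member security internet
interface FastEthernet0/2
 description DMZ segment (assumed)
 zone-member security dmz
!
! Step 4: zone-pair, internet -> dmz only.
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect INTERNET-DMZ-POLICY
```

Because the ACL is evaluated inside the match-all class-map rather than applied to the interface, it only narrows what is inspected; it never opens anything on its own, so a too-broad ACL still cannot admit a service that is absent from the nested service class-map.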
Stateful Inspection Transparent Firewall
Configure Servers-Clients Policy
The servers-clients policy applies inspection using a user-defined service. Layer 7 inspection is applied from the servers zone to the clients zone. This allows X Windows connections to a specific port range from the servers zone to the clients zone, and allows the return traffic. X Windows is not a natively supported protocol in PAM, so a user-configured service in PAM must be defined so the ZFW can recognize and inspect the appropriate traffic.
Two or more router interfaces are configured in an IEEE bridge-group to provide Integrated Routing and Bridging (IRB), which provides bridging between the interfaces in the bridge-group and routing to other subnets via the Bridge Virtual Interface (BVI). The transparent firewall policy applies firewall inspection to traffic crossing the bridge, but not to traffic that leaves the bridge-group via the BVI. The inspection policy only applies to traffic crossing the bridge-group. Therefore, in this scenario, the inspection would only be applied to traffic that moves between the clients and servers zones, which are nested inside the private zone. The policy applied between the private zone and the public and DMZ zones only comes into play when traffic leaves the bridge-group via the BVI. When traffic leaves via the BVI from either the clients or servers zones, the transparent firewall policy would not be invoked.
X Windows clients (where applications are hosted) open connections for display information to clients (where the user is working) in a range starting at port 6900.
Each additional connection uses successive ports, so if a client displays 10 different sessions on one host, the server uses ports 6900-6909. Therefore, if you inspect the port range from 6900 to 6909, connections opened to ports beyond 6909 would fail:
2. Review PAM documents to address additional PAM questions, or check the granular protocol inspection documentation for information about the details of interoperability between PAM and Cisco IOS Firewall stateful inspection.
3. Define class-maps that describe the traffic that you want to permit between zones, according to the policies described earlier.
5. Configure the client and server zones and assign router interfaces to their respective zones.
If you configured these zones and assigned interfaces in the Clients-Servers Policy Configuration section, you can skip to the zone-pair definition. The bridging IRB configuration is provided for completeness.
Note: You only need to configure the servers-clients zone pair at present in order to inspect connections sourced in the servers zone traveling to the clients zone.
This completes the configuration of the user-defined inspection policy in the servers-clients zone-pair to allow X Windows connections from the server zone to the client zone.
Configure Clients-Servers Policy
The clients-servers policy is less complex than the others. Layer 4 inspection is applied from the clients zone to the servers zone. This allows connections from the clients zone to the servers zone, and allows return traffic. Layer 4 inspection carries the advantage of simplicity in the firewall configuration, in that only a few rules are required to allow most application traffic. However, Layer 4 inspection also carries two major disadvantages.
Applications such as FTP or streaming media services frequently negotiate an additional subordinate channel from the server to the client. This functionality is usually accommodated in a service fixup that monitors the control channel dialog and allows the subordinate channel. This capability is not available in Layer 4 inspection.
Layer 4 inspection allows nearly all application-layer traffic. If network use must be controlled so only a few applications are permitted through the firewall, an ACL must be configured on outbound traffic to limit the services allowed through the firewall.
Both router interfaces are configured in an IEEE bridge group, so this firewall policy applies transparent firewall inspection. This policy is applied on two interfaces in an IEEE IP bridge group. The inspection policy only applies to traffic crossing the bridge group. This explains why the clients and servers zones are nested inside the private zone.
1. Define class-maps that describe the traffic that you want to permit between zones, according to the policies described earlier.
3. Configure the clients and servers zones and assign router interfaces to their respective zones.
4. Configure the zone-pair and apply the appropriate policy-map.
Note: You only need to configure the clients-servers zone-pair at present, to inspect connections sourced in the clients zone traveling to the servers zone.
This completes the configuration of the Layer 4 inspection policy for the clients-servers zone-pair to allow all TCP, UDP, and ICMP connections from the client zone to the server zone. The policy does not apply fixup for subordinate channels, but provides an example of a simple policy to accommodate most application connections.
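The configuration below is an added example covering both transparent-firewall policies above (Servers-Clients with the PAM user-defined X Windows service, and Clients-Servers with plain Layer 4 inspection); it is not the document's own configuration. The IRB bridging is shown once because both zone-pairs depend on it, and the port range 6900 to 6910 is the one given in the policy summary. The interface names (Vlan1, Vlan2, BVI1 follow the figure description; on a platform without switch-port VLAN interfaces use the physical interfaces instead), the BVI address, and the class, policy and zone names are assumptions.

```cisco
! Added example, not from the document. Interface names, the BVI address
! and all class/policy/zone names are assumptions.
!
! IRB: both segment interfaces join bridge group 1; BVI1 routes the bridged
! subnet to the rest of the network and sits in the private zone.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface Vlan1
 description clients segment (assumed)
 bridge-group 1
 zone-member security clients
interface Vlan2
 description servers segment (assumed)
 bridge-group 1
 zone-member security servers
interface BVI1
 ip address 192.0.2.1 255.255.255.0
 zone-member security private
!
! Servers-Clients step 1: PAM user-defined service. User-defined names must
! begin with "user-". The range ends at 6910 so the eleventh display
! session does not fail as it would with a 6900-6909 range.
ip port-map user-xwindows port tcp from 6900 to 6910
!
! Servers-Clients step 3 and Clients-Servers step 1: class maps.
class-map type inspect match-all SERVERS-CLIENTS-XWIN
 match protocol user-xwindows
class-map type inspect match-any CLIENTS-SERVERS-L4
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Policy maps. Servers may only open X Windows sessions toward clients;
! clients may open any TCP/UDP/ICMP session toward servers. Layer 4
! matching here means no subordinate-channel fixup, as the text notes.
policy-map type inspect SERVERS-CLIENTS-POLICY
 class type inspect SERVERS-CLIENTS-XWIN
  inspect
 class class-default
  drop log
policy-map type inspect CLIENTS-SERVERS-POLICY
 class type inspect CLIENTS-SERVERS-L4
  inspect
 class class-default
  drop log
!
! Zones (private already exists if the routing-firewall sections were done).
zone security clients
zone security servers
zone security private
!
! Zone-pairs: one per direction, each with its own policy. Traffic that
! leaves via BVI1 is not seen by these pairs; it is governed by the pairs
! between the private zone and the dmz/internet zones.
zone-pair security servers-clients source servers destination clients
 service-policy type inspect SERVERS-CLIENTS-POLICY
zone-pair security clients-servers source clients destination servers
 service-policy type inspect CLIENTS-SERVERS-POLICY
!
! Checks: confirm the PAM entry and watch sessions on each pair.
! show ip port-map user-xwindows
! show policy-map type inspect zone-pair servers-clients sessions
! show policy-map type inspect zone-pair clients-servers sessions
```

If the clients-servers direction has to be narrowed to a few applications, the document's suggested approach is an ACL on the outbound traffic; in ZFW terms that is most cleanly done the same way as the Internet-DMZ policy, by nesting the CLIENTS-SERVERS-L4 class inside a match-all class-map that also references the ACL, rather than by applying the ACL to the interface.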
Next Step
You have now configured Zone based Firewall on your router.
Refer to the Configuration Overview Page to configure other devices in your network.
Troubleshoot the Procedure
This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.
Problem: You are unable to connect to the router with Security Device Manager (SDM).
Solution: Refer to Configure Your Router with Security Device Manager.
Related Information
1992-2006 Cisco Systems, Inc. All rights reserved.