Advanced Zone-Based Firewall:
-Inside-to-Outside Traffic
Create the zones:
zone security Inside
description Inside network
zone security Outside
description Outside network
-Traffic permitted to any destination on the Internet (HTTP, HTTPS, FTP, ICMP)
-Traffic permitted to the Internet service provider's (ISP) servers (SMTP, POP3, DNS)
First, create a class-map matching the Internet traffic:
class-map type inspect match-any InternetTraffic
match protocol http
match protocol ftp
match protocol icmp
match protocol https
Create a class-map matching the traffic toward the ISP servers:
In the previous class-map we used match-any. For the traffic toward the ISP servers we use match-all, because two conditions must both hold: a list of protocols AND a set of destination IP addresses. Remember that:
match-any is the equivalent of OR logic.
match-all is the equivalent of AND logic.
So we create one class-map called ISPTraffic that lists the protocols to be inspected, and another class-map called ToISP that matches the class ISPTraffic together with an access-list called ISPServers, which defines the IP addresses of the servers located at the ISP:
class-map type inspect match-any ISPTraffic
match protocol dns
match protocol smtp
match protocol pop3
!
class-map type inspect match-all ToISP
match class-map ISPTraffic
match access-group name ISPServers
!
ip access-list extended ISPServers
permit ip any host 172.16.0.1
permit ip any host 172.16.0.2
Now we define the action with a policy-map that follows the firewall policy below:
-Inspect all traffic in classes ToISP and InternetTraffic
-Drop and log all the other traffic
policy-map type inspect InsideToOutside
class type inspect ToISP
inspect
class type inspect InternetTraffic
inspect
class class-default
drop log
Now we create a zone-pair to define the direction of the traffic, and apply the policy-map (the action) with a service-policy:
zone-pair security InsideToOutside source Inside destination Outside
service-policy type inspect InsideToOutside
Finally, assign the interfaces to the zones:
interface FastEthernet0/0
zone-member security Inside
!
interface Serial0/0
zone-member security Outside
-With the DMZ zone
We create another zone:
zone security Dmz
description Dmz network
Define the class-maps matching the basic protocol sets (ping, web traffic, file transfer, management, mail delivery and DNS).
One class-map to inspect ICMP echo and echo-reply, using an access-list because the ICMP message type cannot be expressed with match protocol:
class-map type inspect match-any ping
match access-group name IcmpEcho
!
ip access-list extended IcmpEcho
permit icmp any any echo
permit icmp any any echo-reply
One class-map matching the web traffic, either HTTP or HTTPS:
class-map type inspect match-any WebTraffic
match protocol http
match protocol https
One class-map matching FTP traffic for the file transfer:
class-map type inspect FileTransfer
match protocol ftp
One class-map for public management:
class-map type inspect match-any PublicManagement
match protocol ftp
match protocol ssh
match protocol snmp
One class-map matching the SMTP protocol for mail:
class-map type inspect match-any SMTP
match protocol smtp extended
One class-map matching the DNS protocol:
class-map type inspect match-any DNS
match protocol dns
We now refine the traffic class definitions so that a specific protocol (for example SMTP) is allowed only toward a specific server (for example the inside mail server):
First, create a class-map that matches the class-map defined above for the SMTP protocol (called SMTP) together with an access-list defining the internal mail server 10.0.0.10:
class-map type inspect match-all MailDelivery
match class-map SMTP
match access-group name InternalServer
ip access-list extended InternalServer
permit ip any host 10.0.0.10
Next we create a policy-map matching the class-map MailDelivery:
policy-map type inspect DmzToInside
class type inspect MailDelivery
inspect
Next we create a zone-pair to define the direction from the DMZ to Inside and the policy to be applied (zone names are case-sensitive, so the source zone is written Dmz exactly as it was defined):
zone-pair security PerimeterToInside source Dmz destination Inside
service-policy type inspect DmzToInside
We configure an access-list listing the DMZ server 192.168.0.2:
ip access-list extended DmzServer
permit ip any host 192.168.0.2
And we define a list of protocols in the following class-map.
Notice that we simply reference the classes configured above for each protocol and inject them into the class-map PublicProtocols with the match class-map command instead of match protocol; this is less tedious and more efficient than configuring each protocol again with a match protocol command:
class-map type inspect match-any PublicProtocols
match class-map SMTP
match class-map WebTraffic
match class-map DNS
match class-map ping
Next we create a class-map matching both the list of protocols in the class PublicProtocols and the access-list DmzServer; notice the match-all keyword, because the two conditions must both hold:
class-map type inspect match-all PublicTraffic
match class-map PublicProtocols
match access-group name DmzServer
Now we create the policies:
1- Traffic from inside to outside:
The policy-map matches two classes, WebTraffic and FileTransfer, with the inspect action:
policy-map type inspect InsideToOutside
class type inspect WebTraffic
inspect
class type inspect FileTransfer
inspect
Then we create the zone-pair to define the direction from inside to outside and attach the policy-map:
zone-pair security InsideToOutside source Inside destination Outside
service-policy type inspect InsideToOutside
2- Traffic from inside to DMZ:
The policy-map matches two classes, PublicTraffic and PublicManagement, with the inspect action:
policy-map type inspect InsideToDmz
class type inspect PublicTraffic
inspect
class type inspect PublicManagement
inspect
Then create a zone-pair to specify the direction from inside to DMZ, and a service-policy to apply the policy-map:
zone-pair security InsideToDmz source Inside destination Dmz
service-policy type inspect InsideToDmz
3- Traffic from DMZ to outside:
Create a policy-map matching the classes DNS, SMTP and ping with the inspect action:
policy-map type inspect DmzToOutside
class type inspect DNS
inspect
class type inspect SMTP
inspect
class type inspect ping
inspect
Next create a zone-pair to define the direction from DMZ to outside and apply the policy-map:
zone-pair security DmzToOutside source Dmz destination Outside
service-policy type inspect DmzToOutside
4- Traffic from outside to DMZ:
Create a policy-map matching the class-map PublicTraffic with the inspect action:
policy-map type inspect OutsideToDmz
class type inspect PublicTraffic
inspect
Then create a zone-pair to define the direction from outside to DMZ and apply the policy-map:
zone-pair security OutsideToDmz source Outside destination Dmz
service-policy type inspect OutsideToDmz
5- Traffic from DMZ to inside:
Create a policy-map matching the class MailDelivery (the internal SMTP server) with the inspect action:
policy-map type inspect DmzToInside
class type inspect MailDelivery
inspect
Then create a zone-pair to define the direction from DMZ to inside and apply the policy-map (the action) we want:
zone-pair security DmzToInside source Dmz destination Inside
service-policy type inspect DmzToInside
Assign the interfaces to the zones:
interface FastEthernet0/0
zone-member security Inside
!
interface FastEthernet0/1
zone-member security Dmz
!
interface Serial0/0
zone-member security Outside
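To check that the AND/OR logic of match-all and match-any, the nested match class-map statements and the access-groups really produce the intended policy, here is an added example (my own Python model, not Cisco code and not part of the original post) that encodes the page's ACLs, class-maps, the DMZ-design policy-maps and zone-pairs as data and evaluates sample flows against them. It also covers the ToISP class from the Inside-to-Outside section. Flows are simplified to (source zone, destination zone, protocol name, destination IP), application inspection is assumed to identify the protocol correctly, the explicit class-default drop log from the first InsideToOutside policy is kept on that policy (an assumption, the page's second version omits it), and the class ManagementToDmzServer is a hypothetical hardened variant that is not on the page: it shows the match-all form that would limit the PublicManagement protocols (ftp, ssh, snmp) to the DMZ server 192.168.0.2, whereas the page's InsideToDmz policy inspects them toward any DMZ host because PublicManagement carries no access-group.

```python
"""Added example: a small model of how IOS zone-based firewall class-maps and
policy-maps evaluate a flow.  Not Cisco code; values come from the page,
sample flows and the class ManagementToDmzServer are constructed."""

# Access-lists as (protocol, destination host) entries; "ip"/"any" are wildcards.
ACLS = {
    "ISPServers": [("ip", "172.16.0.1"), ("ip", "172.16.0.2")],
    "IcmpEcho": [("icmp", "any")],        # page: permit icmp any any echo / echo-reply
    "InternalServer": [("ip", "10.0.0.10")],
    "DmzServer": [("ip", "192.168.0.2")],
}

# Class-maps: (mode, criteria). Criteria kinds mirror the IOS match statements.
CLASS_MAPS = {
    "InternetTraffic": ("match-any", [("protocol", p) for p in ("http", "ftp", "icmp", "https")]),
    "ISPTraffic": ("match-any", [("protocol", p) for p in ("dns", "smtp", "pop3")]),
    "ToISP": ("match-all", [("class-map", "ISPTraffic"), ("access-group", "ISPServers")]),
    "ping": ("match-any", [("access-group", "IcmpEcho")]),
    "WebTraffic": ("match-any", [("protocol", "http"), ("protocol", "https")]),
    "FileTransfer": ("match-all", [("protocol", "ftp")]),
    "PublicManagement": ("match-any", [("protocol", p) for p in ("ftp", "ssh", "snmp")]),
    "SMTP": ("match-any", [("protocol", "smtp")]),
    "DNS": ("match-any", [("protocol", "dns")]),
    "MailDelivery": ("match-all", [("class-map", "SMTP"), ("access-group", "InternalServer")]),
    "PublicProtocols": ("match-any", [("class-map", c) for c in ("SMTP", "WebTraffic", "DNS", "ping")]),
    "PublicTraffic": ("match-all", [("class-map", "PublicProtocols"), ("access-group", "DmzServer")]),
    # Hypothetical hardened variant (not on the page): management only toward the DMZ server.
    "ManagementToDmzServer": ("match-all", [("class-map", "PublicManagement"), ("access-group", "DmzServer")]),
}

# Policy-maps: ordered (class, action) pairs; the first matching class wins.
# Assumption: the explicit class-default 'drop log' of the page's first policy is
# kept on InsideToOutside; the other policies rely on the implicit drop.
POLICY_MAPS = {
    "InsideToOutside": [("WebTraffic", "inspect"), ("FileTransfer", "inspect"), ("class-default", "drop log")],
    "InsideToDmz": [("PublicTraffic", "inspect"), ("PublicManagement", "inspect")],
    "DmzToOutside": [("DNS", "inspect"), ("SMTP", "inspect"), ("ping", "inspect")],
    "OutsideToDmz": [("PublicTraffic", "inspect")],
    "DmzToInside": [("MailDelivery", "inspect")],
}

ZONE_PAIRS = {  # (source zone, destination zone) -> service-policy applied
    ("Inside", "Outside"): "InsideToOutside",
    ("Inside", "Dmz"): "InsideToDmz",
    ("Dmz", "Outside"): "DmzToOutside",
    ("Outside", "Dmz"): "OutsideToDmz",
    ("Dmz", "Inside"): "DmzToInside",
}


def acl_permits(acl_name, proto, dst):
    """True if some entry of the named access-list permits this protocol/destination."""
    return any(p in ("ip", proto) and h in ("any", dst) for p, h in ACLS[acl_name])


def matches_class(name, proto, dst):
    """Evaluate a class-map: match-all is AND, match-any is OR over its criteria."""
    mode, criteria = CLASS_MAPS[name]
    results = []
    for kind, arg in criteria:
        if kind == "protocol":
            results.append(proto == arg)
        elif kind == "class-map":           # nested class-map, evaluated recursively
            results.append(matches_class(arg, proto, dst))
        elif kind == "access-group":
            results.append(acl_permits(arg, proto, dst))
    return all(results) if mode == "match-all" else any(results)


def evaluate(src_zone, dst_zone, proto, dst):
    """Return the action applied to a flow: 'inspect', 'pass', 'drop' or 'drop log'."""
    if src_zone == dst_zone:
        return "pass"           # IOS default: traffic between interfaces of one zone is allowed
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        return "drop"           # no zone-pair for this direction: denied by default
    for class_name, action in POLICY_MAPS[policy]:
        if class_name == "class-default" or matches_class(class_name, proto, dst):
            return action
    return "drop"               # implicit class-default of an inspect policy


if __name__ == "__main__":
    # Constructed sample flows; 192.168.0.9 and 10.0.0.11 are hosts outside the ACLs.
    for flow in [("Inside", "Outside", "http", "203.0.113.5"),
                 ("Inside", "Outside", "smtp", "203.0.113.5"),
                 ("Outside", "Dmz", "http", "192.168.0.2"),
                 ("Outside", "Dmz", "http", "192.168.0.9"),
                 ("Inside", "Dmz", "ssh", "192.168.0.9"),   # PublicManagement has no ACL
                 ("Dmz", "Inside", "smtp", "10.0.0.11"),
                 ("Outside", "Inside", "http", "10.0.0.10")]:
        print(flow, "->", evaluate(*flow))
```

Reading the output next to the page's configuration makes the design visible: web traffic to the DMZ is only inspected toward 192.168.0.2, mail from the DMZ only reaches 10.0.0.10, anything Outside-to-Inside is dropped because no zone-pair exists, and the one class without an access-group (PublicManagement) is the one that inspects toward any DMZ host.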