Lab 222 - Zone-Based Firewall Part 1
Posted by: Simple Learning
Category: Security
Prerequisites: CCNP level skills.
Topology
Pic 1. Topology Diagram.
Consider R1 as the edge router. Its interface Fa0/0 is the OUTSIDE interface and Se0/0 is the INSIDE interface. Configure a firewall on R1 using the following rules:
- Allow all traffic from INSIDE to OUTSIDE
- Allow only SSH traffic from OUTSIDE to R1's address 192.0.2.1
- Allow the BGP protocol between R1 and BB3 (to be implemented) and log all other dropped traffic
Solution
Task 1
Consider R1 as the edge router. Its interface Fa0/0 is the OUTSIDE interface and Se0/0 is the INSIDE interface. Configure a firewall on R1 using the following rules:
- Allow all traffic from INSIDE to OUTSIDE
- Allow only SSH traffic from OUTSIDE to R1's address 192.0.2.1
- Allow the BGP protocol between R1 and BB3 (to be implemented) and log all other dropped traffic
R1 Config:
! Current routing configuration on R1:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
router eigrp 1
redistribute static metric 1 1 1 1 1
network 10.0.1.1 0.0.0.0
network 172.16.123.1 0.0.0.0
network 172.16.215.1 0.0.0.0
no auto-summary
!
!
! Current routing on BB3:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
Zone-based firewall configuration on R1:
Step 1
Define the zones.
!
zone security INSIDE
zone security OUTSIDE
!
Step 2
Classify the interesting traffic (traffic that is allowed from INSIDE to OUTSIDE).
Classify the traffic exceptions (traffic from OUTSIDE that is allowed to reach the router itself).
!
class-map type inspect match-all ICMP
match protocol icmp
class-map type inspect match-all UDP
match protocol udp
class-map type inspect match-all TCP
match protocol tcp
!
! Traffic Exceptions
!
ip access-list extended SSH_TO_R1
permit tcp any host 192.0.2.1 eq 22
!
class-map type inspect match-any OUTSIDE_TO_SELF_EXCEPTIONS
match protocol bgp
match access-group name SSH_TO_R1
!
Step 3
Configure the policies for the classified traffic.
!
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
class type inspect TCP
inspect
class type inspect UDP
inspect
class type inspect ICMP
inspect
!
!
policy-map type inspect OUTSIDE_TO_SELF_POLICY
class type inspect OUTSIDE_TO_SELF_EXCEPTIONS
pass
class class-default
drop log
!
Step 4
Configure the zone pairs and apply the policy maps to them. No zone pair is defined from OUTSIDE to INSIDE, so that traffic is dropped by default. The pass action is stateless and one-directional; it is sufficient here only because traffic from the self zone back to OUTSIDE is allowed by default when no self-to-OUTSIDE zone pair exists.
!
zone-pair security INSIDE_TO_OUTSIDE_PAIRING source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
!
!
zone-pair security OUTSIDE_TO_SELF_PAIRING source OUTSIDE destination self
service-policy type inspect OUTSIDE_TO_SELF_POLICY
!
Step 5
Assign interfaces to the zones.
!
interface FastEthernet0/0
description OUTSIDE
ip address 192.0.2.1 255.255.255.0
zone-member security OUTSIDE
speed 100
full-duplex
!
!
interface Serial0/0
description INSIDE
ip address 172.16.123.1 255.255.255.0
zone-member security INSIDE
encapsulation frame-relay
clock rate 2000000
frame-relay map ip 172.16.123.2 102 broadcast
no frame-relay inverse-arp
!
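As an added example (not part of the original lab), here is a small Python audit that parses IOS zone-based firewall statements like the ones above and checks their wiring: every zone pair references defined zones and a defined policy map, every policy map references defined class maps, and every policy map carries an explicit class-default with drop log, because the implicit class-default drops without logging. The sample configuration is constructed from this lab's R1 configuration, with the TCP class map deliberately left out so that one error is reported.

```python
# Constructed sample: this lab's R1 ZBF config (match lines trimmed) with the TCP class-map deliberately omitted.
SAMPLE_CFG = """
zone security INSIDE
zone security OUTSIDE
class-map type inspect match-any OUTSIDE_TO_SELF_EXCEPTIONS
 match protocol bgp
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
 class type inspect TCP
  inspect
policy-map type inspect OUTSIDE_TO_SELF_POLICY
 class type inspect OUTSIDE_TO_SELF_EXCEPTIONS
  pass
 class class-default
  drop log
zone-pair security INSIDE_TO_OUTSIDE_PAIRING source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
zone-pair security OUTSIDE_TO_SELF_PAIRING source OUTSIDE destination self
 service-policy type inspect OUTSIDE_TO_SELF_POLICY
"""

def parse_zbf(cfg):  # -> zones, class-map names, policy-maps {class: action tokens}, zone-pairs {src, dst, policy}
    zones, cmaps, pmaps, pairs, cur, cls = set(), set(), {}, {}, {}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip() and not line.lstrip().startswith("!")):
        if t[:2] == ["zone", "security"]:
            zones.add(t[2])
        elif t[0] == "class-map":
            cmaps.add(t[-1])
        elif t[0] == "policy-map":
            cur, cls = pmaps.setdefault(t[-1], {}), None
        elif t[0] == "zone-pair":
            cur, cls = pairs.setdefault(t[2], {"src": t[4], "dst": t[6]}), None
        elif t[0] == "service-policy":
            cur["policy"] = t[-1]
        elif t[0] == "class":
            cur[(cls := t[-1])] = []  # new class inside the current policy-map, no action seen yet
        elif cls and t[0] in ("inspect", "pass", "drop"):
            cur[cls] = t  # action under the current class, e.g. ['drop', 'log']
    return zones, cmaps, pmaps, pairs

def audit_zbf(cfg):
    """Return findings about the ZBF wiring; an empty list means it is consistent."""
    zones, cmaps, pmaps, pairs = parse_zbf(cfg)
    out = [f"zone-pair {n}: undefined zone {z}" for n, p in pairs.items() for z in (p["src"], p["dst"]) if z != "self" and z not in zones]
    out += [f"zone-pair {n}: policy-map {p.get('policy')} is not defined" for n, p in pairs.items() if p.get("policy") not in pmaps]
    for name, classes in sorted(pmaps.items()):
        out += [f"policy-map {name}: class-map {c} is not defined" for c in classes if c != "class-default" and c not in cmaps]
        if classes.get("class-default", [])[:2] != ["drop", "log"]:  # implicit class-default drops without logging
            out.append(f"policy-map {name}: unmatched traffic is dropped silently; add 'class class-default' with 'drop log'")
    return out
```

Calling audit_zbf(SAMPLE_CFG) reports the missing class map and that INSIDE_TO_OUTSIDE_POLICY drops unmatched traffic without logging it; meeting the "log all other dropped traffic" requirement on that pair as well would need an explicit class-default with drop log there too.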
Verification:
Pic. 2 - Traffic INSIDE_TO_OUTSIDE.
Pic. 3 - Traffic OUTSIDE_TO_INSIDE (BB3_TO_SW1).
Pic. 4 - OUTSIDE_TO_R1 using SSH.
KEEP THE CONFIGURATION FOR THE NEXT LAB!