IOS Zone-Based Firewall


IOS ZONE-BASED FIREWALL (packetlife.net)

Terminology

  Security Zone
    A group of interfaces which share a common level of security.

  Zone Pair
    A unidirectional pairing of source and destination zones to which a security policy is applied.

  Inspection Policy
    An inspect-type policy map used to statefully filter traffic by matching one or more inspect-type class maps.

  Parameter Map
    An optional configuration of protocol-specific parameters referenced by an inspection policy.

Security Zones

  [Diagram: zones Trusted, Internet and Guest. G0/0 (MPLS WAN) and G0/2.10 (Corporate LAN) are in Trusted, G0/1 (Internet) is in Internet, G0/2.20 (Guest Wireless LAN) is in Guest.]

    ! Defining security zones
    zone security Trusted
    zone security Guest
    zone security Internet
    ! Assigning interfaces to security zones
    interface GigabitEthernet0/0
     zone-member security Trusted
    !
    interface GigabitEthernet0/1
     zone-member security Internet
    !
    interface GigabitEthernet0/2.10
     zone-member security Trusted
    !
    interface GigabitEthernet0/2.20
     zone-member security Guest

Inspection Class Configuration

    ! Match by protocol
    class-map type inspect match-any ByProtocol
     match protocol tcp
     match protocol udp
     match protocol icmp
    ! Match by access list (IOS extended ACLs take a wildcard mask, here 10.0.0.0/16)
    ip access-list extended MyACL
     permit ip 10.0.0.0 0.0.255.255 any
    !
    class-map type inspect match-all ByAccessList
     match access-group name MyACL

Parameter Map Configuration

    parameter-map type inspect MyParameterMap
     alert on
     audit-trail off
     dns-timeout 5
     max-incomplete low 20000
     max-incomplete high 25000
     icmp idle-time 3
     tcp synwait-time 3

Inspection Policy Actions

  Drop
    Traffic is prevented from passing.

  Pass
    Traffic is permitted to pass without stateful inspection.

  Inspect
    Traffic is subjected to stateful inspection; legitimate return traffic is permitted in the opposite direction.

Inspection Policy Configuration

    policy-map type inspect MyInspectionPolicy
     ! Pass permitted stateless traffic
     class VPN-Tunnel
      pass
     ! Inspect permitted stateful traffic
     class Allowed-Traffic1
      inspect
     ! Stateful inspection with a parameter map
     class Allowed-Traffic2
      inspect MyParameterMap
     ! Drop and log unpermitted traffic
     class class-default
      drop log

Zone Pair Configuration

    ! Service policies are applied to zone pairs
    zone-pair security T2I source Trusted destination Internet
     service-policy type inspect Trusted2Internet
    zone-pair security G2I source Guest destination Internet
     service-policy type inspect Guest2Internet
    zone-pair security I2T source Internet destination Trusted
     service-policy type inspect Internet2Trusted

Troubleshooting

    show zone security
    show zone-pair security
    show policy-map type inspect
    show class-map type inspect
    show parameter-map type inspect
    debug zone security events

by Jeremy Stretch, v1.0
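Zones, interface memberships, zone pairs and inspect policy maps refer to each other only by name, so a typo or a missing definition leaves a dangling reference. The following audit is an added example, not part of the original cheat sheet: it scans a saved configuration for such references, and the function name `audit_zbf`, the finding labels and the sample configuration are constructed for illustration.

```python
# Constructed sample config (not from a real device); names follow the cheat sheet.
SAMPLE = """\
zone security Trusted
zone security Guest
zone security Internet
policy-map type inspect MyInspectionPolicy
 class class-default
  drop log
interface GigabitEthernet0/0
 zone-member security Trusted
interface GigabitEthernet0/1
 zone-member security Internet
interface GigabitEthernet0/2.20
 zone-member security Gust
zone-pair security T2I source Trusted destination Internet
 service-policy type inspect MyInspectionPolicy
zone-pair security G2I source Guest destination Internet
 service-policy type inspect Guest2Internet
zone-pair security I2T source Internet destination Trusted
"""

def audit_zbf(config):
    """Return (kind, object, detail) findings for dangling ZBF references."""
    zones, policies, members, pairs, ctx = set(), set(), {}, {}, None
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        w = raw.split()
        ctx = ctx if raw[0].isspace() else None  # a top-level command closes the block
        if w[:2] == ["zone", "security"] and len(w) == 3:
            zones.add(w[2])
        elif w[:3] == ["policy-map", "type", "inspect"] and len(w) == 4:
            policies.add(w[3])
        elif w[0] == "interface" and len(w) == 2:
            ctx = ("if", w[1])
        elif w[:2] == ["zone-pair", "security"] and len(w) == 7:
            ctx = ("pair", w[2])
            pairs[w[2]] = [w[4], w[6], None]  # source, destination, policy
        elif w[:2] == ["zone-member", "security"] and ctx and ctx[0] == "if":
            members[ctx[1]] = w[2]
        elif w[:3] == ["service-policy", "type", "inspect"] and ctx and ctx[0] == "pair":
            pairs[ctx[1]][2] = w[3]
    out = [("undefined-zone", i, z) for i, z in members.items() if z not in zones]
    out += [("empty-zone", z, "") for z in sorted(zones - set(members.values()))]
    for name, (src, dst, pol) in pairs.items():
        out += [("undefined-zone", name, z) for z in (src, dst) if z not in zones]
        if pol is None:
            out.append(("no-policy", name, ""))
        elif pol not in policies:
            out.append(("undefined-policy", name, pol))
    return out
```

On the constructed sample, `audit_zbf(SAMPLE)` reports the misspelled zone on GigabitEthernet0/2.20, the Guest zone left without members, the undefined policy map on G2I, and the missing service policy on I2T.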