Howto: Cisco Firewall: Zone-based Firewall on Cisco Routers

Cisco introduced the Zone-Based Policy Firewall in IOS release 12.4(6). It helps organize firewall policies on multi-interface routers. This short tutorial shows how to set up a simple firewall policy on a router that interconnects three networks:

  • Internet (on FastEthernet 0)
  • DMZ (on FastEthernet 1)
  • Intranet (on FastEthernet 2)


The steps are:

  1. Define class-maps that describe the traffic that you want to permit between zones
  2. Configure policy-maps to inspect traffic on the class-maps you just defined
  3. Configure the clients and servers zones and assign router interfaces to their respective zones
  4. Configure the zone-pair and apply the appropriate policy-map
  5. Configure access-lists for strengthening the firewall

Note: This is a basic firewall setup, for demonstration purposes only; you should build a stronger one!

1. Defining class maps. From the intranet to the internet and vice versa we will allow all traffic types and impose rules using ACLs.

class-map type inspect match-any intranet-internet-traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any internet-intranet-traffic
 match protocol tcp 
 match protocol udp
 match protocol icmp

We’ll allow SSH, FTP, POP3, IMAP and HTTP from the intranet to the DMZ, and no access from the DMZ to the intranet:

class-map type inspect match-any intranet-dmz-traffic
 match protocol icmp
 match protocol ssh
 match protocol ftp
 match protocol pop3
 match protocol imap
 match protocol http

The DMZ will be reachable from the internet only using FTP, HTTP, HTTPS, IMAPS and POP3S. From the DMZ to the internet we’ll allow all traffic.

class-map type inspect match-any internet-dmz-traffic
 match protocol ftp
 match protocol pop3s
 match protocol imaps 
 match protocol http
 match protocol https
class-map type inspect match-any dmz-internet-traffic
 match protocol icmp
 match protocol tcp
 match protocol udp

2. Configuring policy maps: we need one policy-map per class-map:

policy-map type inspect internet-to-intranet-policy
 class type inspect internet-intranet-traffic
  inspect 
 class class-default
  drop
policy-map type inspect intranet-to-internet-policy
 class type inspect intranet-internet-traffic
  inspect 
 class class-default
  drop
policy-map type inspect intranet-to-dmz-policy
 class type inspect intranet-dmz-traffic
  inspect 
 class class-default
  drop
policy-map type inspect dmz-to-internet-policy
 class type inspect dmz-internet-traffic
  inspect 
 class class-default
  drop
policy-map type inspect internet-to-dmz-policy
 class type inspect internet-dmz-traffic
  inspect 
 class class-default
  drop

3. Configuring zone names and assigning them to interfaces:

zone security internet
zone security intranet
zone security dmz
interface FastEthernet0
 zone-member security internet
interface FastEthernet1
 zone-member security dmz
interface FastEthernet2
 zone-member security intranet

4. Configuring zone pairs to permit traffic between zones:

zone-pair security intranet-internet source intranet destination internet
 service-policy type inspect intranet-to-internet-policy
zone-pair security internet-intranet source internet destination intranet
 service-policy type inspect internet-to-intranet-policy
zone-pair security intranet-dmz source intranet destination dmz
 service-policy type inspect intranet-to-dmz-policy
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect internet-to-dmz-policy
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect dmz-to-internet-policy

5. Configuring access lists: For now we don’t want to allow any connections from the internet to the intranet, so we use an ACL that permits only ICMP messages. The ACL is combined with the internet-intranet class map. Because that class map is match-any (a logical OR of its match lines), an access-group match added directly to it would not restrict anything, so the ACL goes into a match-all class map that nests the protocol class map, and the policy map is pointed at the new class:

ip access-list extended internet-to-intranet-acl
 permit icmp any 192.168.1.0 0.0.0.255
 deny ip any any
class-map type inspect match-all internet-intranet-filtered
 match access-group name internet-to-intranet-acl
 match class-map internet-intranet-traffic
policy-map type inspect internet-to-intranet-policy
 no class type inspect internet-intranet-traffic
 class type inspect internet-intranet-filtered
  inspect

Note that the mask is written in reverse (a wildcard mask), so 0.0.0.255 in the ACL corresponds to a subnet mask of 255.255.255.0.
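Step 5 is where a zone-based firewall configuration most easily goes wrong in ways the router accepts silently: a misspelled ACL name leaves a class map referring to an ACL that does not exist, and an access-group match added to a match-any class map never restricts anything because the class is a logical OR. As an added example (not the page's own code), the Python lint below parses the relevant IOS sections, follows the zone-pair > policy-map > class-map > ACL reference chain in general, and reports both problems; SAMPLE is a constructed excerpt of steps 1 and 5 as first written, and the check names are my own.

```python
import re
from collections import defaultdict
# Constructed excerpt of the tutorial's step 1 and step 5 as first written (not the page's own listing).
SAMPLE = """\
class-map type inspect match-any internet-intranet-traffic
 match protocol tcp
 match protocol icmp
policy-map type inspect internet-to-intranet-policy
 class type inspect internet-intranet-traffic
zone-pair security internet-intranet source internet destination intranet
 service-policy type inspect internet-to-intranet-policy
ip access-list extended internet-to-intranet-alc
 permit icmp any 192.168.1.0 0.0.0.255
class-map type inspect match-any internet-intranet-traffic
 match access-group name internet-to-intranet-acl
"""

# Top-level commands that open an object; the last capture group is the object's name.
HEADERS = [("class", r"class-map type inspect (match-any|match-all) (\S+)"), ("policy", r"policy-map type inspect (\S+)"),
           ("acl", r"ip access-list extended (\S+)"), ("pair", r"zone-pair security (\S+)")]

def parse(config):
    """Group indented lines under the object that opened them; re-entering a name merges, as IOS does."""
    objs, cur = defaultdict(dict), {"lines": []}
    for raw in filter(str.strip, config.splitlines()):
        if raw.startswith(" "):  # continuation line of the current object
            cur["lines"].append(raw.strip())
            continue
        cur = {"lines": []}  # unrecognised top-level command: collect but ignore
        for kind, rx in HEADERS:
            if m := re.match(rx, raw):  # group(1) is the mode for class-maps, the name otherwise
                cur = objs[kind].setdefault(m.groups()[-1], {"mode": m.group(1), "lines": []})
    return objs

def lint(config):
    """Return findings: dangling references along zone-pair > policy > class > ACL, plus match-any classes whose ACL cannot restrict."""
    o, out = parse(config), []
    def refs(obj, prefix):  # names referenced by sub-lines starting with prefix
        return [l.split()[-1] for l in obj["lines"] if l.startswith(prefix)]
    chain = [("pair", "service-policy", "policy"), ("policy", "class type inspect", "class"),
             ("class", "match access-group name", "acl")]
    for kind, prefix, target in chain:
        for name, obj in o[kind].items():
            out += [f"{kind} {name}: undefined {target} {r}" for r in refs(obj, prefix) if r not in o[target]]
    for name, cls in o["class"].items():
        # match-any is a logical OR: one "match protocol" line alone admits the packet, so the ACL never restricts
        if cls["mode"] == "match-any" and refs(cls, "match access-group name") and refs(cls, "match protocol"):
            out.append(f"class {name}: match-any mixes ACL and protocol matches, ACL restricts nothing")
    return out
```

Run `lint()` over a `show running-config` capture; an empty list means every reference resolves and no match-any class carries an ACL it cannot enforce.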

cisco/config/zone-based-firewall.txt · Last modified: 12.09.2009 12:46 (external edit)