Configure Zone-Based Policy Firewall

Posted on November 14, 2010

Configuring a zone-based policy firewall (ZBF) on a Cisco IOS router is not as easy as it looks, mostly because the configuration is spread over several objects that reference each other (the original post used colours to show which object refers to which; they do not survive in plain text). The key hierarchy is the following:

  1. class-map: which traffic to match (protocols, or an access list)
  2. policy-map: what to do with the matched traffic (inspect, pass or drop)
  3. zone-pair: the one-way source zone to destination zone relationship that a policy-map is applied to
  4. zone security for the zones themselves, and zone-member security on each interface

I used the following topology in this small example (the topology figure from the post is not reproduced here): FastEthernet0/1 (192.168.1.1/24) faces the trusted Inside zone, which contains a web server at 192.168.1.2, and FastEthernet0/0 (50.50.50.1/24) faces the untrusted Outside zone, where the web server is published by static NAT as 50.50.50.2.

Router parameters:

SW: Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(6)T7, R*
HW: Cisco 2621XM
* This feature is available from Cisco IOS Software Release 12.4(6)T (IM inspection only from 12.4(9)T).

Configuration of the router:

hostname Router
!
! 1. class-maps: which traffic to match.
! Outside_to_Inside matches only what the web_in access list (defined at the end) permits.
class-map type inspect match-any Outside_to_Inside
 match access-group name web_in
! Inside_to_Outside matches the protocols the LAN is allowed to initiate.
class-map type inspect match-any Inside_to_Outside
 match protocol http
 match protocol https
 match protocol icmp
 match protocol pop3
 match protocol dns
 match protocol smtp
!
! 2. policy-maps: what to do with the matched traffic. "inspect" creates a stateful
! session so the return traffic is allowed back; class-default carries no action,
! so everything that does not match is dropped (the implicit action).
policy-map type inspect policy_Outside_to_Inside
 class type inspect Outside_to_Inside
  inspect
 class class-default
policy-map type inspect policy_Inside_to_Outside
 class type inspect Inside_to_Outside
  inspect
 class class-default
!
! 3. zones and zone-pairs. A zone-pair is one-way, so each direction gets its own
! policy-map; a direction without a zone-pair is dropped entirely.
zone security Outside
 description Outside untrusted zone
zone security Inside
 description Inside trusted zone
zone-pair security Inside_to_Outside source Inside destination Outside
 service-policy type inspect policy_Inside_to_Outside
zone-pair security Outside_to_Inside source Outside destination Inside
 service-policy type inspect policy_Outside_to_Inside
!
! 4. interfaces join a zone with zone-member security. The shut-down serial
! interfaces are in no zone, so they could only talk to other zone-less interfaces.
interface FastEthernet0/0
 ip address 50.50.50.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security Outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security Inside
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
!
! Caveat: ip http server enables plaintext management on the router itself, and
! traffic to or from the router (the self zone) is not governed by the zone-pairs
! above; disable it, or restrict it, if it is not needed.
ip http server
no ip http secure-server
! Static NAT publishes 192.168.1.2:80 as 50.50.50.2:80.
ip nat inside source static tcp 192.168.1.2 80 50.50.50.2 80 extendable
!
! Only host 50.50.50.71 may reach the web server. The ACL names the inside local
! address (192.168.1.2), not the NAT global one, because the Outside_to_Inside
! policy classifies the packet after NAT has translated the destination back.
ip access-list extended web_in
 permit tcp host 50.50.50.71 host 192.168.1.2 eq www
!

The Cisco source documentation linked from the original post has more details. Once the configuration is in place, show zone-pair security confirms which policy-map is attached to each zone-pair, and show policy-map type inspect zone-pair sessions lists the sessions the inspect action has created.
