These are the same requirements as the previous write-up, but this time implemented with a transparent Zone-Based Firewall (ZFW).
R2's Fa0/1 is connected to R1 and is the INSIDE network. R2's Fa0/0 is connected to R3 and is the OUTSIDE network. R2's Se0/1/0 connects to R4's S0/1. R1's and R3's FastEthernet interfaces are both in the 10.1.13.0/24 network, so R2 has to bridge between its two interfaces.
I want R1 to be able to reach R3's HTTP service but not telnet to R3. I want R3 to be able to telnet to R1 but not reach R1's HTTP service. I want both R1 and R3 to be able to reach R4.
The
With ZFW, I first need to create the zones. In this case, I only need INSIDE and OUTSIDE.
R2(config)#zone security INSIDE
R2(config-sec-zone)#zone security OUTSIDE
Next I'll classify the traffic. I need one class for INSIDE to OUTSIDE and one for OUTSIDE to INSIDE.
R2(config)#class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE
R2(config-cmap)#match protocol http
R2(config-cmap)#match protocol icmp
R2(config-cmap)#class-map type inspect match-any CMAP_OUTSIDE_TO_INSIDE
R2(config-cmap)#match protocol telnet
R2(config-cmap)#match protocol icmp
With the traffic classified, the next step is to create policy-maps.
R2(config)#policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
R2(config-pmap)#class CMAP_INSIDE_TO_OUTSIDE
R2(config-pmap-c)#inspect
R2(config-pmap-c)#policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
R2(config-pmap)#class CMAP_OUTSIDE_TO_INSIDE
R2(config-pmap-c)#inspect
Now I'll apply the policies to zone-pairs.
R2(config)#zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
R2(config-sec-zone-pair)#service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
R2(config-sec-zone-pair)#exit
R2(config)#zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
R2(config-sec-zone-pair)#service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
Next I'll assign the interfaces to their zones.
R2(config)#interface fa0/0
R2(config-if)#zone security OUTSIDE
R2(config-if)#interface fa0/1
R2(config-if)#zone security INSIDE
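As an added illustration (not code from the original post or from Cisco), the following Python model encodes the ZFW forwarding rules this configuration relies on: interfaces in no zone only talk to other unzoned interfaces, same-zone traffic passes, inter-zone traffic is dropped unless a zone-pair's inspect policy matches the protocol (class-default drops the rest), the self zone is open by default when no zone-pair references it, and a session opened by inspect permits its return traffic. The zone, class and protocol names are the lab's; the interface names `bvi1` and `se0/1/0`, and the placement of the BVI in the self zone, are assumptions for the model.

```python
"""Model of the forwarding decisions a Cisco IOS Zone-Based Firewall makes.

Added example, not from the original post. The rules below are the
documented ZFW defaults; the interface names bvi1 / se0/1/0 and the BVI's
membership in the self zone are assumptions made for the model.
"""
from dataclasses import dataclass, field


@dataclass
class ZoneFirewall:
    zones: set = field(default_factory=lambda: {"self"})  # self zone always exists
    zone_pairs: dict = field(default_factory=dict)        # (src, dst) -> inspected protocols
    members: dict = field(default_factory=dict)           # interface -> zone
    sessions: set = field(default_factory=set)            # (src_if, dst_if, proto)

    def add_zone(self, name):
        self.zones.add(name)

    def add_zone_pair(self, src, dst, protocols):
        for zone in (src, dst):
            if zone not in self.zones:
                raise ValueError(f"zone {zone!r} is not defined")
        self.zone_pairs[(src, dst)] = set(protocols)

    def assign(self, interface, zone):
        if zone not in self.zones:
            raise ValueError(f"zone {zone!r} is not defined")
        self.members[interface] = zone

    def permits_new(self, src_if, dst_if, proto):
        """Would a NEW connection entering on src_if and leaving on dst_if pass?"""
        src_zone, dst_zone = self.members.get(src_if), self.members.get(dst_if)
        if src_zone is None or dst_zone is None:
            # an unzoned interface may only exchange traffic with other unzoned ones
            return src_zone is None and dst_zone is None
        if src_zone == dst_zone:
            return True  # intra-zone traffic is not inspected
        pair = self.zone_pairs.get((src_zone, dst_zone))
        if pair is not None:
            return proto in pair  # anything not matched falls into class-default: drop
        # no zone-pair: only the self zone is open by default
        return "self" in (src_zone, dst_zone)

    def initiate(self, src_if, dst_if, proto):
        """Open a connection; on success record the session the way 'inspect' does."""
        if not self.permits_new(src_if, dst_if, proto):
            return False
        self.sessions.add((src_if, dst_if, proto))
        return True

    def permits_return(self, src_if, dst_if, proto):
        """Reply traffic passes if the reverse session exists, else it is judged as new."""
        return (dst_if, src_if, proto) in self.sessions or self.permits_new(src_if, dst_if, proto)


def build_lab():
    """R2's configuration from the post, expressed in this model."""
    fw = ZoneFirewall()
    fw.add_zone("INSIDE")
    fw.add_zone("OUTSIDE")
    fw.add_zone_pair("INSIDE", "OUTSIDE", {"http", "icmp"})
    fw.add_zone_pair("OUTSIDE", "INSIDE", {"telnet", "icmp"})
    fw.assign("fa0/1", "INSIDE")
    fw.assign("fa0/0", "OUTSIDE")
    fw.assign("bvi1", "self")  # assumption: the BVI sits in the self zone
    return fw


if __name__ == "__main__":
    fw = build_lab()
    for src, dst, proto in [("fa0/1", "fa0/0", "http"), ("fa0/1", "fa0/0", "telnet"),
                            ("fa0/0", "fa0/1", "telnet"), ("fa0/0", "fa0/1", "http"),
                            ("fa0/1", "bvi1", "icmp"), ("se0/1/0", "fa0/1", "icmp")]:
        print(f"{src} -> {dst} {proto}: {'permit' if fw.permits_new(src, dst, proto) else 'drop'}")
```

The asymmetry in the lab's test results falls out of `permits_new`: HTTP and telnet each pass in exactly one direction because each zone-pair has its own class-map, while the self-zone and unzoned-interface branches cover the R4 reachability discussed later.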
At this point, from R1 to R3 I should be able to ping and open an HTTP session, but not telnet.
R1#ping 10.1.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Pings are good.
R1#copy http://jason:cisco@10.1.13.3/test.txt null:
Loading http://***********@10.1.13.3/test.txt !
1753 bytes copied in 0.689 secs (2544 bytes/sec)
HTTP works.
R1#telnet 10.1.13.3
Trying 10.1.13.3 ...
% Connection timed out; remote host not responding
Telnet does not.
Now I'll try the same from R3 to R1. In this direction I should be able to ping and telnet, but not open an HTTP session.
R3#ping 10.1.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pings work.
R3#telnet 10.1.13.1
Trying 10.1.13.1 ... Open
User Access Verification
Password:
R1>exit
[Connection to 10.1.13.1 closed by foreign host]
Telnet is good.
R3#copy http://jason:cisco@10.1.13.1/test.txt null:
%Error opening http://jason:cisco@10.1.13.1/test.txt (I/O error)
As expected, HTTP does not.
From R1 I'll open an HTTP session to R3, then on R2 I'll run show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions.
R2#show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions
policy exists on zp ZP_INSIDE_TO_OUTSIDE
Zone-pair: ZP_INSIDE_TO_OUTSIDE
Service-policy inspect : PMAP_INSIDE_TO_OUTSIDE
Class-map: CMAP_INSIDE_TO_OUTSIDE (match-any)
Match: protocol http
4 packets, 96 bytes
30 second rate 0 bps
Match: protocol icmp
2 packets, 160 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 1
Established Sessions
Session 667A7840 (10.1.13.1:51298)=>(10.1.13.3:80) http:tcp SIS_OPEN
Created 00:00:02, Last heard 00:00:02
Bytes sent (initiator:responder) [0:0]
Class-map: class-default (match-any)
Match: any
Drop
12 packets, 288 bytes
The http:tcp SIS_OPEN entry shows that the inspect engine has recorded the HTTP connection as an established session; the class-default drop counter below it accounts for the traffic that matched no class, such as the telnet attempt from R1.
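For monitoring this output on more than one zone-pair, a parser is handy. The following Python is an added example, not part of the original post: it turns the show output above (embedded inline, copied from the post) into per-class match counters, the drop count of class-default and the session table, and then audits the sessions against the destination ports the policy was meant to allow. The `audit` function and the `expected_dports` parameter are this example's own names.

```python
"""Parse 'show policy-map type inspect zone-pair ... sessions' output.

Added example, not from the original post. SHOW_OUTPUT is the post's own
output for ZP_INSIDE_TO_OUTSIDE; audit() and its expected_dports argument
are names chosen here.
"""
import re
from dataclasses import dataclass, field

SHOW_OUTPUT = """\
policy exists on zp ZP_INSIDE_TO_OUTSIDE
Zone-pair: ZP_INSIDE_TO_OUTSIDE
Service-policy inspect : PMAP_INSIDE_TO_OUTSIDE
Class-map: CMAP_INSIDE_TO_OUTSIDE (match-any)
Match: protocol http
4 packets, 96 bytes
30 second rate 0 bps
Match: protocol icmp
2 packets, 160 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 1
Established Sessions
Session 667A7840 (10.1.13.1:51298)=>(10.1.13.3:80) http:tcp SIS_OPEN
Created 00:00:02, Last heard 00:00:02
Bytes sent (initiator:responder) [0:0]
Class-map: class-default (match-any)
Match: any
Drop
12 packets, 288 bytes
"""


@dataclass
class Session:
    id: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # e.g. "http:tcp"
    state: str   # e.g. "SIS_OPEN"


@dataclass
class ClassStats:
    name: str
    action: str = ""                                 # inspect / drop / pass
    matches: dict = field(default_factory=dict)      # "protocol http" -> packets
    drop_packets: int = 0
    sessions: list = field(default_factory=list)


@dataclass
class Report:
    zone_pair: str = ""
    policy: str = ""
    classes: dict = field(default_factory=dict)      # class-map name -> ClassStats


SESSION_RE = re.compile(
    r"Session (\S+) \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\S+) (\S+)")
PKT_RE = re.compile(r"(\d+) packets, (\d+) bytes")


def parse(text):
    report = Report()
    current = None      # ClassStats being filled
    last_match = None   # "Match:" line whose counter comes next
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Zone-pair:"):
            report.zone_pair = line.split()[-1]
        elif line.startswith("Service-policy"):
            report.policy = line.split()[-1]
        elif line.startswith("Class-map:"):
            current = report.classes[line.split()[1]] = ClassStats(line.split()[1])
            last_match = None
        elif current is None:
            continue
        elif line.startswith("Match:"):
            last_match = line[len("Match:"):].strip()
            current.matches[last_match] = 0
        elif line in ("Inspect", "Drop", "Pass"):
            current.action = line.lower()
            last_match = None       # counters after the action belong to the action
        elif (m := PKT_RE.match(line)):
            if last_match is not None:
                current.matches[last_match] = int(m.group(1))
            elif current.action == "drop":
                current.drop_packets = int(m.group(1))
        elif (m := SESSION_RE.match(line)):
            current.sessions.append(Session(m.group(1), m.group(2), int(m.group(3)),
                                            m.group(4), int(m.group(5)),
                                            m.group(6), m.group(7)))
    return report


def audit(report, expected_dports):
    """Return sessions whose destination port the policy intent did not anticipate."""
    return [s for c in report.classes.values() for s in c.sessions
            if s.dport not in expected_dports]


if __name__ == "__main__":
    r = parse(SHOW_OUTPUT)
    for c in r.classes.values():
        print(c.name, c.action, c.matches, "drops:", c.drop_packets, "sessions:", len(c.sessions))
    print("unexpected sessions:", audit(r, {80}))
```

A rising class-default drop counter with no corresponding expected session is the quickest sign that something is knocking on a port the policy does not open; the session table, by contrast, only ever shows connections the inspect class admitted.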
From R1 or R3 I can ping R4. R4 can also ping both R1 and R3.
R1#ping 10.1.24.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3#ping 10.1.24.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 10.1.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
This works because the BVI interface is considered part of the self zone, and with no zone-pair configured for the self zone, traffic to and from it is permitted by default.