Thursday, September 22, 2011

Transparent Zone-Based Firewall (Filtering with IOS Part 9)

I have R1, R2, R3, and R4. I want to use Transparent Zone-Based Firewall to help create a security policy that I can apply to R2.



These are the similar requirements as the write up done previously, but this time with Transparent Zone-Based Firewall.

R2's Fa0/1 is connected to R1 and is considered the INSIDE network. R2's Fa0/0 is connected to R3 and is considered the OUTSIDE network. R2's Se0/1/0 will connect to R4's S0/1. R1 and R3's FastEthernet interfaces are part of the 10.1.13.0/24 network, which requires R2 to bridge between the two interfaces.

I want to allow R1 to access R3's http service, but not be allowed to telnet to R3. I want R3 to be allowed to telnet to R1, but not be allowed to access R1's http service. I want both R1 and R3 to be able to access R4.

The is in place with all relevant interfaces enabled.

With ZFW, I first need to create the zones. In this case, I only need INSIDE and OUTSIDE.

R2(config)#zone security INSIDE 
R2(config-sec-zone)#zone security OUTSIDE

Next I will classify the traffic. In this case, I need classes to match INSIDE to OUTSIDE, and OUTSIDE to INSIDE.

R2(config)#class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE
R2(config-cmap)#match protocol http
R2(config-cmap)#match protocol icmp
R2(config-cmap)#class-map type inspect match-any CMAP_OUTSIDE_TO_INSIDE
R2(config-cmap)#match protocol telnet
R2(config-cmap)#match protocol icmp

With the traffic classified, the next step is to create policy-maps.

R2(config)#policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
R2(config-pmap)#class CMAP_INSIDE_TO_OUTSIDE
R2(config-pmap-c)#inspect
R2(config-pmap-c)#policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
R2(config-pmap)#class CMAP_OUTSIDE_TO_INSIDE
R2(config-pmap-c)#inspect

Now I'll apply the policies to zone-pairs.

R2(config)#zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
R2(config-sec-zone-pair)#service-policy type inspect PMAP_INSIDE_TO_OUTSIDE 
R2(config-sec-zone-pair)#exit
R2(config)#zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
R2(config-sec-zone-pair)#service-policy type inspect PMAP_OUTSIDE_TO_INSIDE

Next I'll assign the interfaces to their zones.

R2(config)#interface fa0/0
R2(config-if)#zone security OUTSIDE
R2(config-if)#interface fa0/1
R2(config-if)#zone security INSIDE

At this point, I should be able to ping, open an http session, but not telnet from R1 to R3.

R1#ping 10.1.13.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Pings are good.

R1#copy http://jason:cisco@10.1.13.3/test.txt null:
Loading http://***********@10.1.13.3/test.txt !
1753 bytes copied in 0.689 secs (2544 bytes/sec)

HTTP works.

R1#telnet 10.1.13.3
Trying 10.1.13.3 ... 
% Connection timed out; remote host not responding

Telnet does not.

Now I'll try the same from R3 to R1. I should be able to ping, telnet, but not establish http sessions from R3 to R1.

R3#ping 10.1.13.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Pings work.

R3#telnet 10.1.13.1
Trying 10.1.13.1 ... Open


User Access Verification


Password: 
R1>exit


[Connection to 10.1.13.1 closed by foreign host]

Telnet is good.

R3#copy http://jason:cisco@10.1.13.1/test.txt null:
%Error opening http://jason:cisco@10.1.13.1/test.txt (I/O error)

As expected, HTTP does not.

From R2 I'll open an http session to R3 and on R2 I'll show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions.

R2#show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions 


policy exists on zp ZP_INSIDE_TO_OUTSIDE
 Zone-pair: ZP_INSIDE_TO_OUTSIDE


  Service-policy inspect : PMAP_INSIDE_TO_OUTSIDE


    Class-map: CMAP_INSIDE_TO_OUTSIDE (match-any)
      Match: protocol http
        4 packets, 96 bytes
        30 second rate 0 bps
      Match: protocol icmp
        2 packets, 160 bytes
        30 second rate 0 bps


   Inspect


      Number of Established Sessions = 1
      Established Sessions
        Session 667A7840 (10.1.13.1:51298)=>(10.1.13.3:80) http:tcp SIS_OPEN
          Created 00:00:02, Last heard 00:00:02
          Bytes sent (initiator:responder) [0:0]


    Class-map: class-default (match-any)
      Match: any 
      Drop
        12 packets, 288 bytes

With http:tcp SIS_OPEN, I can see that the connection is reflected here.

From R1 or R3 I can ping R4. R4 can also ping both R1 and R3.

R1#ping 10.1.24.4


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms


R3#ping 10.1.24.4


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


R4#ping 10.1.13.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 10.1.13.3


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

This works because the BVI interface is considered to be part of the self zone.




Part 1
Part 2
Part 3
Part 4
Part 5
Part 6
Part 7
Part 8
Part 9
Part 10

No comments:

Post a Comment