Zone Based Firewall ( ZBF ) - 4 Zones - Small Datacenter

Two ISPs for Internet access

 

[Figure: ZBF-4zones.png, diagram of the four-zone setup]

Introduction

 

  • An interface can be assigned to one zone only.
  • Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
  • All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone and traffic to any interface on the router.
  • All traffic to any router interface is allowed until it is explicitly denied (self zone).
  • Traffic cannot flow between a zone member interface and any interface that is not a zone member. Pass, inspect and drop actions can only be applied between two zones.
  • Interfaces that have not been assigned to a zone function as classical router ports and can still use classical stateful inspection (CBAC) configuration.
  • The only exception to the preceding deny-by-default approach is traffic to and from the router itself, which is permitted by default. An explicit policy can be configured to restrict such traffic.

 

ZONE 1 - ISP1(WAN1)

ZONE 2 - LAN1

ZONE 3 - ISP2(WAN2)

ZONE 4 - LAN2

 

Traffic is allowed between zones:

1. ISP1 - LAN1
2. LAN1 - ISP1
3. ISP2 - LAN2
4. LAN2 - ISP2

 

CONFIGURATION

  • Configure VLANs (switch module)
LAN1

(config)#vlan 3

(config-vlan)#name "LAN 1 - network 172.16.0.0/24"

(config-vlan)#exit

 

LAN2

(config)#vlan 192

(config-vlan)#name "LAN 2 - network 192.168.1.0/24"

(config-vlan)#exit

 

  • Configure interfaces
 WAN1

(config)#interface FastEthernet0/0

(config-if)#ip address 92.223.184.151 255.255.255.240

(config-if)#no shutdown

(config-if)#exit

 

 WAN2

(config)#interface FastEthernet0/1

(config-if)#ip address 87.204.203.2 255.255.248.0

(config-if)#no shutdown

(config-if)#exit

 

 LAN1

(config)#interface vlan 3

(config-if)#ip address 172.16.0.1 255.255.255.0

(config-if)#no shutdown

(config-if)#exit

 

 LAN2

(config)#interface vlan 192

(config-if)#ip address 192.168.1.1 255.255.255.0

(config-if)#no shutdown

(config-if)#exit

 

  • Configure default route

(config)#ip route 0.0.0.0 0.0.0.0 92.223.184.145

Default route towards the ISP1 gateway, which lies in the 92.223.184.144/28 subnet of FastEthernet0/0.

 

  • Configure management access (we will not use ZBF for management access, this is the self zone)

(config)#access-list 22 permit 195.177.84.45

This host is allowed to manage the ZBF firewall remotely.

(config)#line vty 0 4

(config-line)#access-class 22 in
(config-line)#exec-timeout 20 0

(config-line)#transport input all

(config-line)#password password

(config-line)#exit


  • Configure username and enable password

(config)#username admin password 0 password

(config)#enable secret 0 password
  • Assign VLANs to interfaces (switch module)

[Figure: zbf-4zones-1.PNG, switch ports before assigning VLANs]

 (config)#interface range fastEthernet 0/1/0-1

(config-if-range)#description "Network 172.16.0.0/24"

(config-if-range)#switchport access vlan 3

(config-if-range)#exit

(config)#interface range fastEthernet 0/1/2-3

(config-if-range)#description "Network 192.168.1.0/24"

(config-if-range)#switchport access vlan 192

(config-if-range)#exit

[Figure: zbf-4zones-2.PNG, switch ports after assigning VLANs]

 
TRAFFIC FROM ISP1(WAN1) to LAN1

Requirements:
 - telnet, ssh, https, snmp and nagios only from Trusted hosts
 - access to VMware ESXi via the vmware client from Trusted hosts
 - VPN access, smtp, ftp and http from any host
 
  • Management class (telnet, ssh, snmp, nagios)

 (config)#object-group network Trusted_hosts

(config-network-group)#description "Hosts allowed for managing servers"

(config-network-group)#host 2.2.2.2

(config-network-group)#host 1.1.1.1

(config-network-group)#host mon.addura.net
Translating "mon.addura.net"...domain server (8.8.8.8) [OK]

 (config-network-group)#exit

Object group with the trusted hosts.

(config)#ip access-list extended Trusted_hosts

(config-ext-nacl)#permit ip object-group Trusted_hosts any

ACL for matching source ip of Trusted_hosts.

 

(config)#ip access-list extended management_traffic

(config-ext-nacl)#remark Remote_desktop

 

(config-ext-nacl)#permit tcp any any eq 3389

(config-ext-nacl)#remark Nagios_node

(config-ext-nacl)#permit tcp any any eq 5666

(config-ext-nacl)#remark Esxi_client

(config-ext-nacl)#permit tcp any any eq 902

(config-ext-nacl)#exit

ACL for the management services that have no "match protocol" keyword (Remote Desktop, Nagios node, ESXi client); they are matched by TCP port instead.

 

(config)#class-map type inspect match-any Management_protocol

(config-cmap)#match protocol telnet

(config-cmap)#match protocol ssh

(config-cmap)#match protocol snmp

(config-cmap)#match protocol https

(config-cmap)#match access-group name management_traffic

(config-cmap)#description "Management_traffic"

(config-cmap)#exit

 This class-map is responsible for collecting management traffic only (match-any!)

 

(config)#class-map type inspect match-all Management_traffic

(config-cmap)#match class-map Management_protocol

(config-cmap)#match access-group name Trusted_hosts

(config-cmap)#description "Management access WAN1-LAN1"

(config-cmap)#exit

Class-map responsible for strict management access (match-all: management protocol AND trusted source).


(config)#class-map type inspect match-any LAN1-access

(config-cmap)#match protocol ftp

(config-cmap)#match protocol http

(config-cmap)#match protocol smtp

(config-cmap)#description "Access to LAN1 from Internet(ISP1)"

(config-cmap)#exit

Class-map for the ftp,smtp,http access(any hosts)

 

(config)#class-map type inspect match-any VPN_access

(config-cmap)#match protocol pptp

(config-cmap)#match protocol l2tp

(config-cmap)#match protocol ipsec-msft

(config-cmap)#description VPN_access

(config-cmap)#exit

Class-map for VPN access (I saw a few problems with this configuration with VPN servers behind NAT):

%FW-6-DROP_PKT: Dropping Unknown-l4 session x.x.x.x:0 172.16.0.5:0 on zone-pair WAN1-LAN1 class class-default due to  DROP action found in policy-map with ip ident 0

The solution below has to be applied in both directions with the action "pass".

(config)#ip access-list extended vpn-traffic
(config-ext-nacl)#permit esp any any
(config-ext-nacl)#permit udp any any eq isakmp
(config-ext-nacl)#permit udp any any eq non500-isakmp
(config-ext-nacl)#permit tcp any any eq 1723
(config-ext-nacl)#permit udp any any eq 1701
(config-ext-nacl)#permit gre any any
(config-ext-nacl)#permit udp any eq isakmp any
(config-ext-nacl)#permit udp any eq non500-isakmp any
(config-ext-nacl)#permit tcp any eq 1723 any
(config-ext-nacl)#permit udp any eq 1701 any

(config-ext-nacl)#exit

ACL for matching vpn traffic

(config)#class-map type inspect match-all VPN_access

(config-cmap)#match access-group name vpn-traffic

(config-cmap)#description VPN_traffic

(config-cmap)#exit

Class-map for VPN (ACL-based); it is used instead of the protocol-based VPN_access class-map above.

 

  • Policy-map

(config)#policy-map type inspect WAN1-LAN1

(config-pmap)#class type inspect Management_traffic

(config-pmap-c)#inspect

(config-pmap-c)#exit

(config-pmap)#class type inspect LAN1-access

(config-pmap-c)#inspect

(config-pmap-c)#exit

(config-pmap)#class type inspect VPN_access

(config-pmap-c)#inspect

or, for the ACL-based VPN_access class-map:

(config-pmap-c)#pass

(config-pmap-c)#exit

(config-pmap)#description "Policy-map ISP1-LAN1"

(config-pmap)#exit

Policy-map for traffic between zones WAN1 and LAN1.

For VPN access choose "inspect" when you use the class-map matching protocols, or "pass" when you use the ACL for matching VPN traffic.
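The Introduction rules and the match-any / match-all nesting used above (Management_protocol inside Management_traffic) can be checked against a small model. The following Python script is an added example written for this page, not code from the original post or from Cisco: it approximates "match protocol" by destination port, uses the post's zone names, trusted hosts and class names, omits the mon.addura.net host (it needs DNS), and its Flow, ClassMap and evaluate names are its own.

```python
"""Toy evaluator for Cisco IOS Zone-Based Firewall policy decisions.

Added example, not code from the original post or from Cisco IOS. It models
the rules listed in the Introduction (same-zone traffic passes, traffic to the
router itself (self zone) passes until explicitly denied, an unzoned interface
cannot talk to a zoned one, inter-zone traffic needs a zone-pair with a
policy, anything the policy does not classify falls to class-default and is
dropped) plus the match-any / match-all class-map semantics. Zones, hosts,
ports and class names come from the post; the Python names are this example's
own. "match protocol" is approximated by destination port.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                # "tcp" or "udp"
    dst_port: int
    src_zone: Optional[str]   # zone of ingress interface, "self" = router, None = unzoned
    dst_zone: Optional[str]   # zone of egress interface, same conventions


Predicate = Callable[[Flow], bool]


@dataclass
class ClassMap:
    name: str
    mode: str        # "match-any" or "match-all"
    matches: list    # list of Predicate

    def matches_flow(self, flow: Flow) -> bool:
        results = [m(flow) for m in self.matches]
        return any(results) if self.mode == "match-any" else all(results)


def proto_port(proto: str, port: int) -> Predicate:
    """Stand-in for 'match protocol <name>' or a port-based ACL entry."""
    return lambda f: f.proto == proto and f.dst_port == port


def src_in(hosts) -> Predicate:
    """Stand-in for 'match access-group name Trusted_hosts' (source object-group)."""
    nets = [ipaddress.ip_network(h) for h in hosts]
    return lambda f: any(ipaddress.ip_address(f.src_ip) in n for n in nets)


# class-map type inspect match-any Management_protocol (telnet, ssh, snmp, https + ACL ports)
MANAGEMENT_PROTOCOL = ClassMap("Management_protocol", "match-any", [
    proto_port("tcp", 23), proto_port("tcp", 22), proto_port("udp", 161),
    proto_port("tcp", 443), proto_port("tcp", 3389), proto_port("tcp", 5666),
    proto_port("tcp", 902),
])
# class-map type inspect match-all Management_traffic: nested class AND trusted source
MANAGEMENT_TRAFFIC = ClassMap("Management_traffic", "match-all", [
    MANAGEMENT_PROTOCOL.matches_flow,        # 'match class-map Management_protocol'
    src_in(["2.2.2.2/32", "1.1.1.1/32"]),    # Trusted_hosts (mon.addura.net omitted: needs DNS)
])
# class-map type inspect match-any LAN1-access (ftp, http, smtp)
LAN1_ACCESS = ClassMap("LAN1-access", "match-any", [
    proto_port("tcp", 21), proto_port("tcp", 80), proto_port("tcp", 25),
])

# zone-pair -> ordered policy-map classes; class-default (drop) is implicit
POLICIES = {
    ("WAN1", "LAN1"): [(MANAGEMENT_TRAFFIC, "inspect"), (LAN1_ACCESS, "inspect")],
}


def evaluate(flow: Flow, policies=POLICIES) -> tuple:
    """Return (action, reason) the way ZBF would decide for this flow."""
    if "self" in (flow.src_zone, flow.dst_zone):
        return ("pass", "self zone: router traffic allowed until explicitly denied")
    if flow.src_zone is None and flow.dst_zone is None:
        return ("pass", "neither interface is zoned: classical routing")
    if flow.src_zone is None or flow.dst_zone is None:
        return ("drop", "zoned and unzoned interfaces cannot exchange traffic")
    if flow.src_zone == flow.dst_zone:
        return ("pass", "same zone: traffic implicitly allowed")
    policy = policies.get((flow.src_zone, flow.dst_zone))
    if policy is None:
        return ("drop", "no zone-pair %s->%s" % (flow.src_zone, flow.dst_zone))
    for class_map, action in policy:      # first matching class wins
        if class_map.matches_flow(flow):
            return (action, class_map.name)
    return ("drop", "class-default")


if __name__ == "__main__":
    for f in (Flow("1.1.1.1", "172.16.0.5", "tcp", 22, "WAN1", "LAN1"),
              Flow("203.0.113.7", "172.16.0.5", "tcp", 22, "WAN1", "LAN1"),
              Flow("203.0.113.7", "172.16.0.2", "tcp", 80, "WAN1", "LAN1")):
        print(f.src_ip, "->", f.dst_ip, f.dst_port, evaluate(f))
```

Running it shows why the match-all class matters: SSH from 1.1.1.1 is inspected as Management_traffic, the same SSH from an untrusted address matches Management_protocol but not the trusted-source ACL and so falls to class-default and is dropped, while HTTP from anywhere is inspected under LAN1-access.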

  • Security zones

(config)#zone security WAN1

(config-sec-zone)#description ISP1-Internet

(config-sec-zone)#exit

(config)#zone security LAN1

(config-sec-zone)#description Network_172

(config-sec-zone)#exit

  • Assign zones to interfaces

(config)#interface fastEthernet 0/0

(config-if)#zone-member security WAN1

(config-if)#exit

 

(config)#interface vlan 3

(config-if)#zone-member security LAN1

(config-if)#exit

 

  • Zone-pairs and assigning policy to zone-pair
(config)#zone-pair security WAN1-LAN1 source WAN1 destination LAN1
(config-sec-zone-pair)#description "Traffic from Internet(ISP1) to LAN1"

(config-sec-zone-pair)#service-policy type inspect WAN1-LAN1

  • Configure NAT (static translations)

(config)#ip nat inside source static 172.16.0.5 92.223.184.155

(config)#ip nat inside source static 172.16.0.2 92.223.184.152

(config)#interface fastEthernet 0/0

(config-if)#ip nat outside

(config-if)#exit

(config)#interface vlan 3

(config-if)#ip nat inside

(config-if)#exit

 TRAFFIC FROM LAN1 to Internet via ISP1

 

  •  Configure class-map

(config)#class-map type inspect match-any Internet_access

(config-cmap)#match protocol icmp

(config-cmap)#match protocol ssh

(config-cmap)#match protocol telnet

(config-cmap)#match protocol ftp

(config-cmap)#match protocol ftps

(config-cmap)#match protocol dns

(config-cmap)#match protocol http

(config-cmap)#match protocol https

(config-cmap)#exit

Class-map for Internet access from LAN1 and LAN2

 

  •  Policy-map

(config)#policy-map type inspect LAN1-WAN1

(config-pmap)#class type inspect Internet_access

(config-pmap-c)#inspect

(config-pmap-c)#exit

(config-pmap)#class type inspect VPN_access

(config-pmap-c)#pass

(config-pmap-c)#exit

(config-pmap)#description "Traffic from LAN1 to Internet via ISP1"

(config-pmap)#exit

The VPN_access class-map was already created above; it is reused here so that the VPN return traffic is allowed in this direction as well (action "pass" in both directions).

  • Configure zone-pair

(config)#zone-pair security LAN1-WAN1 source LAN1 destination WAN1

(config-sec-zone-pair)#service-policy type inspect LAN1-WAN1

(config-sec-zone-pair)#description "Internet Traffic via ISP1"

(config-sec-zone-pair)#exit

 

  • Configure NAT for Internet access

(config)#ip access-list extended nat-lan1

(config-ext-nacl)#permit ip 172.16.0.0 0.0.0.255 any

(config-ext-nacl)#remark NAT_for_LAN1

(config-ext-nacl)#exit

ACL for NAT (network 172.16.0.0/24).

(config)#ip nat inside source list nat-lan1 interface fastEthernet 0/0 overload

Translating all traffic from network 172.16.0.0/24 to the interface address (PAT).

 

 TRAFFIC FROM ISP2(WAN2) to LAN2

 

Requirements:
 - telnet, ssh, https, snmp and nagios only from Trusted hosts
 - smtp, ftp, ftps from any host

  • Configure class-map

(config)#class-map type inspect match-any LAN2-access

(config-cmap)#match protocol ftp

(config-cmap)#match protocol ftps

(config-cmap)#match protocol smtp

(config-cmap)#description "Access to LAN2 via ISP2"

(config-cmap)#exit

Class-map for access to public services (smtp, ftp, ftps).

  • Configure policy-map

(config)#policy-map type inspect WAN2-LAN2

(config-pmap)#class type inspect Management_traffic

(config-pmap-c)#inspect

(config-pmap-c)#exit

(config-pmap)#class type inspect LAN2-access

(config-pmap-c)#inspect

(config-pmap-c)#exit

(config-pmap)#description "Traffic from ISP2(WAN2) to LAN2"

(config-pmap)#exit

  • Create zones, configure zone-pair and assign policy

(config)#zone security WAN2

(config-sec-zone)#description ISP2

(config-sec-zone)#exit

(config)#zone security LAN2

(config-sec-zone)#description Network_192

(config-sec-zone)#exit

Zones

(config)#interface fastEthernet 0/1

(config-if)#zone-member security WAN2

(config-if)#exit

(config)#interface vlan 192

(config-if)#zone-member security LAN2

(config-if)#exit

Zone-members

(config)#zone-pair security WAN2-LAN2 source WAN2 destination LAN2

 (config-sec-zone-pair)#service-policy type inspect WAN2-LAN2

(config-sec-zone-pair)#description "Traffic from Internet(ISP2) to LAN2"

(config-sec-zone-pair)#exit

Zone-pair and policy

  • NAT
 
(config)#interface fastEthernet 0/1

(config-if)#ip nat outside

(config-if)#exit

(config)#interface vlan 192

(config-if)#ip nat inside

(config-if)#exit

Setting NAT inside and outside.

(config)#ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet0/1 21

(config)#ip nat inside source static tcp 192.168.1.2 22 interface FastEthernet0/1 22

(config)#ip nat inside source static tcp 192.168.1.2 25 interface FastEthernet0/1 25

Static NAT of three services (ftp, ssh, smtp) to the external interface address.

  • Configure routing

Because we have two ISPs and we want to send traffic from the 192.168.1.0/24 network via ISP2, we have to create a route-map (policy-based routing).
 

(config)#ip access-list extended lan2-route

(config-ext-nacl)#remark "Do not touch route to LAN1"

(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255

(config-ext-nacl)#remark "Route all traffic via ISP2"

(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any

(config-ext-nacl)#exit

ACL for matching the traffic for the route-map (traffic to LAN1 is excluded so it is still routed directly).

(config)#route-map ISP2 permit 10

(config-route-map)#match ip address lan2-route

(config-route-map)#set ip next-hop 87.204.203.1

(config-route-map)#exit

Route-map for LAN2.

(config)#interface vlan 192

(config-if)#ip policy route-map ISP2

(config-if)#exit

Assigning the policy to the interface.

(config)#ip nat inside source route-map ISP2 interface fastEthernet 0/1 overload

NAT is necessary if

  TRAFFIC FROM LAN2 TO WAN2


  • Create policy-map (we will use the Internet_access class-map)

(config)#policy-map type inspect LAN2-WAN2

(config-pmap)#class type inspect Internet_access

(config-pmap-c)#inspect

(config-pmap-c)#exit

(config-pmap)#class class-default

(config-pmap-c)#drop log

(config-pmap-c)#exit

(config-pmap)#description "Internet access only for LAN2 via ISP2"

(config-pmap)#exit

  • Configure zone-pair

(config)#zone-pair security LAN2-WAN2 source LAN2 destination WAN2

(config-sec-zone-pair)#service-policy type inspect LAN2-WAN2

(config-sec-zone-pair)#description "Internet for LAN2 via ISP2"

(config-sec-zone-pair)#exit

  • NAT (PAT)

(config)#ip nat inside source list lan2-route interface FastEthernet0/1 overload

PAT for all traffic from LAN2.

From now on, Internet traffic from LAN1 goes via ISP1 and from LAN2 via ISP2.

 

 

After a few weeks of testing, remove the log action from class-default.
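While the log action is on, every class-default drop shows up as a %FW-6-DROP_PKT message like the one quoted in the VPN section. As an added example, not part of the original post, the Python script below summarises such messages per zone-pair, class, layer-4 type and destination, and picks out the Unknown-l4 drops that were the VPN symptom. The regular expression is derived from the one message on this page, the sample log lines are constructed (documentation addresses), and the function names are this example's own.

```python
"""Summarize Cisco IOS %FW-6-DROP_PKT messages emitted by a ZBF policy.

Added example, not part of the original post. The message layout is taken
from the single %FW-6-DROP_PKT line shown in the post; the regular
expression, function names and the sample lines below are this example's own
(the sample addresses and timestamps are constructed).
"""
import re
from collections import Counter

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<l4>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<reason>.+?) with ip ident"
)

# Constructed sample log: two Unknown-l4 drops (ESP from a VPN peer), one TCP
# drop from LAN2 towards the Internet, and one unrelated message.
SAMPLE_LOG = """\
Mar 17 10:01:02.123: %FW-6-DROP_PKT: Dropping Unknown-l4 session 203.0.113.7:0 172.16.0.5:0 on zone-pair WAN1-LAN1 class class-default due to  DROP action found in policy-map with ip ident 0
Mar 17 10:01:03.456: %FW-6-DROP_PKT: Dropping Unknown-l4 session 203.0.113.7:0 172.16.0.5:0 on zone-pair WAN1-LAN1 class class-default due to  DROP action found in policy-map with ip ident 0
Mar 17 10:02:11.789: %FW-6-DROP_PKT: Dropping tcp session 192.168.1.20:51234 198.51.100.9:6881 on zone-pair LAN2-WAN2 class class-default due to  DROP action found in policy-map with ip ident 0
Mar 17 10:02:12.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.50)
"""


def parse_drop(line):
    """Return the fields of one %FW-6-DROP_PKT line, or None for other messages."""
    m = DROP_RE.search(line)          # search, so any syslog prefix is tolerated
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def summarize(log_text):
    """Count drops per (zone-pair, class, layer-4 type, destination, port)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_drop(line)
        if d:
            counts[(d["zone_pair"], d["cls"], d["l4"], d["dst"], d["dport"])] += 1
    return counts


def unknown_l4_drops(log_text):
    """Drops ZBF could not classify at layer 4 (e.g. ESP): the VPN symptom from the post."""
    return [d for d in map(parse_drop, log_text.splitlines())
            if d and d["l4"] == "Unknown-l4"]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
    print(len(unknown_l4_drops(SAMPLE_LOG)), "Unknown-l4 drops")
```

Counting by destination and port before removing the log action gives an inventory of what class-default was actually dropping, so a legitimate service is not silently blocked once logging is switched off.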
 

 

dzbanek 2013-03-17
