A new feature to the V4 blueprint for the CCIE R&S exam is Zone Based Firewall.
According to the blueprint you need to Implement Zone Based Firewall.
First stop would be the Documentation.
Navigation path is:
12.4T > Config Guides > Security, Services, and VPN > Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4T > Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 12.4T
For this post I am going to be using this simple topology first with two zones Inside and Outside, in a following post we will expand on this to include a DMZ zone.
Default rules of Zone Based Firewall
- Inter-zone communication is denied, traffic will be denied between different zones unless we specify a firewall policy.
- Intra-zone is permitted. This is traffic among interfaces in the same zone. You can control this in 15 code but not in the 12.4 used in this example.
- All Self-Zone traffic is permitted. The self zone is traffic destined to the router i.e ospf neighbor, ssh, the zone based firewall will block traffic going through the router unless it is permitted.
Step 1: Configure Zones
In this example I am only using two zones, Inside and Outside. We simply need to define these on the router.
Router 2 will be used as the zone based firewall.
R2(config)#zone security INSIDE R2(config-sec-zone)#zone security OUTSIDE
Step 2: Assign the interfaces to the zones
R2(config-if)#zone-member security INSIDE
R2(config-if)#zone-member security OUTSIDE
R2#sh run int f0/0
ip address 10.1.12.2 255.255.255.0
zone-member security INSIDE
ip ospf 1 area 0
R2#sh run int f0/1
ip address 10.1.23.2 255.255.255.0
zone-member security OUTSIDE
ip ospf 1 area 0
At this point in the configuration you will not be able to ping from R1 to R3 but you will be able to ping to R2. I have also configured ospf between the routers and you can see that the ospf neighbors have stayed up from R1 to R2 and from R3 to R2
Ping from R1 to R3 – will fail due to interfaces being assigned to security zones with no policies.
R1#ping 220.127.116.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R1#
Ping from R1 to R2 will succeed and OSPF neighbor is still up – traffic going to Self Zone.
R1#ping 10.1.12.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/89/136 ms R1#sh ip ospf neigh Neighbor ID Pri State Dead Time Address Interface 10.1.12.2 1 FULL/DR 00:00:38 10.1.12.2 FastEthernet0/0 R1#
Now that you can see we have created a firewall between R1 and R3 we need to allow some traffic through, the first step is to create Zone Pairs.
A Zone Pair is used to connect two zones together. So if you want traffic to flow from Inside to Outside you need to create a zone pair for that and if you want traffic to flow from Outside to Inside you need to create a zone pair for that also. For this example I will be creating two zone pairs.
- OUTSIDE to INSIDE
- INSIDE to OUTSIDE
R2(config)#$zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
R2(config-sec-zone-pair)#zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
At this point a simple show run will let you see your handy work
sh run (output removed for clarity) zone security INSIDE zone security OUTSIDE zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
You can also use show zone-pair security – this also shows that the service policy has not been configured yet.
R2#sh zone-pair security Zone-pair name INSIDE-to-OUTSIDE Source-Zone INSIDE Destination-Zone OUTSIDE service-policy not configured Zone-pair name OUTSIDE-to-INSIDE Source-Zone OUTSIDE Destination-Zone INSIDE service-policy not configured