IOS based firewall question

cjthedj45 Member Posts: 331
Hi,

I was wondering if any of you could offer any advice. I have been tasked with setting up a test network. I have a 2801 router and a 3750 switch. The network will require internet access, which will be done via an ADSL router connected to the 2801. The network will have 2 VLANs, a server VLAN and a DMZ VLAN. I plan to do the routing using a router-on-a-stick configuration, although I believe routing can be turned on using the 3750.


I have been studying the CCNA Security CBT and it shows a DMZ, Inside and Outside zone, and each of these has a separate interface on the router to separate the zones. My problem is that I have a switch in the middle, so there cannot be an interface off the router for each zone as they are connected via the switch. My outside interface is fine, but then I have a server VLAN and DMZ VLAN that are both connected over a trunk.

My current config is:

Outside interface on the router is fa0/4. This is fine; I create a zone for this.

On the switch, DMZ traffic is routed over gi1/1, which is a trunk.
On the switch, server VLAN traffic goes over gi1/1, which is a trunk.
These both use a trunk, so there is only one interface at the router end. I need two to create a zone for each.

Any advice is much appreciated

Comments

  • Forsaken_GA Member Posts: 4,024
    Well, if you're doing ROAS, then I assume you're setting up subinterfaces in order to be able to route between them. Does the firewall not see the subints as valid interfaces?
  • cjthedj45 Member Posts: 331
    Hi Forsaken,

    Oops, I forgot about the subinterfaces. I can see how your suggestion would work, although as I'm just planning I'm unable to test if the SDM will see the subinterface or whether it only sees physical interfaces. Does anyone know if the SDM used to configure the IOS-based firewall will let you configure zones using subinterfaces, or does it have to be physical interfaces?

    Thanks Forsaken.
  • peanutnoggin Member Posts: 1,096
    cjthedj45 wrote: »
    Hi Forsaken,

    Oops, I forgot about the subinterfaces. I can see how your suggestion would work, although as I'm just planning I'm unable to test if the SDM will see the subinterface or whether it only sees physical interfaces. Does anyone know if the SDM used to configure the IOS-based firewall will let you configure zones using subinterfaces, or does it have to be physical interfaces?

    Thanks Forsaken.

    The SDM will see the subinterfaces just as it would a physical interface. I run this in my lab on 1760s all the time! I use a physical connection to the switch, trunk it, use the subinterfaces as the inside and the serial interface (connected to the FR switch) as the outside. I also have a WIC-1ENET that I use as a DMZ port. I hope this helps.
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • ilcram19-2 Banned Posts: 436
    I recommend the zone-based firewall, and I'd rather do it on the CLI than the SDM. I really hate how the SDM makes the configuration look like crap. It's pretty straightforward once you get it. If you need more help I can give a few config examples that I've deployed.

    Zone-Based Policy Firewall Design and Application Guide - Cisco Systems
  • peanutnoggin Member Posts: 1,096
    ilcram19-2 wrote: »
    I recommend the zone-based firewall, and I'd rather do it on the CLI than the SDM. I really hate how the SDM makes the configuration look like crap. It's pretty straightforward once you get it. If you need more help I can give a few config examples that I've deployed.

    Zone-Based Policy Firewall Design and Application Guide - Cisco Systems

    I totally agree with you... But if his/her experience is minimal with the ZBF, doing it via SDM would be easier than trying to figure out (by Wednesday) how to configure via the CLI. Just my thoughts.
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • cjthedj45 Member Posts: 331
    PeanutNoggin and Ilcram, thanks for the link and advice. I will probably set it up using the SDM as it is my first real exposure to the IOS-based firewall, although Jeremy does say at the end of the video that it is really worthwhile setting it up from scratch through the CLI.

    Does anyone know what exactly is applied when choosing the advanced option and selecting the DMZ interface? You are asked to choose services that will be hosted in the DMZ zone, and you need to enter their IP address and the port they use. You don't have to do this for other zones, just the DMZ. I'm not sure if it defines a class map and policy map so the traffic can flow between the zones.
  • cjthedj45 Member Posts: 331
    I think I may have answered my own question. It would appear that if you do choose the advanced firewall wizard then this will allow you to set up the DMZ so it can be accessed via the outside interface. For example, if somebody was trying to access one of your web servers from the internet then this would be permitted. I also need to allow other access into the DMZ from the inside interface, but I don't think you can configure this from the advanced firewall wizard. I think you need to do this by creating class maps and policy maps.
  • ilcram19-2 Banned Posts: 436
    It will make it really hard to read using the SDM. Here is what I would do.


    I like to use this to log all sessions:
    parameter-map type inspect ZBF
     audit-trail on

    Here you will allow sessions starting from the inside to the outside:
    class-map type inspect match-any inside-outside-class
     match protocol dns
     match protocol https
     match protocol pop3
     match protocol tcp
     match protocol icmp
     match protocol smtp

    zone security inside
    zone security outside

    policy-map type inspect inside-outside-policy
     class type inspect inside-outside-class
      inspect ZBF
     class class-default
      drop log


    zone-pair security inside-to-internet source inside destination outside
     service-policy type inspect inside-outside-policy

    ! placeholder: substitute your physical outside interface (fa0/4 in your case)
    interface outside-0/0
     zone-member security outside

    ! the ROAS subinterface can be a zone member just like a physical interface
    interface fastethernet 0/0.1
     zone-member security inside

    Use that as a template. You can also use an ACL to only allow host to host or port to port, for example:
    ip access-list extended inside-outside-acl
     permit tcp host 1.1.1.1 host 2.2.2.2 eq 9090

    class-map type inspect match-any inside-outside-class
     match access-group name inside-outside-acl
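    As an added example, not from any poster in this thread, here is how the template above extends to the original setup: both ROAS subinterfaces on the 2801 become zone members (server VLAN as inside, DMZ VLAN as dmz), and it adds the outside-to-dmz and inside-to-dmz zone pairs that the advanced wizard question was about. VLAN IDs 10 and 20, the 192.168.x.x addresses and the web server 192.168.20.10 are assumed placeholders; the inside-to-outside pair from the template above is left unchanged and not repeated.

```cisco
! Assumed: VLAN 10 = server VLAN (inside), VLAN 20 = DMZ, fa0/4 = outside to the ADSL router.
! Addresses and the web server 192.168.20.10 are constructed placeholders.
parameter-map type inspect ZBF
 audit-trail on
zone security inside
zone security dmz
zone security outside
! Subinterfaces are valid zone members, exactly like physical interfaces.
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 zone-member security inside
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 zone-member security dmz
interface FastEthernet0/4
 zone-member security outside
! Outside -> DMZ: only HTTP to the published web server. match-all means the
! ACL AND the protocol must match, so the ACL limits the host and port reached.
ip access-list extended outside-dmz-acl
 permit tcp any host 192.168.20.10 eq 80
class-map type inspect match-all outside-dmz-class
 match access-group name outside-dmz-acl
 match protocol http
policy-map type inspect outside-dmz-policy
 class type inspect outside-dmz-class
  inspect ZBF
 class class-default
  drop log
zone-pair security outside-to-dmz source outside destination dmz
 service-policy type inspect outside-dmz-policy
! Inside -> DMZ: the access the wizard does not create. Without this zone pair,
! traffic between the inside and dmz zones is dropped by default.
class-map type inspect match-any inside-dmz-class
 match protocol http
 match protocol ssh
policy-map type inspect inside-dmz-policy
 class type inspect inside-dmz-class
  inspect ZBF
 class class-default
  drop log
zone-pair security inside-to-dmz source inside destination dmz
 service-policy type inspect inside-dmz-policy
```

    Return traffic for inspected sessions is allowed automatically, so no dmz-to-inside or dmz-to-outside pair is needed unless DMZ hosts must initiate connections themselves; `show policy-map type inspect zone-pair sessions` shows what the firewall is currently tracking.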
  • cjthedj45 Member Posts: 331
    ilcram, thanks so much for providing the template. I have planned everything else for the test network and today was meant for planning, so I have a day in hand. Now that I have your template I will use today to plan the IOS firewall config with the CLI and implement tomorrow. I'm expecting the senior network engineer in soon, so hopefully he is happy with my plans. I just wanted to say thanks to everyone who has contributed on this post. Your help has proved really valuable.
  • DevilWAH Member Posts: 2,997
    ilcram19-2 wrote: »
    I recommend the zone-based firewall, and I'd rather do it on the CLI than the SDM. I really hate how the SDM makes the configuration look like crap. It's pretty straightforward once you get it. If you need more help I can give a few config examples that I've deployed.

    Zone-Based Policy Firewall Design and Application Guide - Cisco Systems


    My advice, if you want to learn the CLI, is to start by using the SDM, then preview the code but don't apply it. Just copy it to Notepad or something.

    Then just trace through it, starting with the policies applied to the zone pairs and following them backwards.

    I learnt by taking the raw SDM config and then rewriting it in a new document laid out tidily with nice comments and clear labels, which I then pasted into my router. After that it was all clear and simple, and this really teaches you how the elements of the config fit together.

    I still use a mixture of both SDM and CLI, as sometimes with many hundreds of lines of config it can take longer to find your place than it does to go into the SDM and simply add a port number or a network to an ACL.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.