What am I doing wrong with this zone firewall setup
thomas130
Member Posts: 184
Hi guys, for college I have to complete this question:
Configure the number1 router to act as a zone-based firewall. Configure the router to protect the network occupied by number1-PC from the network occupied by number2-PC, but allow the network represented by Loopback0 to be accessible by the network occupied by Right-PC. Both on separate routers.
This was my solution. I can no longer ping each host; however, I can still ping the interface. Is there something I am missing? I'm new to this whole zone-based firewall thing.
zone security left
exit
zone security right
interface FastEthernet0/0
zone-member security left
interface Serial 0/0/0
zone-member security right
class-map type inspect match-any class-block
match any
policy-map type inspect policy-deny
class type inspect class-block
drop
zone-pair security left-to-right source left destination right
service-policy type inspect policy-deny
zone-pair security right-to-left source right destination left
service-policy type inspect policy-deny
Comments
-
Slowhand Mod Posts: 5,161
Quote: sorry, I should have put this in CCNA Security
As for your question, I'm afraid I'm not going to be a whole lot of help. I've worked with ZBF, but not enough to nail down what's wrong with your config. Hopefully, one of our resident Cisco security geeks. . . ahem, "gurus" can figure it out.
-
MikeO5422 Member Posts: 74
This is a pretty solid config as far as I can see. Just don't forget that the loopback interface is in the self zone until you explicitly assign it to a zone. This means all traffic to it and from it is allowed until explicitly denied. I am not sure if you can apply policy maps to the self zone. I think you would have to make the loopback interface a member of a zone and apply a policy map and define zone pairs and so on.
I certainly am not a ZBF expert so debate and correct as necessary, but that's my two cents -
blindrox Member Posts: 10
Quote: Hi guys, for college I have to complete this question
policy-map type inspect policy-deny
class type inspect class-block
drop
I'm new to ZBF myself, but isn't this "drop" essentially blocking all traffic? Have you tried changing this to pass or inspect? -
dirtyharry Member Posts: 72
You should provide more information. It sounds like you don't have a zone/zone-pair configured for the loopback interface at all (if that's what you mean by "I can still ping the interface"). One of the rules of ZBF is that interfaces in separate zones can't pass traffic unless they have zone-pairs that allow it. And interfaces in zones can't pass traffic to interfaces not in a zone. You should add log to your drop command to see what is happening.
I did something similar in my lab when studying. I have an inside network, and an outside network. The inside network is being protected from icmp. Everything else is passed (in both directions). I used the same pmap and clsmap names as you did.
192.168.0.0/24 = inside
10.255.5.0/24 = outside
class-map type inspect match-any class-block
match protocol icmp ! you have 'match any' here... that wasn't a valid command on my router.
!
!
policy-map type inspect policy-deny
class type inspect class-block
drop log ! dropping what's in clsmap class-block
class class-default
pass log ! passing everything else
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect policy-deny
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect policy-deny
!
!
!
interface Loopback1
ip address 172.30.255.1 255.255.255.255
!
interface FastEthernet0/0
description OUTSIDE
ip address 10.255.5.200 255.255.255.0
zone-member security OUTSIDE
!
interface FastEthernet0/1
description INSIDE
ip address 192.168.0.1 255.255.255.0
zone-member security INSIDE
!
log when I ping from outside to inside (or vice versa since the same service-policy is applied on both zone-pairs):
*Apr 6 17:10:34.747: %FW-6-DROP_PKT: Dropping icmp session 10.255.5.27:0 192.168.0.20:0 on zone-pair OUTSIDE-TO-INSIDE class class-block due to DROP action found in policy-map with ip ident 0
*Apr 6 17:11:10.871: %FW-6-LOG_SUMMARY: 4 packets were dropped from 10.255.5.27:8 => 192.168.0.20:0 (target:class)-(OUTSIDE-TO-INSIDE:class-block)
log when I pass any other traffic outside to inside:
*Apr 6 17:11:28.819: %FW-6-PASS_PKT: (target:class)-(OUTSIDE-TO-INSIDE:class-default) Passing tcp pkt 10.255.5.27:5390 => 192.168.0.20:23 with ip ident 0
*Apr 6 17:12:33.767: %FW-6-PASS_PKT: (target:class)-(OUTSIDE-TO-INSIDE:class-default) Passing tcp pkt 10.255.5.27:5455 => 192.168.0.20:23 with ip ident 0
Of course, you can extrapolate on this by instead of passing class-default on both zone-pairs, you could pass inside-to-outside and inspect outside-to-inside. You could assign your lo interface to a new zone that would have a different policy or assign it to the inside or outside (right or left) depending on who it needs to talk to...
You may want to read through this document: Zone-Based Policy Firewall - Cisco Systems
Edit: The loopback interface in my config isn't being used.
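A fuller configuration for the exercise in the original post, added here as an example; it is not taken from any post in the thread. It follows dirtyharry's suggestion of giving the loopback its own zone with its own zone-pair, and it also adds a zone-pair against the built-in self zone, which is what governs pings to the router's own interface addresses: by default, traffic to and from self is permitted unless a zone-pair that includes self carries a policy, which is why the original config blocks host-to-host pings but not pings to the interface. The interface names are those of the original post; the zone, class-map, policy-map and ACL names, the loopback address 10.1.1.1, and the assumption that Right-PC sits on the Serial0/0/0 network are all made up for this illustration.

```cisco
! Zones: LEFT = number1-PC side, RIGHT = number2-PC / Right-PC side
! (assumed to be the Serial0/0/0 network), LOOP = the network
! represented by Loopback0
zone security LEFT
zone security RIGHT
zone security LOOP
!
! Loopback address is an assumption for this example
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
 zone-member security LOOP
interface FastEthernet0/0
 zone-member security LEFT
interface Serial0/0/0
 zone-member security RIGHT
!
! 'match any' is not valid inside an inspect class-map; list protocols instead
class-map type inspect match-any CM-ALL
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Stateful allow: return traffic for inspected sessions is permitted
! automatically via the session table, so no reverse zone-pair is needed
policy-map type inspect PM-INSPECT
 class type inspect CM-ALL
  inspect
 class class-default
  drop log
!
! Explicit deny, logged so 'show logging' shows %FW-6-DROP_PKT for blocked traffic
policy-map type inspect PM-DROP
 class type inspect CM-ALL
  drop log
 class class-default
  drop log
!
! LEFT may initiate to RIGHT; RIGHT may not initiate to LEFT;
! RIGHT may reach the loopback network
zone-pair security LEFT-TO-RIGHT source LEFT destination RIGHT
 service-policy type inspect PM-INSPECT
zone-pair security RIGHT-TO-LEFT source RIGHT destination LEFT
 service-policy type inspect PM-DROP
zone-pair security RIGHT-TO-LOOP source RIGHT destination LOOP
 service-policy type inspect PM-INSPECT
!
! Traffic addressed to the router's own IPs (Fa0/0, S0/0/0, and the loopback
! address itself) is self-zone traffic, not LEFT/RIGHT/LOOP traffic.
! This RIGHT->self policy stops pinging the interfaces from the right side,
! while passing the loopback host explicitly so the exercise's exception
! still works. There is no self->RIGHT zone-pair, so replies from the router
! remain permitted by the self-zone default.
ip access-list extended ACL-TO-LOOP0
 permit ip any host 10.1.1.1
class-map type inspect match-all CM-TO-LOOP0
 match access-group name ACL-TO-LOOP0
policy-map type inspect PM-RIGHT-TO-SELF
 class type inspect CM-TO-LOOP0
  pass
 class class-default
  drop log
zone-pair security RIGHT-TO-SELF source RIGHT destination self
 service-policy type inspect PM-RIGHT-TO-SELF
```

After applying it, `show zone-pair security` lists the four pairs and their policies, and `show policy-map type inspect zone-pair sessions` shows the sessions that LEFT-TO-RIGHT and RIGHT-TO-LOOP have inspected; pings from the right side to the LEFT hosts or to the Fa0/0 and S0/0/0 addresses should then appear as %FW-6-DROP_PKT lines like the ones dirtyharry posted, while pings to 10.1.1.1 succeed.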