What am I doing wrong with this zone firewall setup

thomas130 Member Posts: 184
Hi guys, for college I have to complete this question

Configure the number1 router to act as a zone-based firewall. Configure the router to protect the network occupied by number1-PC from the network occupied by number2-PC, but allow the networking represented by Loopback0 to be accessible by the network occupied by Right-PC. Both on separate routers


This was my solution. I can no longer ping each host; however, I can still ping the interface. Is there something I am missing? I'm new to this whole zone-based firewall.

zone security left
exit
zone security right

interface FastEthernet0/0
zone-member security left
interface Serial 0/0/0
zone-member security right

class-map type inspect match-any class-block
match any

policy-map type inspect policy-deny
class type inspect class-block
drop

zone-pair security left-to-right source left destination right
service-policy type inspect policy-deny
zone-pair security right-to-left source right destination left
service-policy type inspect policy-deny

Comments

  • thomas130 Member Posts: 184
    sorry I should have put this in ccna security
  • Slowhand Mod Posts: 5,161
    thomas130 wrote: »
    sorry I should have put this in ccna security
    Ask and ye shall receive.

    As for your question, I'm afraid I'm not going to be a whole lot of help. I've worked with ZBF, but not enough to nail down what's wrong with your config. Hopefully, one of our resident Cisco security geeks. . . ahem, "gurus" can figure it out.
  • MikeO5422 Member Posts: 74
    This is a pretty solid config as far as I can see. Just don't forget that the loopback interface is in the self zone until you explicitly assign it to a zone. This means all traffic to it and from it is allowed until explicitly denied. I am not sure if you can apply policy maps to the self zone. I think you would have to make the loopback interface a member of a zone and apply a policy map and define zone pairs and so on.

    I certainly am not a ZBF expert so debate and correct as necessary, but that's my two cents :)
  • blindrox Member Posts: 10
    thomas130 wrote: »
    Hi guys, for college I have to complete this question

    policy-map type inspect policy-deny
    class type inspect class-block
    drop

    I'm new to ZBF myself - but isn't this "drop" essentially blocking all traffic? Have you tried changing this to pass or inspect?
  • dirtyharry Member Posts: 72
    You should provide more information. It sounds like you don't have a zone/zone-pair configured for the loopback interface at all (if that's what you mean by, "I can still ping the interface"). One of the rules of ZBF is that interfaces in separate zones can't pass traffic unless they have zone-pairs that allow it. And interfaces in zones can't pass traffic to interfaces not in a zone. You should add log to your drop command to see what is happening.

    I did something similar in my lab when studying. I have an inside network, and an outside network. The inside network is being protected from icmp. Everything else is passed (in both directions). I used the same pmap and clsmap names as you did.

    192.168.0.0/24 = inside
    10.255.5.0/24 = outside

    class-map type inspect match-any class-block
    match protocol icmp ! you have 'match any' here... that wasn't a valid command on my router.
    !
    !
    policy-map type inspect policy-deny
    class type inspect class-block
    drop log ! dropping what's in clsmap class-block
    class class-default
    pass log ! passing everything else
    !
    zone security INSIDE
    zone security OUTSIDE
    !
    zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
    service-policy type inspect policy-deny
    zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
    service-policy type inspect policy-deny
    !
    !
    !
    interface Loopback1
    ip address 172.30.255.1 255.255.255.255
    !
    interface FastEthernet0/0
    description OUTSIDE
    ip address 10.255.5.200 255.255.255.0
    zone-member security OUTSIDE
    !
    interface FastEthernet0/1
    description INSIDE
    ip address 192.168.0.1 255.255.255.0
    zone-member security INSIDE
    !

    log when I ping from outside to inside (or vice versa since the same service-policy is applied on both zone-pairs):

    *Apr 6 17:10:34.747: %FW-6-DROP_PKT: Dropping icmp session 10.255.5.27:0 192.168.0.20:0 on zone-pair OUTSIDE-TO-INSIDE class class-block due to DROP action found in policy-map with ip ident 0

    *Apr 6 17:11:10.871: %FW-6-LOG_SUMMARY: 4 packets were dropped from 10.255.5.27:8 => 192.168.0.20:0 (target:class)-(OUTSIDE-TO-INSIDE:class-block)

    log when I pass any other traffic outside to inside:

    *Apr 6 17:11:28.819: %FW-6-PASS_PKT: (target:class)-(OUTSIDE-TO-INSIDE:class-default) Passing tcp pkt 10.255.5.27:5390 => 192.168.0.20:23 with ip ident 0

    *Apr 6 17:12:33.767: %FW-6-PASS_PKT: (target:class)-(OUTSIDE-TO-INSIDE:class-default) Passing tcp pkt 10.255.5.27:5455 => 192.168.0.20:23 with ip ident 0

    Of course, you can extrapolate on this by instead of passing class-default on both zone-pairs, you could pass inside-to-outside and inspect outside-to-inside. You could assign your lo interface to a new zone that would have a different policy or assign it to the inside or outside (right or left) depending on who it needs to talk to...

    You may want to read through this document: Zone-Based Policy Firewall - Cisco Systems

    Edit: The loopback interface in my config isn't being used.
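The following is an added example, not a config posted by anyone in this thread, showing one way the three-zone layout dirtyharry describes could be written for the original question. It assumes Loopback0 is on the number1 router, that FastEthernet0/0 faces number1-PC and Serial0/0/0 faces number2-PC and Right-PC (the interface names from the original post), and the zone, class-map and policy-map names are chosen here. Putting Loopback0 into its own zone is what makes pings to it subject to policy; an interface in no zone cannot exchange traffic with zoned interfaces, and nothing gets logged for it.

```cisco
! Added example (not from the thread): three-zone ZBF on the number1 router.
! Assumed: Loopback0 lives on number1, Fa0/0 faces number1-PC, Se0/0/0
! faces number2-PC / Right-PC. Zone and map names are invented here.
zone security LEFT
zone security RIGHT
zone security LOOP
!
interface FastEthernet0/0
 zone-member security LEFT
!
interface Serial0/0/0
 zone-member security RIGHT
!
! Loopback0 gets its own zone so that traffic to it is governed by a
! zone-pair instead of being implicitly unreachable (and unlogged).
interface Loopback0
 zone-member security LOOP
!
! Traffic the RIGHT network may initiate towards the loopback network.
class-map type inspect match-any CM-RIGHT-TO-LOOP
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! Explicit deny between the two PC networks; "log" produces the
! %FW-6-DROP_PKT messages that show what is being blocked and why.
policy-map type inspect PM-DENY-ALL
 class class-default
  drop log
!
! "inspect" (rather than "pass") builds a stateful session, so the reply
! traffic back to RIGHT is allowed without a LOOP-to-RIGHT zone-pair.
policy-map type inspect PM-RIGHT-TO-LOOP
 class type inspect CM-RIGHT-TO-LOOP
  inspect
 class class-default
  drop log
!
zone-pair security LEFT-TO-RIGHT source LEFT destination RIGHT
 service-policy type inspect PM-DENY-ALL
zone-pair security RIGHT-TO-LEFT source RIGHT destination LEFT
 service-policy type inspect PM-DENY-ALL
zone-pair security RIGHT-TO-LOOP source RIGHT destination LOOP
 service-policy type inspect PM-RIGHT-TO-LOOP
!
! Verification after applying:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

With this applied, a ping from Right-PC to the Loopback0 address should succeed and show up under "show policy-map type inspect zone-pair sessions", while pings between number1-PC and number2-PC are dropped and logged on the LEFT-TO-RIGHT or RIGHT-TO-LEFT zone-pair. The two deny zone-pairs only make the default drop explicit and loggable; if the LEFT network were also required to initiate sessions towards RIGHT, LEFT-TO-RIGHT would carry an inspect policy like PM-RIGHT-TO-LOOP instead of PM-DENY-ALL.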