Friday, July 22, 2011

Zone-based Firewall (quickie)

=====================
zone-based firewall example
=====================

Quickie Steps
1. create class-map
2. create policy-map
3. create zones
4. add members (interfaces) to zones
5. create zone-pair rules


1) class-map type inspect match-any CMAP1
    match protocol tcp
    match protocol udp
    match protocol icmp
2) policy-map type inspect PMAP1
    class type inspect CMAP1
     inspect
3) zone security inside
   zone security outside
4) interface FastEthernet0/0
    zone-member security inside
   interface FastEthernet0/1
    zone-member security outside
5) zone-pair security IN2OUT source inside destination outside
    service-policy type inspect PMAP1

---------------
Explanations
---------------
1) Create a class-map to identify the types of packets you want to match or inspect. Be sure to use "inspect" as the class-map type and to specify "match-any". The default is "match-all", which requires every match statement to be true for the same packet, so a match-all class with several "match protocol" lines would never match anything. Use the match protocol command to match the desired protocols.

2) Create a policy-map to define actions. In this case, the action is to "inspect."

3) Define zones. I have defined two zones: "inside" and "outside".

4) Add members to the predefined zones. I have marked interface FastEthernet 0/0 as "inside" and FastEthernet 0/1 as "outside".

5) Finally and most importantly, create a zone-pair. This command completes the zone-based firewall by defining a relationship between the two zones. In this case, the PMAP1 policy-map is enforced on packets travelling from inside to outside. Because the action is "inspect", return traffic for sessions initiated from the inside is allowed back in statefully; there is no zone-pair from outside to inside, so traffic initiated from the outside is dropped.
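The five steps only produce a working firewall when the objects reference each other consistently: every interface must sit in a zone (traffic between a zone member and a non-member interface is dropped), every zone-pair must name defined zones and an existing policy-map, the policy-map's class-maps must exist, and the class-maps must use match-any. As an added example that is not part of the original post, the Python script below parses an IOS-style configuration text and reports those gaps. The configuration embedded in it is constructed: it follows the post's steps and adds three deliberate mistakes (an interface with no zone, and a zone-pair that names a zone and a policy-map that do not exist).

```python
import re

# Constructed sample config (not from the original post): the post's five
# steps plus three deliberate mistakes for the audit to find: FastEthernet0/2
# is in no zone, and zone-pair DMZ2OUT names an undefined zone ("dmz") and
# an undefined policy-map ("PMAP_MISSING").
SAMPLE_CONFIG = """\
class-map type inspect match-any CMAP1
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PMAP1
 class type inspect CMAP1
  inspect
zone security inside
zone security outside
interface FastEthernet0/0
 zone-member security inside
interface FastEthernet0/1
 zone-member security outside
interface FastEthernet0/2
 description constructed: zone-member forgotten
zone-pair security IN2OUT source inside destination outside
 service-policy type inspect PMAP1
zone-pair security DMZ2OUT source dmz destination outside
 service-policy type inspect PMAP_MISSING
"""

BUILTIN_ZONES = {"self"}  # the router's own zone exists without being defined


def parse_zbf(config):
    """Collect ZBF objects from IOS config text (subcommands are indented)."""
    cfg = {"class_maps": {}, "policy_maps": {}, "zones": set(),
           "interfaces": {}, "zone_pairs": {}}
    kind = block = cls = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # a new top-level block starts
            kind = block = cls = None
            if m := re.match(r"class-map type inspect (match-any|match-all) (\S+)$", line):
                kind, block = "cmap", m[2]
                cfg["class_maps"][block] = {"match": m[1], "protocols": []}
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                kind, block = "pmap", m[1]
                cfg["policy_maps"][block] = {}
            elif m := re.match(r"zone security (\S+)$", line):
                cfg["zones"].add(m[1])
            elif m := re.match(r"interface (\S+)$", line):
                kind, block = "intf", m[1]
                cfg["interfaces"][block] = None  # filled by zone-member
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                kind, block = "zpair", m[1]
                cfg["zone_pairs"][block] = {"src": m[2], "dst": m[3], "policy": None}
            continue
        body = line.strip()
        if kind == "cmap" and (m := re.match(r"match protocol (\S+)$", body)):
            cfg["class_maps"][block]["protocols"].append(m[1])
        elif kind == "pmap" and (m := re.match(r"class (?:type inspect )?(\S+)$", body)):
            cls = m[1]
            cfg["policy_maps"][block][cls] = None  # action filled in below
        elif kind == "pmap" and cls and body in ("inspect", "pass", "drop", "drop log"):
            cfg["policy_maps"][block][cls] = body
        elif kind == "intf" and (m := re.match(r"zone-member security (\S+)$", body)):
            cfg["interfaces"][block] = m[1]
        elif kind == "zpair" and (m := re.match(r"service-policy type inspect (\S+)$", body)):
            cfg["zone_pairs"][block]["policy"] = m[1]
    return cfg


def audit_zbf(cfg):
    """Return (severity, message) findings for the references ZBF depends on."""
    out = []
    zones = cfg["zones"] | BUILTIN_ZONES
    for intf, zone in cfg["interfaces"].items():
        if zone is None:
            out.append(("WARN", f"{intf} is in no zone; traffic between it and any zone member is dropped"))
    for name, zp in cfg["zone_pairs"].items():
        for z in (zp["src"], zp["dst"]):
            if z not in zones:
                out.append(("ERROR", f"zone-pair {name} references undefined zone {z}"))
        if zp["policy"] is None:
            out.append(("WARN", f"zone-pair {name} has no service-policy; {zp['src']}->{zp['dst']} traffic is dropped"))
        elif zp["policy"] not in cfg["policy_maps"]:
            out.append(("ERROR", f"zone-pair {name} references undefined policy-map {zp['policy']}"))
    for pname, classes in cfg["policy_maps"].items():
        for cname, action in classes.items():
            if cname == "class-default":
                continue  # implicit class, implicit drop
            if cname not in cfg["class_maps"]:
                out.append(("ERROR", f"policy-map {pname} references undefined class-map {cname}"))
            if action is None:
                out.append(("WARN", f"policy-map {pname} class {cname} has no inspect/pass/drop action"))
    for cname, cm in cfg["class_maps"].items():
        if cm["match"] == "match-all" and len(cm["protocols"]) > 1:
            out.append(("ERROR", f"class-map {cname} is match-all with several protocols; no single packet can match them all"))
    return out


if __name__ == "__main__":
    for severity, message in audit_zbf(parse_zbf(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against the sample it prints one warning for FastEthernet0/2 and two errors for DMZ2OUT; feed it `show running-config` output saved to a file to check a real box. The parser keys only on the leading-space indentation that IOS uses for subcommands, so abbreviated forms such as "int fa0/0" or "zone-pair sec" must be expanded first (the running-config always stores the full keywords).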
