KB ID 0000937
Problem
IOS 11.2 gave us CBAC, and IOS 12.4(6)T gave us the Zone Based Firewall. You can still use either, providing you are running the correct IOS (or, on version 15 and upwards, have added the correct license, 'securityk9'). On older IOS versions you usually want the advipservices image.
Solution
Run the following command to see if you have the correct license installed.
[box]
Petes-Router#show license features
[/box]
Cisco IOS Setup CBAC (IOS Firewall Classic)
1. Declare the protocols you want to inspect.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ip inspect name IOS-FW tcp
Petes-Router(config)#ip inspect name IOS-FW udp
Petes-Router(config)#ip inspect name IOS-FW icmp
[/box]
2. Apply that inspection inbound on the inside interface (that’s traffic going out).
[box]
Petes-Router(config)#interface FastEthernet 0/1
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#
[/box]
3. Apply the inspection inbound on the outside interface (for traffic coming in), and then save the changes.
Note: If you have VPN traffic this will NOT break it.
[box]
Petes-Router(config)#interface Dialer0
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#exit
*Mar 1 00:05:29.875: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#wr mem
Building configuration...
[OK]
Petes-Router#
[/box]
Cisco Zone Based Firewall Setup
The config on ZBF can get quite complicated; I'm simply going to allow traffic out, and block all traffic coming in (apart from traffic that will be coming in over the VPN).
Note: CBAC Settings (if used), must be removed before configuring ZBF.
1. The first thing to do is set up the zones; I only have a LAN and a WAN to worry about.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#zone security SZ-INSIDE
Petes-Router(config-sec-zone)#description Local Area Network
Petes-Router(config-sec-zone)#zone security SZ-OUTSIDE
Petes-Router(config-sec-zone)#description Wide Area Network (Internet)
Petes-Router(config-sec-zone)#exit
[/box]
2. Create two ACLs to decide which traffic you want to allow in and out. Note: I've also added the subnets for my remote VPN network. I will allow out www (TCP 80), https (TCP 443), and DNS (TCP 53). Inbound, everything is blocked apart from my VPN traffic.
Note: Most DNS lookups use UDP 53 rather than TCP, so if your clients resolve names through this router, add a matching permit udp line to the outbound ACL as well, or name resolution will fail.
Note: I’m not covering setting up the VPN, if you want to know how to do that, see the following article;
Cisco Router – Configure Site to Site IPSEC VPN
Then for each ACL I'm creating a class-map; it's the class-map that decides what traffic will be inspected (by inspected, in ZBF terms, we mean allowed).
[box]
Petes-Router(config)#ip access-list extended ACL-OUTBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq www
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 443
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 53
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#class-map type inspect match-all CM-OUTBOUND
Petes-Router(config-cmap)#match access-group name ACL-OUTBOUND
Petes-Router(config-cmap)#exit
Petes-Router(config)#ip access-list extended ACL-INBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#class-map type inspect match-all CM-INBOUND
Petes-Router(config-cmap)#match access-group name ACL-INBOUND
Petes-Router(config-cmap)#exit
[/box]
3. Define what to do with the (matched) traffic with a policy-map; this can be set to inspect, log, or drop. We set it to inspect our traffic, and to drop and log everything else.
[box]
Petes-Router(config)#policy-map type inspect PM-OUTBOUND
Petes-Router(config-pmap)#class type inspect CM-OUTBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-OUTBOUND for inspection. All protocols will be inspected
Note: The above is not really true - we have defined the port in the ACL.
Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
Petes-Router(config)#policy-map type inspect PM-INBOUND
Petes-Router(config-pmap)#class type inspect CM-INBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-INBOUND for inspection. All protocols will be inspected
Note: The above is fine, it drops everything that's not VPN traffic anyway.
Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
[/box]
4. The last task is to create zone-pairs for the outbound and inbound traffic, then apply our policy-maps to them with a service-policy.
Note: A zone-pair only governs interfaces that have been placed in its zones. Put each interface in its zone with zone-member security {zone-name} under the interface (SZ-INSIDE on the LAN interface, SZ-OUTSIDE on the WAN interface); traffic between a zoned interface and an interface that is in no zone is dropped.
[box]
Petes-Router(config)#zone-pair security ZP-OUTBOUND source SZ-INSIDE destination SZ-OUTSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-OUTBOUND
Petes-Router(config-sec-zone-pair)#exit
Petes-Router(config)#zone-pair security ZP-INBOUND source SZ-OUTSIDE destination SZ-INSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-INBOUND
Petes-Router(config-sec-zone-pair)#exit
[/box]
5. Save the changes, sit back, light your pipe, and admire your handiwork.
[box]
Petes-Router(config)#exit
Petes-Router#write mem
Building configuration...
[OK]
[/box]
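As an added example (not part of the original article), a small Python checker for the cross-references the ZBF steps above depend on: every class named in a policy-map must exist as a class-map, every zone-pair must carry a service-policy that exists, every interface must be a zone member, and no CBAC ip inspect rules may remain alongside ZBF. The running-config excerpt it parses is constructed for this example, with two deliberate gaps for it to find.

```python
import re
# Constructed running-config excerpt (not from the article), with two deliberate gaps.
SAMPLE_CONFIG = """\
zone security SZ-INSIDE
zone security SZ-OUTSIDE
class-map type inspect match-all CM-OUTBOUND
policy-map type inspect PM-OUTBOUND
 class type inspect CM-OUTBOUND
  inspect
policy-map type inspect PM-INBOUND
 class type inspect CM-INBOUND
  inspect
zone-pair security ZP-OUTBOUND source SZ-INSIDE destination SZ-OUTSIDE
 service-policy type inspect PM-OUTBOUND
zone-pair security ZP-INBOUND source SZ-OUTSIDE destination SZ-INSIDE
 service-policy type inspect PM-INBOUND
interface FastEthernet0/1
 zone-member security SZ-INSIDE
interface Dialer0
"""

def check_zbf(config):
    # Walk the config once, remembering which block (policy-map, zone-pair, interface) we are in.
    zones, cmaps, pmaps, pairs, ifaces, findings, ctx, cur = set(), set(), set(), {}, {}, [], None, None
    for s in map(str.strip, config.splitlines()):
        if m := re.match(r"zone security (\S+)", s):
            zones.add(m[1]); ctx = None
        elif m := re.match(r"class-map type inspect \S+ (\S+)", s):
            cmaps.add(m[1]); ctx = None
        elif m := re.match(r"policy-map type inspect (\S+)", s):
            pmaps.add(m[1]); ctx, cur = "pmap", m[1]
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", s):
            pairs[m[1]] = [m[2], m[3], None]; ctx, cur = "pair", m[1]
        elif m := re.match(r"interface (\S+)", s):
            ifaces[m[1]] = None; ctx, cur = "iface", m[1]
        elif ctx == "pmap" and (m := re.match(r"class type inspect (\S+)", s)) and m[1] not in cmaps:
            findings.append(f"policy-map {cur} references undefined class-map {m[1]}")
        elif ctx == "pair" and (m := re.match(r"service-policy type inspect (\S+)", s)):
            pairs[cur][2] = m[1]
        elif ctx == "iface" and (m := re.match(r"zone-member security (\S+)", s)):
            ifaces[cur] = m[1]
    for name, (src, dst, pol) in pairs.items():
        if pol not in pmaps:  # covers both a missing and a misspelled service-policy
            findings.append(f"zone-pair {name} has no usable service-policy, so traffic across it is dropped")
    for iface, z in ifaces.items():
        if z is None:
            findings.append(f"interface {iface} is not in any zone, so it cannot talk to zoned interfaces")
    if pairs and re.search(r"^ip inspect name ", config, re.M):
        findings.append("CBAC 'ip inspect' rules coexist with ZBF; remove CBAC first")
    return findings
```

Run it against the output of show running-config; an empty list means every reference resolves.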
Related Articles, References, Credits, or External Links
NA