
IOS Zone-Based Firewall

The document discusses IOS zone-based firewall terminology and configuration. It defines security zones, zone pairs, inspection policies, and parameter maps. It then shows an example configuration that defines zones, assigns interfaces, creates inspection policies and maps, and applies them to zone pairs.

Uploaded by

Walter Valverde
Copyright
© Attribution Non-Commercial (BY-NC)

IOS ZONE-BASED FIREWALL

Terminology

Security Zone
A group of interfaces which share a common level of security

Zone Pair
A unidirectional pairing of source and destination zones to which a security policy is applied

Inspection Policy
An inspect-type policy map used to statefully filter traffic by matching one or more inspect-type class maps

Parameter Map
An optional configuration of protocol-specific parameters referenced by an inspection policy

packetlife.net

Inspection Class Configuration

! Match by protocol
class-map type inspect match-any ByProtocol
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Match by access list (extended ACLs take a wildcard mask, so 10.0.0.0/16 is 0.0.255.255)
ip access-list extended MyACL
 permit ip 10.0.0.0 0.0.255.255 any
!
class-map type inspect match-all ByAccessList
 match access-group name MyACL

Security Zones

[Figure: Security Zones. G0/0 faces the MPLS WAN and G0/1 faces the Internet; subinterface G0/2.10 serves the Corporate LAN and G0/2.20 the Guest Wireless LAN. G0/0 and G0/2.10 belong to the Trusted zone, G0/1 to the Internet zone, and G0/2.20 to the Guest zone.]

! Defining security zones
zone security Trusted
zone security Guest
zone security Internet
!
! Assigning interfaces to security zones
interface GigabitEthernet0/0
 zone-member security Trusted
!
interface GigabitEthernet0/1
 zone-member security Internet
!
interface GigabitEthernet0/2.10
 zone-member security Trusted
!
interface GigabitEthernet0/2.20
 zone-member security Guest

Parameter Map Configuration

parameter-map type inspect MyParameterMap
 alert on
 audit-trail off
 dns-timeout 5
 max-incomplete low 20000
 max-incomplete high 25000
 icmp idle-time 3
 tcp synwait-time 3

Inspection Policy Actions

Drop
Traffic is prevented from passing

Pass
Traffic is permitted to pass without stateful inspection

Inspect
Traffic is subjected to stateful inspection; legitimate return traffic is permitted in the opposite direction

Inspection Policy Configuration

policy-map type inspect MyInspectionPolicy
 ! Pass permitted stateless traffic
 class VPN-Tunnel
  pass
 ! Inspect permitted stateful traffic
 class Allowed-Traffic1
  inspect
 ! Stateful inspection with a parameter map
 class Allowed-Traffic2
  inspect MyParameterMap
 ! Drop and log unpermitted traffic
 class class-default
  drop log

Zone Pair Configuration

! Service policies are applied to zone pairs
zone-pair security T2I source Trusted destination Internet
 service-policy type inspect Trusted2Internet
zone-pair security G2I source Guest destination Internet
 service-policy type inspect Guest2Internet
zone-pair security I2T source Internet destination Trusted
 service-policy type inspect Internet2Trusted
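The fragments above are only consistent when every name lines up: each zone-member and zone-pair names a defined zone, each zone pair carries a policy map that exists, each class in a policy map is a defined inspect class map, and each inspect action names a defined parameter map. The following checker is an added example written for this page, not part of the packetlife.net cheat sheet; it parses IOS configuration text offline (before it is pushed) and reports dangling references, including the case a practitioner most wants flagged: a zone pair with no usable policy, which leaves all traffic between those zones dropped. The sample configuration is constructed from the page's own fragments and deliberately leaves Guest2Internet undefined so the failure mode is visible.

```python
"""Referential-integrity check for an IOS zone-based firewall configuration.

Added example, not from the cheat sheet. SAMPLE_CONFIG is constructed from the
page's fragments (ByProtocol, ByAccessList, MyACL, MyParameterMap,
Trusted2Internet, Guest2Internet); the parser accepts both the full
'class type inspect NAME' form and the abbreviated 'class NAME' form.
"""
import re

# Constructed sample: zone pair G2I names a policy map that is never defined.
SAMPLE_CONFIG = """\
zone security Trusted
zone security Guest
zone security Internet
!
interface GigabitEthernet0/0
 zone-member security Trusted
interface GigabitEthernet0/1
 zone-member security Internet
interface GigabitEthernet0/2.10
 zone-member security Trusted
interface GigabitEthernet0/2.20
 zone-member security Guest
!
ip access-list extended MyACL
 permit ip 10.0.0.0 0.0.255.255 any
class-map type inspect match-any ByProtocol
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all ByAccessList
 match access-group name MyACL
parameter-map type inspect MyParameterMap
 tcp synwait-time 3
policy-map type inspect Trusted2Internet
 class type inspect ByAccessList
  inspect MyParameterMap
 class class-default
  drop log
zone-pair security T2I source Trusted destination Internet
 service-policy type inspect Trusted2Internet
zone-pair security G2I source Guest destination Internet
 service-policy type inspect Guest2Internet
"""

# Same config with the missing policy map supplied (constructed).
FIXED_CONFIG = SAMPLE_CONFIG + """\
policy-map type inspect Guest2Internet
 class type inspect ByProtocol
  inspect
 class class-default
  drop
"""

TOP_LEVEL = [  # (kind, regex) for the block-opening commands we care about
    ("zone", r"zone security (\S+)$"),
    ("iface", r"interface (\S+)$"),
    ("acl", r"ip access-list (?:extended|standard) (\S+)$"),
    ("class", r"class-map type inspect (?:match-any|match-all) (\S+)$"),
    ("param", r"parameter-map type inspect (\S+)$"),
    ("policy", r"policy-map type inspect (\S+)$"),
    ("pair", r"zone-pair security (\S+) source (\S+) destination (\S+)$"),
]


def parse(text):
    """Collect the ZBF objects and the names each of them references."""
    cfg = {"zones": set(), "iface_zone": {}, "acls": set(), "class_maps": {},
           "param_maps": set(), "policy_maps": {}, "zone_pairs": {}}
    ctx = None  # (kind, name) of the block that indented lines belong to
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):          # a new top-level command
            ctx = None
            for kind, pattern in TOP_LEVEL:
                m = re.match(pattern, line)
                if not m:
                    continue
                name = m.group(1)
                if kind == "zone":
                    cfg["zones"].add(name)
                elif kind == "acl":
                    cfg["acls"].add(name)
                elif kind == "param":
                    cfg["param_maps"].add(name)
                elif kind == "class":
                    cfg["class_maps"][name] = []
                    ctx = (kind, name)
                elif kind == "policy":
                    cfg["policy_maps"][name] = {"classes": [], "params": []}
                    ctx = (kind, name)
                elif kind == "pair":
                    cfg["zone_pairs"][name] = {"src": m.group(2), "dst": m.group(3), "policy": None}
                    ctx = (kind, name)
                else:                          # interface
                    ctx = (kind, name)
                break
            continue
        if ctx is None:
            continue
        kind, name = ctx
        w = line.split()
        if kind == "iface" and w[:2] == ["zone-member", "security"]:
            cfg["iface_zone"][name] = w[2]
        elif kind == "class" and w[:3] == ["match", "access-group", "name"]:
            cfg["class_maps"][name].append(w[3])
        elif kind == "policy" and w[0] == "class":
            cfg["policy_maps"][name]["classes"].append(w[-1])
        elif kind == "policy" and w[0] == "inspect" and len(w) > 1:
            cfg["policy_maps"][name]["params"].append(w[1])
        elif kind == "pair" and w[:3] == ["service-policy", "type", "inspect"]:
            cfg["zone_pairs"][name]["policy"] = w[3]
    return cfg


def check_config(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    cfg = parse(text)
    findings = []
    zones = cfg["zones"] | {"self"}           # the router's own 'self' zone is implicit
    for iface, zone in cfg["iface_zone"].items():
        if zone not in zones:
            findings.append(f"interface {iface} is a member of undefined zone {zone}")
    for cname, acls in cfg["class_maps"].items():
        for acl in acls:
            if acl not in cfg["acls"]:
                findings.append(f"class-map {cname} matches undefined access-list {acl}")
    for pname, body in cfg["policy_maps"].items():
        for cname in body["classes"]:
            if cname != "class-default" and cname not in cfg["class_maps"]:
                findings.append(f"policy-map {pname} references undefined class-map {cname}")
        for pm in body["params"]:
            if pm not in cfg["param_maps"]:
                findings.append(f"policy-map {pname} references undefined parameter-map {pm}")
    for zp, body in cfg["zone_pairs"].items():
        for role in ("src", "dst"):
            if body[role] not in zones:
                findings.append(f"zone-pair {zp} references undefined zone {body[role]}")
        if body["policy"] is None:
            findings.append(f"zone-pair {zp} has no service-policy; {body['src']}->{body['dst']} traffic is dropped")
        elif body["policy"] not in cfg["policy_maps"]:
            findings.append(f"zone-pair {zp} references undefined policy-map {body['policy']}")
    for zone in sorted(cfg["zones"] - set(cfg["iface_zone"].values())):
        findings.append(f"zone {zone} has no member interfaces")
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Run against SAMPLE_CONFIG it reports the single dangling Guest2Internet reference; against FIXED_CONFIG it reports nothing. The same routine can be pointed at a saved running-config to review zone-pair coverage before a change window.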

Troubleshooting

show zone security
show zone-pair security
show policy-map type inspect
show class-map type inspect
show parameter-map type inspect
debug zone security events

v1.0

by Jeremy Stretch
