Saturday, February 22, 2020

Zone Based Firewall Transparent Mode

Cisco’s zone based firewall is normally used with layer 3 interfaces but you can also use it as a transparent firewall. If you have no idea what zone based firewalls are then I suggest you first take a look at my basic ZBF configuration example. If you haven’t configured layer 2 bridging before then you should start with the transparent IOS firewall example. Having said that, let’s configure a Zone based firewall in transparent mode. This is the topology that I will be using:
[Topology diagram: zbf transparent mode]
Above we have 3 routers. R1 and R3 are in the same layer 2 segment because we’ll configure R2 to bridge its FastEthernet 0/0 and 0/1 interfaces. Once this is done we’ll configure the Zone Based Firewall. I will use a very simple example: by default all inter-zone traffic is denied, and I want to configure R2 so that it permits only ICMP traffic from R1 to R3 (and the return traffic). Let’s get started!

Configuration

First we’ll configure bridging:
R2(config)#bridge crb 
R2(config)#bridge 1 protocol ieee 

R2(config)#interface fastEthernet 0/0
R2(config-if)#bridge-group 1

R2(config)#interface fastEthernet 0/1
R2(config-if)#bridge-group 1
I don’t need a layer 3 interface on R2 so we’ll go for concurrent routing and bridging (CRB) with IEEE spanning-tree. Both FastEthernet interfaces have been added to bridge group 1.
If you decide to use bridge irb, the layer 3 bridge interface will automatically belong to the ZBF self zone.
I will create a LAN and WAN zone. R1 will be in the LAN zone and R3 in the WAN zone. We’ll also add the interfaces to the correct zone and create a zone pair for traffic from our LAN to the WAN.
R2(config)#zone security LAN
R2(config)#zone security WAN

R2(config)#interface fastEthernet 0/0
R2(config-if)#zone-member security LAN

R2(config)#interface fastEthernet 0/1
R2(config-if)#zone-member security WAN  

R2(config)#zone-pair security LAN-TO-WAN source LAN destination WAN
With the zones in place, we can create a security policy. We’ll use NBAR to match ICMP traffic in a class-map and create a policy-map that applies the inspect action to that class:
R2(config)#class-map type inspect ICMP
R2(config-cmap)#match protocol icmp

R2(config)#policy-map type inspect LAN-TO-WAN 
R2(config-pmap)#class ICMP
R2(config-pmap-c)#inspect
Last but not least we have to attach that policy-map to the zone pair:
R2(config)#zone-pair security LAN-TO-WAN
R2(config-sec-zone-pair)#service-policy type inspect LAN-TO-WAN
That’s everything we have to configure. Time to find out if everything is working…
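The configuration above is small enough to read by eye, but it is useful to see the ZBF rules (intra-zone pass, no zone-pair means drop, first matching class wins, class-default otherwise) written down as code. The following is an added example, not code from the original post or from Cisco: a small offline auditor that parses R2's running configuration, rebuilds the zone/policy model, answers what happens to a new flow in each direction, and flags a bridged interface that is not a zone member. It assumes class-maps use only "match protocol" lines and hand-codes the IOS default behaviour; the function names (`parse_ios_config`, `build_model`, `verdict`, `audit`) are my own.

```python
# Added example (not from the original post): an offline auditor for the
# transparent-mode ZBF configuration built above. It parses R2's running
# config into a zone/policy model, answers "what happens to a new flow?" and
# flags bridged interfaces that are not zone members. Assumptions: class-maps
# use only "match protocol" lines, and the IOS defaults (intra-zone pass,
# inter-zone drop without a zone-pair) are hand-coded here.

# Constructed sample: the relevant part of R2's configuration from this post.
R2_CONFIG = """\
class-map type inspect match-all ICMP
 match protocol icmp
!
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN
!
interface FastEthernet0/0
 zone-member security LAN
 bridge-group 1
!
interface FastEthernet0/1
 zone-member security WAN
 bridge-group 1
!
end
"""

def parse_ios_config(text):
    """Split an IOS config into (header, [child lines]); '!' and 'end' close a section."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                current[1].append(raw)   # keep indentation: policy-map classes nest
        else:
            current = (line, [])
            sections.append(current)
    return sections

def build_model(sections):
    """Collect class-maps, policy-maps, zones, zone-pairs and interface memberships."""
    m = {"class_maps": {}, "policy_maps": {}, "zones": set(), "zone_pairs": {}, "interfaces": {}}
    for header, children in sections:
        p = header.split()
        kids = [c.strip() for c in children]
        if header.startswith("class-map type inspect"):       # class-map type inspect match-all NAME
            m["class_maps"][p[4]] = [k.split()[2] for k in kids if k.startswith("match protocol")]
        elif header.startswith("policy-map type inspect"):    # "class ..." line followed by its action
            actions, cls = {}, None
            for k in kids:
                if k.startswith("class "):
                    cls = k.split()[-1]          # "class type inspect ICMP" -> ICMP, or class-default
                elif cls is not None:
                    actions[cls] = k.split()[0]  # inspect / pass / drop
            m["policy_maps"][p[3]] = actions
        elif header.startswith("zone security"):
            m["zones"].add(p[2])
        elif header.startswith("zone-pair security"):         # zone-pair security NAME source S destination D
            policy = [k.split()[3] for k in kids if k.startswith("service-policy type inspect")]
            m["zone_pairs"][(p[4], p[6])] = policy[0] if policy else None
        elif header.startswith("interface "):
            zone = [k.split()[2] for k in kids if k.startswith("zone-member security")]
            bg = [k.split()[1] for k in kids if k.startswith("bridge-group")]
            m["interfaces"][p[1]] = {"zone": zone[0] if zone else None, "bridge_group": bg[0] if bg else None}
    return m

def verdict(model, src_zone, dst_zone, protocol):
    """Action ZBF applies to a new flow of `protocol` from src_zone to dst_zone."""
    if src_zone == dst_zone:
        return "pass"                      # traffic within one zone is not inspected
    policy = model["zone_pairs"].get((src_zone, dst_zone))
    if policy is None:
        return "drop"                      # no zone-pair in this direction: default deny
    actions = model["policy_maps"].get(policy, {})
    for cls, action in actions.items():    # first matching class wins, in config order
        if cls != "class-default" and protocol in model["class_maps"].get(cls, []):
            return action
    return actions.get("class-default", "drop")

def audit(model):
    """Findings a practitioner wants before trusting a transparent ZBF."""
    findings = []
    for name, iface in model["interfaces"].items():
        if iface["bridge_group"] and iface["zone"] is None:
            findings.append(f"{name}: in bridge-group {iface['bridge_group']} but not in any zone")
    for (src, dst), policy in model["zone_pairs"].items():
        if policy is None:
            findings.append(f"zone-pair {src}->{dst}: no service-policy, all traffic dropped")
        elif policy not in model["policy_maps"]:
            findings.append(f"zone-pair {src}->{dst}: policy-map {policy} is not defined")
    return findings
```

Running `verdict(model, "LAN", "WAN", "icmp")` on the parsed config returns `inspect`, while `verdict(model, "WAN", "LAN", "icmp")` returns `drop` because no zone-pair exists in that direction, which is exactly what the ping tests in the next section show. The `audit` check for a bridge-group member without a zone is the one that matters in transparent mode: such an interface silently drops traffic to and from zone members.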

Verification

The first thing you should do is check if your bridge works:
R2#show bridge 1

Total of 300 station blocks, 298 free
Codes: P - permanent, S - self

Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
c202.23f6.0000   forward   FastEthernet0/1   0          5          4
c200.23f6.0000   forward   FastEthernet0/0   0         11         10
Bridging on R2 seems to be working: it has learned the MAC addresses of R1 and R3. We’ll send some pings from R3 to R1 to see if our transparent ZBF is working:
R3#ping 192.168.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The ping fails, which is what we expect: all inter-zone traffic is dropped by default and there is no zone-pair from WAN to LAN. Let’s try to ping from R1 to R3:
R1#ping 192.168.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
This works. Let’s check on R2 that the ICMP traffic is matched and inspected by our policy-map:
R2#show policy-map type inspect zone-pair
 Zone-pair: LAN-TO-WAN

  Service-policy inspect : LAN-TO-WAN

    Class-map: ICMP (match-all)
      Match: protocol icmp
      Inspect
        Packet inspection statistics [process switch:fast switch]
        icmp packets: [1:29]

        Session creations since subsystem startup or last reset 2
        Current session counts (estab/half-open/terminating) [1:0:0]
        Maxever session counts (estab/half-open/terminating) [1:1:0]
        Last session created 00:00:04
        Last statistic reset never
        Last session creation rate 1
        Maxever session creation rate 1
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any 
      Drop (default action)
        0 packets, 0 bytes
That’s working fine! In the output above you can see that the ICMP packets matched the ICMP class and were inspected, while the class-default drop counter stays at 0. I hope this basic example helps you to understand how to configure the zone based firewall in transparent mode.
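The counters in that output are what you would watch after deployment: packets in the inspect class, session counts, and anything landing in the class-default drop action. As an added example, not code from the original post or from Cisco, here is a parser for the `show policy-map type inspect zone-pair` output shown above, with a small health check on top of it. The sample text is R2's output from this post; the function names, the result structure and the half-open threshold are my own assumptions.

```python
# Added example (not from the original post): a parser for the
# "show policy-map type inspect zone-pair" output above, turning the counters
# into a structure a monitoring job can alert on. The sample text is the
# output shown in this post; the alert threshold is an assumption.
import re

# Constructed sample: R2's output from this post, embedded so the parser runs offline.
SHOW_OUTPUT = """\
 Zone-pair: LAN-TO-WAN

  Service-policy inspect : LAN-TO-WAN

    Class-map: ICMP (match-all)
      Match: protocol icmp
      Inspect
        Packet inspection statistics [process switch:fast switch]
        icmp packets: [1:29]

        Session creations since subsystem startup or last reset 2
        Current session counts (estab/half-open/terminating) [1:0:0]
        Maxever session counts (estab/half-open/terminating) [1:1:0]
        Last session created 00:00:04

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
"""

SESSIONS_RE = re.compile(r"Current session counts \(estab/half-open/terminating\) \[(\d+):(\d+):(\d+)\]")
PACKETS_RE = re.compile(r"(\w+) packets: \[(\d+):(\d+)\]")   # [process switched:fast switched]
DROPPED_RE = re.compile(r"(\d+) packets, (\d+) bytes")       # counter under a drop action

def parse_zone_pair_stats(text):
    """Return {zone_pair: {"policy": name, "classes": {class: {...}}}} from the show output."""
    result, pair, entry = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Zone-pair: "):
            pair = s.split()[1]
            result[pair] = {"policy": None, "classes": {}}
            entry = None
        elif s.startswith("Service-policy inspect : ") and pair:
            result[pair]["policy"] = s.split()[-1]
        elif s.startswith("Class-map: ") and pair:
            name, mode = re.match(r"Class-map: (\S+) \((\S+)\)", s).groups()
            entry = {"mode": mode, "action": None, "packets": {}, "sessions": None, "dropped": 0}
            result[pair]["classes"][name] = entry
        elif entry is None:
            continue
        elif s in ("Inspect", "Pass") or s.startswith("Drop"):
            entry["action"] = s.split()[0].lower()
        elif PACKETS_RE.match(s):
            proto, proc, fast = PACKETS_RE.match(s).groups()
            entry["packets"][proto] = {"process": int(proc), "fast": int(fast)}
        elif SESSIONS_RE.match(s):
            est, half, term = map(int, SESSIONS_RE.match(s).groups())
            entry["sessions"] = {"estab": est, "half_open": half, "terminating": term}
        elif DROPPED_RE.match(s) and entry["action"] == "drop":
            entry["dropped"] = int(DROPPED_RE.match(s).group(1))
    return result

def health_checks(stats, half_open_limit=50):
    """Alerts worth raising: packets hitting a drop class (something unexpected reached
    the firewall) and half-open session build-up. The threshold is an assumed value."""
    alerts = []
    for pair, info in stats.items():
        for name, e in info["classes"].items():
            if e["action"] == "drop" and e["dropped"] > 0:
                alerts.append(f"{pair}/{name}: {e['dropped']} packets dropped")
            if e["sessions"] and e["sessions"]["half_open"] > half_open_limit:
                alerts.append(f"{pair}/{name}: {e['sessions']['half_open']} half-open sessions")
    return alerts
```

Feed it the text of the show command (for example collected over SSH on a schedule) and compare successive samples: a rising `dropped` counter in class-default means traffic other than ICMP is arriving from the LAN zone, and a growing half-open count means sessions are being opened without completing.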
Configurations

R1

hostname R1
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.13.1 255.255.255.0
!
end

R2

hostname R2
!
ip cef
!
class-map type inspect match-all ICMP
 match protocol icmp
!
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN
!
bridge crb
!
interface FastEthernet0/0
 no ip address
 zone-member security LAN
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 zone-member security WAN
 bridge-group 1
!
bridge 1 protocol ieee
!
end

R3

hostname R3
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.13.3 255.255.255.0
!
end

If you have any questions feel free to leave a comment!
