CCNA Security – Firewalls

Firewall solutions:

  • packet filtering (ACLs)
  • proxy (through another machine, additional features: caching, filtering, etc.)
  • stateful filtering (allows the response back)

Stateful filtering:

  • reflexive ACLs
  • CBAC (Context-Based Access Control)
  • Zone Based Firewall

Steps to create Zone Based Firewall:

  1. Identify zones (interface)
  2. Identify traffic (class maps)
  3. Identify action (policy maps)
  4. Identify zone pairs
  5. Identify policy to zone pair mappings (service policy)

Action can be:

  • inspect
  • allow to pass
  • drop


Zone Based Firewall

! default configuration of the interfaces
configure terminal
interface f0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
interface f0/1
ip address 10.10.10.1 255.255.255.0
no shutdown

! default route (the next hop must be the upstream gateway on the OUTSIDE subnet,
! not this router's own f0/0 address 192.168.10.1; placeholder below)
ip route 0.0.0.0 0.0.0.0 <OUTSIDE-GATEWAY-IP>

! create admin user
username admin privilege 15 secret password

! enable http and https for CCP
ip http server
ip http secure-server
ip http authentication local

! configure PAT
access-list 1 permit 10.0.0.0 0.255.255.255
ip nat inside source list 1 interface f0/0 overload
interface f0/1
ip nat inside
interface f0/0
ip nat outside
exit

! create zones
zone security OUTSIDE
exit
zone security INSIDE
exit

interface f0/0
zone-member security OUTSIDE
exit
interface f0/1
zone-member security INSIDE
exit

! create classmap
class-map type inspect match-any INSPECTED
match protocol icmp
match protocol tcp
match protocol udp
exit

! create policy
policy-map type inspect POLICY
class type inspect INSPECTED
inspect
exit

! create zone-pairs
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect POLICY
exit

! check configuration
show policy-map type inspect zone-pair
show policy-map type inspect zone-pair session
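An added consistency check for the five steps above (example code, not from the original notes or from Cisco): it parses the zone-based firewall lines of an IOS running-config and reports interfaces that belong to no zone, policies that reference undefined class-maps, and zone-pairs whose zones or service-policy were never defined. The sample config is constructed from the configuration above with one deliberate omission.

```python
import re
# Constructed sample: the zone-based firewall lines from the config above, with one
# deliberate mistake (f0/1 has no zone-member line) so the checker reports a finding.
SAMPLE_CONFIG = """
zone security OUTSIDE
zone security INSIDE
interface f0/0
 zone-member security OUTSIDE
interface f0/1
class-map type inspect match-any INSPECTED
policy-map type inspect POLICY
 class type inspect INSPECTED
  inspect
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY
"""

def check_zbf(config):
    """Cross-check the five ZBF steps in an IOS config; returns findings (empty = consistent)."""
    zones, cmaps, pmaps, members, pairs = set(), set(), {}, {}, []
    iface = pmap = None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"zone security (\S+)$", s):  # step 1: zones
            zones.add(m[1])
        elif m := re.match(r"interface (\S+)$", s):  # step 1: interface -> zone
            iface = m[1]; members.setdefault(iface, None)
        elif m := re.match(r"zone-member security (\S+)$", s):
            members[iface] = m[1]
        elif m := re.match(r"class-map type inspect match-(?:any|all) (\S+)$", s):  # step 2
            cmaps.add(m[1])
        elif m := re.match(r"policy-map type inspect (\S+)$", s):  # step 3: action per class
            pmap = m[1]; pmaps[pmap] = []
        elif m := re.match(r"class type inspect (\S+)$", s):
            pmaps[pmap].append(m[1])
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", s):  # 4
            pairs.append([m[1], m[2], m[3], None])
        elif m := re.match(r"service-policy type inspect (\S+)$", s):  # step 5: policy -> pair
            pairs[-1][3] = m[1]
    findings = []
    for iface, zone in members.items():  # an interface outside every zone cannot talk to any zone
        if zone not in zones:
            findings.append(f"{iface}: " + ("in no zone, traffic to zones is dropped" if zone is None else f"zone {zone} not defined"))
    for pm, classes in pmaps.items():  # a policy must only reference class-maps that exist
        findings += [f"policy-map {pm}: class-map {c} not defined" for c in classes if c not in cmaps]
    for name, src, dst, svc in pairs:  # pair zones and its service-policy must exist
        findings += [f"zone-pair {name}: zone {z} not defined" for z in (src, dst) if z not in zones]
        if svc not in pmaps:
            findings.append(f"zone-pair {name}: " + ("no service-policy, traffic is dropped" if svc is None else f"policy-map {svc} not defined"))
    return findings
```

Feed it the output of `show running-config`; an empty list means every interface, class-map, policy-map and zone-pair referenced by the five steps is actually defined.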