Tuesday, 1 March 2011

Cisco Zone-Based Firewall

Zone-based firewalls

A newer way to do stateful packet inspection on routers, introduced after CBAC.

Any two interfaces in the same zone can pass traffic between them.
Two interfaces that are not in any security zone can also pass traffic.
But an interface in zone 1 and an interface in zone 2 cannot pass traffic until we do the following:

1. create a zone pair
2. create a service policy that defines which traffic to allow through

We use the same old MQC framework: class-map, policy-map and service-policy.

The one additional piece is the parameter map.

To build and apply the policy map:

! Class map: match-all means both conditions must hold (TCP and access list 999)
class-map type inspect match-all CMAP_TCP
 match protocol tcp
 match access-group 999
! access list 999 is referenced but not defined in the post; it must exist for the
! class to match (IOS numbered ACLs use 1-99, 100-199, 1300-1999 or 2000-2699)

! Parameter map: tunes inspection (session logging, half-open session limits)
parameter-map type inspect myparams
 audit-trail on
 max-incomplete high 1000

! Policy map: inspect the matched traffic using the parameter map
policy-map type inspect PMAP_OUT
 class type inspect CMAP_TCP
  inspect myparams

zone security INSIDE
zone security OUTSIDE

interface fa0/0
 zone-member security INSIDE

interface fa0/1
 zone-member security OUTSIDE

! The zone pair is one-directional (INSIDE to OUTSIDE); return traffic of
! inspected sessions is allowed by the state table
zone-pair security OUTBOUND source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_OUT

So in the end, TCP traffic that also matches access list 999 is inspected and allowed from INSIDE to OUTSIDE.

sh zone security
sh zone-pair security
show policy-map type inspect zone-pair sessions
show class-map type inspect
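As an added example (not code from the post), a small Python script that pulls the zone, zone-member and zone-pair statements out of IOS config text and applies the zone rules described above to decide whether a new session between two interfaces will be allowed. The DMZ zone, interfaces fa0/2 and fa1/0, and the zone-pair with no service-policy are assumed sample data added to show the drop cases.

```python
import re

# Constructed sample config: the post's example plus an assumed DMZ zone and a
# zone-pair (DMZ_IN) that has no service-policy attached.
SAMPLE_CONFIG = """
zone security INSIDE
zone security OUTSIDE
zone security DMZ
interface fa0/0
 zone-member security INSIDE
interface fa0/1
 zone-member security OUTSIDE
interface fa0/2
 zone-member security DMZ
interface fa1/0
zone-pair security OUTBOUND source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_OUT
zone-pair security DMZ_IN source DMZ destination INSIDE
"""

def parse_zbf(config):
    """Return (zones, interface->zone, {(src, dst): policy-map name or None})."""
    zones, members, pairs = set(), {}, {}
    iface = pair = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            iface, pair = m.group(1), None
        elif (m := re.match(r"zone-member security (\S+)$", line)) and iface:
            members[iface] = m.group(1)
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            pair, iface = (m.group(1), m.group(2)), None
            pairs.setdefault(pair, None)  # a pair with no policy drops traffic
        elif (m := re.match(r"service-policy type inspect (\S+)$", line)) and pair:
            pairs[pair] = m.group(1)
    return zones, members, pairs

def session_allowed(config, in_if, out_if):
    """Can a NEW session entering in_if leave via out_if? Same zone (or both
    unzoned) passes; zoned<->unzoned is dropped; different zones need a zone-pair
    in that direction with a service-policy. Return traffic of inspected sessions
    is matched by the state table, which this function does not model."""
    _, members, pairs = parse_zbf(config)
    src, dst = members.get(in_if), members.get(out_if)
    if src == dst:                   # same zone, or neither interface in a zone
        return True
    if src is None or dst is None:   # one side zoned, the other not: always dropped
        return False
    return pairs.get((src, dst)) is not None
```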
