Zone-based firewalls (ZBF)
The newer way of doing stateful packet inspection on Cisco IOS routers, introduced after (and replacing) CBAC: policy is applied between security zones instead of on individual interfaces.
Default behaviour:
Any two interfaces in the same zone can pass traffic to each other.
Two interfaces that are not in any security zone can pass traffic (plain routing, no inspection).
An interface in a zone cannot pass traffic to an interface that is not in any zone.
Traffic to and from the router itself (the built-in "self" zone) is allowed by default until a zone-pair involving self is configured.
Interfaces in zone 1 and zone 2 cannot pass traffic to each other until we do the following:
1. create a zone-pair (source zone to destination zone; it is unidirectional, so return traffic of an inspected session is allowed by the state table, but new connections in the opposite direction need their own zone-pair)
2. attach a service-policy to the zone-pair that says which traffic to inspect, pass or drop
We use the same old MQC framework: class-map, policy-map and service-policy, all of type inspect.
The additional piece is the parameter-map, which holds the inspection settings (audit trail, timeouts, half-open session limits) and is referenced by the inspect action inside the policy-map.
class-map type inspect match-all CMAP_TCP
 match protocol tcp
 match access-group 999
!
! access-list 999 is referenced above but not shown in these notes; it must be defined separately
!
parameter-map type inspect myparams
 audit-trail on
 max-incomplete high 1000
!
policy-map type inspect PMAP_OUT
 class type inspect CMAP_TCP
  inspect myparams
!
zone security INSIDE
zone security OUTSIDE
!
interface fa0/0
 zone-member security INSIDE
interface fa0/1
 zone-member security OUTSIDE
!
zone-pair security OUTBOUND source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_OUT
So finally, only traffic that is both TCP and permitted by access-list 999 is inspected from INSIDE to OUTSIDE (its return traffic is allowed statefully); everything else in that direction falls into the implicit class-default and is dropped. Because the class-map is match-all, both match statements must hold; use match-any if the intent is "TCP or ACL 999".
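As an added example that is not part of the original notes, the Python below models the default-behaviour rules above and the config just shown: it parses a constructed IOS-style config (the notes' setup plus two non-zoned interfaces, a second INSIDE interface and a match-any class-map, so every rule is exercised) and decides what the router does with a new flow between two interfaces. Names like FastEthernet1/0, CMAP_WEB and the flow dictionaries are assumptions for the demo; ACL contents, return traffic of inspected sessions and the self zone are not modelled.

```python
"""Added example (not from the original notes): decision model for a Cisco IOS
zone-based firewall. Parses a constructed config and answers, for a NEW flow
between two interfaces, whether it is forwarded, dropped, inspected or passed."""

# Constructed sample config (assumption): the notes' setup plus extra pieces.
SAMPLE_CONFIG = """\
class-map type inspect match-all CMAP_TCP
 match protocol tcp
 match access-group 999
class-map type inspect match-any CMAP_WEB
 match protocol http
 match protocol https
policy-map type inspect PMAP_OUT
 class type inspect CMAP_TCP
  inspect myparams
 class type inspect CMAP_WEB
  pass
zone security INSIDE
zone security OUTSIDE
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
interface FastEthernet0/2
 zone-member security INSIDE
interface FastEthernet1/0
interface FastEthernet1/1
zone-pair security OUTBOUND source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_OUT
"""


def parse_zbf(text):
    """Build interface->zone, zone-pair, policy-map and class-map tables."""
    cfg = {"interfaces": {}, "zone_pairs": {}, "policy_maps": {}, "class_maps": {}}
    section = cur_class = None
    for line in text.splitlines():
        w = line.split()
        if not w or line.startswith("!"):
            continue
        if not line.startswith(" "):                      # top-level command
            section, cur_class = None, None
            if w[0] == "interface":
                section = ("interface", w[1])
                cfg["interfaces"].setdefault(w[1], None)  # None = in no zone
            elif w[0] == "class-map":                     # class-map type inspect match-all NAME
                section = ("class-map", w[4])
                cfg["class_maps"][w[4]] = {"mode": w[3], "matches": []}
            elif w[0] == "policy-map":                    # policy-map type inspect NAME
                section = ("policy-map", w[3])
                cfg["policy_maps"][w[3]] = []
            elif w[0] == "zone-pair":                     # zone-pair security NAME source S destination D
                section = ("zone-pair", (w[4], w[6]))
                cfg["zone_pairs"][(w[4], w[6])] = {"name": w[2], "policy": None}
            continue
        if section is None:
            continue
        kind, key = section
        if kind == "interface" and w[0] == "zone-member":
            cfg["interfaces"][key] = w[2]
        elif kind == "class-map" and w[0] == "match":
            cfg["class_maps"][key]["matches"].append((w[1], w[2]))
        elif kind == "policy-map":
            if w[0] == "class":
                cur_class = w[-1]                          # class type inspect NAME
            elif cur_class:
                cfg["policy_maps"][key].append((cur_class, w[0]))  # inspect / pass / drop
        elif kind == "zone-pair" and w[0] == "service-policy":
            cfg["zone_pairs"][key]["policy"] = w[-1]
    return cfg


def class_matches(cmap, flow):
    """match-all: every match line must hold; match-any: one is enough."""
    hits = []
    for kind, value in cmap["matches"]:
        if kind == "protocol":
            hits.append(value in flow["protocols"])
        elif kind == "access-group":
            hits.append(value in flow["permitted_by_acl"])
        else:
            hits.append(False)                             # unmodelled match type
    return bool(hits) and (all(hits) if cmap["mode"] == "match-all" else any(hits))


def zbf_decision(cfg, in_if, out_if, flow):
    """Return (verdict, reason); verdict is forward, drop, inspect or pass."""
    src, dst = cfg["interfaces"].get(in_if), cfg["interfaces"].get(out_if)
    if src is None and dst is None:
        return "forward", "neither interface is in a security zone"
    if src == dst:
        return "forward", f"both interfaces are in zone {src}"
    if src is None or dst is None:
        return "drop", "a zoned interface never talks to a non-zoned one"
    pair = cfg["zone_pairs"].get((src, dst))
    if pair is None or pair["policy"] is None:
        return "drop", f"no zone-pair with a service-policy for {src} -> {dst}"
    for cname, action in cfg["policy_maps"].get(pair["policy"], []):
        if cname == "class-default" or class_matches(cfg["class_maps"][cname], flow):
            return action, f"class {cname} in zone-pair {pair['name']}"
    return "drop", f"implicit class-default of zone-pair {pair['name']}"


if __name__ == "__main__":
    cfg = parse_zbf(SAMPLE_CONFIG)
    tcp_ok = {"protocols": {"tcp"}, "permitted_by_acl": {"999"}}  # constructed flow
    print(zbf_decision(cfg, "FastEthernet0/0", "FastEthernet0/1", tcp_ok))
    print(zbf_decision(cfg, "FastEthernet0/1", "FastEthernet0/0", tcp_ok))
```

A flow is described by the protocols it carries and the ACL numbers that would permit it, so the match-all versus match-any difference shows up directly: TCP that ACL 999 does not permit misses CMAP_TCP and is dropped, while HTTP without the ACL is still passed by the match-any CMAP_WEB. The reverse direction (OUTSIDE to INSIDE) drops because only one zone-pair exists.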
Troubleshooting
show zone security (zones and their member interfaces)
show zone-pair security (zone-pairs and the service-policy attached to each)
show policy-map type inspect zone-pair sessions (active inspected sessions per zone-pair)
show class-map type inspect (class-maps and their match statements)