Another learning block in the 642-637 exam, and more of me being dragged into the 21st century kicking and screaming! No more CBAC, it's all zone based now, with MQC-style configuration on top. Here's a few rules to start us off:
- An interface can be a member of one zone only.
- Many interfaces can be in a single zone.
- Interfaces that are not in any zone act as normal router interfaces, but traffic between a zoned interface and a non-zoned interface is always dropped.
- Once an interface is in a zone, traffic to any other zone is dropped by default: a zone pair with a policy must be added. Traffic between two interfaces in the same zone, and traffic to and from the router itself (the system-defined self zone), is allowed by default.
- Zone-to-zone policies are unidirectional: a pair from INSIDE to OUTSIDE says nothing about OUTSIDE to INSIDE.
Ok, so let's do a quick test. I'll use my trusty 1841 with the security feature set to demonstrate a two-zone firewall set up for internet access from the inside (trusted) zone to the outside (internet) zone.
Step 1 – Set up the zones:

zone security INSIDE
zone security OUTSIDE
Step 2 – Add the interfaces into the zones:

interface FastEthernet0/0
 zone-member security INSIDE
interface Dialer0
 zone-member security OUTSIDE
Step 3 – Identify the outbound traffic:

class-map type inspect match-any MY_PROTOCOLS
 match protocol http
 match protocol dns
 match protocol https
Step 4 – Make the policy map. The inspect action opens a stateful session for every matched connection, so the return traffic is allowed back without any OUTSIDE to INSIDE policy. Anything MY_PROTOCOLS does not match falls into class-default, whose default action is drop, so with only these three protocols inspected a ping from the inside will not get out.

policy-map type inspect MY_MAP
 class type inspect MY_PROTOCOLS
  inspect
Step 5 – Create the zone pair and assign the policy map. The pair is one-way: it covers connections started from INSIDE, and nothing initiated from OUTSIDE is let in unless you build a second pair in that direction.

zone-pair security IN_2_OUT source INSIDE destination OUTSIDE
 service-policy type inspect MY_MAP
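To make the rules above concrete, here is an added example (my code, not the original post's and not a Cisco tool) that reads an IOS running-config dump, flags zone pairs that would silently drop everything, and says how a given transit flow is treated under the default rules. The config text is a constructed copy of the two-zone setup from the steps above plus one interface (FastEthernet0/1) deliberately left in no zone; function and field names are my own. Traffic to or from the router itself goes through the self zone and is not modelled here.

```python
"""Added example, not from the original post: check an IOS config against the
zone-based firewall rules above and say how a given transit flow is treated.
Names are mine; the config is a constructed copy of the page's two-zone setup
plus one interface deliberately left in no zone."""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
class-map type inspect match-any MY_PROTOCOLS
 match protocol http
 match protocol dns
 match protocol https
policy-map type inspect MY_MAP
 class type inspect MY_PROTOCOLS
  inspect
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
interface Dialer0
 zone-member security OUTSIDE
zone-pair security IN_2_OUT source INSIDE destination OUTSIDE
 service-policy type inspect MY_MAP
"""


@dataclass
class ZbfwConfig:
    zones: set = field(default_factory=lambda: {"self"})  # self is system-defined
    iface_zone: dict = field(default_factory=dict)        # interface -> zone
    policy_maps: dict = field(default_factory=dict)       # policy-map -> class-maps used
    zone_pairs: dict = field(default_factory=dict)        # name -> [src, dst, policy|None]


def parse_config(text):
    """Pull the ZBFW-relevant lines out of a running-config dump."""
    cfg, section = ZbfwConfig(), None
    for line in map(str.rstrip, text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # unindented line starts a new top-level block
            section = None
            if m := re.match(r"zone security (\S+)$", line):
                cfg.zones.add(m.group(1))
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                cfg.policy_maps[m.group(1)] = set()
                section = ("policy", m.group(1))
            elif m := re.match(r"interface (\S+)$", line):
                section = ("interface", m.group(1))
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                cfg.zone_pairs[m.group(1)] = [m.group(2), m.group(3), None]
                section = ("pair", m.group(1))
            continue
        if section is None:
            continue
        kind, name, sub = section[0], section[1], line.strip()
        if kind == "interface" and (m := re.match(r"zone-member security (\S+)$", sub)):
            cfg.iface_zone[name] = m.group(1)
        elif kind == "policy" and (m := re.match(r"class type inspect (\S+)$", sub)):
            cfg.policy_maps[name].add(m.group(1))
        elif kind == "pair" and (m := re.match(r"service-policy type inspect (\S+)$", sub)):
            cfg.zone_pairs[name][2] = m.group(1)
    return cfg


def lint(cfg):
    """Dangling references that leave a zone pair silently dropping everything."""
    problems = []
    for name, (src, dst, policy) in cfg.zone_pairs.items():
        problems += [f"zone-pair {name}: zone {z} not defined" for z in (src, dst) if z not in cfg.zones]
        if policy is None:
            problems.append(f"zone-pair {name}: no service-policy, so all traffic is dropped")
        elif policy not in cfg.policy_maps:
            problems.append(f"zone-pair {name}: policy-map {policy} not defined")
    return problems


def verdict(cfg, in_if, out_if):
    """(action, reason) for transit traffic entering in_if and leaving out_if."""
    src, dst = cfg.iface_zone.get(in_if), cfg.iface_zone.get(out_if)
    if src is None and dst is None:
        return "route", "neither interface is in a zone, so the firewall is not involved"
    if src is None or dst is None:
        return "drop", "traffic between a zoned and a non-zoned interface is never allowed"
    if src == dst:
        return "permit", f"both interfaces are in zone {src}; intra-zone traffic passes by default"
    for name, (s, d, policy) in cfg.zone_pairs.items():
        if (s, d) == (src, dst):
            if policy is None:
                return "drop", f"zone-pair {name} exists but carries no service-policy"
            return "policy", f"zone-pair {name} applies {policy}; unmatched traffic hits class-default"
    return "drop", f"no zone-pair from {src} to {dst}; the pair in the other direction does not count"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(lint(cfg) or "lint clean", verdict(cfg, "Dialer0", "FastEthernet0/0"))
```

Running it against the sample prints a clean lint and a drop verdict for Dialer0 to FastEthernet0/0, because IN_2_OUT only covers the INSIDE to OUTSIDE direction. Deleting the service-policy line from the sample makes lint report the pair and turns the INSIDE to OUTSIDE verdict into a drop as well, which is the failure mode you hit when a zone pair is created before its policy is attached.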
Right, pretty simple? Now we need to run a few confirmation commands to make sure it's working.
Router#sh zone security
zone self
  Description: System defined zone

zone INSIDE
  Member Interfaces:
    FastEthernet0/0

zone OUTSIDE
  Member Interfaces:
    Dialer0
Router#show policy-map type inspect zone-pair IN_2_OUT
 Zone-pair: IN_2_OUT
  Service-policy inspect : MY_MAP

    Class-map: MY_PROTOCOLS (match-any)
      Match: protocol http
        158 packets, 6648 bytes
        30 second rate 0 bps
      Match: protocol dns
        290 packets, 13340 bytes
        30 second rate 0 bps
      Match: protocol https
        198 packets, 8584 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [40:31944]
        udp packets: [579:0]
        dns packets: [579:0]

        Session creations since subsystem startup or last reset 637
        Current session counts (estab/half-open/terminating) [6:0:0]
        Maxever session counts (estab/half-open/terminating) [72:23:8]
        Last session created 00:00:40
        Last statistic reset never
        Last session creation rate 4
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        673 packets, 27493 bytes
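The counters in that output are what you would actually watch once the box is in service: packets matched per protocol, the class-default drop count, and the established/half-open/terminating session counts. As an added example (my code, not from the original post, and not a Cisco tool), here is a parser that turns the show output into numbers and a check that a monitoring job could run; the sample text is the page's own output, and the regexes, field names and the half-open threshold are mine.

```python
"""Added example, not from the original post: parse the output of
'show policy-map type inspect zone-pair' into counters so the confirmation
step can be scripted.  Regexes, field names and thresholds are mine."""
import re

# Constructed sample: the page's own output, indented as the router prints it.
SAMPLE_OUTPUT = """\
 Zone-pair: IN_2_OUT
  Service-policy inspect : MY_MAP

    Class-map: MY_PROTOCOLS (match-any)
      Match: protocol http
        158 packets, 6648 bytes
        30 second rate 0 bps
      Match: protocol dns
        290 packets, 13340 bytes
        30 second rate 0 bps
      Match: protocol https
        198 packets, 8584 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [40:31944]
        udp packets: [579:0]
        dns packets: [579:0]

        Session creations since subsystem startup or last reset 637
        Current session counts (estab/half-open/terminating) [6:0:0]
        Maxever session counts (estab/half-open/terminating) [72:23:8]
        Last session created 00:00:40
        Last statistic reset never
        Last session creation rate 4
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        673 packets, 27493 bytes
"""


def parse_zone_pair_stats(text):
    """Return zone pair, policy, per-match packet counts, session counts and default drops."""
    stats = {"zone_pair": None, "policy": None, "matches": {},
             "sessions": {}, "default_drop_packets": 0}
    klass = pending = None  # current class-map, and the match waiting for its counter line
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"Zone-pair: (\S+)", s):
            stats["zone_pair"] = m.group(1)
        elif m := re.match(r"Service-policy inspect : (\S+)", s):
            stats["policy"] = m.group(1)
        elif m := re.match(r"Class-map: (\S+)", s):
            klass, pending = m.group(1), None
        elif m := re.match(r"Match: (.+)", s):
            pending = m.group(1)
        elif s.startswith("Drop (default action)"):
            pending = "drop"
        elif m := re.match(r"(\d+) packets, (\d+) bytes", s):
            if pending == "drop":
                stats["default_drop_packets"] += int(m.group(1))
            elif pending is not None:
                stats["matches"][(klass, pending)] = int(m.group(1))
            pending = None
        elif m := re.match(r"(Current|Maxever) session counts .*\[(\d+):(\d+):(\d+)\]", s):
            stats["sessions"][m.group(1).lower()] = tuple(int(x) for x in m.group(2, 3, 4))
    return stats


def check(stats, zone_pair, policy, max_half_open=50):
    """Problems a monitoring job would flag; the half-open threshold is my own choice."""
    problems = []
    if stats["zone_pair"] != zone_pair or stats["policy"] != policy:
        problems.append(f"expected {policy} on {zone_pair}, saw {stats['policy']} on {stats['zone_pair']}")
    if sum(stats["matches"].values()) == 0:
        problems.append("no packets matched any inspect class: is traffic really crossing this pair?")
    _estab, half_open, _term = stats["sessions"].get("current", (0, 0, 0))
    if half_open > max_half_open:
        problems.append(f"{half_open} half-open sessions: possible SYN flood or broken return path")
    return problems


if __name__ == "__main__":
    stats = parse_zone_pair_stats(SAMPLE_OUTPUT)
    print(stats["matches"], stats["sessions"], stats["default_drop_packets"])
    print(check(stats, "IN_2_OUT", "MY_MAP") or "zone pair looks healthy")
```

A rising class-default drop counter is not necessarily a problem, since it is where every protocol you chose not to inspect ends up, but a sudden jump in it, or a current half-open count near the maxever figure, is worth a look.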