Zone Based Firewall
ZBF (Zone Based Firewall) is the stateful firewall available on Cisco IOS routers, introduced in 2006. ZBF supports deep packet inspection, just like an ASA. ZBF works on the concept of security zones, and you can name the zones whatever you want. In ZBF we don't assign an access-list to the interface. Instead we create zones, assign each interface to a zone (one interface can be a member of only one zone), and apply security policies to the traffic between zones. The default policy is to block all traffic unless we explicitly allow it.
- Zone-Based Model: Interfaces are assigned to zones, and inspection policy is applied to traffic moving between these zones.
- Flexible Configuration: Allows for more granular control of traffic based on zones rather than just interfaces.
- Stateful Inspection: Maintains the state of active sessions and inspects traffic accordingly.
- Successor to CBAC: ZBF is considered the successor to Context-Based Access Control (CBAC), offering enhanced security features.
Let's see the configuration of ZBF:
Topology:
Goal:
- build the topology as shown in the diagram
- assign IP addresses as per the topology
- configure EIGRP 100 and advertise all the interfaces
- configure router-2 for ZBF
- configure zone INSIDE for the LAN and zone OUTSIDE for the internet
- configure an extended ACL
- allow PC 2 to ping server 30.1.1.11
- allow telnet from INSIDE
- leave the rest at the default (deny)
- verify the configurations telnet, ping, and show commands.
(first, configure the IP addresses on PC-1 and PC-2 in the INSIDE zone)
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1
NAME : PC1[1]
IP/MASK : 10.1.1.10/8
GATEWAY : 10.1.1.1
DNS :
MAC : 00:50:79:66:68:00
LPORT : 10026
RHOST:PORT : 127.0.0.1:10027
MTU: : 1500
PC2> ip 10.1.1.11 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.11 255.0.0.0 gateway 10.1.1.1
NAME : PC2[1]
IP/MASK : 10.1.1.11/8
GATEWAY : 10.1.1.1
DNS :
MAC : 00:50:79:66:68:01
LPORT : 10028
RHOST:PORT : 127.0.0.1:10029
MTU: : 1500
PC1> ping 10.1.1.11
84 bytes from 10.1.1.11 icmp_seq=1 ttl=64 time=0.583 ms
84 bytes from 10.1.1.11 icmp_seq=2 ttl=64 time=0.495 ms
84 bytes from 10.1.1.11 icmp_seq=3 ttl=64 time=0.511 ms
84 bytes from 10.1.1.11 icmp_seq=4 ttl=64 time=0.780 ms
84 bytes from 10.1.1.11 icmp_seq=5 ttl=64 time=0.759 ms
Configure the IP addresses between the routers and LAN interfaces
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 4/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R2(config)#interface serial 4/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 4/1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R3(config)#interface serial 4/1
R3(config-if)#ip address 192.168.2.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit
Configure the IP addresses on server-1 and server-2 in the outside zone
server2> ip 30.1.1.10 255.0.0.0 30.1.1.1
Checking for duplicate address...
PC1 : 30.1.1.10 255.0.0.0 gateway 30.1.1.1
NAME : server2[1]
IP/MASK : 30.1.1.10/8
GATEWAY : 30.1.1.1
DNS :
MAC : 00:50:79:66:68:04
LPORT : 10034
RHOST:PORT : 127.0.0.1:10035
MTU: : 1500
Checking for duplicate address...
PC1 : 30.1.1.11 255.0.0.0 gateway 30.1.1.1
NAME : server[1]
IP/MASK : 30.1.1.11/8
GATEWAY : 30.1.1.1
DNS :
MAC : 00:50:79:66:68:05
LPORT : 10036
RHOST:PORT : 127.0.0.1:10037
MTU: : 1500
Configure routing between routers and advertise directly connected interfaces
R1(config)#router eigrp 100
R1(config-router)#network 192.168.1.0
R1(config-router)#network 10.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit
R2(config)#router eigrp 100
R2(config-router)#network 192.168.1.0
R2(config-router)#network 192.168.2.1
R2(config-router)#no auto-summary
R2(config-router)#exit
R3(config)#router eigrp 100
R3(config-router)#network 192.168.2.0
R3(config-router)#network 30.0.0.0
R3(config-router)#no auto-summary
R3(config-router)#exit
Verify the connectivity with a ping from PC-1 to server-1
PC1> show ip
NAME : PC1[1]
IP/MASK : 10.1.1.10/8
GATEWAY : 10.1.1.1
PC1> ping 30.1.1.10
84 bytes from 30.1.1.10 icmp_seq=1 ttl=61 time=115.597 ms
84 bytes from 30.1.1.10 icmp_seq=2 ttl=61 time=94.468 ms
84 bytes from 30.1.1.10 icmp_seq=3 ttl=61 time=94.519 ms
84 bytes from 30.1.1.10 icmp_seq=4 ttl=61 time=78.793 ms
84 bytes from 30.1.1.10 icmp_seq=5 ttl=61 time=78.209 ms
As you can see, the connectivity is good. Now configure telnet (the vty lines) on the routers used for testing; do not configure a login password.
R1(config-line)#no login
R1(config-line)#exit
*Jun 17 11:54:55.771: %SYS-5-CONFIG_I: Configured from console by console
R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open
R3>
R3>
R3>
Our inside router-1 can telnet to router-3. In the same way, configure telnet on router-3:
R3(config)#line vty 0 4
R3(config-line)#lo
R3(config-line)#no login
R3(config-line)#exit
R3(config)#end
R3#
R3#
R3#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
R1>
R1>
R1>
R1>
Now configure the zone INSIDE for our LAN traffic and the zone OUTSIDE for the internet:
R2(config)#zone security INSIDE
R2(config-sec-zone)#exit
R2(config)#zone security OUTSIDE
R2(config-sec-zone)#exit
R2(config)#interface serial 4/0
R2(config-if)#zone-member security INSIDE
R2(config-if)#exit
R2(config)#interface serial 4/1
R2(config-if)#zone-member security OUTSIDE
R2(config-if)#exit
The default policy is to block all traffic unless we explicitly allow it, so now configure an ACL that permits 10.1.1.11 to ping and permits 10.1.1.1 to telnet.
R2(config)#ip access-list extended 150
R2(config-ext-nacl)#permit icmp host 10.1.1.11 any echo
R2(config-ext-nacl)#permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet
R2(config-ext-nacl)#exit
Extended IP access list 150
10 permit icmp host 10.1.1.11 any echo (3 matches)
30 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet (1 match)
Configure a class map to classify the traffic to be inspected
R2(config-cmap)#match access-group 150
Configure a policy map to define the ZBF policy for the classified traffic
R2(config)#policy-map type inspect INSIDE-OUTSIDE-POLICY
R2(config-pmap)#class type inspect INSIDE-OUTSIDE-CLASS
R2(config-pmap-c)#inspect
R2(config-pmap-c)#exit
R2(config-pmap)#exit
Configure the zone pair (source INSIDE, destination OUTSIDE) and attach the inspect policy to it
R2(config)#zone-pair security INSIDE-OUTSIDE-PAIR source INSIDE destination OUTSIDE
R2(config-sec-zone-pair)#service-policy type inspect INSIDE-OUTSIDE-POLICY
R2(config-sec-zone-pair)#exit
From router-1, try to access router-3 with telnet
Trying 30.1.1.1 ... Open
R3>
R3>
R3>
R3>show ip interface br
Interface          IP-Address    OK? Method Status  Protocol
FastEthernet0/0    30.1.1.1      YES manual up      up
Serial4/1          192.168.2.2   YES manual up      up
As you can see, router-1 can access router-3 remotely with telnet, because we allowed it.
R3#telnet 10.1.1.1 /source-interface fastEthernet 0/0
Trying 10.1.1.1 ...
% Connection timed out; remote host not responding
But router-3 cannot access router-1 with telnet, because we didn't allow it: by default, all traffic is blocked.
NAME : PC1[1]
IP/MASK : 10.1.1.10/8
GATEWAY : 10.1.1.1
30.1.1.11 icmp_seq=1 timeout
30.1.1.11 icmp_seq=2 timeout
30.1.1.11 icmp_seq=3 timeout
30.1.1.11 icmp_seq=4 timeout
30.1.1.11 icmp_seq=5 timeout
From the above output you can see that PC-1 cannot ping the servers, because we didn't allow it. We allowed only PC-2 (10.1.1.11) to ping any network.
NAME : PC2[1]
IP/MASK : 10.1.1.11/8
GATEWAY : 10.1.1.1
PC2> ping 30.1.1.11
84 bytes from 30.1.1.11 icmp_seq=1 ttl=61 time=127.289 ms
84 bytes from 30.1.1.11 icmp_seq=2 ttl=61 time=94.466 ms
84 bytes from 30.1.1.11 icmp_seq=3 ttl=61 time=94.540 ms
84 bytes from 30.1.1.11 icmp_seq=4 ttl=61 time=93.967 ms
84 bytes from 30.1.1.11 icmp_seq=5 ttl=61 time=94.784 ms
Zone-pair name INSIDE-OUTSIDE-PAIR
Source-Zone INSIDE Destination-Zone OUTSIDE
service-policy INSIDE-OUTSIDE-POLICY
Extended IP access list 150
10 permit icmp host 10.1.1.11 any echo (3 matches)
30 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet (1 match)
R2#show zone security INSIDE
zone INSIDE
Member Interfaces:
Serial4/0
R2#show zone security OUTSIDE
zone OUTSIDE
Member Interfaces:
Serial4/1
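To make the policy semantics behind the verification above concrete, here is a small Python model of R2's ZBF configuration, written as an added example for this post (it is not IOS code and not the author's). It assumes Serial4/0 is in INSIDE and Serial4/1 in OUTSIDE as the show commands confirm, that the policy's implicit class-default drops, and it does not model the router's own self zone or session timeouts.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# A transit packet on R2: ingress/egress interface, addresses, protocol, ports.
# For ICMP, dport carries the ICMP type (8 = echo, 0 = echo-reply) and sport is 0.
Packet = namedtuple("Packet", "in_if out_if src dst proto sport dport")
# Zone membership of R2's interfaces, as "show zone security" confirms.
ZONE_OF = {"Serial4/0": "INSIDE", "Serial4/1": "OUTSIDE"}
# access-list 150 as (proto, src, dst, port): port is a TCP destination port or ICMP type.
ACL_150 = [("icmp", "10.1.1.11/32", "0.0.0.0/0", 8),
           ("tcp", "10.1.1.1/32", "30.1.1.1/32", 23)]
# zone-pair INSIDE -> OUTSIDE with INSIDE-OUTSIDE-POLICY; the implicit class-default drops.
ZONE_PAIRS = {("INSIDE", "OUTSIDE"): [("INSIDE-OUTSIDE-CLASS", ACL_150, "inspect")]}

def acl_match(acl, p):
    return any(p.proto == proto and ip_address(p.src) in ip_network(src)
               and ip_address(p.dst) in ip_network(dst) and port == p.dport
               for proto, src, dst, port in acl)

def session_key(p, reverse=False):
    """Session key; ICMP echo/reply is tracked per address pair only (modelling assumption)."""
    ports = (0, 0) if p.proto == "icmp" else (p.sport, p.dport)
    return (p.dst, p.src, p.proto, ports[::-1]) if reverse else (p.src, p.dst, p.proto, ports)

class Zbf:
    def __init__(self):
        self.sessions = set()   # entries created by the inspect action

    def forward(self, p):
        """Return 'permit' or 'drop' for a transit packet and update the session table."""
        if session_key(p, reverse=True) in self.sessions:  # reply to an inspected session
            return "permit"
        src_zone, dst_zone = ZONE_OF[p.in_if], ZONE_OF[p.out_if]
        if src_zone == dst_zone:                            # intra-zone traffic is not policed
            return "permit"
        for _cls, acl, action in ZONE_PAIRS.get((src_zone, dst_zone), []):
            if acl_match(acl, p):
                if action == "inspect":
                    self.sessions.add(session_key(p))
                return "drop" if action == "drop" else "permit"
        return "drop"   # no zone-pair for this direction, or class-default

def lab_results():
    """Replays the walkthrough's verification steps through one firewall instance."""
    fw, IN, OUT = Zbf(), "Serial4/0", "Serial4/1"
    return {
        "pc1_ping":   fw.forward(Packet(IN, OUT, "10.1.1.10", "30.1.1.11", "icmp", 0, 8)),
        "pc2_ping":   fw.forward(Packet(IN, OUT, "10.1.1.11", "30.1.1.11", "icmp", 0, 8)),
        "echo_reply": fw.forward(Packet(OUT, IN, "30.1.1.11", "10.1.1.11", "icmp", 0, 0)),
        "r1_telnet":  fw.forward(Packet(IN, OUT, "10.1.1.1", "30.1.1.1", "tcp", 40001, 23)),
        "r3_telnet":  fw.forward(Packet(OUT, IN, "30.1.1.1", "10.1.1.1", "tcp", 40002, 23)),
    }
```

The echo reply from 30.1.1.11 is permitted only because PC-2's inspected echo created a session; the same reply arriving without that session is dropped, which is the stateful behaviour that distinguishes inspect from a plain pass.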
If you like this blog, please visit our YouTube channel https://www.youtube.com/@internetworkss