Tuesday 18 June 2024

What is the Cisco IOS Zone-Based Firewall on a router? How do you configure ZBF on Cisco routers?

 Zone Based Firewall

ZBF (Zone-Based Firewall, also called the Zone-Based Policy Firewall) is the stateful firewall built into Cisco IOS routers, introduced in 2006 with IOS 12.4(6)T. Like an ASA, it tracks sessions and can perform application-layer (deep packet) inspection. ZBF is built around security zones, which you can name whatever you want. Instead of applying an access-list to an interface, we create zones, assign each interface to exactly one zone (an interface can only be a member of one zone), and attach a security policy to each zone pair, i.e. one direction from a source zone to a destination zone. Traffic between two different zones is dropped unless a policy on that zone pair explicitly inspects or passes it. Two things are allowed without any policy: traffic between interfaces in the same zone, and traffic to or from the router itself (the built-in self zone). An interface that belongs to no zone cannot exchange traffic with any zone member at all.

 

  • Zone-Based Model: Interfaces are assigned to zones, and an inspection policy is applied to traffic moving from one zone to another (per zone pair, per direction).
  • Flexible Configuration: Allows more granular control of traffic based on zones rather than individual interfaces; adding an interface to a zone makes it inherit the zone's policies.
  • Stateful Inspection: Maintains the state of active sessions, so return traffic for an inspected session is allowed without a policy in the reverse direction.
  • Successor to CBAC: ZBF replaces Context-Based Access Control (CBAC), where inspection was applied per interface with ip inspect; the zone model makes the intended traffic directions explicit and defaults to deny.


Let's see the ZBF configuration:

Topology (the diagram is not reproduced here; the addressing below is taken from the configuration that follows):

PC1 (10.1.1.10/8) and PC2 (10.1.1.11/8) connect to R1 Fa0/0 (10.1.1.1/8). R1 S4/0 (192.168.1.1/24) connects to R2 S4/0 (192.168.1.2/24). R2 S4/1 (192.168.2.1/24) connects to R3 S4/1 (192.168.2.2/24). R3 Fa0/0 (30.1.1.1/8) serves server2 (30.1.1.10/8) and server (30.1.1.11/8). R2 is the ZBF router: its S4/0 goes into zone INSIDE and its S4/1 into zone OUTSIDE.

Goal:

  • build the topology described above
  • assign IP addresses as per the topology
  • configure EIGRP 100 and advertise all the interfaces
  • configure router-2 as the ZBF
  • create zone INSIDE for the LAN and zone OUTSIDE for the internet (server) side
  • configure an extended ACL to classify the permitted traffic
  • allow PC-2 to ping server 30.1.1.11
  • allow telnet from INSIDE (router-1 to router-3)
  • leave everything else to the default (drop)
  • verify the configuration with telnet, ping, and show commands



(First, configure the IP addresses on PC-1 and PC-2, which sit behind R1 in what will become the INSIDE zone.)

PC1> ip 10.1.1.10 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1

PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1

DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10026
RHOST:PORT  : 127.0.0.1:10027
MTU:        : 1500

PC2> ip 10.1.1.11 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.11 255.0.0.0 gateway 10.1.1.1

PC2> show ip
NAME        : PC2[1]
IP/MASK     : 10.1.1.11/8
GATEWAY     : 10.1.1.1

DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10028
RHOST:PORT  : 127.0.0.1:10029
MTU:        : 1500

PC1> ping 10.1.1.11
84 bytes from 10.1.1.11 icmp_seq=1 ttl=64 time=0.583 ms
84 bytes from 10.1.1.11 icmp_seq=2 ttl=64 time=0.495 ms
84 bytes from 10.1.1.11 icmp_seq=3 ttl=64 time=0.511 ms
84 bytes from 10.1.1.11 icmp_seq=4 ttl=64 time=0.780 ms
84 bytes from 10.1.1.11 icmp_seq=5 ttl=64 time=0.759 ms

Configure the IP addresses on the router serial links and the LAN interfaces


R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface serial 4/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 192.168.2.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

Configure the IP addresses on the two servers (server2 at 30.1.1.10 and server at 30.1.1.11), which sit behind R3 in what will become the OUTSIDE zone


server2> ip 30.1.1.10 255.0.0.0 30.1.1.1
Checking for duplicate address...
PC1 : 30.1.1.10 255.0.0.0 gateway 30.1.1.1

server2> show ip
NAME        : server2[1]
IP/MASK     : 30.1.1.10/8
GATEWAY     : 30.1.1.1

DNS         :
MAC         : 00:50:79:66:68:04
LPORT       : 10034
RHOST:PORT  : 127.0.0.1:10035
MTU:        : 1500

server> ip 30.1.1.11 255.0.0.0 30.1.1.1
Checking for duplicate address...
PC1 : 30.1.1.11 255.0.0.0 gateway 30.1.1.1

server> show ip
NAME        : server[1]
IP/MASK     : 30.1.1.11/8
GATEWAY     : 30.1.1.1

DNS         :
MAC         : 00:50:79:66:68:05
LPORT       : 10036
RHOST:PORT  : 127.0.0.1:10037
MTU:        : 1500


Configure EIGRP 100 between the routers and advertise the directly connected networks (the network statements are classful, so 10.0.0.0 and 30.0.0.0 cover the /8 LANs and 192.168.x.0 covers each serial link)


R1(config)#router eigrp 100
R1(config-router)#network 192.168.1.0
R1(config-router)#network 10.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit

R2(config)#router eigrp 100
R2(config-router)#network 192.168.1.0
R2(config-router)#network 192.168.2.0
R2(config-router)#no auto-summary
R2(config-router)#exit

R3(config)#router eigrp 100
R3(config-router)#network 192.168.2.0
R3(config-router)#network 30.0.0.0
R3(config-router)#no auto-summary
R3(config-router)#exit


Verify connectivity with a ping from PC-1 to 30.1.1.10 (server2). At this point there is no firewall yet, so everything should be reachable:


PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1


PC1> ping 30.1.1.10
84 bytes from 30.1.1.10 icmp_seq=1 ttl=61 time=115.597 ms
84 bytes from 30.1.1.10 icmp_seq=2 ttl=61 time=94.468 ms
84 bytes from 30.1.1.10 icmp_seq=3 ttl=61 time=94.519 ms
84 bytes from 30.1.1.10 icmp_seq=4 ttl=61 time=78.793 ms
84 bytes from 30.1.1.10 icmp_seq=5 ttl=61 time=78.209 ms


As you can see, connectivity is good. Now enable telnet on router-1 and router-3 for testing; for this lab we do not configure a login password. Never do this outside a lab: on a real device require credentials (login local with a username) and use transport input ssh instead of clear-text telnet.



R1(config)#line vty 0 4
R1(config-line)#no login
R1(config-line)#exit

*Jun 17 11:54:55.771: %SYS-5-CONFIG_I: Configured from console by console
R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

R3>


Our inside router-1 can telnet to router-3. In the same way, configure telnet on router-3:



R3(config)#line vty 0 4
R3(config-line)#no login
R3(config-line)#exit
R3(config)#end
R3#
R3#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
R1>


Now create a zone named INSIDE for our LAN traffic and a zone named OUTSIDE for the server side, then put R2's interfaces into them (each interface can belong to only one zone):

R2(config)#zone security INSIDE
R2(config-sec-zone)#exit
R2(config)#zone security OUTSIDE
R2(config-sec-zone)#exit

R2(config)#interface serial 4/0
R2(config-if)#zone-member security INSIDE
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#zone-member security OUTSIDE
R2(config-if)#exit

The default policy between zones is to drop all traffic unless we explicitly allow it. So now configure an ACL that permits 10.1.1.11 to ping and permits 10.1.1.1 to telnet to 30.1.1.1. This ACL is only used to classify traffic for the firewall; it is not applied to any interface.


R2(config)#ip access-list extended 150
R2(config-ext-nacl)#permit icmp host 10.1.1.11 any echo
R2(config-ext-nacl)#permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet
R2(config-ext-nacl)#exit

R2#show access-lists 150
Extended IP access list 150
    10 permit icmp host 10.1.1.11 any echo (3 matches)
    30 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet (1 match)


Configure a class map that references the ACL to classify the traffic to be inspected:


R2(config)#class-map type inspect INSIDE-OUTSIDE-CLASS
R2(config-cmap)#match access-group 150
R2(config-cmap)#exit

Configure a policy map that applies the inspect action to the classified traffic. Because the action is inspect, the return packets of these sessions are admitted by the firewall's state table, so no reverse zone pair is needed for replies. Anything that does not match the class falls into class-default, which is dropped:


R2(config)#policy-map type inspect INSIDE-OUTSIDE-POLICY
R2(config-pmap)#class type inspect INSIDE-OUTSIDE-CLASS
R2(config-pmap-c)#inspect
R2(config-pmap-c)#exit
R2(config-pmap)#exit

Configure the zone pair (direction INSIDE to OUTSIDE) and attach the policy. Note that the command is zone-pair security:

R2(config)#zone-pair security INSIDE-OUTSIDE-PAIR source INSIDE destination OUTSIDE
R2(config-sec-zone-pair)#service-policy type inspect INSIDE-OUTSIDE-POLICY
R2(config-sec-zone-pair)#exit
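The steps above, gathered into one complete R2 configuration, as an added example rather than the original post's transcript. It uses the same interfaces, addresses and names as the lab. Two things are added that the post does not show: a drop log action on class-default so that denied connections appear in syslog instead of vanishing silently, and zone descriptions (the description text and the match-all keyword are my assumptions; match-all is the default anyway). EIGRP between R1, R2 and R3 keeps working without any zone pair because traffic to and from the router itself belongs to the built-in self zone, which is allowed by default.

```cisco
! R2 - complete Zone-Based Firewall configuration (added example)
! Assumes: S4/0 faces the LAN through R1 (INSIDE), S4/1 faces the servers
! through R3 (OUTSIDE). Descriptions are assumed, not from the original post.
!
zone security INSIDE
 description LAN side, reached via R1
zone security OUTSIDE
 description server side, reached via R3
!
! Classification ACL: only the hosts the goal names may initiate sessions.
! This ACL is referenced from the class map, never applied to an interface.
ip access-list extended 150
 permit icmp host 10.1.1.11 any echo
 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet
!
class-map type inspect match-all INSIDE-OUTSIDE-CLASS
 match access-group 150
!
! "inspect" creates a session entry, so replies from OUTSIDE are admitted
! without a reverse zone pair. class-default is dropped even if omitted;
! "drop log" makes each denied connection attempt visible in syslog.
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect INSIDE-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! One zone pair, one direction. There is no OUTSIDE->INSIDE pair, so
! connections started from the server side are dropped by default.
zone-pair security INSIDE-OUTSIDE-PAIR source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
!
! Each interface belongs to exactly one zone. An interface in no zone cannot
! exchange traffic with any zone member, so assign every routed interface.
interface Serial4/0
 zone-member security INSIDE
interface Serial4/1
 zone-member security OUTSIDE
!
! Verification, from privileged EXEC (outputs not reproduced here):
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair INSIDE-OUTSIDE-PAIR
! show policy-map type inspect zone-pair INSIDE-OUTSIDE-PAIR sessions
```

The last show command lists the sessions the firewall is currently tracking; running it while PC-2's ping or router-1's telnet is active shows the state entry that lets the return traffic through, and running it after an attempt from router-3 shows nothing, because no session was ever created in that direction.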


From router-1, try to reach router-3 with telnet, sourcing the connection from Fa0/0 (10.1.1.1) so that it matches the ACL:


R1#telnet 30.1.1.1 telnet /source-interface fastEthernet 0/0
Trying 30.1.1.1 ... Open
R3>

R3>show ip interface br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/1                  192.168.2.2     YES manual up                    up


As you can see, router-1 can reach router-3 remotely with telnet, because the session from 10.1.1.1 to 30.1.1.1 port 23 matches the ACL and is inspected. Now try the reverse direction:


R3#telnet 10.1.1.1 /source-interface fastEthernet 0/0
Trying 10.1.1.1 ...
% Connection timed out; remote host not responding


But router-3 cannot telnet to router-1: there is no zone pair from OUTSIDE to INSIDE, so by default every connection initiated in that direction is dropped. (Replies to the inspected INSIDE-to-OUTSIDE sessions still pass, because the firewall tracks their state.) The same applies to the PCs:


PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1




PC1> ping 30.1.1.11
30.1.1.11 icmp_seq=1 timeout
30.1.1.11 icmp_seq=2 timeout
30.1.1.11 icmp_seq=3 timeout
30.1.1.11 icmp_seq=4 timeout
30.1.1.11 icmp_seq=5 timeout

From the output above, PC-1 cannot ping the servers because we did not allow it; only PC-2 (10.1.1.11) is permitted to ping any network:

PC2> show ip
NAME        : PC2[1]
IP/MASK     : 10.1.1.11/8
GATEWAY     : 10.1.1.1


PC2> ping 30.1.1.11
84 bytes from 30.1.1.11 icmp_seq=1 ttl=61 time=127.289 ms
84 bytes from 30.1.1.11 icmp_seq=2 ttl=61 time=94.466 ms
84 bytes from 30.1.1.11 icmp_seq=3 ttl=61 time=94.540 ms
84 bytes from 30.1.1.11 icmp_seq=4 ttl=61 time=93.967 ms
84 bytes from 30.1.1.11 icmp_seq=5 ttl=61 time=94.784 ms


Finally, verify the firewall configuration on R2 with show commands:

R2#show zone-pair security
Zone-pair name INSIDE-OUTSIDE-PAIR
    Source-Zone INSIDE  Destination-Zone OUTSIDE
    service-policy INSIDE-OUTSIDE-POLICY



R2#show access-lists 150
Extended IP access list 150
    10 permit icmp host 10.1.1.11 any echo (3 matches)
    30 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet (1 match)


R2#show zone security INSIDE
zone INSIDE
  Member Interfaces:
    Serial4/0


R2#show zone security OUTSIDE
zone OUTSIDE
  Member Interfaces:
    Serial4/1


if you like this blog please visit to our YouTube channel https://www.youtube.com/@internetworkss


2 comments:

Anonymous said...

Thanks so much

Anonymous said...

In R2, Network advertisement of EIGRP network is 192.168.2.0
