Zone based firewall on Cisco

Zone Based Firewall.
Suppose we have a router with three interfaces: one to the Internet, one to the office LAN and one to the office server farm. We create one zone per interface: INTERNET, LAN and DMZ.
Between three zones there are 6 possible traffic directions (zone pairs), and we have to make a decision for each of them:

LAN → INTERNET
INTERNET → LAN
LAN → DMZ
DMZ → LAN
DMZ → INTERNET
INTERNET → DMZ

Our office security policy is:
1. LAN → INTERNET: allow all traffic initiated from the LAN, plus the return traffic of those connections (the inspect action is what makes the firewall stateful: it records the outgoing session and admits only replies that belong to it).
2. INTERNET → LAN: no traffic initiated from the Internet is allowed (this is the default: when no zone-pair exists between two zones, all traffic between them is dropped, so no rules are needed).
3. LAN → DMZ: allow TCP 22, 80, 443, UDP 67 and 68 (DHCP), UDP 53 (DNS) and ICMP.
4. DMZ → LAN: block everything (default, no rules needed).
5. DMZ → INTERNET: allow NTP, HTTP (80), HTTPS (443) and DNS; deny everything else, the servers do not need to reach anything more.
6. INTERNET → DMZ: allow 80, 443, 22, ICMP and IPsec (IP protocol 50 ESP, IP protocol 51 AH, and UDP 500 for IKE/ISAKMP; IKE uses UDP, not TCP, and if a peer sits behind NAT, UDP 4500 for NAT-T is needed as well).

Two things the policy does not spell out but which matter in practice. First, traffic to or from the router itself (management SSH, routing protocols, DHCP packets the router relays with ip helper-address) belongs to the built-in self zone, which is allowed by default unless a zone-pair involving self is configured; the DHCP entries in the LAN → DMZ rule only apply to DHCP packets that cross the router unicast, such as lease renewals sent directly to the server. Second, ESP and AH carry no connection state the firewall can track, so Cisco recommends the pass action rather than inspect for them, and because pass creates no return-traffic entry it must then be configured in both zone-pairs (INTERNET → DMZ and DMZ → INTERNET).

Configuration steps:
1. Define zones in Cisco router:

Router(config)# zone security INTERNET
Router(config)# zone security LAN
Router(config)# zone security DMZ

2. Define class-maps for the different types of traffic:

Access lists are needed first for the ports and protocols that have no “match protocol” keyword (DHCP, the IPsec protocols):
– ACL for all traffic (permit ip any any already covers TCP and UDP, so one line is enough):

Router(config)# ip access-list extended INSPECTALL
Router(config-ext-nacl)# permit ip any any

– ACL for DHCP:
Router(config)# ip access-list extended DHCP
Router(config-ext-nacl)# permit udp any any eq 67
Router(config-ext-nacl)# permit udp any any eq 68

– ACL for IPsec (esp and ahp are the IOS keywords for IP protocols 50 and 51; the UDP 4500 entry is only needed when a peer is behind NAT):
Router(config)# ip access-list extended IPSEC
Router(config-ext-nacl)# permit esp any any
Router(config-ext-nacl)# permit ahp any any
Router(config-ext-nacl)# permit udp any any eq 500
Router(config-ext-nacl)# permit udp any any eq 4500

Router(config)# class-map type inspect match-any LAN-INTERNET
Router(config-cmap)# match access-group name INSPECTALL

Router(config)# class-map type inspect match-any LAN-DMZ
Router(config-cmap)# match protocol ssh
Router(config-cmap)# match protocol http
Router(config-cmap)# match protocol https
Router(config-cmap)# match protocol icmp
Router(config-cmap)# match protocol dns
Router(config-cmap)# match access-group name DHCP

Router(config)# class-map type inspect match-any DMZ-INTERNET
Router(config-cmap)# match protocol ntp
Router(config-cmap)# match protocol http
Router(config-cmap)# match protocol https
Router(config-cmap)# match protocol icmp
Router(config-cmap)# match protocol dns

Router(config)# class-map type inspect match-any INTERNET-DMZ
Router(config-cmap)# match protocol http
Router(config-cmap)# match protocol https
Router(config-cmap)# match protocol icmp
Router(config-cmap)# match protocol ssh
Router(config-cmap)# match access-group name IPSEC

3. Define a policy for each class-map (traffic that matches no class falls into class-default, which drops it):
Router(config)# policy-map type inspect LAN-INTERNET
Router(config-pmap)# class type inspect LAN-INTERNET
Router(config-pmap-c)# inspect

Router(config)# policy-map type inspect LAN-DMZ
Router(config-pmap)# class type inspect LAN-DMZ
Router(config-pmap-c)# inspect

Router(config)# policy-map type inspect DMZ-INTERNET
Router(config-pmap)# class type inspect DMZ-INTERNET
Router(config-pmap-c)# inspect

Router(config)# policy-map type inspect INTERNET-DMZ
Router(config-pmap)# class type inspect INTERNET-DMZ
Router(config-pmap-c)# inspect

4. Create the zone pairs and attach the policies
Router(config)# zone-pair security LAN-INTERNET source LAN destination INTERNET
Router(config-sec-zone-pair)# service-policy type inspect LAN-INTERNET

Router(config)# zone-pair security LAN-DMZ source LAN destination DMZ
Router(config-sec-zone-pair)# service-policy type inspect LAN-DMZ

Router(config)# zone-pair security DMZ-INTERNET source DMZ destination INTERNET
Router(config-sec-zone-pair)# service-policy type inspect DMZ-INTERNET

Router(config)# zone-pair security INTERNET-DMZ source INTERNET destination DMZ
Router(config-sec-zone-pair)# service-policy type inspect INTERNET-DMZ

5. Put the interfaces into their zones (the policy takes effect as soon as an interface becomes a zone member, so do this last)
Router(config)# interface fa0/0
Router(config-if)# zone-member security LAN

Router(config)# interface fa0/1
Router(config-if)# zone-member security INTERNET

Router(config)# interface fa1/0
Router(config-if)# zone-member security DMZ
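The five steps above are easy to get subtly wrong by hand: a class-map name that does not match the policy-map, a zone pair that was never created, or a pass class without its reverse counterpart. The following Python model is an added example and not part of the original page. It generates the IOS configuration from a small rule table so that the names stay consistent, lists the zone pairs left to the implicit deny, and answers "does this flow get through?" for a first packet and for its reply, which makes the difference between inspect (stateful) and pass (no return entry) concrete. The zone, ACL and class names follow the page; the rule table, the separate INTERNET-DMZ-IPSEC class with the pass action, the class-default drop log and the function names are this example's own choices.

```python
"""Added example (not from the original page): a small model of the zone-based firewall.
Generates the IOS config from a rule table, lists implicitly denied zone pairs, and decides
whether a flow and its reply are admitted under 'inspect' versus 'pass'."""
from collections import OrderedDict
from dataclasses import dataclass, field

ZONES = ["INTERNET", "LAN", "DMZ"]


@dataclass
class Rule:
    cls: str                                       # class-map name
    src: str                                       # source zone
    dst: str                                       # destination zone
    protocols: list = field(default_factory=list)  # "match protocol" keywords
    acls: dict = field(default_factory=dict)       # ACL name -> entries, for what NBAR lacks
    action: str = "inspect"                        # inspect (stateful) or pass (stateless)


# Rule table following the page's policy; the IPSEC class is split out with 'pass',
# which Cisco recommends for ESP/AH because there is no L4 state to track (example choice).
POLICY = [
    Rule("LAN-INTERNET", "LAN", "INTERNET", acls={"INSPECTALL": ["permit ip any any"]}),
    Rule("LAN-DMZ", "LAN", "DMZ", ["ssh", "http", "https", "icmp", "dns"],
         {"DHCP": ["permit udp any any eq 67", "permit udp any any eq 68"]}),
    Rule("DMZ-INTERNET", "DMZ", "INTERNET", ["ntp", "http", "https", "icmp", "dns"]),
    Rule("INTERNET-DMZ", "INTERNET", "DMZ", ["http", "https", "icmp", "ssh"]),
    Rule("INTERNET-DMZ-IPSEC", "INTERNET", "DMZ",
         acls={"IPSEC": ["permit esp any any", "permit ahp any any",
                         "permit udp any any eq 500"]}, action="pass"),
]


def _matches(rule, match):
    """True if `match` (a protocol keyword or ACL name) is something this class matches."""
    return match in rule.protocols or match in rule.acls


def by_pair(policy):
    """Group rules by (src, dst): one zone-pair carries one policy-map with several classes."""
    pairs = OrderedDict()
    for r in policy:
        pairs.setdefault((r.src, r.dst), []).append(r)
    return pairs


def generate(policy, zones=ZONES):
    """Emit IOS configuration lines in the same order as the page's steps 1 to 4."""
    lines = [f"zone security {z}" for z in zones]
    for r in policy:                                   # step 2a: ACLs
        for acl, entries in r.acls.items():
            lines.append(f"ip access-list extended {acl}")
            lines.extend(f" {e}" for e in entries)
    for r in policy:                                   # step 2b: class-maps
        lines.append(f"class-map type inspect match-any {r.cls}")
        lines.extend(f" match protocol {p}" for p in r.protocols)
        lines.extend(f" match access-group name {a}" for a in r.acls)
    for (src, dst), rules in by_pair(policy).items():  # steps 3 and 4
        name = f"{src}-{dst}"
        lines.append(f"policy-map type inspect {name}")
        for r in rules:
            lines.extend([f" class type inspect {r.cls}", f"  {r.action}"])
        # class-default drops anyway; 'log' makes the denied traffic visible in syslog
        lines.extend([" class class-default", "  drop log"])
        lines.append(f"zone-pair security {name} source {src} destination {dst}")
        lines.append(f" service-policy type inspect {name}")
    return lines


def uncovered_pairs(policy, zones=ZONES):
    """Zone pairs with no policy: everything in that direction hits the implicit deny."""
    covered = set(by_pair(policy))
    return sorted((a, b) for a in zones for b in zones if a != b and (a, b) not in covered)


def allowed(policy, src, dst, match, reply=False):
    """Is a flow matched by `match` permitted from src to dst?  With reply=True the question
    is about the answer packets, which travel dst -> src: an 'inspect' class created a
    session entry that admits them; a 'pass' class did not, so the reverse zone-pair needs
    its own class that matches them."""
    forward = [r for r in policy if (r.src, r.dst) == (src, dst) and _matches(r, match)]
    if not forward:
        return False                      # no zone-pair at all, or class-default drop
    if not reply or any(r.action == "inspect" for r in forward):
        return True
    return any((r.src, r.dst) == (dst, src) and _matches(r, match) for r in policy)


if __name__ == "__main__":
    print("\n".join(generate(POLICY)))
    print("implicit deny:", uncovered_pairs(POLICY))
    print("IPsec replies INTERNET->DMZ:", allowed(POLICY, "INTERNET", "DMZ", "IPSEC", reply=True))
```

Running it prints the generated configuration followed by the two pairs that rely on the implicit deny, (DMZ, LAN) and (INTERNET, LAN), and shows that with the IPSEC class only on the INTERNET → DMZ pair the VPN's reply packets are not admitted; adding a matching pass class on DMZ → INTERNET fixes that, which is the "pass in both directions" caveat from the policy section.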

Show commands to verify the result:

show zone security (zones and the interfaces that are members of each)
show zone-pair security (zone pairs and the policy attached to each)
show policy-map type inspect zone-pair (per-class counters and active sessions for every zone pair)
show policy-map type inspect zone-pair | begin LAN-INTERNET (the same output, starting at the LAN-INTERNET pair)