13.1 Key Terms
zones = The grouping of multiple interfaces under a similar security policy, such as inside or outside.
zone pairs = The unidirectional flow of initial traffic between two zones. An example is a zone pair that begins in the inside zone and goes to the outside zone. Policies can then be applied to initial traffic moving in the direction of the zone pair (in our case, from inside to outside).
class map type inspect = This special type of class map defines specific classes and types of traffic to be used for further inspection in Zone-Based Firewalls on IOS routers.
policy map type inspect = The policy map type associated with Zone-Based Firewalls on the IOS. The ASA also has special-purpose policy maps for deep packet inspection.
service policy = Just like in MQC for quality of service (QoS), this is the command that ties a policy to an interface (QoS) or to a zone pair (ZBF). On an ASA, this is the command element that links a policy to one or more interfaces.
PAT = Port Address Translation. This is a subset of NAT, with multiple devices being mapped to a single address. It is also referred to as a many-to-one translation.
13.2 Things to Remember
13.2.1 Policy Map Actions
Policy Action > Description > When to Use It
Inspect > Permit and statefully inspect the traffic > Use on transit traffic initiated by users who expect to get replies from devices on the other side of the firewall.
Pass > Permits/allows the traffic but does not create an entry in the stateful database > Traffic that does not need a reply. Also, for protocols that do not support inspection, this policy can be applied to the zone pair for specific outbound traffic and applied again to a second zone pair for the inbound (return) traffic.
Drop > Deny the packet > Traffic you do not want to allow between the zones where this policy map is applied.
Log > Log the packets > If you want to see log information about packets that were dropped because of policy, you can add this option.
13.2.2 Traffic Interaction Between Zones
Ingress Interface Member of Zone > Egress Interface Member of Zone > Zone Pair Exists, with Applied Policy > Result
No > No > Does not matter > Traffic is forwarded.
No > Yes (any zone) > Does not matter > Traffic is dropped.
Yes (zone A) > Yes (zone A) > Does not matter > Traffic is forwarded.
Yes (zone A) > Yes (zone B) > No > Traffic is dropped.
Yes (zone A) > Yes (zone B) > Yes > Policy is applied. If the policy is inspect or pass, the initial traffic is forwarded. If the policy is drop, the initial traffic is dropped.
13.2.3 Self Zone Traffic Behavior
Source Traffic Member of Zone > Destination Traffic Member of Zone > Zone Pair Exists, with a Policy Applied > Result
Self > Zone A > No > Traffic is passed.
Zone A > Self > No > Traffic is passed.
Self > Zone A > Yes > Policy is applied.
Zone A > Self > Yes > Policy is applied.
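As an added illustration (not part of these notes), the following Python model encodes the decision rules from 13.2.1 to 13.2.3 and carries them one step further than the tables: a reply to inspected traffic matches the stateful entry, while a reply to passed traffic is treated as new initial traffic and therefore needs its own zone pair in the reverse direction. The interface and zone names, the extra dmz zone and the flow identifiers are constructed. One case the table does not list, a zone member sending to an interface that belongs to no zone, is modelled as dropped, which is how IOS behaves.

```python
SELF = "self"  # the router's own control plane; always treated as a zone member


class ZbfModel:
    """Toy evaluator for the IOS Zone-Based Firewall rules in 13.2.1 to 13.2.3."""

    def __init__(self):
        self.zone_of = {}      # interface name -> zone name
        self.pairs = {}        # (source zone, destination zone) -> policy action
        self.sessions = set()  # entries created by 'inspect': (src zone, dst zone, flow id)

    def zone_member(self, interface, zone):
        self.zone_of[interface] = zone

    def zone_pair(self, source, destination, action):
        if action not in ("inspect", "pass", "drop"):
            raise ValueError(f"unknown policy action {action!r}")
        self.pairs[(source, destination)] = action

    def _zone(self, interface):
        return SELF if interface == SELF else self.zone_of.get(interface)

    def initial_packet(self, ingress, egress, flow="flow"):
        """Decide the first packet of a flow: returns 'forward' or 'drop'."""
        src, dst = self._zone(ingress), self._zone(egress)
        if SELF in (src, dst):
            # 13.2.3: self-zone traffic is passed unless a zone pair with a policy exists
            action = self.pairs.get((src, dst))
            if action is None:
                return "forward"
        elif src is None and dst is None:
            return "forward"                     # 13.2.2 row 1: no zones involved
        elif src is None or dst is None:
            return "drop"                        # 13.2.2 row 2 (and its reverse)
        elif src == dst:
            return "forward"                     # 13.2.2 row 3: same zone
        else:
            action = self.pairs.get((src, dst))
            if action is None:
                return "drop"                    # 13.2.2 row 4: no zone pair
        # 13.2.2 row 5 (or self zone with a pair): the policy action decides
        if action == "drop":
            return "drop"
        if action == "inspect":
            self.sessions.add((src, dst, flow))  # 'pass' creates no stateful entry
        return "forward"

    def return_packet(self, ingress, egress, flow="flow"):
        """Decide a reply packet travelling in the reverse direction of `flow`."""
        src, dst = self._zone(ingress), self._zone(egress)
        if (dst, src, flow) in self.sessions:
            return "forward"   # matched the entry that 'inspect' created
        # no stateful entry: the reply is new initial traffic in this direction
        return self.initial_packet(ingress, egress, flow)


def demo():
    """Constructed topology: inside and outside as in 13.4 plus an extra dmz zone."""
    fw = ZbfModel()
    fw.zone_member("GigabitEthernet1/0", "inside")
    fw.zone_member("GigabitEthernet3/0", "outside")
    fw.zone_member("GigabitEthernet2/0", "dmz")
    fw.zone_pair("inside", "outside", "inspect")
    fw.zone_pair("inside", "dmz", "pass")
    results = {
        "inside->outside": fw.initial_packet("GigabitEthernet1/0", "GigabitEthernet3/0", "telnet1"),
        "outside reply": fw.return_packet("GigabitEthernet3/0", "GigabitEthernet1/0", "telnet1"),
        "inside->dmz": fw.initial_packet("GigabitEthernet1/0", "GigabitEthernet2/0", "icmp1"),
        "dmz reply": fw.return_packet("GigabitEthernet2/0", "GigabitEthernet1/0", "icmp1"),
        "outside->inside new": fw.initial_packet("GigabitEthernet3/0", "GigabitEthernet1/0", "new"),
        "inside->self": fw.initial_packet("GigabitEthernet1/0", SELF),
        "nonzone->inside": fw.initial_packet("Loopback0", "GigabitEthernet1/0"),
    }
    # The second zone pair that 13.2.1 describes for 'pass' lets the dmz reply through
    fw.zone_pair("dmz", "inside", "pass")
    results["dmz reply with second pair"] = fw.return_packet(
        "GigabitEthernet2/0", "GigabitEthernet1/0", "icmp1")
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:<28} {verdict}")
```

The dmz case is the one to notice: with only the inside-to-dmz pair in place, the ping goes out but its reply is dropped, because pass left nothing in the session table and no dmz-to-inside pair exists.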
13.3 Command References
Command > Description
show class-map type inspect > Show ZBF-related class maps
show policy-map type inspect > Show ZBF-related policy maps
class-map type inspect match-any MY-CLASS-MAP > Create a ZBF-related class map that matches if any of its entries matches
policy-map type inspect MY-POLICY-MAP > Create a ZBF-related policy map
class type inspect MY-CLASS-MAP > Used inside a ZBF policy map to call on the classification services of a zone-based class map
zone-pair security in-to-out source inside destination outside > Create a zone pair that identifies an initial unidirectional flow of traffic
show ip nat translations * > Show the currently active address translations on the router
13.4 Command Examples
Components That Make Up the ZBF
R3(config)# class-map type inspect match-any MY-CLASS-MAP
R3(config-cmap)# match protocol telnet
R3(config-cmap)# match protocol icmp
R3(config-cmap)# exit
R3(config)# policy-map type inspect MY-POLICY-MAP
R3(config-pmap)# class type inspect MY-CLASS-MAP
R3(config-pmap-c)# inspect
R3(config-pmap-c)# exit
R3(config-pmap)# exit
R3(config)# zone security inside
R3(config-sec-zone)# exit
R3(config)# zone security outside
R3(config-sec-zone)# exit
R3(config)# zone-pair security in-to-out source inside destination outside
R3(config-sec-zone-pair)# service-policy type inspect MY-POLICY-MAP
R3(config-sec-zone-pair)# exit
R3(config)# interface GigabitEthernet3/0
R3(config-if)# description Belongs to outside zone
R3(config-if)# zone-member security outside
R3(config-if)# exit
R3(config)# interface GigabitEthernet1/0
R3(config-if)# description Belongs to inside zone
R3(config-if)# zone-member security inside
R3(config-if)# exit
R3(config)#
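The ZBF is only as good as the links between its pieces: a policy map that names a missing class map, a zone pair that names a zone nobody belongs to, or a zone pair with no service policy (which, per 13.2.2, drops all initial traffic) are the mistakes worth catching before the change window. The checker below is an added example, not part of these notes or of any Cisco tool. It reads the configuration in the same shape as the 13.4 transcript (prompts removed, every mode closed with exit) and reports dangling references. ZBF_CONFIG is built from the page's own commands; BROKEN_CONFIG and the names in it (WEB-TRAFFIC, ccp-policy, dmz-to-in) are constructed to trigger findings.

```python
import re

# Constructed from the 13.4 transcript with the prompts removed; each mode ends with 'exit'
ZBF_CONFIG = """\
class-map type inspect match-any MY-CLASS-MAP
 match protocol telnet
 exit
policy-map type inspect MY-POLICY-MAP
 class type inspect MY-CLASS-MAP
  inspect
  exit
 exit
zone security inside
 exit
zone security outside
 exit
zone-pair security in-to-out source inside destination outside
 service-policy type inspect MY-POLICY-MAP
 exit
interface GigabitEthernet3/0
 zone-member security outside
 exit
interface GigabitEthernet1/0
 zone-member security inside
 exit
"""

# Constructed configuration with dangling references for the checker to report
BROKEN_CONFIG = """\
policy-map type inspect MY-POLICY-MAP
 class type inspect WEB-TRAFFIC
  exit
 exit
zone security inside
 exit
zone-pair security in-to-out source inside destination outside
 service-policy type inspect ccp-policy
 exit
zone-pair security dmz-to-in source dmz destination inside
 exit
interface GigabitEthernet1/0
 zone-member security inside
 exit
"""

PAIR_RE = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)")


def parse_zbf_config(text):
    # Collect the ZBF objects and the references between them
    cfg = {"class_maps": set(), "policy_maps": {}, "zones": set(), "zone_pairs": {}, "members": {}}
    stack = []  # open configuration modes, innermost last, as (mode, name)
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "exit":
            stack.pop()  # inputs here are balanced; a stray 'exit' would raise IndexError
            continue
        mode, name = stack[-1] if stack else ("global", None)
        if mode == "global" and w[0] == "class-map":
            cfg["class_maps"].add(w[-1])
            stack.append(("cmap", w[-1]))
        elif mode == "global" and w[0] == "policy-map":
            cfg["policy_maps"][w[-1]] = []
            stack.append(("pmap", w[-1]))
        elif mode == "pmap" and w[0] == "class":
            cfg["policy_maps"][name].append(w[-1])
            stack.append(("pmap-c", w[-1]))
        elif mode == "global" and w[:2] == ["zone", "security"]:
            cfg["zones"].add(w[2])
            stack.append(("zone", w[2]))
        elif mode == "global" and (m := PAIR_RE.match(line.strip())):
            cfg["zone_pairs"][m[1]] = {"source": m[2], "destination": m[3], "policy": None}
            stack.append(("pair", m[1]))
        elif mode == "pair" and w[0] == "service-policy":
            cfg["zone_pairs"][name]["policy"] = w[-1]
        elif mode == "global" and w[0] == "interface":
            stack.append(("if", w[1]))
        elif mode == "if" and w[:2] == ["zone-member", "security"]:
            cfg["members"][name] = w[2]
    return cfg


def validate_zbf(cfg):
    # Findings as strings; an empty list means every reference resolves
    findings = []
    for pmap, classes in cfg["policy_maps"].items():
        for cmap in classes:
            if cmap not in cfg["class_maps"]:
                findings.append(f"policy-map {pmap} references undefined class-map {cmap}")
    for pair, info in cfg["zone_pairs"].items():
        for zone in (info["source"], info["destination"]):
            if zone != "self" and zone not in cfg["zones"]:
                findings.append(f"zone-pair {pair} references undefined zone {zone}")
        if info["policy"] is None:  # 13.2.2: a pair without a policy drops its initial traffic
            findings.append(f"zone-pair {pair} has no service-policy")
        elif info["policy"] not in cfg["policy_maps"]:
            findings.append(f"zone-pair {pair} references undefined policy-map {info['policy']}")
    for zone in sorted(cfg["zones"]):
        if zone not in cfg["members"].values():
            findings.append(f"zone {zone} has no member interfaces")
    return findings
```

Run validate_zbf(parse_zbf_config(ZBF_CONFIG)) to confirm the page's configuration produces no findings, and the same call on BROKEN_CONFIG to see the five dangling references reported. The parser expects explicit exit lines; a running-config dump, which nests by indentation instead, would need the mode tracking adapted.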
Verifying the Configuration from the Command Line
R3# show class-map type inspect
R3# show policy-map type inspect zone-pair ccp-zp-in-out sessions
Implementing NAT
R3(config)# access-list 2 permit 10.0.0.0 0.0.0.255
R3(config)# interface GigabitEthernet3/0
R3(config-if)# ip nat outside
R3(config-if)# exit
R3(config)# interface GigabitEthernet1/0
R3(config-if)# ip nat inside
R3(config-if)# exit
R3(config)# ip nat inside source list 2 interface GigabitEthernet3/0 overload
R3# show ip nat translations
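To make the many-to-one behaviour of the overload keyword concrete, here is an added Python model (not from these notes, and not how IOS is implemented) of the translation table that ip nat inside source list 2 interface GigabitEthernet3/0 overload builds. It applies the wildcard-mask test of access-list 2, keeps the original source port where it is still free and remaps it otherwise, and only translates inbound packets that match an existing entry. The inside global address 203.0.113.2, the inside hosts and the port numbers are constructed.

```python
import ipaddress


def acl_permits(ip, network, wildcard):
    """Standard ACL test as used by 'access-list 2 permit 10.0.0.0 0.0.0.255':
    a wildcard bit of 1 means that bit of the address is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


class PatTable:
    """Toy model of many-to-one translation ('overload') behind one interface address."""

    def __init__(self, inside_global_ip, acl=("10.0.0.0", "0.0.0.255"), first_port=1024):
        self.inside_global_ip = inside_global_ip  # address of the 'ip nat outside' interface
        self.acl = acl                             # the 'list 2' that selects inside hosts
        self.next_port = first_port
        self.by_local = {}    # (proto, inside local ip, local port) -> inside global port
        self.by_global = {}   # (proto, inside global port) -> (inside local ip, local port)

    def _free_port(self, proto):
        while (proto, self.next_port) in self.by_global:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, proto, local_ip, local_port):
        """Inside -> outside: translate the source if the list permits it."""
        if not acl_permits(local_ip, *self.acl):
            return (local_ip, local_port)   # not selected by the list: forwarded untranslated
        key = (proto, local_ip, local_port)
        if key not in self.by_local:
            # Keep the original source port when it is still free; otherwise pick another
            free = (proto, local_port) not in self.by_global
            port = local_port if free else self._free_port(proto)
            self.by_local[key] = port
            self.by_global[(proto, port)] = (local_ip, local_port)
        return (self.inside_global_ip, self.by_local[key])

    def inbound(self, proto, global_port):
        """Outside -> inside: only packets matching an existing entry are translated back."""
        return self.by_global.get((proto, global_port))

    def show_translations(self):
        """Rows in the spirit of 'show ip nat translations'."""
        rows = ["Pro  Inside global          Inside local"]
        for (proto, lip, lport), gport in self.by_local.items():
            rows.append(f"{proto:<4} {self.inside_global_ip + ':' + str(gport):<22} {lip}:{lport}")
        return "\n".join(rows)


def demo():
    pat = PatTable("203.0.113.2")   # constructed address for GigabitEthernet3/0
    a = pat.outbound("tcp", "10.0.0.11", 50000)
    b = pat.outbound("tcp", "10.0.0.12", 50000)     # same source port: must be remapped
    c = pat.outbound("tcp", "192.168.5.5", 40000)   # not permitted by list 2: no translation
    return a, b, c, pat.inbound("tcp", 1024), pat.inbound("tcp", 2222), pat


if __name__ == "__main__":
    *_, table = demo()
    print(table.show_translations())
```

The second host reuses source port 50000, so it is given 1024 on the shared address; an unsolicited inbound packet to port 2222 finds no entry and is not translated, which is the implicit protection that PAT gives inside hosts.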