Let’s have a look at a very basic configuration first:
1. Zone Security
zone security OUTSIDE
zone security INSIDE
2. Zone Member
interface fa0/0
 zone-member security OUTSIDE
interface fa0/1
 zone-member security INSIDE
3. Zone Pair
zone-pair security ZP-OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
zone-pair security ZP-INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
!
! A service policy needs to be attached to each zone-pair; this is shown in step 6 below.
Up to here we have built the foundation of a ZBFW policy and have all the basic objects in place. Now comes the main part, where we define the L3/L4 or L7 class-maps and policy-maps, using ACLs to classify traffic.
4. Class Maps
– Use L7 class-maps. You can also nest an L7 class-map in another L7 class-map
class-map type inspect match-any CM-INSIDE-to-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! IOS access-lists take a wildcard mask, not a subnet mask: 0.0.0.255 matches the /24.
! (With 255.255.255.0 as the wildcard, only hosts whose last octet is 0 would match.)
access-list 101 permit ip 123.12.23.0 0.0.0.255 host 136.123.12.1
!
class-map type inspect match-all CM-OUTSIDE-to-INSIDE
 match access-group 101
match-any – use when any one of the match criteria is enough, for example TCP or UDP.
match-all – use when every match criterion must be met, for example an ACL combined with protocol HTTP.
5. Policy Maps
policy-map type inspect PM-INSIDE-to-OUTSIDE
 class type inspect CM-INSIDE-to-OUTSIDE
  inspect
 class class-default
  drop
!
policy-map type inspect PM-OUTSIDE-to-INSIDE
 class type inspect CM-OUTSIDE-to-INSIDE
  inspect
 class class-default
  drop log
6. Apply the policy-map to a zone-pair
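As an added example, not taken from the original post, this is step 6 written out with the zone-pair and policy-map names used in the steps above. Until a policy-map is attached with `service-policy type inspect`, traffic between the two zones is dropped, so nothing passes OUTSIDE to INSIDE or INSIDE to OUTSIDE; the `inspect` action then creates stateful sessions, so replies to INSIDE-originated connections are allowed back in without a matching rule on the OUTSIDE-to-INSIDE pair. Traffic to and from the router itself belongs to the self zone and is not governed by these two pairs.

```text
! Added example: attach each policy-map to its zone-pair (step 6).
! Zone, zone-pair and policy-map names are the ones defined in steps 1-5.
zone-pair security ZP-INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-to-OUTSIDE
!
zone-pair security ZP-OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-to-INSIDE
!
! Verify that both pairs carry a policy and watch the sessions it builds:
! show zone-pair security
! show policy-map type inspect zone-pair
! show policy-map type inspect zone-pair sessions
```

The first two show commands confirm that no zone-pair was left without a service-policy, which is the usual reason traffic "just stops" after zones are assigned; the third lets you confirm that INSIDE-originated sessions are being inspected and that their return traffic is matched to an existing session rather than hitting `class-default` on the OUTSIDE-to-INSIDE pair.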
With the policy-map:
policy-map type inspect PM-OUTSIDE-to-INSIDE
class type inspect CM-OUTSIDE-to-INSIDE
inspect
class class-default
drop log
I’d be replacing it with:
policy-map type inspect PM-OUTSIDE-to-INSIDE
class class-default
drop log
This prevents any access from outside. If you were to allow external access, you would have to use a very secure protocol such as SSH.
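As an added example, not part of the post or the comment above, this shows the SSH-only alternative the comment mentions: a single class-map that admits SSH from one assumed management host to one assumed internal host, with everything else from OUTSIDE dropped and logged. The names `ACL-MGMT-SSH` and `CM-OUTSIDE-SSH` and the addresses 203.0.113.10 and 192.168.1.20 are constructed for the example.

```text
! Added example: restrict OUTSIDE-to-INSIDE to SSH from one management host.
! ACL name, class-map name and both addresses are assumptions for the example.
ip access-list extended ACL-MGMT-SSH
 permit tcp host 203.0.113.10 host 192.168.1.20 eq 22
!
! match-all: the packet must come from the permitted host/destination pair
! AND be classified as SSH, so an unrelated service on port 22 from another
! source is not let through by the ACL alone.
class-map type inspect match-all CM-OUTSIDE-SSH
 match access-group name ACL-MGMT-SSH
 match protocol ssh
!
policy-map type inspect PM-OUTSIDE-to-INSIDE
 class type inspect CM-OUTSIDE-SSH
  inspect
 class class-default
  drop log
!
zone-pair security ZP-OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-to-INSIDE
```

Keeping `drop log` on `class-default` means every rejected inbound attempt from OUTSIDE still produces a log entry, which is what you want to see on a pair that is supposed to admit almost nothing. Note that SSH to the router's own interfaces is self-zone traffic and is not covered by this zone-pair; it is controlled separately, for example with a `vty` access-class or a self-zone policy.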