Hi there and welcome back to this series on the Cisco Configuration Professional (CCP). We have begun configuring labs and so far, we have done three labs: ACLs, NAT and Security audit. In this article, we will be dealing with the zone-based firewall. CCP has made this configuration pretty easy through the firewall wizards (Next…Next) and we also have the option to tweak the configuration when it is done.

Our network diagram is shown below:


The configuration tasks for our lab #4 are as follows:

  1. Using the Basic Firewall Configuration Wizard of CCP, configure the zone-based firewall on RTR1 using two zones: inside and outside. Interface Fa0/1 should be the outside (untrusted) interface and Fa0/0 should be the trusted interface. Leave all other interfaces unmarked.
  2. Inspect TCP, UDP and other default CCP wizard protocols from the inside zone to the outside zone.
  3. Allow ONLY ICMP traffic from the outside zone to inside zone.
  4. Test your configuration:
     • Telnet traffic from the CCP host (10.0.0.100) to RTR2’s Lo0 interface (2.2.2.2) should be allowed and inspected;
     • RTR2’s Lo0 interface should be able to ping the CCP Host;
     • Assume you have an HTTP server running on the CCP Host. RTR2’s Lo0 should not be able to access that HTTP server. The logs should reveal the denial.

Your entire configuration should be done through the Cisco Configuration Professional tool.

Configuration solutions

Task 1

As we have already seen in this series, the CCP tool provides wizards to simplify many of the configurations we need to do. I will select RTR1 as the community member and navigate to Configure > Security > Firewall > Firewall.

Notice from the above screenshot that there are two firewall wizards: Basic Firewall and Advanced Firewall. Both wizards have descriptions under them along with use case scenarios shown on the right. The Basic Firewall wizard provides a simple firewall policy: many inside interfaces with one outside interface. It does not provide DMZ services. The Advanced Firewall wizard on the other hand is more flexible as we will see in another article.

This task specifies one inside and one outside zone so we will use the Basic Firewall wizard. It is selected by default so I will just click the Launch the selected task button.

Note: The default firewall wizard screen will configure Zone Based Firewall. If you intend to configure CBAC instead, then you have to click the Switch to Classic Firewall link.

The first screen we get gives us information about the Basic Firewall configuration wizard. Notice that TCP, UDP and other protocols will be inspected from the inside zone to the outside zone. Also, HTTP port misuse for IM and P2P applications can be configured to be blocked. Finally, all traffic from the outside zone to the inside zone will be denied. You may have noticed a conflict with one of our tasks here but let’s continue.

On the next screen, I have selected the interfaces that will serve as demarcation for the zones: Fa0/0 for the inside zone and Fa0/1 for the outside zone. All other interfaces (loopbacks) have been left unselected. The warning that the interface through which CCP is accessed should not be marked as untrusted does not apply to us in this case but what if your CCP host is on the outside interface? That’s an assignment for you to figure out.

Because I have some interfaces that are unmarked, I get the warning dialog shown above. I will ignore this warning for now and continue. You may also get a voice-related warning dialog box if your router supports voice.

Finally, I get a warning dialog informing me that I cannot launch CCP from the outside interface.

My CCP host is on the inside zone (Fa0/0) so I don’t need to worry about this warning. I will just select OK to move on.

Task #2

From the above screenshot, we can see that the CCP firewall wizard provides pre-configured policies: High Security, Medium Security and Low Security. These policies apply to applications such as instant messaging and peer-to-peer traffic. High Security will block such traffic; Medium Security will track such traffic; Low Security does not track or block such traffic. For our task, Low Security will work fine because it will inspect TCP and UDP traffic from the inside to the outside zone. We can also use the Preview Commands button to see what configuration will apply for the different security policies.

When we are done with our configuration, the firewall configuration summary screen is displayed.

Notice that there are some default policies that will be applied by the wizard such as policies to/from the self zone. We will consider the self zone in a separate article. We will click on the Finish button and send the configuration to the router.

Because we have EIGRP running on our network, CCP asks whether we want EIGRP updates to pass through the firewall. I will leave it checked and click on OK.

It’s like a rain of warning dialog boxes here. We have NAT configured on RTR1 and CCP has also detected that so it gives us the option to modify the firewall configuration so that the NAT configuration is not affected.

I will select Yes, and because our NAT inside interfaces (Lo1 and Lo2) are not part of any zone, I get an information dialog box saying that firewall passthrough will not be applied.

The configuration to be sent to the router is as shown below:

access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended SDM_EIGRP
remark CCP_ACL Category=1
permit eigrp any any
exit
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
exit
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
exit
class-map type inspect match-any SDM_EIGRP
match access-group name SDM_EIGRP
exit
class-map type inspect match-any SDM_EIGRP_TRAFFIC
match class-map SDM_EIGRP
exit
class-map type inspect match-all ccp-protocol-http
match protocol http
exit
class-map type inspect match-all SDM_EIGRP_PT
match class-map SDM_EIGRP_TRAFFIC
exit
class-map type inspect match-all ccp-invalid-src
match access-group 100
exit
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
exit
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
exit
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
exit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
exit
class-map type inspect match-any ccp-sip-inspect
match protocol sip
exit
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
exit
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
no drop
inspect
exit
class class-default
no drop
pass
exit
exit
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
exit
class type inspect ccp-protocol-http
no drop
inspect
exit
class type inspect ccp-insp-traffic
no drop
inspect
exit
class type inspect ccp-h323-inspect
no drop
inspect
exit
class type inspect ccp-h225ras-inspect
no drop
inspect
exit
exit
policy-map type inspect ccp-permit
class type inspect SDM_EIGRP_PT
no drop
pass
exit
class class-default
exit
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
exit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
exit
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
exit
interface FastEthernet0/1
zone-member security out-zone
exit
interface FastEthernet0/0
zone-member security in-zone
exit
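The wizard's output above follows a fixed grammar: policy-maps bind classes to an inspect, pass or drop action, and zone-pairs bind one policy to one direction of traffic, so the listing can be audited before anything else is changed. As an added example that is not part of the original article or of CCP, the following Python parses such a listing and reports what happens to traffic between two zones; SAMPLE_CFG is a constructed excerpt of the configuration above, and the default behaviours it encodes (implicit drop for a class without an action, drop when no zone-pair exists, permit within a single zone) are standard IOS zone-based firewall rules.

```python
import re

# Added example, not from the article or from CCP. SAMPLE_CFG is a constructed
# excerpt of the wizard-generated configuration shown in the article.
SAMPLE_CFG = """
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
exit
class type inspect ccp-insp-traffic
inspect
exit
exit
policy-map type inspect ccp-permit
class class-default
exit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
exit
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
exit
"""

def parse_zbf(text):
    """Return (zone-pairs, policy-maps) from IOS lines that close submodes with 'exit'."""
    pairs, policies = {}, {}
    policy = cls = pair = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pair, pairs[m[1]] = m[1], {"src": m[2], "dst": m[3], "policy": None}
        elif m := re.match(r"service-policy type inspect (\S+)", line):
            pairs[pair]["policy"] = m[1]
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            policy, policies[m[1]] = m[1], {}
        elif m := re.match(r"class (?:type inspect )?(\S+)", line):
            policies[policy][(cls := m[1])] = "drop"  # no action given = implicit drop
        elif cls and line.split()[0] in ("inspect", "pass", "drop"):
            policies[policy][cls] = line              # "inspect", "pass" or "drop log"
        elif line == "exit":                          # leave the innermost open submode
            if cls: cls = None
            elif policy: policy = None
    return pairs, policies

def verdict(cfg, src, dst):
    pairs, policies = cfg
    if src == dst:                                    # same zone: permitted, no zone-pair needed
        return {"class-default": "pass"}
    for p in pairs.values():
        if p["src"] == src and p["dst"] == dst:
            return dict(policies[p["policy"]])
    return {"class-default": "drop"}                  # no zone-pair: ZBF drops inter-zone traffic
```

Running verdict(parse_zbf(SAMPLE_CFG), "out-zone", "in-zone") returns the implicit drop, which is exactly the conflict with task 3 noted earlier: nothing from the outside zone, ICMP included, reaches the inside zone until a zone-pair for that direction is added.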

Once the configuration has been successfully delivered, CCP gives us (yet) another information dialog box reporting the success, and then we are taken to the Edit Firewall Policy screen.

Summary

Let’s put a pause on this article for now. In the next article, I will start by explaining the configuration that CCP sent to the router; then we will finish up our tasks and finally run the tests.

In this article, we have begun our fourth lab, which is on the zone-based firewall. We have seen that CCP provides two firewall configuration wizards: Basic and Advanced. The Basic Firewall wizard provides a simple inside/outside zone policy, while the Advanced Firewall wizard provides more flexibility, including DMZ services.

I hope you have enjoyed this article (and series) and I also hope you will visit the blog again for the continuation of this article.
