Hi there and welcome back to this series on the Cisco Configuration Professional (CCP). We have begun configuring labs and so far, we have done three labs: ACLs, NAT and Security audit. In this article, we will be dealing with the zone-based firewall. CCP has made this configuration pretty easy through the firewall wizards (Next…Next) and we also have the option to tweak the configuration when it is done.
Our network diagram is shown below:
The configuration tasks for our lab #4 are as follows:
Using the Basic Firewall Configuration Wizard of CCP, configure the zone-based firewall on RTR1 using two zones: inside and outside. Interface Fa0/1 should be the outside (untrusted) interface and Fa0/0 should be the trusted interface. Leave all other interfaces unmarked.
Inspect TCP, UDP and other default CCP wizard protocols from the inside zone to the outside zone.
Allow ONLY ICMP traffic from the outside zone to inside zone.
Test your configuration:
* Telnet traffic from the CCP host (10.0.0.100) to RTR2’s Lo0 interface (126.96.36.199) should be allowed and inspected;
* RTR2’s Lo0 interface should be able to ping the CCP Host;
* Assume you have an HTTP server running on the CCP Host. RTR2’s Lo0 should not be able to access that HTTP server. The logs should reveal the denial.
Your entire configuration should be done through the Cisco Configuration Professional tool.
As we should already be familiar with, the CCP tool provides wizards to simplify many of the configurations that we need to do. I will select the RTR1 as the community member and navigate to Configure > Security > Firewall > Firewall.
Notice from the above screenshot that there are two firewall wizards: Basic Firewall and Advanced Firewall. Both wizards have descriptions under them along with use case scenarios shown on the right. The Basic Firewall wizard provides a simple firewall policy: many inside interfaces with one outside interface. It does not provide DMZ services. The Advanced Firewall wizard on the other hand is more flexible as we will see in another article.
This task specifies one inside and one outside zone so we will use the Basic Firewall wizard. It is selected by default so I will just click the Launch the selected task button.
Note: The default firewall wizard screen will configure Zone Based Firewall. If you intend to configure CBAC instead, then you have to click the Switch to Classic Firewall link.
The first screen we get gives us information about the Basic Firewall configuration wizard. Notice that TCP, UDP and other protocols will be inspected from the inside zone to the outside zone. Also, HTTP port misuse for IM and P2P applications can be configured to be blocked. Finally, all traffic from the outside zone to the inside zone will be denied. You may have noticed a conflict with one of our tasks here but let’s continue.
On the next screen, I have selected the interfaces that will serve as demarcation for the zones: Fa0/0 for the inside zone and Fa0/1 for the outside zone. All other interfaces (loopbacks) have been left unselected. The warning that the interface through which CCP is accessed should not be marked as untrusted does not apply to us in this case but what if your CCP host is on the outside interface? That’s an assignment for you to figure out.
Because I have some interfaces that are unmarked, I get the warning dialog shown above. I will ignore this warning for now and continue. You may also get a voice-related warning dialog box if your router supports voice.
Finally, I get a warning dialog informing me that I cannot launch CCP from the outside interface.
My CCP host is on the inside zone (Fa0/0) so I don’t need to worry about this warning. I will just select OK to move on.
From the above screenshot, we can see that the CCP firewall wizard provides pre-configured policies: High Security, Medium Security and Low Security. These policies apply to applications such as instant messaging and peer-to-peer traffic. High Security will block such traffic; Medium Security will track such traffic; Low Security does not track or block such traffic. For our task, Low Security will work fine because it will inspect TCP and UDP traffic from the inside to the outside zone. We can also use the Preview Commands button to see what configuration will apply for the different security policies.
When we are done with our configuration, the firewall configuration summary screen is displayed.
Notice that there are some default policies that will be applied by the wizard such as policies to/from the self zone. We will consider the self zone in a separate article. We will click on the Finish button and send the configuration to the router.
Due to the fact that we have EIGRP running on our network, CCP asks if we want EIGRP updates to pass through the firewall. I will leave it checked and click on OK.
It’s like a rain of warning dialog boxes here. We have NAT configured on RTR1 and CCP has also detected that so it gives us the option to modify the firewall configuration so that the NAT configuration is not affected.
I will select Yes and because our NAT inside interface (Lo1 and Lo2) are not part of any zone, I get an information dialog box that firewall passthrough will not be applied.
The configuration to be sent to the router is as shown below:
access-list 100 remark CCP_ACL Category=128 access-list 100 permit ip host 255.255.255.255 any access-list 100 permit ip 127.0.0.0 0.255.255.255 any access-list 100 permit ip 192.168.12.0 0.0.0.255 any ip access-list extended SDM_EIGRP remark CCP_ACL Category=1 permit eigrp any any exit class-map type inspect match-any ccp-h225ras-inspect match protocol h225ras exit class-map type inspect match-any ccp-cls-icmp-access match protocol icmp match protocol tcp match protocol udp exit class-map type inspect match-any SDM_EIGRP match access-group name SDM_EIGRP exit class-map type inspect match-any SDM_EIGRP_TRAFFIC match class-map SDM_EIGRP exit class-map type inspect match-all ccp-protocol-http match protocol http exit class-map type inspect match-all SDM_EIGRP_PT match class-map SDM_EIGRP_TRAFFIC exit class-map type inspect match-all ccp-invalid-src match access-group 100 exit class-map type inspect match-any ccp-cls-insp-traffic match protocol cuseeme match protocol dns match protocol ftp match protocol https match protocol icmp match protocol imap match protocol pop3 match protocol netshow match protocol shell match protocol realmedia match protocol rtsp match protocol smtp extended match protocol sql-net match protocol streamworks match protocol tftp match protocol vdolive match protocol tcp match protocol udp exit class-map type inspect match-all ccp-icmp-access match class-map ccp-cls-icmp-access exit class-map type inspect match-all ccp-insp-traffic match class-map ccp-cls-insp-traffic exit class-map type inspect match-any ccp-h323-inspect match protocol h323 exit class-map type inspect match-any ccp-sip-inspect match protocol sip exit class-map type inspect match-any ccp-skinny-inspect match protocol skinny exit policy-map type inspect ccp-permit-icmpreply class type inspect ccp-icmp-access no drop inspect exit class class-default no drop pass exit exit policy-map type inspect ccp-inspect class type inspect ccp-invalid-src drop log exit class type inspect ccp-protocol-http no drop inspect exit class type inspect ccp-insp-traffic no drop inspect exit class type inspect ccp-h323-inspect no drop inspect exit class type inspect ccp-h225ras-inspect no drop inspect exit exit policy-map type inspect ccp-permit class type inspect SDM_EIGRP_PT no drop pass exit class class-default exit zone security in-zone zone security out-zone zone-pair security ccp-zp-self-out source self destination out-zone service-policy type inspect ccp-permit-icmpreply exit zone-pair security ccp-zp-in-out source in-zone destination out-zone service-policy type inspect ccp-inspect exit zone-pair security ccp-zp-out-self source out-zone destination self service-policy type inspect ccp-permit exit interface FastEthernet0/1 zone-member security out-zone exit interface FastEthernet0/0 zone-member security in-zone exit
Once your configuration has been successfully delivered, CCP gives us (yet) another information dialog box about the success and then we are taken to the Edit Firewall Policy screen.
Let’s put a pause on this article for now. In the next article, I will start by explaining the configuration that CCP sent to the router and then we finish up our tasks and finally the tests.
In this article we have begun our fourth lab which is on zone-based firewall. We have seen that CCP provides two firewall configuration wizards: Basic and Advanced. The Basic Firewall wizard provides simple inside and outside zones policy while the Advanced Firewall wizard provides more flexibility including DMZ services.
I hope you have enjoyed this article (and series) and I also hope you will visit the blog again for the continuation of this article.
Zone-Based Policy Firewall Design and Application Guide: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
CCNA Security Certification Series – #1 Cisco Firewall Technologies: http://resources.intenseschool.com/ccna-security-certification-series-1-cisco-firewall-technologies/