configuring IOS firewall Zone Based --> remotely

ROBERTO TACCON · ‎05-30-2009

Hi to all,

need to deploy the folling IOS firewall Zone Based configuration to a running remotely router.

I'M CONNECTED WITH SSH ...

HOW IS IT POSSIBLE WITHOUT DISCONNETING ME ?

!

class-map type inspect match-any untrust-trust-cmap

match protocol telnet

match protocol ssh

!

policy-map type inspect untrust-trust-pmap

class type inspect untrust-trust-cmap

inspect

class class-default

!

class-map type inspect match-any trust-untrust-cmap

match protocol tcp

match protocol udp

!

policy-map type inspect trust-untrust-pmap

class type inspect trust-untrust-cmap

inspect

class class-default

!

zone security trust

zone security untrust

!

zone-pair security trust-untrust source trust destination untrust

service-policy type inspect trust-untrust-pmap

!

zone-pair security untrust-trust source untrust destination trust

service-policy type inspect untrust-trust-pmap

!

interface FastEthernet0/0

zone-member security trust

int dialer 0

zone-member security untrust

interface ATM0/0

zone-member security untrust

Regards

Roberto Taccon

plumbis · ‎06-01-2009

This is always very risky. I would suggest that you issue the "reload in " command before trying to configure any interfaces as zone-members. I would stage the entire policy-map based configuration first, then I would configure the zone-member pairs in the "inside", "outside", "self" order, but there is 0 guarantee this will work. If you do lock yourself out the "reload in" command will reload the router and you can ssh back to the box after it finishes rebooting.

good luck!

ROBERTO TACCON · ‎06-02-2009

Hi,

thanks for the info (I know the reload command and also the rollback command).

Q1) When I try to insert on the 1st interface the "zone-member security trust" or "zone-member security untrust" I LOST THE ROUTER CAUSE THE OTHER INTERFACES ARE NOT CONFIGURED: HOW I CAN ACTIVATE THE ZONE-MEMBER COMMAND ON THE ROUTER WITHOUT LOST IT ?

Q2) it's possible (like Juniper JUNOS) made alla the new configuration and execute the "commit now" when I've finished ?

Q3) Is there any other feature on cisco IOS to allow to configure the router, check the configuration and only AFTER put it on the running config (the only tip i?ve found is to modify the startup config and load in or merge the running config with another conf...)?

***

Using Cisco Config Rollback

Replace the Running Configuration with the Latest Good Archive After Two Minutes Unless the Change Being Made Is Confirmed

Router#show archive

There are currently 4 archive configurations saved.

The next archive file will be named disk0:/config-archive-4

Archive # Name

0

1 disk0:/config-archive-1

2 disk0:/config-archive-2

3 disk0:/config-archive-3 <- Most Recent

Router#config replace disk0:/config-archive-3 time 120

If the configuration was successful, apply the changes

Router#config confirm

â€¢ If the config changes caused the user to be locked out, the router will automatically revert to the last saved archive configuration after two minutes, and connectivity will be restored

Regards

Roberto Taccon