Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Need Help with the default Zone Based Security Policy on my 881W

All,

While I'm very familiar with access lists, I'm not familiar at all with Zone Based Security Policies.  With that in mind, could somebody give me a verbal desciption of the default Zone Based Security Policy setup on my Cisco 881W router?  I've tried to disect it, but am totally lost.  Here are the relevant config lines:

--------------------------------------

class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit

!

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412

!

interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXXXXXXX
ppp chap password 7 XXXXXXXXX
!

-------------------------------------------

In addition to understanding how this is setup on my inside and outside interfaces, I want to add a rule that allows UDP 514 from specific Internet hosts via Dialer0) to the inside of my network in Vlan1.  So, any additional comments on that would also be helpful.

Thank you very much for the help!

James E

Everyone's tags (1)
1 REPLY
Cisco Employee

Re: Need Help with the default Zone Based Security Policy on my

High level explaination on ZBFW:

1) Determine zone for each interface, in your case: in-zone for vlan 1, and out-zone for Dialer 0 interface


2) For every interface to communicate with others, you would need to configure zone pairing. In your case:

--Traffic sourcing from the router towards the out-zone (dialer0 interface), example: VPN traffic outbound, ping out from the router, outbound telnet from the router, etc:

zone-pair security ccp-zp-self-out source self destination out-zone
  service-policy type inspect ccp-permit-icmpreply


-- Traffic sourcing from in-zone (vlan 1 subnet) towards the internet (outside) - out-zone (out Dialer0 interface), example: host from VLAN 1 accessing the Internet:

zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect


-- Traffic sourcing from out-zone (Internet) towards the router dialer0 interface, example: when trying to telnet/ssh into the router from the internet:

zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit


3) Once you determine the zone-pair, you would need to determine policy for each of the zone pairing. From the above, the "service-policy" is the policy configuration that is assigned to that zone-pairing.


4) To configure policy, you would need to configure class-map to match the traffic that you would like to allow/inspect. For example: if you would like to allow http access from your internal zone towards the Internet, here is how you would configure it:


access-list 101 permit tcp any any eq 80

class-map  type inspect match-any http-class
  match access-group 101

policy-map type inspect outbound-policy
  class type inspect http-class
   inspect

zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect outbound-policy


You can only assign 1 policy to zone-pair, so if you need to add more policy, you just configure more class-map and configure it under the existing outbound-policy map.


From the above example, if you would like to allow SMTP traffic outbound, you can add the following:

class-map type inspect match-any smtp-class

     match protocol smtp

policy-map type inspect outbound-policy
  class type inspect smtp-class
   inspect


OR/ alternatively you can also add into the "http-class" that was configured as follows:

class-map  type inspect match-any http-class
  match access-group 101

  match protocol smtp


Hope that helps. Please rate useful post as for every rating, Cisco is matching $1 for the Haiti Earthquake. Thanks.

1060
Views
3
Helpful
1
Replies
CreatePlease to create content