IOS Zone-Based Firewall Cheat Sheet


packetlife.net

Terminology

Security Zone
  A group of interfaces which share a common level of security

Zone Pair
  A unidirectional pairing of source and destination zones to which a
  security policy is applied

Inspection Policy
  An inspect-type policy map used to statefully filter traffic by
  matching one or more inspect-type class maps

Parameter Map
  An optional configuration of protocol-specific parameters referenced
  by an inspection policy

Security Zones

[Diagram: Security Zones. Trusted zone: G0/0 (MPLS WAN) and G0/2.10 (Corporate LAN).
 Internet zone: G0/1 (Internet). Guest zone: G0/2.20 (Guest Wireless LAN).]

! Defining security zones
zone security Trusted
zone security Guest
zone security Internet
! Assigning interfaces to security zones
interface GigabitEthernet0/0
 zone-member security Trusted
!
interface GigabitEthernet0/1
 zone-member security Internet
!
interface GigabitEthernet0/2.10
 zone-member security Trusted
!
interface GigabitEthernet0/2.20
 zone-member security Guest

Zone Pair Configuration

! Service policies are applied to zone pairs
zone-pair security T2I source Trusted destination Internet
 service-policy type inspect Trusted2Internet
zone-pair security G2I source Guest destination Internet
 service-policy type inspect Guest2Internet
zone-pair security I2T source Internet destination Trusted
 service-policy type inspect Internet2Trusted

Inspection Class Configuration

! Match by protocol
class-map type inspect match-any ByProtocol
 match protocol tcp
 match protocol udp
 match protocol icmp
! Match by access list (IOS ACLs take a wildcard mask, not a subnet mask)
ip access-list extended MyACL
 permit ip 10.0.0.0 0.0.255.255 any
!
class-map type inspect match-all ByAccessList
 match access-group name MyACL

Parameter Map Configuration

parameter-map type inspect MyParameterMap
 alert on
 audit-trail off
 dns-timeout 5
 max-incomplete low 20000
 max-incomplete high 25000
 icmp idle-time 3
 tcp synwait-time 3

Inspection Policy Actions

Drop
  Traffic is prevented from passing

Pass
  Traffic is permitted to pass without stateful inspection

Inspect
  Traffic is subjected to stateful inspection; legitimate return traffic is
  permitted in the opposite direction

Inspection Policy Configuration

policy-map type inspect MyInspectionPolicy
 ! Pass permitted stateless traffic
 class VPN-Tunnel
  pass
 !
 ! Inspect permitted stateful traffic
 class Allowed-Traffic1
  inspect
 !
 ! Stateful inspection with a parameter map
 class Allowed-Traffic2
  inspect MyParameterMap
 !
 ! Drop and log unpermitted traffic
 class class-default
  drop log

Troubleshooting

show zone security
show zone-pair security
show policy-map type inspect
show class-map type inspect
show parameter-map type inspect
debug zone security events
by Jeremy Stretch
v1.0
