Introduction to the Cisco Zone-Based Policy Firewall
Introduction
- Zone-Based Policy Firewall basics
- Zone-Based Policy Firewall lab
Zone-Based Policy Firewall basics
The Zone-Based Policy Firewall (ZFW) is a security policy model. Interfaces that belong to the same zone can exchange traffic freely; interfaces that belong to different zones cannot by default. Traffic between two zones is only forwarded once a policy has been configured explicitly for that pair of zones.
Compared with ACLs (access control lists), the ZFW concept is easier to manage; it also adds application-layer matching and rate limiting (policing), which gives finer control over the traffic it serves.
Zone concepts:
- Interfaces in the same zone can communicate with each other.
- Interfaces in different zones cannot communicate unless a corresponding policy is configured.
- An interface that does not belong to any zone cannot communicate with any zone at all.
Zone-Based Policy Firewall lab
Topology
Requirements:
- R2 can ping R4
- R3 can ping R5
- R4 can ping R2, but cannot ping R3
- R5 can telnet to R2, but cannot telnet to R3
Configuration steps:
1. Create the zones and assign interfaces to them
R1(config)#zone security zone-name
R1(config-if)#zone-member security zone-name
2. Configure the class-map
class-map type inspect {match-all | match-any} class-map-name
Here inspect denotes a "Firewall Class Map".
Choose match-all or match-any:
match-all: the class matches only when all of its match conditions are met
match-any: the class matches when any one of its conditions is met
3. Configure the match conditions
R1(config-cmap)#match ?
access-group Access group
class-map Class map
protocol PAM Protocol
security-group Security Group
user-group User Group
4. Configure the policy-map, associate the class-map with it and specify the action
policy-map type inspect policy-map-name
class type inspect class-map-name
{ drop | inspect | pass | police}
R1(config-pmap-c)#?
Policy-map class configuration commands:
drop Drop the packet
exit Exit from class action configuration mode
inspect Context-based Access Control Engine
no Negate or set default values of a command
pass Pass the packet
police Police
service-policy Deep Packet Inspection Engine
drop: discard the traffic.
inspect: stateful packet inspection.
pass: let the traffic through.
police: traffic policing (rate limiting).
Note on the pass and inspect actions:
pass only permits traffic in one direction. If the network carries interactive flows such as TCP or ICMP, the return traffic must be taken into account when configuring the pass action.
inspect, on the other hand, examines the traffic first and decides whether to permit it; once the traffic passes inspection, no extra configuration is needed, and the return traffic is permitted even without a policy in that direction.
For details on stateful packet inspection, see: Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2, Stateful Inspection Overview
5. Configure the zone-pair and attach the policy-map
zone-pair security zone-pair-name source zone-name destination zone-name
service-policy type inspect policy-map-name
Key configuration
!
interface Ethernet0/0
 ip address 12.1.1.1 255.255.255.0
 zone-member security 1
 ip ospf 1 area 0
!
interface Ethernet0/1
 ip address 13.1.1.1 255.255.255.0
 zone-member security 1
 ip ospf 1 area 0
!
interface Ethernet0/2
 ip address 14.1.1.1 255.255.255.0
 zone-member security 2
 ip ospf 1 area 0
!
interface Ethernet0/3
 ip address 15.1.1.1 255.255.255.0
 zone-member security 2
 ip ospf 1 area 0
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 ip address 16.1.1.1 255.255.255.0
 ip ospf 1 area 0
!
ip access-list extended R4-ping-R2-access-list
 permit ip host 14.1.1.4 host 12.1.1.2
ip access-list extended R5-telnet-R2-access-list
 permit ip host 15.1.1.5 host 12.1.1.2
!
class-map type inspect match-all zone1-to-zone2-telnet-class-map
 match protocol telnet
class-map type inspect match-all zone2-to-zone1-telnet-class-map
 match access-group name R5-telnet-R2-access-list
 match protocol telnet
class-map type inspect match-all zone1-to-zone2-icmp-class-map
 match protocol icmp
class-map type inspect match-all zone2-to-zone1-icmp-class-map
 match access-group name R4-ping-R2-access-list
 match protocol icmp
!
policy-map type inspect zone2-to-zone1-policy-map
 class type inspect zone2-to-zone1-icmp-class-map
  inspect
 class type inspect zone2-to-zone1-telnet-class-map
  inspect
 class class-default
  drop
policy-map type inspect zone1-to-zone2-policy-map
 class type inspect zone1-to-zone2-icmp-class-map
  inspect
 class type inspect zone1-to-zone2-telnet-class-map
  inspect
 class class-default
  drop
!
zone security 1
zone security 2
zone-pair security zone1-to-zone2-zone-pair source 1 destination 2
 service-policy type inspect zone1-to-zone2-policy-map
zone-pair security zone2-to-zone1-zone-pair source 2 destination 1
 service-policy type inspect zone2-to-zone1-policy-map
!
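To check the lab requirements against this configuration before touching the router, the following Python script (an added example, not part of the original post or of any Cisco tool) models how the zone-pair policies above are evaluated, including the session state that inspect creates for return traffic and the one-way nature of pass from the note in step 4. The mapping of /24 prefixes to zones, the host addresses 12.1.1.2 (R2), 13.1.1.3 (R3), 14.1.1.4 (R4), 15.1.1.5 (R5) and the helper names are assumptions of this example.

```python
import ipaddress
# Lab interfaces by /24 prefix (assumed from the config); 16.1.1.0/24 (Ethernet1/1) is in no zone
ZONE_OF_NET = {"12.1.1.0/24": "1", "13.1.1.0/24": "1", "14.1.1.0/24": "2",
               "15.1.1.0/24": "2", "16.1.1.0/24": None}
ACLS = {"R4-ping-R2-access-list": [("14.1.1.4", "12.1.1.2")],
        "R5-telnet-R2-access-list": [("15.1.1.5", "12.1.1.2")]}
# class-map name -> (match-all / match-any, match statements)
CLASS_MAPS = {
    "zone1-to-zone2-telnet-class-map": ("all", [("protocol", "telnet")]),
    "zone1-to-zone2-icmp-class-map": ("all", [("protocol", "icmp")]),
    "zone2-to-zone1-telnet-class-map": ("all", [("access-group", "R5-telnet-R2-access-list"),
                                                ("protocol", "telnet")]),
    "zone2-to-zone1-icmp-class-map": ("all", [("access-group", "R4-ping-R2-access-list"),
                                              ("protocol", "icmp")]),
}
# policy-map name -> ordered (class, action); class-default is checked last
POLICY_MAPS = {
    "zone1-to-zone2-policy-map": [("zone1-to-zone2-icmp-class-map", "inspect"),
        ("zone1-to-zone2-telnet-class-map", "inspect"), ("class-default", "drop")],
    "zone2-to-zone1-policy-map": [("zone2-to-zone1-icmp-class-map", "inspect"),
        ("zone2-to-zone1-telnet-class-map", "inspect"), ("class-default", "drop")],
}
ZONE_PAIRS = {("1", "2"): "zone1-to-zone2-policy-map", ("2", "1"): "zone2-to-zone1-policy-map"}

def zone_of(ip):
    for net, zone in ZONE_OF_NET.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return zone
    raise ValueError(f"no interface for {ip}")

def class_matches(name, src, dst, proto):
    mode, conds = CLASS_MAPS[name]
    hits = [(src, dst) in ACLS[a] if k == "access-group" else proto == a for k, a in conds]
    return all(hits) if mode == "all" else any(hits)

def allow(src, dst, proto, sessions):
    # True if this packet is forwarded; `sessions` holds flows admitted by "inspect"
    if (dst, src, proto) in sessions:  # return traffic of an inspected session
        return True
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:  # same zone (or both zoneless): forwarded without any policy
        return True
    policy = ZONE_PAIRS.get((sz, dz))
    if sz is None or dz is None or policy is None:  # zoneless <-> zone, or no zone-pair
        return False
    for cls, action in POLICY_MAPS[policy]:  # first matching class decides
        if cls == "class-default" or class_matches(cls, src, dst, proto):
            if action == "inspect":  # only inspect opens the return path; pass does not
                sessions.add((src, dst, proto))
            return action in ("inspect", "pass")
    return False
```

Running allow("13.1.1.3", "15.1.1.5", "icmp", s) and then allow("15.1.1.5", "13.1.1.3", "icmp", s) with the same session set shows why R3 can ping R5: the echo reply is only admitted through the inspected session, since no zone2-to-zone1 class matches it on its own.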
For the video walkthrough, see: https://www.youtube.com/watch?v=5vrDeMxQC8E
References
- Zone-Based Policy Firewall Design and Application Guide
- Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2
Updated 12 October 2017