Firewall Types

Uploaded by

raniaelkotby

2018

Implementing Firewall Technologies
For CCNA Security Students
By Eng. Abeer Hosni

1- Established Keyword (Legacy):

Objectives:
Configure filtering on R1 so that only WWW, SSL and Telnet traffic is permitted, and only
when it is sourced from the CLIENT to the SERVER.

Configuration:
CLIENT(config)#int f0/0
CLIENT(config-if)#ip address 192.168.1.100 255.255.255.0
CLIENT(config-if)#no shutdown
CLIENT(config-if)#exit
CLIENT(config)#no ip routing
CLIENT(config)#ip default-gateway 192.168.1.1

SERVER(config)#line vty 0 4
SERVER(config-line)#password 123
SERVER(config-line)#login
SERVER(config-line)#exit
SERVER(config)#ip http server
SERVER(config)#ip http secure-server
SERVER(config)#int f0/1
SERVER(config-if)#ip address 11.0.0.100 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config-if)#exit
SERVER(config)#no ip routing
SERVER(config)#ip default-gateway 11.0.0.1

R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#int f0/1
R1(config-if)#ip address 11.0.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#access-list 100 permit tcp host 11.0.0.100 eq 80 host 192.168.1.100 gt 1023 established
R1(config)#access-list 100 permit tcp host 11.0.0.100 eq 443 host 192.168.1.100 gt 1023 established
R1(config)#access-list 100 permit tcp host 11.0.0.100 eq 23 host 192.168.1.100 gt 1023 established
R1(config)#int f0/1
R1(config-if)#ip access-group 100 in

Verification:
The "established" keyword matches only TCP segments that belong to an already
established connection, i.e. segments with the Acknowledgment (ACK) or Reset (RST)
bit set. Because the first segment of a connection (the SYN) carries neither bit,
an ACL entry with "established" passes the return traffic of connections that originated
from your network while blocking connections initiated from the external network.
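To make the per-packet semantics of the three ACEs above concrete, here is an added Python model (not part of the original document) that parses ACL 100 exactly as written and applies it the way R1 does: inbound on f0/1 only, with the implicit deny at the end. The Packet class, the helper names and the interface labels are assumptions for the illustration; note that the established check looks only at the ACK/RST bits of each packet and the router keeps no session state, which is what the reflexive and CBAC sections later improve on.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"ACK"}

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_port: Optional[tuple]       # ("eq", 80), ("gt", 1023) or None
    dst: str
    dst_port: Optional[tuple]
    established: bool

def parse_ace(line: str) -> Ace:
    """Parse the ACE form used on the page:
    access-list N permit|deny tcp host A [eq|gt|lt p] host B [eq|gt|lt p] [established]"""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line")
    action, proto, i = tok[2], tok[3], 4

    def addr_and_port():
        nonlocal i
        if tok[i] != "host":        # the page only uses 'host' addresses
            raise ValueError("only 'host' addresses are modelled")
        addr, i = tok[i + 1], i + 2
        port = None
        if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
            port, i = (tok[i], int(tok[i + 1])), i + 2
        return addr, port

    src, sp = addr_and_port()
    dst, dp = addr_and_port()
    return Ace(action, proto, src, sp, dst, dp, i < len(tok) and tok[i] == "established")

def port_ok(cond, port: int) -> bool:
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in (pkt.proto, "ip"):
        return False
    if (ace.src, ace.dst) != (pkt.src, pkt.dst):
        return False
    if not (port_ok(ace.src_port, pkt.sport) and port_ok(ace.dst_port, pkt.dport)):
        return False
    # 'established' is a per-packet check: ACK or RST bit set, nothing more.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True

def acl_verdict(acl, pkt: Packet) -> str:
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL

# The three ACEs from the page, parsed.
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 permit tcp host 11.0.0.100 eq 80 host 192.168.1.100 gt 1023 established",
    "access-list 100 permit tcp host 11.0.0.100 eq 443 host 192.168.1.100 gt 1023 established",
    "access-list 100 permit tcp host 11.0.0.100 eq 23 host 192.168.1.100 gt 1023 established",
)]

def r1_forwards(pkt: Packet, ingress: str) -> bool:
    """ACL 100 is applied 'in' on f0/1 only, so traffic arriving on f0/0 (from CLIENT)
    is never filtered; only packets arriving from the SERVER side are checked."""
    if ingress == "f0/1":
        return acl_verdict(ACL_100, pkt) == "permit"
    return True
```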

CLIENT#ping 11.0.0.100 (Ping is not allowed)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

CLIENT#telnet 11.0.0.100 (Telnet is allowed)
Trying 11.0.0.100 ... Open

CLIENT#telnet 11.0.0.100 80 (HTTP is allowed)
Trying 11.0.0.100, 80 ... Open

CLIENT#telnet 11.0.0.100 443 (HTTPS is allowed)
Trying 11.0.0.100, 443 ... Open

Let's try another application, SMTP on port 25, which has no matching entry:

CLIENT#telnet 11.0.0.100 25
Trying 11.0.0.100, 25 ...
% Connection timed out; remote host not responding

All traffic initiated from the SERVER is denied:

SERVER#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

SERVER#telnet 192.168.1.100
Trying 192.168.1.100 ...
% Destination unreachable; gateway or host down

SERVER#telnet 192.168.1.100 80
Trying 192.168.1.100, 80 ...
% Destination unreachable; gateway or host down

SERVER#telnet 192.168.1.100 443
Trying 192.168.1.100, 443 ...
% Destination unreachable; gateway or host down

The "% Destination unreachable; gateway or host down" message on the SERVER is caused by
the ICMP unreachable that R1 sends back when the ACL drops the packet, so it tells the
sender that a filtering device sits on the path. To suppress this message, so that an
attacker learns nothing from it and the router does not spend CPU generating
unreachables, run the following command:

R1(config)#int f0/1
R1(config-if)#no ip unreachables

SERVER#telnet 192.168.1.100
Trying 192.168.1.100 ...
% Connection timed out; remote host not responding

R1#show access-list
Extended IP access list 100
10 permit tcp host 11.0.0.100 eq www host 192.168.1.100 gt 1023 established (5 matches)
20 permit tcp host 11.0.0.100 eq 443 host 192.168.1.100 gt 1023 established (3 matches)
30 permit tcp host 11.0.0.100 eq telnet host 192.168.1.100 gt 1023 established (16 matches)

2- Time-based ACL (Legacy):

Objectives:
Configure filtering on R1 so that the CLIENT can telnet to the SERVER on work hours
only, from 9 AM to 5 PM.

Configuration:
CLIENT(config)#int f0/0
CLIENT(config-if)#ip address 192.168.1.100 255.255.255.0
CLIENT(config-if)#no shutdown
CLIENT(config-if)#exit
CLIENT(config)#no ip routing
CLIENT(config)#ip default-gateway 192.168.1.1

SERVER(config)#line vty 0 4
SERVER(config-line)#password 123
SERVER(config-line)#login
SERVER(config-line)#exit
SERVER(config)#int f0/1
SERVER(config-if)#ip address 11.0.0.100 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config-if)#exit
SERVER(config)#no ip routing
SERVER(config)#ip default-gateway 11.0.0.1
R1#clock set 3:9:00 2 feb 2016
R1#config t
R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#int f0/1
R1(config-if)#ip address 11.0.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#time-range WORK_HOURS
R1(config-time-range)#periodic weekdays 9:00 to 17:00
R1(config-time-range)#exit
R1(config)#access-list 100 permit tcp host 192.168.1.100 host 11.0.0.100 eq 23 time-range WORK_HOURS
R1(config)#int f0/0
R1(config-if)#ip access-group 100 in

Verification:
A time-based ACL activates an entry according to the router clock. The time range can be
absolute or periodic.
R1#show clock
03:18:31.351 UTC Tue Feb 2 2016

R1#show time-range
time-range entry: WORK_HOURS (inactive)
periodic weekdays 9:00 to 17:00
used in: IP ACL entry

CLIENT#telnet 11.0.0.100
Trying 11.0.0.100 ...
% Destination unreachable; gateway or host down

If we change the time on the router to match the time range:

R1#clock set 10:30:00 2 feb 2016
R1#show clock
10:30:10.839 UTC Tue Feb 2 2016
R1#show time-range
time-range entry: WORK_HOURS (active)
periodic weekdays 9:00 to 17:00
used in: IP ACL entry

CLIENT#telnet 11.0.0.100
Trying 11.0.0.100 ... Open

R1#show access-list
Extended IP access list 100
10 permit tcp host 192.168.1.100 host 11.0.0.100 eq telnet time-range WORK_HOURS (active) (14 matches)

3- Dynamic ACL (Lock and Key) (Legacy):

Objectives:
Configure dynamic ACL on R1 so that CLIENT1 or CLIENT2 can open TCP sessions on
SERVER based on authentication.

Configuration:
CLIENT1(config)#int f0/0
CLIENT1(config-if)#ip address 192.168.1.100 255.255.255.0
CLIENT1(config-if)#no shutdown
CLIENT1(config-if)#exit
CLIENT1(config)#no ip routing
CLIENT1(config)#ip default-gateway 192.168.1.1

CLIENT2(config)#int f0/0
CLIENT2(config-if)#ip address 192.168.1.101 255.255.255.0
CLIENT2(config-if)#no shutdown
CLIENT2(config-if)#exit
CLIENT2(config)#no ip routing
CLIENT2(config)#ip default-gateway 192.168.1.1

SERVER(config)#int f0/1
SERVER(config-if)#ip address 11.0.0.100 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config-if)#exit
SERVER(config)#no ip routing
SERVER(config)#ip default-gateway 11.0.0.1
SERVER(config)#line vty 0 4
SERVER(config-line)#password 123
SERVER(config-line)#login

R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#int f0/1
R1(config-if)#ip address 11.0.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#line vty 0 4
R1(config-line)#password 123
R1(config-line)#login
R1(config-line)#exit
R1(config)#enable secret 456
R1(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 23
R1(config)#access-list 100 dynamic ALLOW_TO_SERVER permit tcp 192.168.1.0 0.0.0.255 host 11.0.0.100
R1(config)#int f0/0
R1(config-if)#ip access-group 100 in

Verification:
A dynamic ACL opens a hole in the ACL after the user authenticates to the router. It is
considered a legacy technology because it has been replaced by Easy VPN and SSL VPN.
CLIENT1#telnet 11.0.0.100
Trying 11.0.0.100 ...
% Destination unreachable; gateway or host down

CLIENT1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
R1>ena (Physically on CLIENT1)
Password:
R1#access-enable (Physically on CLIENT1)
R1#exit (Physically on CLIENT1)
[Connection to 192.168.1.1 closed by foreign host]

CLIENT1#telnet 11.0.0.100
Trying 11.0.0.100 ... Open

R1#show access-lists
Extended IP access list 100
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet (165 matches)
20 Dynamic ALLOW_TO_SERVER permit tcp 192.168.1.0 0.0.0.255 host 11.0.0.100
permit tcp 192.168.1.0 0.0.0.255 host 11.0.0.100 (10 matches)

- The problem now is that the dynamic entry created on the router allows the entire
192.168.1.0/24 network, not only the authenticated host, to access the SERVER:

CLIENT2#telnet 11.0.0.100
Trying 11.0.0.100 ... Open

R1#clear access-template 100 ALLOW_TO_SERVER 192.168.1.0 0.0.0.255 host 11.0.0.100

R1#show access-list
Extended IP access list 100
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
20 Dynamic ALLOW_TO_SERVER permit tcp 192.168.1.0 0.0.0.255 host 11.0.0.100

CLIENT1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
R1>ena
Password:
R1#access-enable host
R1#exit
[Connection to 192.168.1.1 closed by foreign host]
CLIENT1#telnet 11.0.0.100
Trying 11.0.0.100 ... Open

CLIENT2#telnet 11.0.0.100
Trying 11.0.0.100 ...
% Destination unreachable; gateway or host down

R1#show access-list
Extended IP access list 100
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet (180 matches)
20 Dynamic ALLOW_TO_SERVER permit tcp 192.168.1.0 0.0.0.255 host 11.0.0.100
permit tcp host 192.168.1.100 host 11.0.0.100 (9 matches)

Notice that only host 192.168.1.100 is now permitted to access host 11.0.0.100.

- Another problem arises now: the dynamic entry never ages out. There are two solutions
for this problem:
1- Configure the access-enable command with the timeout option.

R1#clear access-template 100 ALLOW_TO_SERVER host 192.168.1.100 host 11.0.0.100

CLIENT1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
R1>ena
Password:
R1#access-enable host timeout 30 (In minutes)
R1#exit
CLIENT1#telnet 11.0.0.100
Trying 11.0.0.100 ... Open

R1#show access-list
Extended IP access list 100
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet (1365 matches)
20 Dynamic ALLOW_TO_SERVER permit tcp 192.168.1.0 0.0.0.255 host 11.0.0.100
permit tcp host 192.168.1.100 host 11.0.0.100 (8 matches) (time left 1772)
Note: the timer starts just after starting the connection to the SERVER. This is an
absolute timeout.
2- Configure the timeout while creating the dynamic ACL statement.

R1(config)#no access-list 100
R1(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 23
R1(config)#access-list 100 dynamic ALLOW_TO_SERVER timeout 30 permit tcp 192.168.1.0 0.0.0.255 host 11.0.0.100 (In minutes)

CLIENT1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
R1>ena
Password:
R1#access-enable host
R1#exit
CLIENT1#telnet 11.0.0.100
Trying 11.0.0.100 ... Open

R1#show access-list
Extended IP access list 100
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet (636 matches)
20 Dynamic ALLOW_TO_SERVER permit tcp 192.168.1.0 0.0.0.255 host 11.0.0.100
permit tcp host 192.168.1.100 host 11.0.0.100 (18 matches)

Note: This is an idle timeout.

- Another problem is that the user has to enter enable mode on router R1 to run
access-enable, which is a security problem. This can be solved in two ways:
1- Use the autocommand under the vty lines so that it applies to all users:
R1(config)#line vty 0 4
R1(config-line)#autocommand access-enable host

CLIENT1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
[Connection to 192.168.1.1 closed by foreign host]

R1#show access-list
Extended IP access list 100
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet (678 matches)
20 Dynamic ALLOW_TO_SERVER permit tcp 192.168.1.0 0.0.0.255 host 11.0.0.100
permit tcp host 192.168.1.100 host 11.0.0.100

2- Configure an account for the user with the autocommand option:

R1#clear access-template 100 ALLOW_TO_SERVER host 192.168.1.100 host 11.0.0.100
R1(config)#username abeer autocommand access-enable host
R1(config)#username abeer password 123
R1(config)#line vty 0 4
R1(config-line)#no login
R1(config-line)#no password
R1(config-line)#login local

CLIENT1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Username: abeer
Password:
[Connection to 192.168.1.1 closed by foreign host]

R1#show access-list
Extended IP access list 100
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet (744 matches)
20 Dynamic ALLOW_TO_SERVER permit tcp 192.168.1.0 0.0.0.255 host 11.0.0.100
permit tcp host 192.168.1.100 host 11.0.0.100

Hint:
Be very careful when using the autocommand command, as it offers no help. If you type
the option "access-enable host" in the wrong format, you will simply be logged out of
the router without any hole being opened in the dynamic ACL.

4- Reflexive ACL (Legacy):

Objectives:
Configure Reflexive ACL on R1 so that it allows all traffic sourced from the CLIENT to the
SERVER, not vice versa.

Configuration:
CLIENT(config)#int f0/0
CLIENT(config-if)#ip address 192.168.1.100 255.255.255.0
CLIENT(config-if)#no shutdown
CLIENT(config-if)#exit
CLIENT(config)#no ip routing
CLIENT(config)#ip default-gateway 192.168.1.1

SERVER(config)#line vty 0 4
SERVER(config-line)#password 123
SERVER(config-line)#login
SERVER(config-line)#exit
SERVER(config)#ip http server
SERVER(config)#ip http secure-server
SERVER(config)#int f0/1
SERVER(config-if)#ip address 11.0.0.100 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config-if)#exit
SERVER(config)#no ip routing
SERVER(config)#ip default-gateway 11.0.0.1

R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#int f0/1
R1(config-if)#ip address 11.0.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip access-list extended IN_TO_OUT
R1(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any reflect STATE_TABLE
R1(config-ext-nacl)#permit udp 192.168.1.0 0.0.0.255 any reflect STATE_TABLE
R1(config-ext-nacl)#permit icmp 192.168.1.0 0.0.0.255 any reflect STATE_TABLE
R1(config-ext-nacl)#exit
R1(config)#ip access-list extended OUT_TO_IN
R1(config-ext-nacl)#evaluate STATE_TABLE
R1(config-ext-nacl)#exit
R1(config)#int f0/1
R1(config-if)#ip access-group IN_TO_OUT out
R1(config-if)#ip access-group OUT_TO_IN in

Verification:
A reflexive ACL is better than the "established" keyword, but it still does not inspect
the application layer. The outbound ACL creates a mirrored entry in a state table; the
inbound ACL evaluates that state table.
Its limitation is that it does not work well with applications such as VoIP, active FTP
and traceroute, because in these applications the return traffic is not a mirror image of
the outbound flow (the server replies from a different port or protocol, or opens its own
connection). It also causes problems for AH and ESP VPN connections.

SERVER#telnet 192.168.1.100
Trying 192.168.1.100 ...
% Destination unreachable; gateway or host down

SERVER#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

CLIENT#telnet 11.0.0.100
Trying 11.0.0.100 ... Open

CLIENT#telnet 11.0.0.100 80
Trying 11.0.0.100, 80 ... Open

CLIENT#telnet 11.0.0.100 443
Trying 11.0.0.100, 443 ... Open

CLIENT#ping 11.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/36 ms

R1#show access-list
Extended IP access list IN_TO_OUT
10 permit tcp 192.168.1.0 0.0.0.255 any reflect STATE_TABLE (73 matches)
20 permit udp 192.168.1.0 0.0.0.255 any reflect STATE_TABLE
30 permit icmp 192.168.1.0 0.0.0.255 any reflect STATE_TABLE (11 matches)
Extended IP access list OUT_TO_IN
10 evaluate STATE_TABLE
Reflexive IP access list STATE_TABLE
permit icmp host 11.0.0.100 host 192.168.1.100 (20 matches) (time left 297)

- Reflexive ACL has limitations with traceroute:

CLIENT#trace 11.0.0.100
Type escape sequence to abort.
Tracing the route to 11.0.0.100
1 192.168.1.1 16 msec 24 msec 8 msec
2 * * *
<Output omitted>

To allow traceroute, we have to edit the ACL as follows:

R1(config)#ip access-list extended OUT_TO_IN
R1(config-ext-nacl)#1 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
OR
R1(config-ext-nacl)#1 permit icmp any 192.168.1.0 0.0.0.255 ttl-exceeded
R1(config-ext-nacl)#2 permit icmp any 192.168.1.0 0.0.0.255 port-unreachable

CLIENT#traceroute 11.0.0.100
Type escape sequence to abort.
Tracing the route to 11.0.0.100

1 192.168.1.1 68 msec 72 msec 32 msec
2 11.0.0.100 36 msec 44 msec 24 msec

R1#show access-list
Extended IP access list IN_TO_OUT
10 permit tcp 192.168.1.0 0.0.0.255 any reflect STATE_TABLE (73 matches)
20 permit udp 192.168.1.0 0.0.0.255 any reflect STATE_TABLE (329 matches)
30 permit icmp 192.168.1.0 0.0.0.255 any reflect STATE_TABLE (11 matches)
Extended IP access list OUT_TO_IN
1 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
2 permit icmp any 192.168.1.0 0.0.0.255 port-unreachable (6 matches)
10 evaluate STATE_TABLE
Reflexive IP access list STATE_TABLE
permit udp host 11.0.0.100 eq 33439 host 192.168.1.100 eq 49282 (1 match) (time left 295)
permit udp host 11.0.0.100 eq 33438 host 192.168.1.100 eq 49281 (1 match) (time left 295)
permit udp host 11.0.0.100 eq 33437 host 192.168.1.100 eq 49280 (1 match) (time left 295)
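The state-table behaviour described in this section, including why the traceroute probes above fail and how the static ICMP entries inserted before "evaluate" fix it, as an added Python model (not the document's own code). The 300-second default, the IN_TO_OUT/OUT_TO_IN semantics and the 33437/49280 probe ports come from the page; the class and helper names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional

DEFAULT_TIMEOUT = 300  # seconds; the page changes it with 'ip reflexive-list timeout'

@dataclass(frozen=True)
class Flow:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None  # e.g. "echo", "port-unreachable"

    def key(self) -> "Flow":
        # Reflexive icmp entries carry no type ('permit icmp host A host B'),
        # so icmp flows are normalised before any table lookup.
        return replace(self, icmp_type=None) if self.proto == "icmp" else self

    def mirror(self) -> "Flow":
        # The entry written to STATE_TABLE: addresses and ports swapped.
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport).key()

class ReflexiveFirewall:
    """Models IN_TO_OUT ('permit tcp|udp|icmp 192.168.1.0/24 any reflect STATE_TABLE',
    applied out on f0/1) and OUT_TO_IN ('evaluate STATE_TABLE', applied in on f0/1)."""

    def __init__(self, inside_prefix: str = "192.168.1.", timeout: int = DEFAULT_TIMEOUT):
        self.inside_prefix = inside_prefix
        self.timeout = timeout
        self.state_table: Dict[Flow, float] = {}           # mirrored flow -> expiry time
        self.static_in: List[Callable[[Flow], bool]] = []  # ACEs numbered before 'evaluate'

    def outbound(self, flow: Flow, now: float) -> str:
        if flow.proto in ("tcp", "udp", "icmp") and flow.src.startswith(self.inside_prefix):
            self.state_table[flow.mirror()] = now + self.timeout
            return "permit"
        return "deny"  # implicit deny: the LAN may only send tcp/udp/icmp

    def inbound(self, flow: Flow, now: float) -> str:
        for ace in self.static_in:                 # entries 1, 2 ... come before 10 evaluate
            if ace(flow):
                return "permit"
        expiry = self.state_table.get(flow.key())
        if expiry is not None and now < expiry:
            self.state_table[flow.key()] = now + self.timeout  # matching traffic refreshes the entry
            return "permit"
        return "deny"  # no static entry and no live reflexive entry: implicit deny

    def permit_icmp_type_to_lan(self, icmp_type: str) -> None:
        """Adds 'permit icmp any 192.168.1.0 0.0.0.255 <icmp_type>' ahead of 'evaluate'."""
        self.static_in.append(lambda f: f.proto == "icmp" and f.icmp_type == icmp_type
                              and f.dst.startswith(self.inside_prefix))

def traceroute_reply_verdict(fw: ReflexiveFirewall, now: float = 0) -> str:
    """CLIENT's UDP probe to 11.0.0.100:33437 mirrors as udp 11.0.0.100:33437 -> 192.168.1.100:49280,
    but the server answers with an ICMP port-unreachable, which that udp entry cannot match."""
    probe = Flow("udp", "192.168.1.100", "11.0.0.100", 49280, 33437)
    fw.outbound(probe, now)
    reply = Flow("icmp", "11.0.0.100", "192.168.1.100", icmp_type="port-unreachable")
    return fw.inbound(reply, now + 1)
```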

- Local traffic (generated by the router itself) is not classified by the outbound ACL:

R1#ping 11.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#traceroute 11.0.0.100
Type escape sequence to abort.
Tracing the route to 11.0.0.100
1 * * *
<Output omitted>
- Router-generated (local) traffic can be allowed in two ways:
1- Explicitly permit entries in the inbound ACL:
R1(config)#ip access-list extended OUT_TO_IN
R1(config-ext-nacl)#permit ip any host 11.0.0.1
R1(config-ext-nacl)#do ping 11.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/20/24 ms
2- Local policy based routing:
R1(config)#int loop 1
R1(config-if)#ip address 1.1.1.1 255.255.255.255
R1(config-if)#exit
R1(config)#route-map LOCAL_POLICY
R1(config-route-map)#set interface loopback 1
R1(config-route-map)#exit
R1(config)#ip local policy route-map LOCAL_POLICY
R1#debug ip policy
R1#ping 11.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/20/24 ms

Hint:
The default timeout for entries in a reflexive ACL is 300 seconds. To change the default,
run the following command (the value is in seconds):

R1(config)#ip reflexive-list timeout 600

5- TCP Intercept:
- Mitigates half-open ("embryonic") TCP sessions, the symptom of a SYN flood.
- TCP Intercept tries to prevent this in two ways:
- Intercept mode (less common): the router acts as a proxy for all connections and only
connects to the server after the client's 3-way handshake completes.
- Watch mode: the router passively monitors session establishment and sends a TCP RST if
the 3-way handshake does not complete in time.

R(config)#ip tcp intercept mode <intercept|watch>
R(config)#ip tcp intercept watch-timeout [time in seconds]
R(config)#ip tcp intercept list 110 (must be an extended ACL)
R(config)#ip tcp intercept drop-mode <oldest|random>

- By default, once 1100 incomplete sessions exist, the router starts dropping them.

To verify:
R#show tcp intercept connections
R#show tcp intercept statistics
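An added Python model (not from the original document) of watch mode with the watch-timeout, drop-mode and the 1100 incomplete-session threshold listed above, run against a constructed burst of SYNs. The set of protected servers stands in for the extended ACL referenced by "ip tcp intercept list"; the 900 low-water mark and the halving of the timeout while in aggressive mode are IOS defaults taken from Cisco's documentation rather than from this page, and the method names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
import random

@dataclass
class HalfOpen:
    client: tuple          # (ip, port) that sent the SYN
    server: tuple          # (ip, port) it was sent to
    started: float         # seconds, when the SYN was seen

class TcpInterceptWatch:
    """Constructed model of 'ip tcp intercept mode watch'. The router does not proxy the
    handshake; it remembers SYNs to protected servers and resets sessions that never
    complete within watch-timeout."""

    def __init__(self, protected_servers, watch_timeout=30, max_incomplete_high=1100,
                 max_incomplete_low=900, drop_mode="oldest", seed=0):
        self.protected = set(protected_servers)   # stands in for the 'intercept list' ACL
        self.watch_timeout = watch_timeout
        self.high, self.low = max_incomplete_high, max_incomplete_low  # low: IOS default, assumed
        self.drop_mode = drop_mode                # "oldest" or "random"
        self.rng = random.Random(seed)            # seeded so 'random' drops are reproducible
        self.half_open: dict = {}                 # insertion order == age order
        self.resets_sent: list = []
        self.aggressive = False

    def on_syn(self, client, server, now):
        """A SYN toward a protected server opens an embryonic entry. Above the high-water
        mark the router turns aggressive and drops one existing entry per new SYN."""
        if server[0] not in self.protected:
            return "not-intercepted"
        self.half_open[(client, server)] = HalfOpen(client, server, now)
        if len(self.half_open) > self.high:
            self.aggressive = True
        if self.aggressive and len(self.half_open) > self.high:
            self._drop_one()
        return "watched"

    def on_handshake_complete(self, client, server):
        """Final ACK seen: the session is established, stop tracking it."""
        return self.half_open.pop((client, server), None) is not None

    def tick(self, now):
        """Expire embryonic sessions: a RST is sent for each one older than watch-timeout
        (halved while aggressive). Returns the number of resets sent this tick."""
        limit = self.watch_timeout / 2 if self.aggressive else self.watch_timeout
        expired = [k for k, h in self.half_open.items() if now - h.started >= limit]
        for k in expired:
            del self.half_open[k]
            self.resets_sent.append(k)
        if len(self.half_open) < self.low:
            self.aggressive = False               # back below the low-water mark
        return len(expired)

    def _drop_one(self):
        key = (next(iter(self.half_open)) if self.drop_mode == "oldest"
               else self.rng.choice(list(self.half_open)))
        del self.half_open[key]
        self.resets_sent.append(key)
```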
6- CBAC (Context-Based Access Control): (Stateful ACL)

Objectives:
Configure R1 to inspect all TCP, UDP and ICMP sourced from the LAN network to the
SERVER.

Configuration:
CLIENT(config)#int f0/0
CLIENT(config-if)#ip address 192.168.1.100 255.255.255.0
CLIENT(config-if)#no shutdown
CLIENT(config-if)#exit
CLIENT(config)#no ip routing
CLIENT(config)#ip default-gateway 192.168.1.1

SERVER(config)#line vty 0 4
SERVER(config-line)#password 123
SERVER(config-line)#login
SERVER(config-line)#exit
SERVER(config)#ip http server
SERVER(config)#ip http secure-server
SERVER(config)#int f0/1
SERVER(config-if)#ip address 11.0.0.100 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config-if)#exit
SERVER(config)#no ip routing
SERVER(config)#ip default-gateway 11.0.0.1

R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#int f1/0
R1(config-if)#ip address 11.0.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any
R1(config)#access-list 101 deny tcp any any
R1(config)#access-list 101 deny udp any any
R1(config)#access-list 101 deny icmp any any
R1(config)#int f1/0
R1(config-if)#ip access-group 100 out
R1(config-if)#ip access-group 101 in

Now all traffic from CLIENT to SERVER fails, because the return traffic is denied by ACL 101 on the inbound direction.
CLIENT#ping 11.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

We will configure the inspection rules:

R1(config)#ip inspect name PERMIT tcp
R1(config)#ip inspect name PERMIT udp
R1(config)#ip inspect name PERMIT icmp
R1(config)#int f1/0
R1(config-if)#ip inspect PERMIT out

All traffic should be permitted now from LAN to WAN, not vice versa.

CLIENT#ping 11.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/65/228 ms
CLIENT#telnet 11.0.0.100
Trying 11.0.0.100 ... Open

CLIENT#telnet 11.0.0.100 80
Trying 11.0.0.100, 80 ... Open

CLIENT#telnet 11.0.0.100 443
Trying 11.0.0.100, 443 ... Open

SERVER#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

SERVER#telnet 192.168.1.100
Trying 192.168.1.100 ...
% Destination unreachable; gateway or host down

To verify:
R1#show ip inspect sessions
Established Sessions
Session 69CD4118 (192.168.1.100:8)=>(11.0.0.100:0) icmp SIS_OPEN

R1#show ip inspect name PERMIT
Inspection name PERMIT
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10

R1#show ip inspect interfaces
Interface Configuration
Interface FastEthernet1/0
Inbound inspection rule is not set
Outgoing inspection rule is PERMIT
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10
Inbound access list is 101
Outgoing access list is 100
7- ZBF (Zone-Based Policy Firewall): (Stateful ACL)

Objectives:
Configure the FW router to inspect all TCP, UDP and ICMP sourced from the INSIDE
network to the OUTSIDE.
Configure the FW router to inspect all TCP, UDP and ICMP sourced from the OUTSIDE
network to the DMZ.

Configuration:
CLIENT(config)#int f0/0
CLIENT(config-if)#ip address 192.168.1.100 255.255.255.0
CLIENT(config-if)#no shutdown
CLIENT(config-if)#exit
CLIENT(config)#no ip routing
CLIENT(config)#ip default-gateway 192.168.1.1

FW(config)#int f0/0
FW(config-if)#ip address 192.168.1.1 255.255.255.0
FW(config-if)#no shutdown
FW(config-if)#int f1/0
FW(config-if)#ip address 11.0.0.1 255.255.255.0
FW(config-if)#no shutdown
FW(config-if)#int f1/1
FW(config-if)#ip address 12.0.0.1 255.255.255.0
FW(config-if)#no shutdown
WAN_SERVER(config)#int f1/0
WAN_SERVER(config-if)#ip address 11.0.0.100 255.255.255.0
WAN_SERVER(config-if)#no shutdown
WAN_SERVER(config-if)#exit
WAN_SERVER(config)#no ip routing
WAN_SERVER(config)#ip default-gateway 11.0.0.1
WAN_SERVER(config)#ip http server
WAN_SERVER(config)#ip http secure-server
WAN_SERVER(config)#line vty 0 4
WAN_SERVER(config-line)#no login

DMZ_SERVER(config)#int f1/1
DMZ_SERVER(config-if)#ip address 12.0.0.100 255.255.255.0
DMZ_SERVER(config-if)#no shutdown
DMZ_SERVER(config-if)#exit
DMZ_SERVER(config)#no ip routing
DMZ_SERVER(config)#ip default-gateway 12.0.0.1
DMZ_SERVER(config)#ip http server
DMZ_SERVER(config)#ip http secure-server
DMZ_SERVER(config)#line vty 0 4
DMZ_SERVER(config-line)#no login

1- Define the zones:

FW(config)#zone security INSIDE
FW(config-sec-zone)#exit
FW(config)#zone security OUTSIDE
FW(config-sec-zone)#exit
FW(config)#zone security DMZ
FW(config-sec-zone)#exit

2- Classify the traffic:

FW(config)#class-map type inspect TCP
FW(config-cmap)#match protocol tcp
FW(config-cmap)#exit
FW(config)#class-map type inspect UDP
FW(config-cmap)#match protocol udp
FW(config-cmap)#exit
FW(config)#class-map type inspect ICMP
FW(config-cmap)#match protocol icmp

3- Define the inspection policy:

FW(config)#policy-map type inspect IN_TO_OUT
FW(config-pmap)#class TCP
FW(config-pmap-c)#inspect
FW(config-pmap-c)#exit
FW(config-pmap)#class UDP
FW(config-pmap-c)#inspect
FW(config-pmap-c)#exit
FW(config-pmap)#class ICMP
FW(config-pmap-c)#inspect

4- Associate the zones and apply the policy:

FW(config)#zone-pair security IN_TO_OUT_PAIR source INSIDE destination OUTSIDE
FW(config-sec-zone-pair)#service-policy type inspect IN_TO_OUT

5- Apply the zones to the interfaces:

FW(config)#int f0/0
FW(config-if)#zone-member security INSIDE
FW(config-if)#int f1/0
FW(config-if)#zone-member security OUTSIDE
FW(config-if)#int f1/1
FW(config-if)#zone-member security DMZ

- To create another zone pair between the OUTSIDE and the DMZ, reusing the same policy:
FW(config)#zone-pair security OUT_TO_DMZ_PAIR source OUTSIDE destination DMZ
FW(config-sec-zone-pair)#service-policy type inspect IN_TO_OUT

Test:
CLIENT#ping 11.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/40/52 ms

CLIENT#telnet 11.0.0.100
Trying 11.0.0.100 ... Open

CLIENT#telnet 11.0.0.100 80
Trying 11.0.0.100, 80 ... Open

CLIENT#telnet 11.0.0.100 443
Trying 11.0.0.100, 443 ... Open

CLIENT#ping 12.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.0.0.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

WAN_SERVER#ping 12.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

WAN_SERVER#telnet 12.0.0.100
Trying 12.0.0.100 ... Open

DMZ_SERVER#ping 11.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

To verify:
CLIENT#ping 11.0.0.100 repeat 10000
FW#show policy-map type inspect zone-pair sessions
<Output omitted>
Number of Established Sessions = 1
Established Sessions
Session 69CD56A0 (192.168.1.100:8)=>(11.0.0.100:0) icmp SIS_OPEN
Created 00:00:04, Last heard 00:00:00
ECHO request
Bytes sent (initiator:responder) [8424:8352]
<Output omitted>

Note:
- Traffic to and from the router itself is permitted by default, because it belongs to the
default zone, the self zone.
- When an ACL and a zone-pair policy both apply to an interface, the ACL is processed first.

Best wishes
Abeer
