
Create a Zone-Based Policy Firewall

1. Create the Security Zones
     R3(config)# zone security INSIDE
     R3(config)# zone security CONFROOM
     R3(config)# zone security INTERNET

2. Create the Security Policies
     R3(config)# class-map type inspect match-any INSIDE_PROTOCOLS --- class-map name
     R3(config-cmap)# match protocol tcp
     R3(config-cmap)# match protocol udp
     R3(config-cmap)# match protocol icmp

     R3(config)# class-map type inspect match-any CONFROOM_PROTOCOLS --- class-map name
     R3(config-cmap)# match protocol http
     R3(config-cmap)# match protocol https
     R3(config-cmap)# match protocol dns

     R3(config)# policy-map type inspect INSIDE_TO_INTERNET --- policy-map name
     R3(config-pmap)# class type inspect INSIDE_PROTOCOLS
     R3(config-pmap-c)# inspect

     R3(config)# policy-map type inspect CONFROOM_TO_INTERNET --- policy-map name
     R3(config-pmap)# class type inspect CONFROOM_PROTOCOLS
     R3(config-pmap-c)# inspect

3. Create the Zone Pairs
     R3(config)# zone-pair security INSIDE_TO_INTERNET source INSIDE destination INTERNET
     R3(config)# zone-pair security CONFROOM_TO_INTERNET source CONFROOM destination INTERNET

4. Apply the Security Policies to the Zone Pairs
     R3(config)# zone-pair security INSIDE_TO_INTERNET
     R3(config-sec-zone-pair)# service-policy type inspect INSIDE_TO_INTERNET

     R3(config)# zone-pair security CONFROOM_TO_INTERNET
     R3(config-sec-zone-pair)# service-policy type inspect CONFROOM_TO_INTERNET

5. Assign Interfaces to the Proper Security Zones
     R3(config)# interface g0/0
     R3(config-if)# zone-member security CONFROOM

     R3(config)# interface g0/1
     R3(config-if)# zone-member security INSIDE

     R3(config)# interface s0/0/1
     R3(config-if)# zone-member security INTERNET

   Multiple Interfaces under the Same Zone
     R3(config)# policy-map type inspect inside
     R3(config-pmap)# class class-default
     R3(config-pmap-c)# pass

     R3(config)# zone-pair security INSIDE source INSIDE destination INSIDE
     R3(config-sec-zone-pair)# service-policy type inspect inside

   Verify
     R3# show zone-pair security
     R3# show policy-map type inspect zone-pair
     R3# show zone security
#show zone security

zone CONFROOM
  Member Interfaces:
    Ethernet0/0
  
zone INSIDE
  Member Interfaces:
    Ethernet0/1

zone INTERNET
  Member Interfaces:
    Ethernet0/2
#show zone-pair security

Zone-pair name INSIDE_TO_INTERNET
  Source-Zone INSIDE  Destination-Zone INTERNET
  service-policy INSIDE_TO_INTERNET

Zone-pair name CONFROOM_TO_INTERNET
  Source-Zone CONFROOM  Destination-Zone INTERNET
  service-policy CONFROOM_TO_INTERNET

--------------------------------------------------------
#show policy-map type inspect zone-pair
policy exists on zp INSIDE_TO_INTERNET

  Zone-pair: INSIDE_TO_INTERNET

    Service-policy inspect : INSIDE_TO_INTERNET

      Class-map: INSIDE_PROTOCOLS (match-any)
        Match: protocol tcp
        Match: protocol udp
        Match: protocol icmp  

policy exists on zp CONFROOM_TO_INTERNET

  Zone-pair: CONFROOM_TO_INTERNET

    Service-policy inspect : CONFROOM_TO_INTERNET

      Class-map: CONFROOM_PROTOCOLS (match-any)
        Match: protocol http
        Match: protocol https
        Match: protocol dns
--------------------------------------------------------
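As an added check that is not part of the original lab, the Python script below (my own example, not Cisco tooling) parses a constructed running-config fragment equivalent to the steps above and reports wiring gaps that the show commands do not flag on their own: interfaces that belong to no zone (they cannot exchange traffic with any zoned interface), zone-pairs that reference undefined zones, and zone-pairs whose service-policy is missing or names a policy-map that does not exist. The sample config, the interface names and the deliberately unzoned Serial0/0/1 are constructed for the example.

```python
# Constructed sample running-config for the lab above; Serial0/0/1 deliberately has no zone.
SAMPLE_CONFIG = """zone security INSIDE
zone security CONFROOM
zone security INTERNET
policy-map type inspect INSIDE_TO_INTERNET
policy-map type inspect CONFROOM_TO_INTERNET
zone-pair security INSIDE_TO_INTERNET source INSIDE destination INTERNET
 service-policy type inspect INSIDE_TO_INTERNET
zone-pair security CONFROOM_TO_INTERNET source CONFROOM destination INTERNET
 service-policy type inspect CONFROOM_TO_INTERNET
interface GigabitEthernet0/0
 zone-member security CONFROOM
interface GigabitEthernet0/1
 zone-member security INSIDE
interface Serial0/0/1
"""

def parse_zbf(config):
    """Collect zones, inspect policy-maps, zone-pairs and interface zone memberships."""
    zones, pmaps, pairs, ifaces, block = set(), set(), {}, {}, None
    for line in config.splitlines():
        w = line.split()
        if line.startswith(" "):  # IOS indents stanza members by one space
            kind, name = block or (None, None)
            if kind == "zone-pair" and w[:3] == ["service-policy", "type", "inspect"]:
                pairs[name]["policy"] = w[3]
            elif kind == "interface" and w[:2] == ["zone-member", "security"]:
                ifaces[name] = w[2]
            continue
        block = None  # any top-level line ends the previous stanza
        if w[:2] == ["zone", "security"]:
            zones.add(w[2])
        elif w[:3] == ["policy-map", "type", "inspect"]:
            pmaps.add(w[3])
        elif w[:2] == ["zone-pair", "security"] and len(w) == 7:
            pairs[w[2]] = {"src": w[4], "dst": w[6], "policy": None}
            block = ("zone-pair", w[2])
        elif w[:1] == ["interface"]:
            ifaces[w[1]], block = None, ("interface", w[1])
    return zones, pmaps, pairs, ifaces

def audit_zbf(config):  # returns findings; an empty list means everything is wired up
    zones, pmaps, pairs, ifaces = parse_zbf(config)
    bad = [f"zone-pair {n} references an undefined zone" for n, zp in pairs.items()
           if not {zp["src"], zp["dst"]} <= zones | {"self"}]  # "self" is built in
    bad += [f"zone-pair {n} has no valid inspect service-policy" for n, zp in pairs.items()
            if zp["policy"] not in pmaps]
    bad += [f"interface {i} is not a member of any defined zone" for i, z in ifaces.items()
            if z not in zones]
    return bad
```

To use it on a real device, save the output of show running-config to a file and pass its contents to audit_zbf; the parser keys on the one-space indentation IOS uses for stanza members.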
dardan/ccna_security/labs/zone-based_policy_firewall.txt · Last modified: 2019/02/17 13:56 by dardan
