
Zone-Based Policy Firewall (ZBF) Configuration Template

26 March 2015

A template for configuring ZBF on Cisco routers.

First we describe the protocols and subnets we need with ACLs; the class maps below reference them by name or number.

! Common protocols
ip access-list extended IP
 permit ip any any
ip access-list extended HTTPS
 permit tcp any any eq 443
ip access-list extended SSH
 permit tcp any any eq 22
ip access-list extended TRACEROUTE
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded

! Protocols for IPsec tunnels
ip access-list extended AH
 permit ahp any any
ip access-list extended ESP
 permit esp any any
ip access-list extended GRE
 permit gre any any

! Our own subnet (replace XXX.XXX.XXX.0 with the company prefix)
ip access-list extended Company-AS
 permit ip XXX.XXX.XXX.0 0.0.0.255 any

! Source addresses that are never valid (used by the INVALID-SRC class)
access-list 100 remark INVALID-SRC
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
!
! IPsec tunnel peers, one entry per remote peer, for example:
access-list 102 remark IPSec Tunnels
! access-list 102 permit ip host <remote peer IP> host <router external IP>

Next we describe the class maps we need.

class-map type inspect match-all INVALID-SRC
 match access-group 100
!
! Class matching all IP traffic (referenced by PERMIT-IP-POLICY below)
class-map type inspect match-any IP
 match access-group name IP
!
! Classes for remote access over SSH
class-map type inspect match-any SSH
 match access-group name SSH
!
! Classes for PING and TRACEROUTE
class-map type inspect match-any ICMP
 match protocol icmp
class-map type inspect match-any TRACEROUTE
 match access-group name TRACEROUTE
!
! Classes for remote access over HTTPS (for CCP), restricted to our own subnet
class-map type inspect match-any HTTPS
 match access-group name HTTPS
class-map type inspect match-any RemoteControl
 match access-group name Company-AS
class-map type inspect match-all RemoteControl-HTTPS
 match class-map HTTPS
 match class-map RemoteControl
!
! Class for PPTP connections
class-map type inspect match-any PPTP
 match protocol pptp
!
! Classes for the VPN tunnels between offices
class-map type inspect match-any AH
 match access-group name AH
class-map type inspect match-any GRE
 match access-group name GRE
class-map type inspect match-any ESP
 match access-group name ESP
class-map type inspect match-any DMVPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map AH
 match class-map GRE
 match class-map ESP
class-map type inspect match-all DMVPN&ACL
 match access-group 102
 match class-map DMVPN_TRAFFIC
!
! Traffic that should be inspected statefully
class-map type inspect match-any INSPECT-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp

Create the access policies. Classes inside a policy are evaluated top-down and the first match wins, so INVALID-SRC must be listed before INSPECT-TRAFFIC. Note that the SSH class matches any source address; if management access should only be possible from your own subnet, combine SSH with RemoteControl in a match-all class, as RemoteControl-HTTPS does for HTTPS.

policy-map type inspect PERMIT-IP-POLICY
 class type inspect IP
  pass
 class class-default
  drop log
policy-map type inspect INSPECT-TO-OUT-POLICY
 class type inspect INVALID-SRC
  drop log
 class type inspect INSPECT-TRAFFIC
  inspect
 class type inspect GRE
  pass
 class class-default
  drop log
policy-map type inspect PERMIT-GRE-POLICY
 class type inspect GRE
  pass
 class class-default
  drop log
policy-map type inspect OUT-IN-POLICY
 class type inspect GRE
  pass
 class class-default
  drop log
policy-map type inspect OUT-SELF-POLICY
 class type inspect DMVPN&ACL
  pass
 class type inspect TRACEROUTE
  pass
 class type inspect SSH
  inspect
 class type inspect RemoteControl-HTTPS
  inspect
 class type inspect ICMP
  inspect
 class type inspect GRE
  pass
 class type inspect PPTP
  pass
 class class-default
  drop

Create the security zones.

zone security DMVPN-ZONE
zone security IN-ZONE
zone security OUT-ZONE
zone security PPTP-ZONE
zone security GUEST-ZONE

Create the zone pairs and apply the policies created above. A zone pair covers one direction only. Traffic between two zones that have no pair is dropped, except for traffic to and from the router's own self zone, which is permitted as long as no pair for that direction exists. The pass action keeps no state, so replies to passed traffic need a permitting pair in the reverse direction (which is why PERMIT-GRE-POLICY is applied to both OUT-DMVPN-ZP and DMVPN-OUT-ZP), whereas inspect keeps session state and lets the replies back by itself.

zone-pair security OUT-DMVPN-ZP source OUT-ZONE destination DMVPN-ZONE
 service-policy type inspect PERMIT-GRE-POLICY
zone-pair security DMVPN-OUT-ZP source DMVPN-ZONE destination OUT-ZONE
 service-policy type inspect PERMIT-GRE-POLICY
zone-pair security DMVPN-IN-ZP source DMVPN-ZONE destination IN-ZONE
 service-policy type inspect PERMIT-IP-POLICY
zone-pair security IN-DMVPN-ZP source IN-ZONE destination DMVPN-ZONE
 service-policy type inspect PERMIT-IP-POLICY
zone-pair security OUT-SELF-ZP source OUT-ZONE destination self
 service-policy type inspect OUT-SELF-POLICY
zone-pair security OUT-IN-ZP source OUT-ZONE destination IN-ZONE
 service-policy type inspect OUT-IN-POLICY
zone-pair security DMVPN-PPTP-ZP source DMVPN-ZONE destination PPTP-ZONE
 service-policy type inspect PERMIT-IP-POLICY
zone-pair security PPTP-DMVPN-ZP source PPTP-ZONE destination DMVPN-ZONE
 service-policy type inspect PERMIT-IP-POLICY
zone-pair security PPTP-IN-ZP source PPTP-ZONE destination IN-ZONE
 service-policy type inspect PERMIT-IP-POLICY
zone-pair security IN-PPTP-ZP source IN-ZONE destination PPTP-ZONE
 service-policy type inspect PERMIT-IP-POLICY
zone-pair security IN-OUT-ZP source IN-ZONE destination OUT-ZONE
 service-policy type inspect INSPECT-TO-OUT-POLICY
zone-pair security GUEST-OUT-ZP source GUEST-ZONE destination OUT-ZONE
 service-policy type inspect INSPECT-TO-OUT-POLICY
zone-pair security PPTP-OUT-ZP source PPTP-ZONE destination OUT-ZONE
 service-policy type inspect INSPECT-TO-OUT-POLICY
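The zone-pair table is where the direction rules bite: a pair covers one direction, pass keeps no state, and the self zone is open by default only while no pair addresses that direction. The following Python model is an added example, not code from the original page or from Cisco. It reduces ZBF to those rules (intra-zone permit; no pair means drop except to or from self; top-down first match with class-default drop; inspect stateful; pass stateless), reduces class matching to a protocol label instead of ACLs, and loads a subset of the zone pairs above. The function harden_self_to_out is a hypothetical change that is not in the template: it adds a self-to-OUT-ZONE pair and shows how that silently breaks the replies of every class the OUT-to-self pair merely passes, while inspected SSH keeps working.

```python
"""Toy model of Cisco ZBF zone-pair semantics (added example, not the page's or Cisco's code).

Assumptions, reduced from IOS behaviour:
  * traffic between interfaces of the same zone is permitted;
  * with no zone-pair, traffic between two zones is dropped, except traffic
    to or from the router's own 'self' zone, which is permitted by default;
  * a zone-pair policy is evaluated top-down, first match acts, class-default drops;
  * 'inspect' is stateful: replies of the session are permitted;
  * 'pass' is stateless and one-way: replies are judged as fresh packets
    against the reverse zone-pair.
Class matching is reduced to a protocol label; ACL/subnet matching is out of scope.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SELF = "self"

# (class name, protocol labels it matches, action: inspect | pass | drop)
ClassEntry = Tuple[str, frozenset, str]


@dataclass
class Firewall:
    zones: set
    zone_pairs: Dict[Tuple[str, str], List[ClassEntry]] = field(default_factory=dict)

    def add_pair(self, src: str, dst: str, policy: List[ClassEntry]) -> None:
        for zone in (src, dst):
            if zone not in self.zones:
                raise ValueError(f"unknown zone {zone}")
        self.zone_pairs[(src, dst)] = policy

    def forward(self, src: str, dst: str, proto: str) -> Tuple[str, str]:
        """Decision for the first packet of a flow: (matched class, action)."""
        if src == dst:
            return ("intra-zone", "permit")
        policy = self.zone_pairs.get((src, dst))
        if policy is None:
            if SELF in (src, dst):
                return ("no zone-pair, self default", "permit")
            return ("no zone-pair", "drop")
        for name, protos, action in policy:
            if proto in protos:
                return (name, action)
        return ("class-default", "drop")

    def round_trip(self, src: str, dst: str, proto: str) -> Dict[str, str]:
        """Decision for the initial packet and for the reply travelling dst -> src."""
        fwd_class, fwd_action = self.forward(src, dst, proto)
        result = {"forward": fwd_action, "forward_class": fwd_class}
        if fwd_action == "drop":
            result["reply"] = "n/a"
        elif fwd_action == "inspect":
            result["reply"], result["reply_class"] = "permit", "session"
        else:  # pass (or default permit): no state, the reply is judged on its own
            result["reply_class"], result["reply"] = self.forward(dst, src, proto)
        return result


INSPECT = ("INSPECT-TRAFFIC", frozenset({"tcp", "udp", "icmp"}), "inspect")
GRE = ("GRE", frozenset({"gre"}), "pass")


def build_template() -> Firewall:
    """Subset of the page's zone-pairs, enough to show the pass/inspect difference."""
    fw = Firewall({"IN-ZONE", "OUT-ZONE", "DMVPN-ZONE", "PPTP-ZONE", "GUEST-ZONE", SELF})
    fw.add_pair("OUT-ZONE", SELF, [                      # OUT-SELF-POLICY (subset)
        ("DMVPN&ACL", frozenset({"isakmp", "esp", "ahp", "gre"}), "pass"),
        ("SSH", frozenset({"ssh"}), "inspect"),
        ("ICMP", frozenset({"icmp"}), "inspect"),
    ])
    fw.add_pair("IN-ZONE", "OUT-ZONE", [INSPECT, GRE])   # INSPECT-TO-OUT-POLICY
    fw.add_pair("GUEST-ZONE", "OUT-ZONE", [INSPECT])     # note: no GUEST -> IN pair
    fw.add_pair("OUT-ZONE", "IN-ZONE", [GRE])            # OUT-IN-POLICY
    return fw


def harden_self_to_out(fw: Firewall) -> Firewall:
    """Hypothetical change NOT in the template: a self -> OUT-ZONE pair that only
    inspects ICMP. Replies of everything OUT -> self merely passes (IPsec, GRE
    here) now fall through to class-default and are dropped."""
    fw.add_pair(SELF, "OUT-ZONE", [("ICMP", frozenset({"icmp"}), "inspect")])
    return fw


if __name__ == "__main__":
    fw = build_template()
    cases = [("OUT-ZONE", SELF, "esp"), ("OUT-ZONE", SELF, "ssh"),
             ("IN-ZONE", "OUT-ZONE", "gre"), ("GUEST-ZONE", "IN-ZONE", "tcp")]
    for case in cases:
        print(case, fw.round_trip(*case))
    harden_self_to_out(fw)
    print("after adding a self -> OUT-ZONE zone-pair:")
    for case in cases[:2]:
        print(case, fw.round_trip(*case))
```

Running it shows ESP from OUT-ZONE to self passed and its reply permitted only because no self-to-OUT-ZONE pair exists; GRE between IN-ZONE and OUT-ZONE needs the pass in both pairs; GUEST-ZONE to IN-ZONE is dropped for lack of a pair. After harden_self_to_out the ESP reply is dropped by class-default while SSH, being inspected, still gets its reply through. The same effect on a real router shows up as IPsec peers failing to rekey after an innocent-looking self-zone policy is added.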

Finally, add the interfaces to the zones created earlier. An interface that belongs to no zone can only exchange traffic with other zoneless interfaces, so every routed interface must be assigned. Once the configuration is applied, show zone-pair security lists the pairs with their policies, and show policy-map type inspect zone-pair sessions shows the inspected sessions currently open.
For example:

interface Tunnel0
 zone-member security DMVPN-ZONE
!
interface Virtual-Template1
 zone-member security PPTP-ZONE
!
interface Vlan2
 zone-member security GUEST-ZONE
!
interface GigabitEthernet0/0
 zone-member security IN-ZONE
!
interface GigabitEthernet0/1
 zone-member security OUT-ZONE
