By default the ASA does stateful filtering, but on a router stateful inspection has to be configured explicitly.
The way to get stateful inspection on an IOS router is the Zone-Based Firewall (ZBF).
Rules:
Interfaces in the same zone are allowed to forward packets between each other by default. (Classic IOS cannot restrict intra-zone traffic; newer IOS XE releases allow a zone-pair whose source and destination are the same zone if that traffic also has to be inspected.)
Traffic between interfaces in different zones is implicitly denied until a zone-pair with a policy allows it.
An interface that is a member of a zone cannot exchange traffic with an interface that is not in any zone; that traffic is dropped. Interfaces outside all zones still forward between each other normally.
There is also the self zone, which refers to the router itself. Traffic to and from the self zone (e.g. SSH or Telnet to the router, routing protocol packets) is allowed by default.
By making self the source or destination of a zone-pair and attaching a policy, we can lock down traffic to and from the router; once such a zone-pair exists, only the traffic matched by its policy is allowed in that direction, so make sure management and routing protocols are covered before applying it.
Zone-pairs are unidirectional: a policy on IN -> OUT says nothing about connections initiated from OUT towards IN. Return traffic of a connection that was inspected is allowed automatically.
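The rules above are easier to reason about when written down as the decision a single packet goes through. The following is an added example, not Cisco code and not the post's configuration: a toy model of the ZBF forwarding decision (intra-zone pass, inter-zone implicit deny, self-zone default permit, one-way zone-pairs, and inspect opening a session that admits the return flow). The interface names, zone names, addresses and the locked-down self-zone policy in build_demo() are assumptions for the demo.

```python
"""Toy model of the zone-based firewall rules listed above.

Added example, not Cisco code or the post's configuration. It simulates the
forwarding decision for one packet: intra-zone traffic passes, inter-zone
traffic is denied unless a zone-pair policy allows it, the self zone is
permitted by default, zone-pairs are one-way, and "inspect" opens a session
that admits the return flow. Interface, zone and address names are assumed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SELF = "self"                                      # the router itself
PORT_MAP = {"http": 80, "ssh": 22, "telnet": 23}   # stand-in for `show ip port-map`


@dataclass(frozen=True)
class Flow:
    in_if: str     # ingress interface, or SELF when the router originates
    out_if: str    # egress interface, or SELF when destined to the router
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# class-map style matchers
def match_protocol(name):
    """`match protocol <name>`: TCP to the port-map port."""
    port = PORT_MAP[name]
    return lambda f: f.proto == "tcp" and f.dport == port


def match_acl(src_net, dst_net):
    """`match access-group` backed by one `permit ip <src> <dst>` entry."""
    s, d = ip_network(src_net), ip_network(dst_net)
    return lambda f: ip_address(f.src) in s and ip_address(f.dst) in d


def match_all(*fns):
    """`class-map type inspect match-all`: every criterion must hit."""
    return lambda f: all(fn(f) for fn in fns)


@dataclass
class ZBF:
    members: dict = field(default_factory=dict)   # interface -> zone
    pairs: dict = field(default_factory=dict)     # (src_zone, dst_zone) -> [(matcher, action)]
    sessions: set = field(default_factory=set)    # 5-tuples opened by "inspect"

    def zone_of(self, iface):
        return SELF if iface == SELF else self.members.get(iface)

    def decide(self, f):
        """Return (action, reason) for a packet and update the session table."""
        # Return traffic of an inspected session is admitted before any zone lookup;
        # this is why a one-way zone-pair is enough for a two-way TCP conversation.
        if (f.proto, f.dst, f.dport, f.src, f.sport) in self.sessions:
            return "pass", "return traffic of inspected session"
        sz, dz = self.zone_of(f.in_if), self.zone_of(f.out_if)
        if sz is None and dz is None:
            return "pass", "neither interface is a zone member"
        if sz is None or dz is None:
            return "drop", "zone member to non-member"
        if sz == dz:
            return "pass", "intra-zone"
        policy = self.pairs.get((sz, dz))
        if policy is None:
            if SELF in (sz, dz):
                return "pass", "self zone is permitted by default"
            return "drop", "no zone-pair for this direction"
        for matcher, action in policy:
            if matcher(f):
                if action == "inspect":
                    self.sessions.add((f.proto, f.src, f.sport, f.dst, f.dport))
                return action, "matched class"
        return "drop", "class-default"


def build_demo():
    """The post's IN/OUT/DMZ topology plus an assumed locked-down self zone."""
    fw = ZBF()
    fw.members = {"g1/0": "OUT", "g2/0": "IN", "g3/0": "DMZ", "g4/0": "IN"}
    # Case 1: IN -> OUT, inspect everything (permit ip any any)
    fw.pairs[("IN", "OUT")] = [(match_acl("0.0.0.0/0", "0.0.0.0/0"), "inspect")]
    # Case 2, tightened: OUT -> DMZ, HTTP only and only to the web server
    fw.pairs[("OUT", "DMZ")] = [(match_all(match_protocol("http"),
                                           match_acl("0.0.0.0/0", "172.16.5.10/32")), "inspect")]
    # Self zone: SSH from IN only; an empty policy for OUT -> self drops everything
    fw.pairs[("IN", SELF)] = [(match_protocol("ssh"), "inspect")]
    fw.pairs[("OUT", SELF)] = []
    return fw


if __name__ == "__main__":
    fw = build_demo()
    for flow in [
        Flow("g2/0", "g1/0", "tcp", "10.1.1.10", 40000, "198.51.100.7", 443),  # IN -> OUT
        Flow("g1/0", "g2/0", "tcp", "198.51.100.7", 443, "10.1.1.10", 40000),  # its reply
        Flow("g1/0", "g2/0", "tcp", "198.51.100.7", 50000, "10.1.1.10", 445),  # OUT -> IN, new
        Flow("g3/0", "g1/0", "tcp", "172.16.5.10", 50001, "203.0.113.5", 80),  # DMZ -> OUT, new
        Flow("g2/0", SELF, "tcp", "10.1.1.10", 50002, "172.16.5.1", 23),       # Telnet to router
    ]:
        print(f"{flow.in_if:>5} -> {flow.out_if:<5} dport {flow.dport:<5} {fw.decide(flow)}")
```

The model deliberately does not collapse "no zone-pair" and "class-default" into one outcome: on a real router the first is fixed by creating the zone-pair, the second by widening the class map, and `show policy-map type inspect zone-pair` shows the class-default drop counter climbing only in the second case.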
L3-L4 (stateful) inspection with the zone-based firewall
Case 1:
Let's allow all traffic from the IN zone to the OUT zone.
1. Create security zones
R1(config)#zone security IN
R1(config)#zone security OUT
R1(config)#zone security DMZ
2. Assign interfaces to zones
R1(config)#interface g1/0
R1(config-if)#zone-member security OUT
R1(config)#interface g2/0
R1(config-if)#zone-member security IN
R1(config)#interface g3/0
R1(config-if)#no shutdown
R1(config-if)#ip address 172.16.5.1 255.255.255.0
R1(config-if)#zone-member security DMZ
At this point traffic between the zones is dropped, and it stays that way until we create a class map, a policy map and a zone pair, and attach the policy to the zone pair with service-policy.
Let's verify the zones:
R1#show zone security
This lists every configured zone together with its member interfaces.
3. To identify the traffic, create an access list (here it simply matches everything)
R1(config)#ip access-list extended IN-OUT-ACL
R1(config-ext-nacl)#permit ip any any
4. Create an inspect class map that references the access list
R1(config)#class-map type inspect match-all IN-OUT-CLASS
R1(config-cmap)#match access-group name IN-OUT-ACL
Verify the inspect class map:
R1#show class-map type inspect
5. Create a policy map that acts on the traffic matched by the class map
R1(config)#policy-map type inspect IN-OUT-POLICY
R1(config-pmap)#class type inspect IN-OUT-CLASS
R1(config-pmap-c)#inspect
Traffic that matches the class is inspected, i.e. a session is created and its return traffic is allowed. Anything that matches no class falls into class-default, which drops. The other actions are pass (allow without a session, so return traffic needs its own policy) and drop.
Verify the config:
R1#show policy-map type inspect
6. Create the zone pair from IN to OUT and attach the policy
R1(config)#zone-pair security IN-OUT-ZP source IN destination OUT
R1(config-sec-zone-pair)#service-policy type inspect IN-OUT-POLICY
A zone pair without a policy map applied to it is useless: traffic through it is still dropped.
Verify:
R1#show zone-pair security
Now let's test this. Initiate traffic from PC-1 (in the IN zone) towards the OUT zone, then check that the class counters increase and that a session was created:
1. show policy-map type inspect zone-pair
2. show policy-map type inspect zone-pair sessions
Case 2:
Let's allow HTTP traffic from OUT to DMZ.
Matching by protocol name relies on the port-to-application map (PAM); check which port a name stands for with:
R1#show ip port-map | include http
1. Instead of an access list, the class map can match the protocol directly (HTTP, i.e. TCP port 80 according to the port map)
R1(config)#class-map type inspect match-any WEB-CLASS
R1(config-cmap)#match protocol http
R1#show class-map type inspect
2. Create the policy map
R1(config)#policy-map type inspect WEB-POLICY
R1(config-pmap)#class type inspect WEB-CLASS
R1(config-pmap-c)#inspect
R1#show policy-map type inspect
3. Create the zone pair from OUT to DMZ and attach the policy
R1(config)#zone-pair security OUT-DMZ-ZP source OUT destination DMZ
R1(config-sec-zone-pair)#service-policy type inspect WEB-POLICY
Return traffic from the DMZ back to OUT for these HTTP sessions is now allowed dynamically, because inspect tracks the session. Connections initiated from the DMZ towards OUT are still dropped; they need their own DMZ -> OUT zone pair. Note also that this class matches port 80 to any host in the DMZ; to restrict it to the web server, add an access list with the server address and combine it with match protocol http in a match-all class map.
Verify:
R1#show zone-pair security
R1#show policy-map type inspect zone-pair sessions
Adding application-layer inspection
HTTP type inspect class map
HTTP type inspect policy map
These inspect types are protocol-specific: an HTTP class map can match on things like protocol violations or a regular expression against the request URI, and its policy can log or reset the connection.
1. First create the regex parameter map
R1(config)#parameter-map type regex COM
R1(config-profile)#pattern .+\.[Cc][Oo][Mm]
2. Create the HTTP class map
R1(config)#class-map type inspect http match-any BAD-HTTP-CLASS
R1(config-cmap)#match request uri regex COM
R1(config-cmap)#match req-resp protocol-violation
R1#show class-map type inspect http
3. Create the HTTP policy map
R1(config)#policy-map type inspect http BAD-HTTP-POLICY
R1(config-pmap)#class type inspect http BAD-HTTP-CLASS
R1(config-pmap-c)#log
R1(config-pmap-c)#reset
reset sends a TCP reset to both ends of the connection when the class matches; log records the match.
R1(config-pmap-c)#exit
R1#show policy-map type inspect http
4. Now attach the HTTP policy inside the Layer 4 policy. The application-layer policy is nested as a service-policy under the class that already inspects HTTP; the Layer 4 class has to match protocol http for this to be accepted.
R1(config)#policy-map type inspect WEB-POLICY
R1(config-pmap)#class type inspect WEB-CLASS
R1(config-pmap-c)#inspect
R1(config-pmap-c)#service-policy http BAD-HTTP-POLICY
R1(config-pmap-c)#exit
R1(config-pmap)#exit
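A regex in a parameter map is worth checking against sample URIs before it goes on a router that resets connections on a match. The following is an added example, not Cisco code and not part of the original post: it runs the post's pattern, and a tighter variant that is my own assumption, against constructed request URIs with Python's re module, which accepts the same constructs. The assumption is that the router's regex engine searches the URI unanchored and accepts $ and alternation, as Python does here.

```python
"""Pre-deployment check of the URI regex from the parameter-map above.

Added example, not Cisco code. It runs the post's pattern (and a tighter
variant) against constructed request URIs with Python's `re`.
Assumption: the router's regex engine searches the URI unanchored and
accepts `$` and alternation, as Python does here.
"""
import re

# exactly the pattern given to `parameter-map type regex COM`
COM_LOOSE = re.compile(r".+\.[Cc][Oo][Mm]")
# tighter variant (assumed, not from the post): ".com" must end a path label
COM_TIGHT = re.compile(r"\.[Cc][Oo][Mm](/|$)")

# constructed sample URIs, as they would appear in the HTTP request line
SAMPLES = [
    "/index.html",
    "/redirect?to=http://evil.com/login",
    "/downloads/setup.COM",
    "/api/v1/update.command",   # contains ".com" but is not a .com reference
]


def classify(uris=SAMPLES, pattern=COM_LOOSE):
    """Return the URIs that would make the HTTP class match under `pattern`."""
    return [u for u in uris if pattern.search(u)]


if __name__ == "__main__":
    print("loose:", classify())
    print("tight:", classify(pattern=COM_TIGHT))
```

The loose pattern also fires on "/api/v1/update.command", so with the reset action a legitimate client would be cut off; anchoring the end of the label removes that false positive while keeping the case-insensitive match.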