Cisco CCIE Security 350-701 – IOS – Zone Based Firewall Part 2

  1. ZBF – Classify Traffic using Class-Maps

Now, once we have assigned the interfaces to the security zones, as in the previous video (we configured this interface as the LAN security zone and the other one as the Internet zone), we need to define what traffic we want to allow from the LAN to the Internet. That is what classification is: we match the specific traffic that needs to be allowed or denied between the security zones. By default, traffic between zones is denied, so you will want to allow some traffic to flow. For that we use class-maps; I'll show you the configuration later on. These class-maps let you match traffic at layer 4 or layer 7: you can match specific TCP or UDP traffic and specific ports, or you can match at the application level, where you simply say match protocol SQL, or match protocol for any other application-level protocol. So, to match this specific traffic, we use class-maps.

Let me take a simple example. Say I want to allow the users sitting in my LAN to send specific traffic such as HTTP, FTP or, one more example, Telnet traffic, and I want to allow that traffic from the LAN to the Internet. In that case the first step is to match this protocol traffic, and to match it we use class-maps. The configuration will be something like this: we say class-map, and we have to use something called type inspect. The type inspect keyword differentiates a class-map used in the zone-based firewall from other class-maps, because class-maps are used in many other scenarios, such as quality of service or control plane policing and protection and other features; in the zone-based firewall we also use class-maps.

The difference is that we specify this as an inspect type, so it is used specifically for the inspection of traffic. So I want to match FTP, HTTP and, let's say, Telnet. We can use any name, say class2, and I simply say match protocol ftp. If I use the question mark, you can see the different application protocols present, and you can match any of them. In my case I want to match FTP, and at the same time HTTP and Telnet, so I simply match each protocol. But one thing we need to remember when we verify this with show run class-map: by default, whenever you create a class-map, it is match-all. If you are defining multiple match statements, it has to be match-any, because the basic difference is that match-all is like AND: we would be saying that this class-map only matches the traffic if all three protocols are present at once, which is practically not possible.

These are different types of traffic. That is the reason why, whenever we use multiple match statements, we have to change this to match-any; if I don't specify anything, by default it takes match-all. We can simply change it without reconfiguring the whole class-map: we say match-any, and if I verify class-map class2 once again, this time it shows match-any. So we can match the protocol, or, to take another example, let's say you want to match the traffic going from the LAN, maybe from the 192.168.1.x network, destined to any destination, and only if it is HTTP do you want to allow it; other traffic you may want to deny.

So if you want to match specific traffic based on a specific source, we can match on those fields; configuration-wise there is not much difference. I'm going to create another class-map just for testing purposes. Let's say class-map type inspect, class3, and we match access-group, say 120. We need to specify the access list, which matches all TCP traffic coming from the source 192.168.1.x network and going to any destination if the port is equal to www. This is how we match specific traffic. Again, this is classification: classifying the traffic that only matches the selected source going to any destination, and only HTTP traffic. So whatever policies you want to apply, whether you want to allow or deny, the basic step is to classify the traffic in different class-maps, and then we use these class-maps inside the policy-map.
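The three ways of classifying traffic described above, as an added IOS configuration example that is not the course's own lab configuration. The class-map names, the ACL number 120 and the 192.168.1.0/24 source network are assumptions for illustration.

```cisco
! Added example (not the course's own configuration). Names, ACL number 120 and
! the 192.168.1.0/24 network are assumptions for illustration.
!
! 1. Layer-7 protocol matching. FTP, HTTP and Telnet can never all be present in
!    one packet, so the class-map must be match-any (logical OR). The default,
!    match-all, is a logical AND and would never match any packet.
class-map type inspect match-any CLASS2
 match protocol ftp
 match protocol http
 match protocol telnet
!
! 2. Layer-3/4 matching through an access list: TCP from 192.168.1.0/24 to any
!    destination on port 80 (www). With a single match statement, match-all and
!    match-any behave the same.
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq www
class-map type inspect match-all CLASS3
 match access-group 120
!
! 3. Both conditions in one match-all class-map: the traffic must come from the
!    ACL sources AND be recognised as HTTP at the application level. This is how
!    an application-level match is restricted to particular sources.
class-map type inspect match-all CLASS3-HTTP-ONLY
 match access-group 120
 match protocol http
!
! Verification: the running configuration shows match-any / match-all explicitly.
! show running-config class-map
! show class-map type inspect
```

The important check is the first word after the class-map name in show running-config class-map: a class-map that lists several match protocol lines but still shows match-all will never match, and traffic that should be inspected ends up in class-default and is dropped.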

  2. ZBF – Class-map Configuration

Okay, so now let's see a quick configuration example of traffic classification. In this example, I want to match the traffic moving from the LAN to the Internet. I just want to say that the traffic coming from 10.1.1.1 and going to 30.1.1.1 should be allowed: Telnet traffic between these two hosts from the LAN to the Internet. That is a very basic example. Of course we can add multiple things; in production scenarios we generally don't match individual hosts, you simply say match protocol tcp and udp, because you may want to inspect all the traffic. But in my case I'm using a simple example of inspecting the traffic between the 10.1.1.1 and 30.1.1.1 hosts, and only Telnet traffic.

Now, to match specific traffic based on source and destination, we need to write an ACL. I'm going to write an ACL that matches the traffic between 10.1.1.1 and 30.1.1.1 equal to telnet. I suggest you use named ACLs, because with named ACLs we can also do some editing, again depending on the IOS version. In some newer IOS versions we can edit numbered ACLs as well, but then you have to use the new ACL syntax and other things. So let me go with a simple example here. In my case, I already have the configuration done on the interfaces: if I go to my interface Serial1/0, it is pre-configured with zones, as we did in the previous lab. And if I try to verify with a telnet, or a ping, or anything:

By default the traffic is not allowed between any of these interfaces from the LAN to the Internet. So my first step is to write an ACL that matches my traffic. I'll use a named ACL, LAN to Internet ACL, and I'm going to permit the traffic coming from 10.1.1.1 (or you can specify the subnet; in my case I'm using the single IP because I'm not using the complete subnet here) going to 30.1.1.1 equal to telnet. If I say show ip access-list, this access list matches 10 to 30. Then I need to create a class-map, it has to be type inspect, and we call it LAN to Internet class, let's say. Then we say match access-group, and the ACL name is LAN to Internet ACL. Now there are multiple options.

We can either match a specific ACL, as I said, with match access-group, or we can simply use the match protocol option if you're not using an ACL. If you just want to match the Telnet protocol, we can simply say match protocol telnet. But the difference is that it matches any source and any destination: if the protocol is Telnet, it matches. If you want to match a specific source or destination, or a combination of both, we use the match access-group statement. So this is how we classify. If you verify the configuration here with show run class-map, I think I have some default class-maps which I created earlier. Let me remove them; this is not the one I'm using. So show class-map type inspect, and let me remove this one, because while I was documenting the workbook I may have added it. So this is the one we just created.

  3. ZBF – Policy Map – Zone Pairs

Okay, so the next thing is, once we classify the traffic, we need to tell the zone-based firewall what action to take. This is nothing but the firewall policy rules, where we tell the router what action it has to take. There are three possible actions, and the most commonly used is inspect. The basic difference: pass simply allows the traffic to pass through when the traffic is flowing, but it does not have the capability to inspect the return traffic, which means that when the return traffic comes back, the router does not have the capability to identify or differentiate it; it just allows the traffic in that direction. Drop is for specific traffic you want to drop. But most likely, if you want to do stateful packet inspection, more like an ASA firewall that creates and tracks the session state, we'll use the inspect option.

We'll be using the inspect option. With inspect, when the traffic is allowed, it ensures that the traffic matching the class-map, like in our example, where we match the traffic coming from the 10.x network going to the 30.x network if it is Telnet traffic, is allowed to pass through from the LAN interface to the Internet. And then when the return traffic comes (because when you initiate a Telnet connection you will be getting return traffic), it is allowed automatically by default. So in the firewall policy rules we need to tell what action to take, and the default action we take is inspect. These actions we define with the help of something called policy-maps. In the previous sections we used class-maps.

Class-maps tell what traffic you want to match; we classify the traffic using class-maps. Policy-maps then tell what action to take. So if you want to define the inspect option, you need to create a policy-map. The policy-map controls the flow of traffic between the interfaces: as I said, whether you want to inspect the traffic, pass it or drop it. We can use multiple class-maps inside it. And any traffic which does not match: in my case, if you go back to the configuration here with show run class-map, we use this class-map, and any traffic not matching it is automatically considered inside class-default. Class-default is nothing but the default class-map, which matches any other traffic that is not classified, and its default action is drop.

When I do the configuration of the policy-map, I'll show you that the default action for the default class is drop. Let's get back to the configuration. Configuration-wise, we need to create a policy-map, it should be type inspect, and you can use any name. Then we refer to the class-map we created that matches this particular traffic, and then we tell the action we want to take, inspect. So let's go to Router 2 and create a policy-map. It has to be type inspect; I'll call it LAN to Internet policy. Then I refer to my class, I think I'm using the LAN to Internet class, and then the action I want to take, inspect. You can use the question mark to see the other possible options.

So the options are inspect, drop or pass. We can also use the police action to restrict bandwidth, which is used more in quality of service scenarios, but in the zone-based firewall the most common option is inspect. Once I do this, if you say show run policy-map to verify the configuration I did, you can see it is going to inspect. And it's always a best practice, when you do this, to also match the default class and simply say drop, even though it is automatically dropped in the back end anyway. When you say drop, it is also a best practice to log, so that if any traffic moving through this zone-based firewall router matches the default class and is getting dropped, we can see log messages displayed, depending on the logging feature enabled.

In my case this is something I recommend, even though it's not a mandatory part of the config; I do recommend these configurations. So that is how we define the policy rules inside the zone-based firewall using policy-maps. Now, the last thing we need to do is the pairing, which we call zone pairing. In this last step we need to activate this firewall policy on the zone interfaces, and configuration-wise it's going to be something like this. We call it a zone pair. Zone pairing is nothing but creating a zone pair with some name, and then telling the direction of the traffic: where it is coming from, which is my LAN interface, that's my source, and where it is going, which is my Internet interface, that's my destination.

So we create a zone pair, which means I'm saying that the policy I created applies to traffic flowing from the LAN to the Internet, not from the Internet to the LAN, and that policy says that whatever traffic matches it will be inspected. Of course the policy refers to a class-map, and whatever traffic matches the class-map will be inspected by default. So I'll quickly show you the configuration here, on Router 2. All the commands start with zone, so just remember zone: zone-pair, then any name, always use some name like this, LAN to Internet pair, then the source, LAN, and the destination, Internet. These are the two security zones which I created. So the direction is from the LAN going towards the Internet, and I want to inspect with my policy.

The policy I created is a policy-map, so it says service-policy type inspect, and the name of the policy is LAN to Internet policy. Done. For the final verification, if I go to Router 1: as per my policy, it is going from the LAN to the Internet, and this policy matches the traffic from 10 to 30 equal to telnet, which should be inspected. Which means if I try to initiate a Telnet connection from Router 1 to Router 3, the Telnet should work. You can see it's working, connecting to 30.1.1.1 from 10.1.1.1. But if I try to initiate a connection without specifying the source, then the session will start from the default source going to 30.1.1.1, and you can see the Telnet connection is not allowed. If you go to Router 2 and verify the log messages, it shows you the packet is dropped.

It is dropping the TCP connection from the default source address going to 30.1.1.1 on port number 23, the Telnet port, because it matches the default class, due to the drop action. If you remember, I discussed that anything not matching the above policy matches the default class. If you want, we can add some more statements to this. Maybe you want to allow ICMP traffic between any source and any destination, because you do some testing and verification from the LAN to the Internet, so ICMP traffic should be allowed. There is already a policy applied from the LAN to the Internet, so we don't need to remove the pairing or modify the policy. The only thing we need to do is add the ICMP traffic inside the class-map. Which means I specify class-map type inspect, and I have to say match-any, because I'm going to match two types of traffic, and then we say match protocol icmp.

If you verify with show run class-map, it's going to match either Telnet traffic from 10 to 30, or protocol ICMP from any source to any destination, because here I'm not specifying the source or destination, which means it matches any source to any destination. If I try to ping 30.1.1.1, I should be able to ping from any source, so it should work between any source and destination. Typically you don't write such very small statements, because in real scenarios you may want to simply say match protocol tcp and then match protocol udp, and that's it, because the ASA firewall by default inspects all TCP and UDP traffic. So you can simply match TCP and UDP, or you can match the specific protocols you are using. But ICMP and Telnet are the best way to verify these labs, and that's the only reason I'm using them in my labs. But practically.
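The whole procedure from the class-map configuration section through the policy-map, zone pair and ICMP addition, as an added IOS configuration example that is not the course's own lab configuration. The zone names, the ACL, class-map, policy-map and zone-pair names, the interface names and the host addresses 10.1.1.1 and 30.1.1.1 are assumptions for illustration.

```cisco
! Added example (not the course's own configuration). Zone, object and interface
! names and the hosts 10.1.1.1 / 30.1.1.1 are assumptions for illustration.
!
! Security zones and their member interfaces (done in part 1 of the series).
zone security LAN
zone security INTERNET
interface Serial1/0
 zone-member security LAN
interface Serial1/1
 zone-member security INTERNET
!
! Step 1: classify. Named extended ACL for Telnet between the two hosts only.
ip access-list extended LAN-TO-INTERNET-ACL
 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet
!
! match-any is required because the class-map has two match statements:
! Telnet between the two hosts OR ICMP from any source to any destination.
class-map type inspect match-any LAN-TO-INTERNET-CLASS
 match access-group name LAN-TO-INTERNET-ACL
 match protocol icmp
!
! Step 2: the firewall policy. inspect is stateful: return traffic of inspected
! sessions is allowed back automatically. class-default is dropped anyway, but
! "drop log" makes every dropped packet visible in the router log.
policy-map type inspect LAN-TO-INTERNET-POLICY
 class type inspect LAN-TO-INTERNET-CLASS
  inspect
 class class-default
  drop log
!
! Step 3: apply the policy to the LAN -> INTERNET direction only. With no
! INTERNET -> LAN zone-pair, connections initiated from the Internet side stay
! blocked by the default inter-zone deny.
zone-pair security LAN-TO-INTERNET-PAIR source LAN destination INTERNET
 service-policy type inspect LAN-TO-INTERNET-POLICY
!
! Verification:
! show zone-pair security                         - pair and attached policy
! show policy-map type inspect zone-pair sessions - sessions currently inspected
! show logging                                    - drops logged by class-default
```

A Telnet from 10.1.1.1 to 30.1.1.1 appears in show policy-map type inspect zone-pair sessions while it is open; a Telnet from any other source, or to any other port, falls into class-default and shows up in show logging as a dropped packet, which is exactly the behaviour the lab verification in the lecture relies on.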
