In ZBF (Cisco IOS Zone-Based Policy Firewall) interfaces are placed into zones.
A zone is a logical unit that groups interfaces (and the devices behind them) with the same trust level.
Zones are created by the administrator.
There is one predefined zone, the self zone: it represents the router itself, i.e. traffic sourced from or destined to the router's own addresses (management sessions, routing protocols, VPN terminated on the router). Traffic to and from the self zone is permitted by default and is only restricted once a policy is applied to a zone pair that includes self.
By default traffic between different zones is denied, while traffic between interfaces in the same zone is allowed. An interface that is not a member of any zone cannot exchange traffic with an interface that is.
To allow traffic between two zones you create a zone pair (source zone, destination zone) and attach a policy to it with service-policy.
Permissions are implemented through policies (policy-map type inspect). Once a connection has been inspected, the reply traffic is allowed back automatically, because ZBF is a stateful filter. This applies to the inspect action only: pass forwards packets statelessly, so traffic that is passed in one direction needs a matching pass on the reverse zone pair (which is why the VPN class below is passed in both pm_inside-outside and pm_outside-inside).
So ZBF has the following properties:
■ Stateful inspection.
■ Application inspection.
■ Packet filtering.
■ URL filtering.
■ Transparent firewall (implementation method).
■ Support for virtual routing and forwarding (VRF).
■ Access control lists (ACL) are not required as a filtering method to implement the policy.
! --- ACLs used only as match criteria in the inspect class-maps (not applied to interfaces) ---
ip access-list extended acl_http_only_users
 remark HTTP only users
 remark CCP_ACL Category=16
 remark 19.09.2011 Samovarov Vladimir VMWARE test
 permit ip host 192.168.210.10 any
 remark 18.09.2011 Vasiliy Pupkin
 permit ip host 192.168.210.51 any
ip access-list extended acl_nat_rules
 remark NATed network
 remark CCP_ACL Category=3
 permit ip 192.168.210.0 0.0.0.255 any
ip access-list extended acl_server1_ip
 remark CCP_ACL Category=1
 remark Traffic to server
 permit ip any host 192.168.210.10
ip access-list extended acl_vpn_protocols
 remark CCP_ACL Category=1
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit ahp any any
ip access-list extended acl_whole_access_users
 remark WHOLE ACCESS USERS
 remark CCP_ACL Category=16
 remark 10.09.2011 Ivan Kozlov
 permit ip host 192.168.210.62 any
 remark 15.09.2011 Vitaliy Borzov
 permit ip host 192.168.210.68 any
!
! --- class-maps: match-all = every criterion must match, match-any = at least one ---
class-map type inspect match-all cm_vpn_protocols
 match access-group name acl_vpn_protocols
!
class-map type inspect match-any cm_server1_protocols
 description Externally-visible protocols
 match protocol user-terminal
!
class-map type inspect match-all cm_server1_services
 description Externally-visible protocols headed to server
 match access-group name acl_server1_ip
 match class-map cm_server1_protocols
!
class-map type inspect match-any cm_http-dns-ftp
 match protocol http
 match protocol dns
 match protocol ftp
 match protocol https
!
class-map type inspect match-all cm_only_web
 match class-map cm_http-dns-ftp
 match access-group name acl_http_only_users
!
class-map type inspect match-all cm_all_access
 match access-group name acl_whole_access_users
!
! --- policy-maps: inspect = stateful, pass = stateless, class-default drop = deny the rest ---
policy-map type inspect pm_inside-outside
 class type inspect cm_only_web
  inspect
 class type inspect cm_all_access
  inspect
 class type inspect cm_vpn_protocols
  pass
 class class-default
  drop
!
policy-map type inspect pm_outside-inside
 description Internet to LAN (server)
 class type inspect cm_server1_services
  inspect
 class type inspect cm_vpn_protocols
  pass
 class class-default
  drop log
!
! --- zones and zone pairs; one zone pair per direction ---
zone security outside
zone security inside
!
zone-pair security inside-outside source inside destination outside
 service-policy type inspect pm_inside-outside
zone-pair security outside-inside source outside destination inside
 service-policy type inspect pm_outside-inside
!
ip nat inside source list acl_nat_rules interface FastEthernet0/0/0 overload
ip nat inside source static tcp 192.168.210.10 3389 interface FastEthernet0/0/0 3389 extendable
!
interface GigabitEthernet0/0
 description ###LAN###
 ip address 192.168.210.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description ###OUTSIDE###
 ip address 195.168.165.221 255.255.255.248
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 duplex auto
 speed auto

Two details worth noting in this listing. First, match protocol user-terminal refers to a user-defined port map (IOS requires such names to start with user-); the ip port-map user-terminal ... line that defines it is not shown here, and given the static NAT for TCP 3389 it presumably maps RDP. Second, acl_server1_ip matches the server's private address 192.168.210.10 rather than the public address on FastEthernet0/0/0, because zone-pair classification for outside-to-inside traffic takes place after the static NAT translation.
To verify the result, check the class-maps and the active sessions on a zone pair (the zone-pair name must be one defined above, here inside-outside):
show class-map type inspect
show policy-map type inspect zone-pair inside-outside sessions
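The stateful caveat from the introduction (replies to inspected traffic come back automatically, replies to passed traffic do not) and the zone-pair/policy structure of the listing above are easy to get wrong by hand. The following audit script is an added example, my own code rather than anything from the original post or from Cisco: it parses show running-config style ZBF output (relying on the indentation IOS prints) and reports zone pairs without a service-policy, policies whose class-default is not drop, and classes that are passed in one direction with no matching pass on the reverse zone pair. The config it runs on is a constructed sample with hypothetical names (pm_in_out, cm_icmp, dmz and so on), not the router above; the reverse-pair check compares class-map names, which is a deliberate simplification.

```python
# Added example (not the original post's code): audit a Cisco IOS ZBF config.
# Parses 'show running-config' style output (relies on IOS indentation) and flags:
#   1. zone pairs with no service-policy (all traffic between them is dropped);
#   2. policies whose class-default is not 'drop';
#   3. a class 'pass'ed one way with no 'pass' for the same class on the reverse pair
#      ('pass' is stateless, so unlike 'inspect' replies are not allowed back).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (hypothetical zone/policy names), not the router from the post.
SAMPLE_CONFIG = """\
policy-map type inspect pm_in_out
 class type inspect cm_web
  inspect
 class type inspect cm_vpn
  pass
 class type inspect cm_icmp
  pass
 class class-default
  drop
policy-map type inspect pm_out_in
 class type inspect cm_vpn
  pass
 class class-default
  drop log
policy-map type inspect pm_dmz_in
 class class-default
  pass
zone-pair security in-out source inside destination outside
 service-policy type inspect pm_in_out
zone-pair security out-in source outside destination inside
 service-policy type inspect pm_out_in
zone-pair security in-dmz source inside destination dmz
zone-pair security dmz-in source dmz destination inside
 service-policy type inspect pm_dmz_in
"""


@dataclass
class ZonePair:
    name: str
    source: str
    destination: str
    policy: Optional[str] = None


def parse_zbf(config_text: str) -> Tuple[Dict[str, Dict[str, Optional[str]]], Dict[str, ZonePair]]:
    """Return (policy -> class -> action, zone-pair name -> ZonePair)."""
    policies: Dict[str, Dict[str, Optional[str]]] = {}
    pairs: Dict[str, ZonePair] = {}
    cur_policy = cur_class = cur_pair = None
    for line in map(str.rstrip, config_text.splitlines()):
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command starts a new context
            cur_policy = cur_class = cur_pair = None
            m = re.match(r"policy-map type inspect (\S+)$", line)
            if m:
                cur_policy = policies.setdefault(m.group(1), {})
            m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line)
            if m:
                cur_pair = ZonePair(*m.groups())
                pairs[cur_pair.name] = cur_pair
            continue
        body = line.strip()
        if cur_policy is not None:
            m = re.match(r"class (?:type inspect )?(\S+)$", body)
            if m:
                cur_class = m.group(1)
                cur_policy[cur_class] = None
            elif cur_class is not None:  # inspect / pass / drop (a trailing 'log' is ignored)
                cur_policy[cur_class] = body.split()[0]
        elif cur_pair is not None:
            m = re.match(r"service-policy type inspect (\S+)$", body)
            if m:
                cur_pair.policy = m.group(1)
    return policies, pairs


def audit_zbf(config_text: str) -> List[str]:
    policies, pairs = parse_zbf(config_text)
    by_dir = {(zp.source, zp.destination): zp for zp in pairs.values()}
    findings: List[str] = []
    for zp in pairs.values():
        if zp.policy is None:
            findings.append(f"{zp.name}: no service-policy, all {zp.source}->{zp.destination} traffic is dropped")
            continue
        classes = policies.get(zp.policy, {})
        # A missing class-default is the implicit one, which drops.
        if classes.get("class-default") not in (None, "drop"):
            findings.append(f"{zp.name}: class-default is '{classes['class-default']}', not drop")
        rev = by_dir.get((zp.destination, zp.source))
        rev_classes = policies.get(rev.policy, {}) if rev and rev.policy else {}
        for cm, action in classes.items():
            if action == "pass" and rev_classes.get(cm) != "pass":
                findings.append(f"{zp.name}: '{cm}' is passed statelessly but the reverse "
                                f"zone pair does not pass it, so replies will be dropped")
    return findings


if __name__ == "__main__":
    for finding in audit_zbf(SAMPLE_CONFIG):
        print(finding)
```

On the sample the script reports four findings: cm_icmp is passed inside-to-outside with no reverse pass, in-dmz has no service-policy, and dmz-in passes everything in class-default with nothing passed back. Run it against the output of show running-config | section zone-pair|policy-map on a real router; it deliberately ignores class-map contents, so a class that is defined differently in each direction (same traffic, different name) is reported as a false positive.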