Scribd Logo
Unggah

Selamat datang di Scribd!

  • FW by Zones

    Diunggah oleh

    George Noriega
    9 tayangan4 halaman
    Cisco

    Hak Cipta

    © Attribution Non-Commercial (BY-NC)

    Format Tersedia

    PDF, TXT atau baca online dari Scribd

    Apakah menurut Anda dokumen ini bermanfaat?

    Apakah konten ini tidak pantas?

    Laporkan Dokumen Ini
    Cisco

    Hak Cipta:

    Attribution Non-Commercial (BY-NC)
    Unduh sebagai PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    9 tayangan4 halaman

    FW by Zones

    Diunggah oleh

    George Noriega
    Cisco

    Hak Cipta:

    Attribution Non-Commercial (BY-NC)
    Unduh sebagai PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    dari 4

    ConfiguringaZonaBasedPolicyFWwithCLI

    Step1.CreatetheZones Theadministratorcreatesthezonesforthefirewallwiththezonesecuritycommand.Anoptional descriptionisrecommended. Router(config)#zonesecurityzonename Router(configseczone)#descriptionlineofdescription Thinkaboutwhatshouldconstitutethezones.Thegeneralguidelineistogrouptogether interfacesthataresimilarwhenviewedfromasecurityperspective.Inotherwords,interfaces thathavesimilarsecurityneedsshouldbeplacedintoazone.

    Step2.DefineTrafficClasses ZPFtrafficclassesenablethenetworksecurityprofessionaltodefinetrafficflowsinasgranulara fashionasdesired. ThisisthesyntaxforcreatingZPFtrafficclasses:

    Router(config)#classmaptypeinspect[matchany|matchall]classmapname ForLayer3andLayer4,toplevelclassmaps,thematchanyoptionisthedefaultbehavior: Router(config)#classmaptypeinspectprotocolname[matchany|matchall]classmapname ForLayer7applicationspecificclassmaps,checkdocumentationfoundonwww.cisco.comfor moreconstructiondetails.

    ConfiguringaZonaBasedPolicyFWwithCLI
    Thesyntaxforreferencingaccesslistsfromwithintheclassmapis: Router(configcmap)#matchaccessgroup{accessgroup|nameaccessgroupname} Protocolsarematchedfromwithintheclassmapwiththesyntax: Router(configcmap)#matchprotocolprotocolname Nestedclassmapscanbeconfiguredaswellusingthesyntax: Router(configcmap)#matchclassmapclassmapname TheabilitytocreateahierarchyofclassesandpoliciesbynestingisoneofthereasonsthatZPFis suchapowerfulapproachtocreatingCiscoIOSfirewalls.

    Step3.SpecifyFirewallPolicies SimilartoothermodularCLIconstructswithCiscoIOSsoftware,theadministratorhastospecify whattodowiththetrafficmatchingthedesiredtrafficclass.Theoptionsarepass,inspect,drop, andpolice. ThisisthesyntaxforcreatingZPFpolicymaps. Router(config)#policymaptypeinspectpolicymapname Trafficclassesonwhichanactionmustbeperformedarespecifiedwithinthepolicymap.

    ConfiguringaZonaBasedPolicyFWwithCLI
    Router(configpmap)#classtypeinspectclassname Thedefaultclass(matchingallremainingtraffic)isspecifiedusingthiscommand. Router(configpmap)#classclassdefault Finally,theactiontotakeonthetrafficisspecified. Router(configpmapc)#pass|inspect|drop[log]|police

    Step4.ApplyFirewallPolicies Afterthefirewallpolicyhasbeenconfigured,theadministratorappliesittotrafficbetweenapair ofzonesusingthezonepairsecuritycommand.Toapplyapolicy,azonepairmustfirstbe created.Specifythesourcezone,thedestinationzone,andthepolicyforhandlingthetraffic betweenthem. Router(config)#zonepairsecurityzonepairname[sourcesourcezonename|self]destination [self|destinationzonename] Usetheservicepolicytypeinspectpolicymapnamecommandtoattachapolicymapandits associatedactionstoazonepair.Enterthecommandafterenteringthezonepairsecurity command. Deeppacketinspection(attachingaLayer7policymaptoatoplevelpolicymap)canalsobe configured.ThisisthesyntaxusedwithCiscoIOSRelease12.4(20)T. 3

    ConfiguringaZonaBasedPolicyFWwithCLI
    Router(configpmapc)#servicepolicy{h323|http|im|imap|p2p|pop3|sip|smtp|sunrpc |urlfilter}policymap ThepolicymapisthenameoftheLayer7policymapbeingappliedtothetoplevelLayer3or Layer4policymap. Step5.AssignRouterInterfaces Finally,theadministratormustassigninterfacestotheappropriatesecurityzonesusingthezone memberinterfacecommand. Router(configif)#zonemembersecurityzonename Thezonemembersecuritycommandputsaninterfaceintoasecurityzone.Whenaninterfaceis inasecurityzone,alltraffictoandfromthatinterface(excepttrafficgoingtotherouteror initiatedbytherouter)isdroppedbydefault.Topermittrafficthroughaninterfacethatisazone member,thezonemustbepartofazonepairtowhichapolicyisapplied.Ifthepolicypermits traffic(viainspectorpassactions),trafficcanflowthroughtheinterface.

    Anda mungkin juga menyukai