Configuration walkthrough of the IOS zone-pair firewall

This article explains the concept of the zone-pair firewall (Zone-Based Firewall, ZBF) on Cisco IOS routers and how to configure it. Interfaces are assigned to security zones, and policy-maps applied to zone-pairs control the traffic allowed between zones, giving fine-grained network access control. The worked example shows how to permit only specific services between zones.

The zone-pair firewall groups the IOS router's interfaces into a number of zones; traffic between different zones is not allowed unless a policy permits it, much like the way the ASA treats its interfaces. A few points to keep in mind:

1. Make sure interfaces with the same security requirements are placed in the same zone.

2. Use class-maps to match the traffic flowing between zones; inspection is available from layer 3 up to layer 7. The actions available for a matched class are:

ZBF(config-pmap-c)#?
Policy-map class configuration commands:
  drop            Drop the packet
  exit            Exit from class action configuration mode
  inspect         Context-based Access Control Engine
  no              Negate or set default values of a command
  pass            Pass the packet
  police          Police                          (rate-limit the traffic)
  service-policy  Deep Packet Inspection Engine   (deep packet inspection)
  urlfilter       URL Filtering Engine            (URL filtering)

3. A direction that carries no traffic needs no zone-pair at all, because the default between different zones is to deny communication.

4. Apply the policy-map to a zone-pair with service-policy.

Let's go through this with the example below.

Requirements:

- Hosts in the Internet zone can reach DNS, SMTP, and SSH services on one server in the DMZ. The other server will offer SMTP, HTTP, and HTTPS services. The firewall policy will restrict access to the specific services available on each host.
- The DMZ hosts cannot connect to hosts in any other zone.
- Hosts in the client zone can connect to hosts in the server zone on all TCP, UDP, and ICMP services.
- Hosts in the server zone cannot connect to hosts in the client zone, except a UNIX-based application server can open X Windows client sessions to X Windows servers on desktop PCs in the client zone on ports 6900 to 6910.
- All hosts in the private zone (combination of clients and servers) can access hosts in the DMZ on SSH, FTP, POP, IMAP, ESMTP, and HTTP services, and in the Internet zone on HTTP, HTTPS, and DNS services and ICMP. Furthermore, application inspection will be applied on HTTP connections from the private zone to the Internet zone in order to assure that supported instant messaging and P2P applications are not carried on port 80. (See Figure 3.)

Configuration

! User-defined port map so the X Windows exception (TCP 6900-6910 in the
! requirements) can be matched by name; the original matched uucp (TCP 540).
ip port-map user-xwindows port tcp from 6900 to 6910
!
class-map type inspect match-any pr-to-DMZ-class
 match protocol ssh
 match protocol http
 match protocol pop3
 match protocol imap
class-map type inspect match-any pr-to-public
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
class-map type inspect match-any dns-http-class
 match protocol dns
 match protocol http
class-map type inspect match-any smtp-class
 match protocol smtp
! match-all: the packet must hit the ACL AND the nested class-map
class-map type inspect match-all smtp-acl-class
 match access-group 111
 match class-map smtp-class
class-map type inspect match-any x-class
 match protocol user-xwindows
! match-any here: a packet is only ever one of tcp/udp/icmp, so match-all
! with three protocol statements would never match anything
class-map type inspect match-any client-to-server-class
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all dns-http-acl-class
 match access-group 110
 match class-map dns-http-class
!
!
policy-map type inspect server-to-client-policy
 class type inspect x-class
  inspect
 class class-default
policy-map type inspect client-to-server-policy
 class type inspect client-to-server-class
  inspect
 class class-default
policy-map type inspect pr-to-public-policy
 class type inspect pr-to-public
  inspect
 class class-default
policy-map type inspect pr-to-DMZ-policy
 class type inspect pr-to-DMZ-class
  inspect
 class class-default
policy-map type inspect internet-dmz-policy
 class type inspect dns-http-acl-class
  inspect
 class type inspect smtp-acl-class
  inspect
 class class-default
!
zone security DMZ
zone security pr
zone security public
zone security server
zone security client
zone-pair security pr-to-public source pr destination public
 service-policy type inspect pr-to-public-policy
zone-pair security pr-to-DMZ source pr destination DMZ
 service-policy type inspect pr-to-DMZ-policy
zone-pair security public-to-DMZ source public destination DMZ
 service-policy type inspect internet-dmz-policy
zone-pair security servers-clients source server destination client
 service-policy type inspect server-to-client-policy
zone-pair security client-to-server source client destination server
 service-policy type inspect client-to-server-policy

interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 zone-member security public
 duplex auto
 speed auto
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
 no switchport
 ip address 172.16.2.1 255.255.255.0
 zone-member security DMZ
!
interface FastEthernet1/14
 switchport access vlan 2
!
interface FastEthernet1/15
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 zone-member security server
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 zone-member security client
!
router rip
 version 2
 network 172.16.0.0
 network 192.168.1.0
 network 192.168.2.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!         
!
ip http server
no ip http secure-server
!
access-list 110 permit ip any host 172.16.2.2
access-list 111 permit ip any host 172.16.2.3
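As an added example (my own model, not code from the original post), here is a small Python simulation of how the zone-pair policy above is evaluated. Zone names, ACL hosts and class-map nesting mirror the configuration; the PAM table, the sample flows and the simplified IOS behaviour (implicit drop without a zone-pair, class-default drop) are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
# Constructed subset of the IOS port-to-application map (PAM) behind "match protocol".
PAM = {("tcp", 22): "ssh", ("tcp", 25): "smtp", ("tcp", 80): "http", ("tcp", 443): "https",
       ("tcp", 53): "dns", ("udp", 53): "dns", ("tcp", 110): "pop3", ("tcp", 143): "imap"}
Flow = namedtuple("Flow", "src_zone dst_zone proto dst_ip dport")  # proto: tcp/udp/icmp

def protocols(f):
    """Names a flow satisfies under 'match protocol': its L4 protocol plus the PAM application."""
    app = PAM.get((f.proto, f.dport))
    return {f.proto, app} if app else {f.proto}

@dataclass
class ClassMap:
    mode: str                 # "match-any" or "match-all"
    protos: tuple = ()        # match protocol ...
    acl_hosts: tuple = ()     # match access-group N, with N = "permit ip any host X"
    nested: tuple = ()        # match class-map ...
    def matches(self, f):
        tests = [p in protocols(f) for p in self.protos]
        tests += [f.dst_ip in self.acl_hosts] if self.acl_hosts else []
        tests += [c.matches(f) for c in self.nested]
        return any(tests) if self.mode == "match-any" else all(tests)

def evaluate(zone_pairs, f):
    """Same zone: forwarded untouched. No zone-pair for this direction: implicit drop.
    Otherwise the first matching class wins and class-default drops."""
    if f.src_zone == f.dst_zone:
        return "pass"
    for cmap, action in zone_pairs.get((f.src_zone, f.dst_zone), []):
        if cmap.matches(f):
            return action
    return "drop"

# The page's Internet-to-DMZ policy: access-lists 110/111 pin each service to one host.
dns_http = ClassMap("match-any", protos=("dns", "http"))
smtp = ClassMap("match-any", protos=("smtp",))
internet_dmz = [(ClassMap("match-all", acl_hosts=("172.16.2.2",), nested=(dns_http,)), "inspect"),
                (ClassMap("match-all", acl_hosts=("172.16.2.3",), nested=(smtp,)), "inspect")]
# client-to-server as the page originally wrote it (match-all) versus what the requirement
# needs (match-any): one packet is never tcp AND udp AND icmp, so match-all can never hit.
c2s_all = [(ClassMap("match-all", protos=("tcp", "udp", "icmp")), "inspect")]
c2s_any = [(ClassMap("match-any", protos=("tcp", "udp", "icmp")), "inspect")]

def decisions(c2s):
    zp = {("public", "DMZ"): internet_dmz, ("client", "server"): c2s}
    return {"http_to_2.2": evaluate(zp, Flow("public", "DMZ", "tcp", "172.16.2.2", 80)),
            "http_to_2.3": evaluate(zp, Flow("public", "DMZ", "tcp", "172.16.2.3", 80)),
            "dmz_initiates": evaluate(zp, Flow("DMZ", "public", "tcp", "198.51.100.10", 443)),
            "client_ssh": evaluate(zp, Flow("client", "server", "tcp", "192.168.1.10", 22))}
```

Running `decisions(c2s_all)` shows HTTP reaching only 172.16.2.2, the DMZ unable to initiate anything outbound, and client-to-server SSH dropped under the match-all class; `decisions(c2s_any)` lets that SSH flow through.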

Summary: this configuration looks cumbersome, but at its core it is just the application of a few policies. Anyone who has studied QoS will find it familiar, since it follows the same MQC pattern (class-map, policy-map, service-policy).

One more point: an interface can belong to more than one zone. In this configuration, int vlan 1 belongs both to zone security pr and to zone security server, although the two stand in a containing relationship; I am not sure whether that is the reason it works, and anyone who has tested this is welcome to add their findings.

Another detail the article does not cover is the use of the parameter-map, which sets protocol-specific parameters for inspection. For example:

parameter-map type inspect inside-to-outside.pa
 audit-trail off
 alert on
 max-incomplete low 800
 max-incomplete high 1000
 one-minute low unlimited
 one-minute high unlimited
 udp idle-time 30
 icmp idle-time 10
 dns-timeout 5
 tcp idle-time 3600
 tcp finwait-time 5
 tcp synwait-time 15
 tcp max-incomplete host unlimited block-time 0
 sessions maximum 2147483647

policy-map type inspect inside-to-outside.policy
 class type inspect inside-to-outside.class
  inspect inside-to-outside.pa    (the parameter-map is attached here, under the policy-map class)
 class class-default

This article was reposted from the 51CTO blog of q狼的诱惑; original link: http://blog.51cto.com/liangrui/636039. Please contact the original author for permission to republish.