Decode of a Zone Based Firewall created by SDM
Here is my decode of the config that the SDM wizard for a Zone Based Firewall applied to a Cisco 3745 router.
More information about ZBF can be found at the following links:
Overview on the config for ZBF
More Indepth look from Cisco (12.4T)
Video about ZBF from ipexpert.com
We have two security zones defined, “in-zone” & “out-zone”
!
zone security in-zone
zone security out-zone
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 zone-member security in-zone
 speed 100
 full-duplex
!
interface Serial0/1
 description $FW_OUTSIDE$
 ip address 10.2.2.1 255.255.255.252
 zone-member security out-zone
 clock rate 2000000
!
We have a Zone Pair called “sdm-zp-in-out” which looks at traffic sourced from “in-zone” destined to “out-zone”. The zone pair applies a service policy of type inspect that references a policy-map called “sdm-inspect”. Note that this is the only zone pair: there is no pair from “out-zone” to “in-zone”, so unsolicited traffic arriving on the outside and heading for the inside has no policy to match and is dropped, while replies to connections that were inspected on the way out are allowed back by the stateful inspection.
!
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
The Policy Map is shown below. It contains four named class-maps and the default one, and you can see the action that will be taken when traffic matches each class. The classes are evaluated in the order they are listed and the first match wins, so the order matters. Further down the page I will paste each of the class-maps.
!
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
!
The first class-map is called “sdm-invalid-src”, and it matches traffic selected by access-list 100. In this context the ACL is not a permit or deny list, it's a match or no-match list: a “permit” entry means the packet belongs to the class. So if a packet arrives on the inside with a source address of 10.2.2.1 (it falls inside 10.2.2.0 with wildcard 0.0.0.3, i.e. 10.2.2.0 to 10.2.2.3, the outside serial link) it will match ACL 100 and the policy-map above will drop and log it. This class-map is preventing spoofing of some invalid source addresses (the limited broadcast address, the loopback range and the outside link itself) as seen from the inside interface fa0/1.
!
class-map type inspect match-all sdm-invalid-src
 match access-group 100
!
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
!
The second class-map is called “sdm-insp-traffic”, and it matches traffic that matches another class-map called “sdm-cls-insp-traffic”. The class-map called “sdm-cls-insp-traffic” is a match-any class that lists the protocols to be inspected; because it includes plain “tcp” and “udp” it will match most TCP and UDP traffic, not just the named applications.
!
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
!
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
!
The third class-map matches http and is called “sdm-protocol-http”
!
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
The fourth class-map matches three protocols and is called “SDM-Voice-permit”
!
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
!
The final class is class-default, which matches anything the earlier classes did not and passes it. Note that “pass” is not the same as “inspect”: passed traffic is forwarded without creating a session, so its return traffic is not automatically allowed back from “out-zone”.
!
Class Map match-any class-default (id 0)
   Match any
!
The match-all and match-any Keywords
The match-all and match-any keywords need to be specified only if more than one match criterion is configured in the traffic class.
The match-all keyword is used when all of the match criteria in the traffic class must be met in order for a packet to be placed in the specified traffic class.
The match-any keyword is used when only one of the match criteria in the traffic class must be met in order for a packet to be placed in the specified traffic class.
If neither the match-all nor match-any keyword is specified, the traffic class will behave in a manner consistent with match-all keyword.
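To make the decode above concrete, here is an added Python model that is not part of the original post and is not Cisco code. It parses the SDM config (reflowed one statement per line, with the long protocol list shortened) and traces a flow through the zone-pair lookup, the policy-map classes in order, the nested match-any/match-all class-maps described in the section above, and the wildcard-mask compare behind ACL 100. It assumes a simplified flow: a source address plus a set of protocol labels, where a TCP application flow carries both its application label and “tcp” so that “match protocol tcp” matches it; destination addresses, the self zone and return-traffic state are not modelled, and all sample addresses are constructed.

```python
import ipaddress

# Constructed input: the post's SDM config reflowed one statement per line and trimmed (protocol list shortened).
CONFIG = """\
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol dns
 match protocol smtp extended
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol sip
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
"""

def _src(tokens):
    # Source part of an IOS ACE (any | host A | A WILDCARD) -> (net, wildcard); destination ignored (all 'any' here).
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))

def _wild_eq(ip, net, wild):
    # IOS wildcard compare: 1 bits in the wildcard are don't-care, 0 bits must be equal.
    return ((int(ipaddress.IPv4Address(ip)) ^ net) & ~wild & 0xFFFFFFFF) == 0

def parse(config):
    zone_pairs, policies, classes, acls, ctx = {}, {}, {}, {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not raw.startswith(" "):                   # top-level statement opens a new context
            ctx = None
            if t[0] == "zone-pair":
                ctx = zone_pairs.setdefault(t[2], {"src": t[4], "dst": t[6]})
            elif t[0] == "policy-map":
                ctx = policies.setdefault(t[-1], [])  # ordered [class, action] pairs
            elif t[0] == "class-map":
                ctx = classes.setdefault(t[-1], {"mode": t[-2], "matches": []})
            elif t[0] == "access-list" and t[2] == "permit":   # only permit entries classify
                acls.setdefault(t[1], []).append(_src(t[4:]))  # t[3] is the IP protocol
        elif isinstance(ctx, list):                   # inside a policy-map
            if t[0] == "class":
                ctx.append([t[-1], None])
            else:
                ctx[-1][1] = t[0]                     # drop / inspect / pass ('log' ignored)
        elif t[0] == "service-policy":                # inside a zone-pair
            ctx["policy"] = t[-1]
        elif t[0] == "match":                         # inside a class-map
            ctx["matches"].append(t[1:])
    return zone_pairs, policies, classes, acls

def class_matches(name, classes, acls, flow):
    cm, hits = classes[name], []
    for m in cm["matches"]:
        if m[0] == "protocol":
            hits.append(m[1] in flow["protos"])
        elif m[0] == "access-group":
            # In an inspect class-map the ACL only classifies: 'permit' = "belongs to this class".
            hits.append(any(_wild_eq(flow["src"], net, wild) for net, wild in acls[m[1]]))
        elif m[0] == "class-map":
            hits.append(class_matches(m[1], classes, acls, flow))
    return all(hits) if cm["mode"] == "match-all" else any(hits)

def classify(model, src_zone, dst_zone, flow):
    zone_pairs, policies, classes, acls = model
    zp = next((z for z in zone_pairs.values() if z["src"] == src_zone and z["dst"] == dst_zone), None)
    if zp is None:
        return None, "drop"                           # no zone-pair between two zones: dropped
    for cls, action in policies[zp["policy"]]:        # evaluated top to bottom, first match wins
        if cls == "class-default" or class_matches(cls, classes, acls, flow):
            return cls, action

MODEL = parse(CONFIG)
if __name__ == "__main__":
    for src, protos in [("10.2.2.1", {"tcp", "http"}), ("192.168.3.10", {"tcp", "http"}),
                        ("10.2.2.4", {"udp", "dns"}), ("192.168.3.10", {"gre"})]:
        print(src, sorted(protos), "->", classify(MODEL, "in-zone", "out-zone", {"src": src, "protos": protos}))
```

Running it shows the anti-spoof class catching 10.2.2.1 but letting 10.2.2.4 through (the wildcard 0.0.0.3 only covers the /30), a non-TCP/UDP flow such as GRE falling to class-default and being passed, and a lookup from out-zone to in-zone returning drop because no zone pair exists. Under the model's assumption that an HTTP flow also carries the “tcp” label, an inside HTTP flow is claimed by sdm-insp-traffic before sdm-protocol-http is ever reached; that kind of ordering effect is worth confirming on a real router with show policy-map type inspect zone-pair, which reports per-class match counters.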
