Skip to content

    Configure IOS Zone-based Firewall (ZBF)

    1. Create zones
      2. zone security INSIDE
zone security OUTSIDE
    2. Map zones to interfaces
      3. interface Serial1/0
  zone-member security OUTSIDE
!
interface GigabitEthernet0/0
  zone-member security INSIDE
!
    3. Create class-maps to classify inter-zone traffic
      4. class-map type inspect match-any SERVERS
  match protocol http
  match protocol smtp
!
    4. Create policy-maps to filter inter-zone traffic
      5. policy-map type inspect INBOUND_POLICY
  class type inspect SERVERS
    pass
!
policy-map type inspect OUTBOUND_POLICY
  class-default
    inspect
!
    5. Configure zone-pairs to apply policies to traffic
      6. zone-pair security IN2OUT source INSIDE destination OUTSIDE
  service-policy type inspect OUTBOUND_POLICY
!
zone-pair security OUT2IN source OUTSIDE destination INSIDE
  service-policy type inspect INBOUND_POLICY
!
    6. Verify
      7. show policy-map type inspect zone-pair

    Posted in CCIE R&S, CCIE Security.

    Tagged with .

    1 comment

    By Brian February 7, 2010

    Configure IOS Intrusion Prevention (IPS)

    1. Create and define a directory for IPS configuration files
      2. mkdir flash:/ips
    2. Import the Cisco RSA public key (available from the cisco.com download area)
      3. crypto key pubkey-chain rsa
  named-key realm-cisco.pub signature
    key-string
    ....
    quit
    3. (optional) create an ACL to define what traffic gets inspected
      4. ip access-list extended IPS-INSPECT
  permit ip any host 1.2.3.4
  permit ip host 1.2.3.4 any
!
ios ips name IPS1 list IPS-INSPECT
    4. Retire and un-retire signature sets
      5. ip ips signature-category
  category-all
    retired true
  category ios_ips_basic
    retired false
    exit
  exit
    5. Apply the IPS configuration to an interface
      6. int gi0/0
  ip ips IPS1 in
  ip ips IPS1 out
    6. Upload signature definitions
      7. copy ftp://cisco:cisco@10.1.1.1/IOS-S310-CLI.pkg idconf
    7. (optional) enable syslog notifications for IPS events
      8. ip ips notify log
    8. (optional) enable SDEE notifications for IPS events
      9. access-list 80 permit 2.2.2.2
ip http access-class 80
ip http server enable
ip ips notify sdee
    9. (optional) Tweak individual signatures
      10. ip ips signature-definition
  signature 6130 10
    engine
      event-action produce-alert
      event-action deny-packet-inline
      exit
    exit
  exit
    10. Verification
      11. show ip ips signature count

    Based on Keith Barker’s blog post at InternetworkExpert and this Cisco.com technote.

    Posted in CCIE R&S, CCIE Security.

    Tagged with , , , , .

    No comments

    By Brian January 16, 2010