Официален блог на WebEKM EKM очаквайте сайта онлайн скоро.

Download Free Templates http://bigtheme.net/ free full Wordpress, Joomla, Mgento - premium themes.

Zone Based Firewall – turning IOS router into ASA firewall

zbf topology1smallZone Based Firewall in IOS, combines 2 concepts: Modular Policy Framework and well-known Zones from ASA firewalls. ZBF solution is more secure than ACLs, easier to implement and to troubleshoot. Rely on statefull filtering what is also well-known from ASA firewalls. Despite this, is not fresh solution, but still works out very well.


The ZBF feature allows us to apply statefull inspection in IOS based on stateful filtering, what in shorts means traffic that left a router will  be allowed to get back. Router keeps a statefull database with ip addresses, tcp ports, and thanks to this knows what tcp header of incoming packet should be and sequence number as well. If the user from inside initiate traffic to the outside server, returning traffic will pass the router easily without being subjected to any checking.  Without statefull inspection it wouldn’t be possible.and every single packet would be checked similar as we had applied ACLs

There is a couple of steps that have to be done in order to implement Zone Based Firewall:

1. creating zones
2. assigning interfaces to zones
3. creating class map
4. creating policy map
5. creating zone pairs
6. applying MPF to the zone (counterpart of service policy in MPF)

Traffic flow may be subjected to inspection, passed, droped or loged.

Zone Based Firewall LAB

We have 3 zones, www server OUT, FTP server in DMZ zone and a user in IN zone.
We want to statefully allow for trafic from IN to OUT (udp,tcp,icmp)  and from OUT to DMZ (http)

zone security IN
zone security OUT
zone security DMZ

interface fa1/0
zone-member security OUT

interface fa2/0
zone-member security IN

interface fa3/0
zone-member security DMZ

ip access-list extended IN-OUT-ACL
permit ip any any

class-map type inspect match-all IN-OUT-CLASS
match access-group name IN-OUT-ACL

policy-map type inspect IN-OUT-POLICY
class type inspect IN-OUT-CLASS
inspect icmp
inspect tcp
inspect udp

zone-pair security IN-OUT-ZP source IN destination OUT
service-policy type inspect IN-OUT-POLICY

class-map type inspect match-any WEB-CLASS
match protocol http

policy-map type inspect WEB-POLICY
class type inspect WEB-CLASS

zone-pair security OUT-DMZ-ZP source OUT destination DMZ
service-policy type inspect WEB-POLICY

, ,

Onlain bookmaker bet365.com - the best bokie