A quick howto on ZBPF. It's not difficult, but it can get really confusing when the configs start to grow. I always try to name the entries with the easiest detail possible. Like if it's an HTTP class map specifically, I name it HTTP_CLASS_MAP so it's easy to grep.

Sticking to the QOS MPF methodology, you always go in this order.

1. class-map
2. policy-map
3. service-policy

There are a few other items to remember. With a class-map you have to specify match-all or match-any, because it defaults to match-all. The "inspect" keyword is essential here and is a major difference between ZBPF and CBAC. You have to create the zones and any access lists first, and then you apply the zones to their respective interfaces.

1. Create the zones.
zone security INSIDE
zone security OUTSIDE

2. Create the class map.
class-map type inspect match-any NAME
Add what you want to match: protocols, access lists, etc.

3. Create the policy map.
policy-map type inspect NAME
Add the class and what you want to do with the traffic, whether it's drop, pass, etc. A useful troubleshooting tool is to add "drop log" to class class-default; once you apply it you can see what's dropping and build an ACL or add certain protocols to the policy-map as necessary.

4. Create the zone pair.
zone-pair security NAME source INSIDE destination OUTSIDE
We named these zones earlier. Then add your service policy:
service-policy type inspect NAME

5. Assign the zones to their respective interfaces.
interface FastEthernet0/0
 zone-member security DMZ

interface FastEthernet0/1
 zone-member security INSIDE
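The "drop log" advice above is only useful if you can read the resulting syslog at a glance. As an added example (not part of the original post), here is a small Python script that groups ZBPF drop messages by zone-pair, class, protocol and destination port, so you can decide whether a dropped flow belongs in the inspect class or needs an ACL exception like the traceroute one later in this post. The sample lines are constructed in the shape of the IOS %FW-6-DROP_PKT message; the exact wording is an assumption, so adjust DROP_RE to your platform's output.

```python
# Summarize ZBPF "drop log" syslog messages so you can see what class-default
# is dropping. Added example, not from the original post. The sample lines are
# constructed in the shape of the IOS %FW-6-DROP_PKT message; the exact wording
# is an assumption, so adapt DROP_RE to what your router actually logs.
import re
from collections import defaultdict

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) (?:session|pkt) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<pair>\S+) class (?P<cls>\S+)"
)

# Constructed sample: three SMB attempts, one traceroute probe leaving, one
# ICMP reply coming back, and one unrelated line that must be ignored.
SAMPLE_LOG = """\
*Mar  1 00:12:45.123: %FW-6-DROP_PKT: Dropping tcp session 10.1.1.10:51234 203.0.113.5:445 on zone-pair INSIDE_TO_OUTSIDE class class-default due to  DROP action found in policy-map with ip ident 0
*Mar  1 00:12:46.001: %FW-6-DROP_PKT: Dropping tcp session 10.1.1.11:51300 203.0.113.5:445 on zone-pair INSIDE_TO_OUTSIDE class class-default due to  DROP action found in policy-map with ip ident 0
*Mar  1 00:12:47.410: %FW-6-DROP_PKT: Dropping udp session 10.1.1.10:40001 198.51.100.9:33434 on zone-pair INSIDE_TO_OUTSIDE class class-default due to  DROP action found in policy-map with ip ident 0
*Mar  1 00:12:48.002: %FW-6-DROP_PKT: Dropping icmp session 198.51.100.1:0 10.1.1.10:0 on zone-pair OUTSIDE_TO_INSIDE class class-default due to  DROP action found in policy-map with ip ident 0
*Mar  1 00:12:49.900: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:12:50.500: %FW-6-DROP_PKT: Dropping tcp session 10.1.1.10:51240 203.0.113.5:445 on zone-pair INSIDE_TO_OUTSIDE class class-default due to  DROP action found in policy-map with ip ident 0
"""


def parse_drops(log_text):
    """Yield one dict per %FW-6-DROP_PKT line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(log_text):
    """Group drops by (zone-pair, class, proto, dst port); most frequent first."""
    buckets = defaultdict(lambda: {"count": 0, "sources": set(), "destinations": set()})
    for d in parse_drops(log_text):
        b = buckets[(d["pair"], d["cls"], d["proto"], int(d["dport"]))]
        b["count"] += 1
        b["sources"].add(d["src"])
        b["destinations"].add(d["dst"])
    rows = ((key, v["count"], sorted(v["sources"]), sorted(v["destinations"]))
            for key, v in buckets.items())
    # Highest count first; ties broken by the key so output is stable.
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def report(log_text):
    """Render the summary as a fixed-width table (one row per bucket)."""
    lines = [f"{'zone-pair':20} {'class':14} {'proto':5} {'dport':>5} {'drops':>5} sources"]
    for (pair, cls, proto, dport), count, srcs, _ in summarize(log_text):
        lines.append(f"{pair:20} {cls:14} {proto:5} {dport:>5} {count:>5} {','.join(srcs)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it the output of `show logging` (or the syslog server's file) and the top row is the first thing to investigate: here the udp/33434 row is outbound traceroute and the icmp row is its reply, which is exactly what the exception ACLs in the full config below are for, while the tcp/445 row from two hosts is something you would want to understand before adding any permit for it.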

Parameter maps can be used as a DDoS prevention mechanism, among other things. There are three types:
Inspect parameter map
URL filter parameter map
Protocol-specific parameter map
You configure one much as you would an inspect class-map, then create a policy-map specific to it and nest that in the policy already in effect for the direction the traffic is heading.
For example,
parameter-map type inspect PARAMETER_MAP_NAME
  alert on
  audit-trail on
  one-minute low 4
  one-minute high 2
policy-map type inspect POLICY_FOR_PARAMETERS
 class type inspect PARAMETER_MAP_NAME
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY

Inspect parameter-map example:
parameter-map type inspect NAME
  alert {on | off}
  audit-trail {on | off}
  one-minute low 4
  one-minute high 2
 
You can also secure traffic destined to the router itself (the router acting as the firewall) by using the "self" zone as the destination in the zone pair. Here's the full config with inside, outside, and DMZ segments that shows this, as well as allowing traceroute from inside to outside.

On the FW:
sh run | s access-list|class-map|parameter-map|policy-map|zone
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
ip access-list extended DMZ_TO_SELF_ACL
 permit ospf any any
 permit tcp any any eq bgp
ip access-list extended INSIDE_TO_OUTSIDE_EXCEPTIONS_ACL
 permit udp any any range 33000 35000
ip access-list extended INSIDE_TO_SELF_ACL
 permit eigrp any any
ip access-list extended OUTSIDE_TO_INSIDE_EXCEPTIONS_ACL
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
ip access-list extended OUTSIDE_TO_SELF_ACL
 permit ospf any any
ip access-list extended TO_DMZ_ACL
 permit tcp any host 192.10.1.254 eq 80
 permit tcp any host 192.10.1.254 eq 443
!

parameter-map type regex DENIED_URLS
 pattern *.badguy.com 
!
class-map type inspect match-all TO_DMZ_CLASS
 match access-group name TO_DMZ_ACL
 match protocol telnet
class-map type inspect match-any INSIDE_TO_SELF_CLASS
 match protocol telnet
 match protocol icmp
 match access-group name INSIDE_TO_SELF_ACL
 match protocol ssh
class-map type inspect http match-all HTTP_APPLICATION_CLASS
 match  req-resp header regex DENIED_URLS
class-map type inspect match-any INSIDE_TO_OUTSIDE_EXCEPTIONS_CLASS
 match access-group name INSIDE_TO_OUTSIDE_EXCEPTIONS_ACL
class-map type inspect match-any OUTSIDE_TO_INSIDE_EXCEPTIONS_CLASS
 match access-group name OUTSIDE_TO_INSIDE_EXCEPTIONS_ACL
class-map type inspect match-any INSIDE_TO_OUTSIDE_CLASS
 match protocol telnet
 match protocol icmp
class-map type inspect match-any OUTSIDE_TO_SELF_CLASS
 match access-group name OUTSIDE_TO_SELF_ACL
class-map type inspect match-any DMZ_TO_SELF_CLASS
 match access-group name DMZ_TO_SELF_ACL
!
policy-map type inspect DMZ_TO_SELF_POLICY
 class type inspect DMZ_TO_SELF_CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
 class type inspect INSIDE_TO_OUTSIDE_CLASS
  inspect
 class type inspect INSIDE_TO_OUTSIDE_EXCEPTIONS_CLASS
  pass
 class class-default
  drop log
policy-map type inspect http HTTP_APPLICATION_POLICY
 class type inspect http HTTP_APPLICATION_CLASS
  log
  reset
policy-map type inspect OUTSIDE_TO_SELF_POLICY
 class type inspect OUTSIDE_TO_SELF_CLASS
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE_TO_INSIDE_POLICY
 service-policy http HTTP_APPLICATION_POLICY
 class type inspect OUTSIDE_TO_INSIDE_EXCEPTIONS_CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE_TO_SELF_POLICY
 class type inspect INSIDE_TO_SELF_CLASS
  pass
 class class-default
  drop log
policy-map type inspect TO_DMZ_POLICY
 class type inspect TO_DMZ_CLASS
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
zone-pair security INSIDE_TO_DMZ source INSIDE destination DMZ
 service-policy type inspect TO_DMZ_POLICY
zone-pair security OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
 service-policy type inspect TO_DMZ_POLICY
zone-pair security INSIDE_TO_SELF source INSIDE destination self
 service-policy type inspect INSIDE_TO_SELF_POLICY
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE_TO_SELF_POLICY
zone-pair security DMZ_TO_SELF source DMZ destination self
 service-policy type inspect DMZ_TO_SELF_POLICY
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE_TO_INSIDE_POLICY
!
interface FastEthernet0/0
 zone-member security DMZ
!
interface FastEthernet0/1
 zone-member security INSIDE
!
interface Serial1/0.23 point-to-point
 zone-member security OUTSIDE
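Configs like the one above grow until a typo in one name silently leaves a zone-pair without a policy (and therefore dropping everything) or a class-map matching an ACL that was never written. As an added example (not part of the original post), the Python script below parses a "show run" excerpt and checks that every object exists before it is referenced, in the order the post lays out: zones and ACLs, then class-maps, then policy-maps, then zone-pairs, then interfaces. It also flags a Layer 4 policy-map without a class-default, since that is where the post recommends "drop log". GOOD_CONFIG is an excerpt of the config above; the checks themselves are this example's own assumptions about a sane ZBPF config, not an IOS syntax validator.

```python
# Reference checker for a Cisco IOS zone-based policy firewall config.
# Added example, not code from the original post: it reads a "show run"
# excerpt and checks that each object exists before it is referenced, in the
# order the post gives (zones and ACLs -> class-maps -> policy-maps ->
# zone-pairs -> interfaces). The checks are this example's own assumptions.
import re

# Top-level statement kinds. The object name is the last group, except for
# zone-pairs, where it is the first (the other two are source/destination).
TOP = {
    "zone": re.compile(r"^zone security (\S+)$"),
    "acl": re.compile(r"^ip access-list (?:extended|standard) (\S+)$"),
    "class": re.compile(r"^class-map type inspect (?:(\S+) )?match-(?:any|all) (\S+)$"),
    "policy": re.compile(r"^policy-map type inspect (?:(\S+) )?(\S+)$"),
    "pair": re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$"),
    "iface": re.compile(r"^interface (\S.*)$"),
}

# Excerpt of the post's config: the inside-to-outside leg, including the
# "pass" exception that lets traceroute probes (udp 33000-35000) out.
GOOD_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
ip access-list extended INSIDE_TO_OUTSIDE_EXCEPTIONS_ACL
 permit udp any any range 33000 35000
class-map type inspect match-any INSIDE_TO_OUTSIDE_CLASS
 match protocol telnet
 match protocol icmp
class-map type inspect match-any INSIDE_TO_OUTSIDE_EXCEPTIONS_CLASS
 match access-group name INSIDE_TO_OUTSIDE_EXCEPTIONS_ACL
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
 class type inspect INSIDE_TO_OUTSIDE_CLASS
  inspect
 class type inspect INSIDE_TO_OUTSIDE_EXCEPTIONS_CLASS
  pass
 class class-default
  drop log
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
interface FastEthernet0/1
 zone-member security INSIDE
interface Serial1/0.23 point-to-point
 zone-member security OUTSIDE
"""


def parse(text):
    """Group indented lines under their top-level statement; skip '!' and blanks."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line, []))
    return blocks


def check(text):
    """Return a list of findings; an empty list means every reference resolves."""
    objs = {kind: {} for kind in TOP}
    for head, body in parse(text):
        for kind, rx in TOP.items():
            if m := rx.match(head):
                name = m.group(1) if kind == "pair" else m.groups()[-1]
                objs[kind][name] = (m.groups(), body)
                break
    out = []
    for name, (_, body) in objs["class"].items():
        for line in body:
            if (m := re.match(r"match access-group name (\S+)$", line)) and m.group(1) not in objs["acl"]:
                out.append(f"class-map {name}: ACL {m.group(1)} is not defined")
    for name, ((subtype, _), body) in objs["policy"].items():
        for line in body:
            if (m := re.match(r"class type inspect (?:\S+ )?(\S+)$", line)) and m.group(1) not in objs["class"]:
                out.append(f"policy-map {name}: class-map {m.group(1)} is not defined")
            elif (m := re.match(r"service-policy (?:\S+ )?(\S+)$", line)) and m.group(1) not in objs["policy"]:
                out.append(f"policy-map {name}: nested policy-map {m.group(1)} is not defined")
        if subtype is None and "class class-default" not in body:  # Layer 4 policies only
            out.append(f"policy-map {name}: no class-default (add one with 'drop log' to see what is dropped)")
    for name, ((_, src, dst), body) in objs["pair"].items():
        out += [f"zone-pair {name}: zone {z} is not defined" for z in (src, dst) if z != "self" and z not in objs["zone"]]
        pols = [l.split()[-1] for l in body if l.startswith("service-policy type inspect ")]
        if not pols:
            out.append(f"zone-pair {name}: no service-policy, so traffic between the zones is dropped")
        out += [f"zone-pair {name}: policy-map {p} is not defined" for p in pols if p not in objs["policy"]]
    used = set()
    for name, (_, body) in objs["iface"].items():
        for line in body:
            if m := re.match(r"zone-member security (\S+)$", line):
                used.add(m.group(1))
                if m.group(1) not in objs["zone"]:
                    out.append(f"interface {name}: zone {m.group(1)} is not defined")
    out += [f"zone {z}: no interface is a member" for z in sorted(set(objs["zone"]) - used)]
    return out


if __name__ == "__main__":
    print(check(GOOD_CONFIG) or "OK: every reference resolves")
```

Run it against the output of `sh run | s access-list|class-map|parameter-map|policy-map|zone` (plus the interface stanzas) before you push a change; a zone-pair pointing at a misspelled policy-map name is the kind of mistake IOS accepts without complaint and that only shows up as everything between those zones being dropped.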
