Easy Configuration and Implementation of zone-based firewall on Cisco IOS Router

Captions
Hello guys, welcome to a new video. In this video we are going to configure a ZBF. ZBF stands for zone-based firewall; we are going to be using a Cisco router and configure it as a zone-based firewall. If you don't know what a zone-based firewall is, this is on the CCNA Security topic, and I also published a video on my YouTube channel on what ZBF is and all that good stuff, so go ahead and watch it if you do not know. So let's go and start with this configuration. As you can see right here, I have a Windows device that I'm going to start up right now. What I want to do is configure this Windows device to have access to this WordPress web page that I have over here, and it's going to be on 192.168.1.2. So what I'm going to do is allow the traffic from the Windows device to go to the WordPress website and come back; yeah, that's how it's going to work. So this one is going to be the outside zone and this one is going to be the inside zone. Let's go ahead and label that as well so we have a better view: this one is going to be the inside; duplicate; this one is going to be the outside zone.

So let's go ahead and configure that. I have not configured anything, no interfaces or anything, so I have to go ahead and configure that first from the router. I double-click on the router and let's go ahead and do that, guys: config t, we can just call it ZBF, let's do a hostname of ZBF ROUTER; in all caps, it looks better. Then from here we've got to go to interface gigabit 0, I believe it's 0/1, which is the outside, so let's go configure an IP address of 192.168.1.1, no shutdown. Then let's go into the inside zone, which is gigabit 0/0, and let's configure the IP address of 192.168.2.1/24. There we go, no shutdown, that's great, we can just exit.

After that, let's go ahead and configure my WordPress site over here. If I double-click on it, it is not opening up... it did open over here. So let's close this right here, and from here we need to configure an interface with ifconfig, because it's a Linux device; you configure an IP address on the interface, and it's going to be 1.2 (192.168.1.2), netmask 255.255.255.0, and then I set the default gateway: route add default gw 192.168.1.1. Oh, it's not router, it's route, there you go. Now we should be able to ping the default gateway, and as you can see we are configured with the default gateway; we are able to ping that.

So let's go into the Windows device and configure that IP address over here of 192.168.2.2. If you right-click on your interface and go to Change adapter options, we're going into Ethernet 2, and from here you can see that it has an old IP address configured there, and I don't want that. We're not going to set anything right here, or if you want to configure DNS, it doesn't matter, you can just go ahead and do 8.8.8.8. I don't know what's going on, let's quit and go back: 8.8.8.8 and 8.8.4.4; I think that's another DNS server for Google. That's fine, cool beans. Let's go into the CMD and try to ping our default gateway; you can see we're able to ping the default gateway. Are we able to ping 192.168.1.2? We are able to ping that as well, because they are directly connected to the default gateway. That is great. Let's see if we're also able to get into this WordPress website; let's see if we're able to launch it from the Windows device: 192.168.1.2, and as you can see right here, I'm able to get into the website, that WordPress website, and there it is. So that's cool.

So now what I want to do is configure ZBF, which stands for zone-based firewall, on my Cisco device. Let's go into the Cisco device, and from over here the first thing that I want to do is create a class map, and it's going to be type inspect, so we're going to inspect this; we want it to match-any, and we're going to call this my-new-class. Then from over here you want to match a couple of protocols. The first protocol that I want to match: as you can see, there is a lot that you can allow if you do a question mark, and the only one I want to allow is ICMP for right now, so let's leave it like that and exit.

After you do that, I need to create a policy map. So if you do policy-map... it doesn't recognize the command; that's because we've got to do it from config t. We do policy-map, and the policy map is also going to be type inspect, and from here you need to give it a name; as you can see, it comes with HTTP, HTTPS, SIP, SMTP and so on, but what we want to do is create our own, and this one is going to be called my-new-policy. From here you want to call the class map that we created, so the first thing is class type inspect, and we want to inspect the class map that we created, so we go up into the class map, and you can go ahead and copy this and paste it right here. After you do that you just want to give it an inspect, then we exit, and we exit out of here.

After you do that, what we want to do is create the security zones, and they can be named whatever you want to name them, but I want to name them inside and outside. So zone security inside, and then exit, and then we do zone security outside, and then you can go ahead and exit out of here. After that, what you want to do is create the zone pair, specifying the zones and the direction, from where to where, right; you want to tell it from which security zone towards which security zone. The way you do that is by doing a zone pair; I want to do in-to-out. I'm doing a zone pair... okay, you've got to do zone-pair security, and you tell it whatever you want; in-to-out is what I want to name it, and then the source is going to be inside and the destination is going to be outside, which are the two security zones we created. After you do that, you want to tell the service policy to inspect the policy map. The way we do that is service-policy type inspect, and you want to inspect the one that we copied earlier, my-new-class, and it's saying right now that it does not exist. That's because the one I need to apply here needs to be this one, my-new-policy; the policy is what I need to attach to the zone pair. You do not need to attach the class map, you need to apply the policy. Go ahead and paste it, and there it is, now you do not get that error anymore.

So now what you want to do is exit, and from here go ahead into the interface and apply those zones that we have created. So interface gigabit 0/0, which is going to be the inside, so the inside is going to be zone-member security inside, and if you want to add a description you can go ahead and do that: you do description and then you type the description, and you say it belongs to the inside. Then if you go into gigabit 0/1 and you do zone-member security outside for gigabit 0/1, and if you want to describe it you can say that it belongs to the outside network. There we go, and you can just end it and save that.

What we have done, what's going to happen, is that we are going to filter: the router is going to become a firewall, and it's going to be a stateful firewall, not a stateless one, because we're not using access lists; that's what stateless is, it's just an access list. So it's going to become stateful, so whenever we try to reach the outside network it's going to allow the replies back automatically. So if we do a ping from the Windows device as well (close this right here), if you go ahead and ping 192.168.1.2, you see that we are able to get pings and we also are able to get replies. But if we try to go into the website now, we won't be able to get into that website; you can see now that it is being denied, and that's because when we created that class map we only allowed matching the protocol ICMP. So now we need to allow HTTP into that. What we need to do is go into the class map, class-map type inspect match-any my-new-class, and then we need to match it and allow it. So we do config t, and from here you paste class-map type inspect match-any my-new-class, and from here you want to match protocol http. There we go, and that's now going to allow HTTP through the firewall, and you can see that after we apply the HTTP we are able to get into the website; before we were not able to. So if you do no match protocol http, and let's go ahead and go to the Windows device, let's exit out of here, let's see, oops, 192.168.1.2; let's go ahead again, 192.168.1.2, you're going to see that it doesn't let me into it. But if we do match protocol http, it's going to allow that traffic in, so let's go ahead and press Enter again, and there you go, now it's allowing that traffic in.

As you can see, we did not need to create access lists or anything like that to allow traffic in and to allow traffic out, because we have configured the ZBF, which is a stateful firewall. So what we did is we configured this router to become a firewall. This is what a lot of small businesses are doing: they're not getting a firewall if they don't really need it, and what they do is they just get a router with a lot of power and configure the ZBF, which stands for zone-based firewall, and now the router is acting as a router and also as a firewall. So that's it for this video, guys, and thank you for watching my videos. If you want to keep watching more videos and stay tuned to all my videos and all my tips, you can go ahead and follow me at CCNADailyTIPS on Twitter, and if you don't have a Twitter account, go ahead and create one and then follow me on Twitter. So thank you guys for watching and I'll see you on the next one, bye bye.
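The configuration the video builds up step by step, collected into one listing as an added example (this is not the video's own captured CLI output). Interface roles, addresses, the zone names and the class-map, policy-map and zone-pair names follow the captions; the hyphenated spelling of those names, the hostname form ZBF-ROUTER, and the explicit class-default drop (IOS drops unmatched traffic in an inspect policy by default, so making it explicit only documents the behaviour) are assumptions.

```cisco
! Added example, not the video's captured CLI. Names and addresses follow the
! video; hostname spelling and the explicit class-default drop are assumptions.
hostname ZBF-ROUTER
!
! Addressing: g0/0 faces the Windows host (inside), g0/1 faces the WordPress
! server (outside).
interface GigabitEthernet0/0
 description belongs to the inside
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 description belongs to the outside network
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Class map: which traffic is inspected. match-any = any listed protocol.
! With only "match protocol icmp" the web page is denied, as in the video;
! "match protocol http" is what lets the WordPress site through.
class-map type inspect match-any MY-NEW-CLASS
 match protocol icmp
 match protocol http
!
! Policy map: what happens to matched traffic. "inspect" creates a stateful
! session, so return traffic is allowed without any access list.
policy-map type inspect MY-NEW-POLICY
 class type inspect MY-NEW-CLASS
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
!
! Zone pair: direction inside -> outside. The service-policy must name the
! policy-map; naming the class-map here produces the "does not exist" error
! seen in the video.
zone-pair security IN-TO-OUT source inside destination outside
 service-policy type inspect MY-NEW-POLICY
!
! Interfaces are placed into their zones; an interface in no zone cannot
! exchange traffic with a zoned interface.
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/1
 zone-member security outside
!
end
!
! Verification from exec mode
show zone security
show zone-pair security
show class-map type inspect
show policy-map type inspect zone-pair sessions
```

The last show command lists the stateful sessions the inspect action created; a ping or HTTP request from the Windows host appears there while it is open, which is how the return traffic passes without an access list. Only the inside-to-outside pair exists, so connections initiated from the outside toward the inside have no policy and are dropped, matching the behaviour the video demonstrates.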
Info
Channel: CCNADailyTIPS
Views: 1,619
Keywords: Cisco Packet Tracer Lab, CCNA Security Lab, ZPF, zone-based policy firewall, router, GNS3 LAB, GNS3, Cisco ios, cisco router, stateful filtering, stateless firewall, stateful firewall, cisco, security, ccna, zone, based, firewall
Id: jcyR13-mPks
Length: 15min 41sec (941 seconds)
Published: Sun Jul 14 2019