Tuesday, March 27, 2012

Cisco Zone-Based Firewall

Here's a Zone-Based Firewall configuration proof-of-concept I put together for one of my clients. They needed to segment their PCI environment from their non-PCI environment using their existing Cisco 2821 routers. This configuration requires the router to run an IOS image that includes the firewall feature set.

!BEGIN CONFIG

! ACL 100: flows initiated toward non_pci_zone (bound below, via the outbound class,
! to the pci_zone -> non_pci_zone zone pair)
access-list 100 permit icmp any any
access-list 100 permit tcp host 10.0.4.132 host 10.0.2.132 eq www
access-list 100 permit udp host 10.0.4.132 host 10.0.2.132 eq tftp
access-list 100 permit tcp host 10.0.4.132 host 10.0.5.132 eq 139
access-list 100 permit tcp host 10.0.4.132 host 10.0.5.132 eq 445
access-list 100 permit tcp host 10.0.4.132 host 10.0.5.132 eq ftp

! ACL 101: flows initiated toward pci_zone (bound below, via the inbound class,
! to the non_pci_zone -> pci_zone zone pair)
access-list 101 permit icmp any any
access-list 101 permit tcp host 10.0.5.132 host 10.0.4.132 eq 139
access-list 101 permit tcp host 10.0.5.132 host 10.0.4.132 eq 445
access-list 101 permit tcp host 10.0.2.132 host 10.0.4.132 eq 139
access-list 101 permit tcp host 10.0.2.132 host 10.0.4.132 eq 445

! Security zones; interfaces in the same zone pass traffic to each other without inspection
zone security pci_zone
description pci_network

zone security non_pci_zone
description non_pci_network

int fa0/1
zone-member security pci_zone

int fa0/0
zone-member security non_pci_zone

int s0/0/0
zone-member security non_pci_zone

! Protocol class: ftp/dns/http get application-layer inspection (e.g. FTP data-channel pinholes);
! the generic tcp/udp/icmp entries catch everything else, so the ACL is the effective filter
class-map type inspect match-any store-protocols-class
match protocol ftp
match protocol dns
match protocol http
match protocol tcp
match protocol udp
match protocol icmp

! match-all: a flow must match the protocol class AND the ACL for its direction
class-map type inspect match-all store-protocols-acl-outbound-class
match class-map store-protocols-class
match access-group 100

class-map type inspect match-all store-protocols-acl-inbound-class
match class-map store-protocols-class
match access-group 101

! inspect is stateful: return traffic for a permitted flow is allowed automatically.
! Anything that matches no class falls into class-default and is dropped.
policy-map type inspect store-outbound-policy
class type inspect store-protocols-acl-outbound-class
inspect

policy-map type inspect store-inbound-policy
class type inspect store-protocols-acl-inbound-class
inspect

! Zone pairs are unidirectional; each applies its policy to flows initiated in the source zone
zone-pair security pci-non_pci source pci_zone destination non_pci_zone
service-policy type inspect store-outbound-policy

zone-pair security non_pci-pci source non_pci_zone destination pci_zone
service-policy type inspect store-inbound-policy

!END CONFIG
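To sanity-check which flows this policy actually admits before pushing it to a router, here is an added Python example (not part of the original post) that parses the two ACLs as written and answers whether a new flow initiated in one zone toward another would be passed. It models initiation direction only, since the inspect action takes care of return traffic, and relies on the generic tcp/udp/icmp entries in store-protocols-class making the ACL the effective filter; the zone names and ACL numbers are taken from the config above.

```python
import re

# Constructed from the post's configuration: zone pair -> ACL number, and the ACL lines as written.
ZONE_PAIR_ACL = {("pci_zone", "non_pci_zone"): 100, ("non_pci_zone", "pci_zone"): 101}
ACL_TEXT = """
access-list 100 permit icmp any any
access-list 100 permit tcp host 10.0.4.132 host 10.0.2.132 eq www
access-list 100 permit udp host 10.0.4.132 host 10.0.2.132 eq tftp
access-list 100 permit tcp host 10.0.4.132 host 10.0.5.132 eq 139
access-list 100 permit tcp host 10.0.4.132 host 10.0.5.132 eq 445
access-list 100 permit tcp host 10.0.4.132 host 10.0.5.132 eq ftp
access-list 101 permit icmp any any
access-list 101 permit tcp host 10.0.5.132 host 10.0.4.132 eq 139
access-list 101 permit tcp host 10.0.5.132 host 10.0.4.132 eq 445
access-list 101 permit tcp host 10.0.2.132 host 10.0.4.132 eq 139
access-list 101 permit tcp host 10.0.2.132 host 10.0.4.132 eq 445
"""
NAMED_PORTS = {"www": 80, "tftp": 69, "ftp": 21}  # IOS port keywords used in the post
# Only the ACE shape the post uses: permit <proto> <host X|any> <host Y|any> [eq <port>]
ACE = re.compile(r"access-list (\d+) permit (\w+) (host \S+|any) (host \S+|any)(?: eq (\S+))?$")

def parse_acls(text):
    """Return {acl_number: [(proto, src_spec, dst_spec, dport_or_None), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        num, proto, src, dst, port = m.groups()
        dport = None if port is None else int(NAMED_PORTS.get(port, port))
        acls.setdefault(int(num), []).append((proto, src, dst, dport))
    return acls

def _addr_match(spec, ip):
    return spec == "any" or spec == f"host {ip}"

def flow_allowed(src_zone, dst_zone, proto, src_ip, dst_ip, dport=None, acls=None):
    """True if a new flow initiated in src_zone toward dst_zone passes the firewall."""
    if src_zone == dst_zone:
        return True  # same zone: ZBF passes it without consulting any policy
    acl_num = ZONE_PAIR_ACL.get((src_zone, dst_zone))
    if acl_num is None:
        return False  # no zone pair defined: inter-zone traffic is dropped
    acls = acls or parse_acls(ACL_TEXT)
    for ace_proto, src, dst, port in acls[acl_num]:  # first matching ACE wins
        if (ace_proto == proto and _addr_match(src, src_ip)
                and _addr_match(dst, dst_ip) and (port is None or port == dport)):
            return True
    return False  # implicit deny at the end of the ACL; class-default drops the flow
```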

Hope this helps someone out when trying to segment their PCI environments.