# Filtering with CBAC and ZFW

- Introduction
- CBAC
- ZFW

## CBAC (Context-Based Access Control)

```
Router#show run | i ^interface|^ description|^ ip
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
Router#show hosts | i IP
external_host             None  (perm, OK)  0   IP    192.168.1.2
internal_host             None  (perm, OK)  0   IP    192.168.0.2

internal_host#ping external_host
!!!!!

Router(config)#access-list 100 deny ip any any
Router(config)#int fa0/0
Router(config-if)#ip access-group 100 in

internal_host#ping external_host
....

Router(config)#ip inspect name allow_icmp icmp
Router(config)#int fa0/0
Router(config-if)#ip inspect allow_icmp out

internal_host#ping external_host
!!!!!
```
## ZFW (Zone-Based Policy Firewall)

```
Router#show run | i ^interface|^ description|^ ip
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
Router#show hosts | i IP
external_host             None  (perm, OK)  0   IP    192.168.1.2
internal_host             None  (perm, OK)  0   IP    192.168.0.2

internal_host#ping external_host
!!!!!

Router(config)#zone security outside_zone
Router(config)#zone security inside_zone
Router(config)#int fa0/0
Router(config-if)#zone-member security outside_zone
Router(config-if)#int fa0/1
Router(config-if)#zone-member security inside_zone

internal_host#ping external_host
....

Router(config)#class-map type inspect match-any icmp_map
Router(config-cmap)#match protocol icmp
Router(config)#policy-map type inspect icmp_policy
Router(config-pmap)#class type inspect icmp_map
Router(config-pmap-c)#inspect
Router(config)#zone-pair security inside2outside source inside_zone destination outside_zone
Router(config-sec-zone-pair)#service-policy type inspect icmp_policy

internal_host#ping external_host
!!!!!
```
