21-56
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Troubleshooting Zone-based Rules and Configurations
The following list explains how the rules in Security Manager are converted to device-configuration commands, to aid your understanding of the relationship between the two. The list numbering corresponds to the rule numbers from the rules table in Security Manager (see the previous illustration):
1. This rule drops all traffic from the 10.100.10.0/24 network. The Permit, Source, Destination, and Service fields are used to create the first access control entry (ACE) in the ACL named CSM_ZBF_CMAP_ACL_1 defined in (K). This ACL is referenced from the class map CSM_ZBF_CLASS_MAP_1 defined in (C), which then defines the first drop rule in the policy map CSM_ZBF_POLICY_MAP_1, defined in (I).
The policy map (I) is used to define the zone service policy in (J). Because this policy map is how all of the rules are assigned to the zone pair, (J) is not mentioned again.
2. This rule drops all traffic from the 10.100.11.0/24 network. This rule is combined with rule 1 by adding an ACE to the ACL defined in (K). The rest of the configuration is identical to rule 1. Thus, rules 1 and 2 essentially become a single rule in the device configuration.
3. This rule drops all FTP/FTPS traffic from the 10.100.10.12/24 network. The Permit, Source, Destination, and Service fields are used to create the ACL named CSM_ZBF_CMAP_ACL_2 defined in (L). The Protocol table generates the class map CSM_ZBF_CMAP_PLMAP_1 defined in (D), which specifies the FTP and FTPS protocols. The ACL and FTP/FTPS class map are then used in a new class map, CSM_ZBF_CLASS_MAP_2 defined in (E), which completes the characterization of the traffic based on the combination of source and protocol. Finally, (E) is referenced in the policy map (I) as the second rule.
4. This rule drops peer-to-peer traffic from any source that uses any of these protocols: Bittorrent, eDonkey, FastTrack, ICQ, or Kazaa2. This rule prevents any of your internal servers from being used as a file-sharing source for these services. Because the rule applies to all sources and destinations for the default IP service, no ACL is required. Instead, the configuration starts with the class map CSM_ZBF_CLASS_MAP_3 defined in (F). This class map is referenced by the third drop rule in the policy map (I).
5. This rule inspects FTP/FTPS traffic from any source to any destination, which means these services are allowed. Note that rule 3, because it comes above rule 5, already drops FTP/FTPS traffic from the 10.100.12.0/24 network, so the combination of these rules means that FTP/FTPS traffic is inspected for all sources except 10.100.12.0/24. Because the Protocol table specifies the same protocols as it does for rule 3, no new class map is needed. Instead, the policy map (I) simply refers to the class map (D) as the fourth class type, but this time with the Inspect action.
6. This rule inspects HTTP traffic and applies a deep-inspection policy map named HTTPpmap. The HTTPpmap policy map (B) defines the action to take when traffic matches the criteria defined in the class map HTTPcmap (A). These maps specify that any HTTP connection that violates the HTTP protocol, or that misuses ports, should be reset (dropped) and a syslog entry generated. (Protocol violation and port misuse can characterize Denial of Service attacks.) The combination of (A) and (B) defines the deep-inspection rules for this policy.
An additional class map, CSM_ZBF_CLASS_MAP_4, is needed to specify the HTTP protocol (G). Then, the fifth class type rule in the policy map (I) refers to class map (G) for inspection, and the service-policy command refers to the policy map (B) for deep inspection.
7. This rule provides generic inspection on TCP/UDP traffic, allowing and inspecting the remaining TCP/UDP traffic from the internal network to the Internet and back. The class map CSM_ZBF_CLASS_MAP_5 defined in (H) is generated from the Protocols table. This class map then becomes the next-to-last rule in the policy map (I).