
In document Deploying Zone-Based Firewalls (Page 107-112)

Case Study: Migrating a Server to the Perimeter Network

FIGURE 6-7 Initial network design

[Figure 6-7 shows two zones. Outside: the Internet, with dns.isp.com (172.16.0.1), smtp.isp.com (172.16.0.2) and www.web.com (172.18.25.10); the firewall's outside address is 192.168.201.6 and its NAT address block is 172.16.10.32/28. Inside: the 10.0.0.0/24 LAN behind firewall interface 10.0.0.1, holding the public server 10.0.0.20 and a client 10.0.0.2.]

FIGURE 6-8 Firewall design using local area mobility

[Figure 6-8 adds a Perimeter zone. The public server 10.0.0.20 is moved to the perimeter interface (10.0.1.1/24) while the client 10.0.0.2 stays on the inside interface (10.0.0.1/24); the firewall carries a host route to the public server, 10.0.0.20/32, through the perimeter interface.]

The local area mobility feature is configured with the ip mobile arp command. Apart from that command, the IP routing configuration of the firewall is similar to the one from Chapter 4 (Listing 6-6). The access list named with the access-group keyword should permit only the addresses of the migrated servers: the router installs a host route for any permitted address that sends ARP requests on the perimeter interface, so a broader list would let any device on the perimeter VLAN claim an inside address and attract its traffic.

LISTING 6-6 Configuration of Inside Interfaces on the Firewall Router

hostname fw
!
interface Loopback1
 ip address 172.16.10.33 255.255.255.240
!
interface FastEthernet0/0
 description Inside network
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.5
 description Public Web server (Perimeter network)
 encapsulation dot1Q 100
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip mobile arp access-group PublicServerAddresses
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0/0.100 point-to-point
 description Link to the Internet
 ip address 192.168.201.6 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 100
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.100
!
ip nat pool Internet 172.16.10.38 172.16.10.46 prefix-length 28
ip nat inside source static 10.0.0.20 172.16.10.34
ip nat inside source list InternalHosts pool Internet
!
! list all IP addresses of the public servers in the following access-list
!
ip access-list standard PublicServerAddresses
 permit host 10.0.0.20
!
ip access-list standard InternalHosts
 permit 10.0.0.0 0.0.0.255

NOTE

You could also use a static route pointing to the perimeter interface (ip route 10.0.0.20 255.255.255.255 FastEthernet0/0.5) rather than local area mobility. Local area mobility might not work on all router platforms.
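The design above relies on three things lining up: the mobility access list (or a /32 static route, as in the NOTE) names exactly the migrated hosts, each such host still belongs to a subnet owned by another inside interface, and each keeps its static NAT translation. The following script is an added example, not code from the book or from Cisco: it parses those commands from a constructed excerpt of Listing 6-6 and reports anything that would break the migration. The function names are mine, and the checks also accept the NOTE's static-route variant.

```python
"""Consistency checks for the server migration of Listing 6-6.

Added example, not code from the book: it parses the commands the design
depends on from a constructed excerpt of the listing and reports anything
that would break the migration. All function names here are mine.
"""
import ipaddress
import re

# Constructed excerpt of Listing 6-6 (only the commands the checks look at).
LISTING_6_6 = """\
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.5
 encapsulation dot1Q 100
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip mobile arp access-group PublicServerAddresses
!
ip nat inside source static 10.0.0.20 172.16.10.34
!
ip access-list standard PublicServerAddresses
 permit host 10.0.0.20
"""


def parse_config(text):
    """Extract interfaces, standard ACLs, static NAT entries and /32 static routes."""
    cfg = {"interfaces": {}, "acls": {}, "static_nat": {}, "host_routes": {}}
    section = kind = None
    for line in text.splitlines():
        if not line.startswith(" "):                 # global command (or '!')
            section = kind = None
            if m := re.match(r"interface (\S+)", line):
                section, kind = m[1], "intf"
                cfg["interfaces"][section] = {"network": None, "mobile_acl": None}
            elif m := re.match(r"ip access-list standard (\S+)", line):
                section, kind = m[1], "acl"
                cfg["acls"][section] = []
            elif m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
                cfg["static_nat"][m[1]] = m[2]
            elif m := re.match(r"ip route (\S+) 255\.255\.255\.255 (\S+)", line):
                cfg["host_routes"][m[1]] = m[2]      # the NOTE's alternative to mobility
            continue
        cmd = line.strip()                           # interface or ACL subcommand
        if kind == "intf":
            if m := re.match(r"ip address (\S+) (\S+)", cmd):
                cfg["interfaces"][section]["network"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.match(r"ip mobile arp access-group (\S+)", cmd):
                cfg["interfaces"][section]["mobile_acl"] = m[1]
        elif kind == "acl":
            if m := re.match(r"permit host (\S+)", cmd):
                cfg["acls"][section].append(ipaddress.ip_network(m[1]))
            elif m := re.match(r"permit (\S+) (\S+)", cmd):  # address + wildcard (host) mask
                cfg["acls"][section].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return cfg


def migrated_addresses(cfg):
    """Map every address claimed on a perimeter interface (mobility ACL or /32 route) to those interfaces."""
    claims = {}
    for name, intf in cfg["interfaces"].items():
        for entry in cfg["acls"].get(intf["mobile_acl"], []):
            claims.setdefault(entry, set()).add(name)
    for dest, via in cfg["host_routes"].items():
        claims.setdefault(ipaddress.ip_network(dest), set()).add(via)
    return claims


def check_migration(cfg):
    """Return a list of findings; an empty list means the migration is consistent."""
    findings = []
    intfs = cfg["interfaces"]
    for entry, vias in migrated_addresses(cfg).items():
        if entry.prefixlen != 32:
            # Any device on the perimeter VLAN could ARP for an address in the range and
            # get a host route installed for it: the access list must name single hosts.
            findings.append(f"{entry}: mobility access list permits a range, not a host")
            continue
        host = str(entry.network_address)
        if len(vias) > 1:
            findings.append(f"{host}: claimed on several interfaces {sorted(vias)}")
        via = next(iter(vias))
        perimeter_net = intfs.get(via, {}).get("network")
        if perimeter_net and entry.network_address in perimeter_net:
            findings.append(f"{host}: already in {via}'s own subnet {perimeter_net}; nothing to migrate")
        elif not any(n != via and i["network"] and entry.network_address in i["network"]
                     for n, i in intfs.items()):
            findings.append(f"{host}: no inside interface owns its subnet; the host route would be pointless")
        if host not in cfg["static_nat"]:
            findings.append(f"{host}: no static NAT entry; the server keeps no fixed public address")
    return findings
```

Running check_migration on the excerpt as written returns no findings; replacing permit host 10.0.0.20 with permit 10.0.0.0 0.0.0.255 produces the "permits a range" finding, which is the over-broad access list case, and deleting the static NAT line produces the NAT finding.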

After you've configured local area mobility, you can check that the host routes have been inserted with the show ip route mobile command and debug its operation with debug arp and debug ip mobile local-area (Listing 6-7).

LISTING 6-7 Debugging and Monitoring Local Area Mobility

fw#debug arp
ARP packet debugging is on
fw#debug ip mobile local-area
IP local-area mobility debugging is on
fw#
04:02:45: Local MobileIP: FastEthernet0/0.5 add 10.0.0.20 accepted
04:02:45: IP ARP: rcvd req src 10.0.0.20 0017.5926.3f50, dst 10.0.0.1 FastEthernet0/0.5
04:02:45: Local MobileIP: FastEthernet0/0.5 add 10.0.0.20 accepted
04:02:45: Local MobileIP: route 10.0.0.20 added
04:02:45: IP ARP: sent rep src 10.0.0.1 0017.5926.5c58, dst 10.0.0.20 0017.5926.3f50 FastEthernet0/0.5
fw#show ip route mobile
     10.0.0.0 255.0.0.0 is variably subnetted, 3 subnets, 2 masks
M       10.0.0.20 255.255.255.255 [3/1] via 10.0.0.20, 00:36:24, FastEthernet0/0.5
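Reading the output by eye is fine for one server; for an ongoing check you want to compare what the router actually installed against the migration you intended. The script below is an added example, not part of the book: it parses the show ip route mobile and debug lines of Listing 6-7 into host routes and accepted addresses, then verifies that every migrated server has its /32 through the perimeter interface with itself as next hop and that nothing else was accepted. The final debug line is constructed by me to show what an over-broad access list would produce (the client 10.0.0.2 claiming its address on the perimeter); the expected-state table and function names are mine.

```python
"""Verify the local area mobility state shown in Listing 6-7.

Added example, not code from the book: it parses 'show ip route mobile' and
the debug output into host routes and accepted addresses, then compares both
with the intended migration. The last debug line is constructed.
"""
import re

# Intended migration (from Figure 6-8 / Listing 6-6): server -> perimeter interface.
EXPECTED = {"10.0.0.20": "FastEthernet0/0.5"}

# 'show ip route mobile' from Listing 6-7, one line per route as IOS prints it.
SHOW_IP_ROUTE_MOBILE = """\
     10.0.0.0 255.0.0.0 is variably subnetted, 3 subnets, 2 masks
M       10.0.0.20 255.255.255.255 [3/1] via 10.0.0.20, 00:36:24, FastEthernet0/0.5
"""

# Debug output from Listing 6-7. The final line is CONSTRUCTED: it is what an
# over-broad access list would produce when client 10.0.0.2 ARPs on the perimeter.
DEBUG_LOG = """\
04:02:45: Local MobileIP: FastEthernet0/0.5 add 10.0.0.20 accepted
04:02:45: IP ARP: rcvd req src 10.0.0.20 0017.5926.3f50, dst 10.0.0.1 FastEthernet0/0.5
04:02:45: Local MobileIP: route 10.0.0.20 added
04:02:45: IP ARP: sent rep src 10.0.0.1 0017.5926.5c58, dst 10.0.0.20 0017.5926.3f50 FastEthernet0/0.5
04:07:12: Local MobileIP: FastEthernet0/0.5 add 10.0.0.2 accepted
"""

ROUTE_RE = re.compile(r"^M\s+(?P<dest>\S+) (?P<mask>\S+) \[(?P<ad>\d+)/(?P<metric>\d+)\] "
                      r"via (?P<nexthop>\S+), \S+, (?P<intf>\S+)$")
ACCEPT_RE = re.compile(r"Local MobileIP: (?P<intf>\S+) add (?P<host>\S+) accepted")


def parse_mobile_routes(text):
    """Return {destination: (mask, next hop, interface)} for every 'M' route."""
    routes = {}
    for line in text.splitlines():
        if m := ROUTE_RE.match(line):
            routes[m["dest"]] = (m["mask"], m["nexthop"], m["intf"])
    return routes


def accepted_hosts(log):
    """Return {address: interface} for every address local area mobility accepted."""
    return {m["host"]: m["intf"] for m in ACCEPT_RE.finditer(log)}


def verify(routes, accepted, expected):
    """Return findings; empty means each migrated server has its /32 and nothing else was accepted."""
    findings = []
    for host, intf in expected.items():
        if host not in routes:
            findings.append(f"{host}: no mobile host route; traffic for it still follows the inside subnet route")
            continue
        mask, nexthop, via = routes[host]
        if (mask, nexthop, via) != ("255.255.255.255", host, intf):
            findings.append(f"{host}: route is {mask} via {nexthop} on {via}, expected /32 via {host} on {intf}")
    for host, intf in accepted.items():
        if host not in expected:
            findings.append(f"{host}: accepted on {intf} but is not a migrated server (access list too broad?)")
    for host in routes:
        if host not in expected:
            findings.append(f"{host}: unexpected mobile route")
    return findings
```

With only the book's lines the check is clean; the constructed 10.0.0.2 line is reported as an address accepted on the perimeter that was never meant to move, which is exactly the symptom of a mobility access list that permits more than the migrated hosts.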

After you've successfully configured and tested local area mobility, you have a working firewall with three routed interfaces. You can complete the configuration using zones, traffic classes, and policies similar to those in Chapter 4.

Summary

In this chapter, you’ve seen how you can configure the Cisco IOS transparent firewall using the zone-based configuration commands. When designing the zone-based transparent firewall, keep in mind these guidelines:

■ Only a single zone pair is checked for every packet traversing the router.

■ If a packet is bridged through the router, the router checks the zone pair policy configured between the physical interface zones.

■ If a packet is routed, the router checks the zone pair policy between the zones of the BVI interface and the outbound IP interface.

■ Configuring a zone pair between a bridged and a routed zone makes no sense (because it will never be used).

Ivan Pepelnjak
Copyright © 2007 Cisco
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA


Printed in the United States of America. First Printing October 2006

ISBN: 1-58705-310-1

