To configure a Zone Based firewall with a basic outside and inside interface configuration, follow this tutorial.
First of all, define the zones:

zone security OUTSIDE
 description Outside zone used for internet traffic
zone security INSIDE
 description Inside zone used for internal traffic
Next, define the inspection class maps. A class map of type inspect defines how traffic is classified. It is configured with the command class-map type inspect and, in this example, is matched against an ACL:

ip access-list extended ACL-ICMP
 permit icmp any any
ip access-list extended ACL-GRE
 permit gre any any
class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-INSPECT
 match access-group name ACL-GRE
class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-PASS
 match access-group name ACL-ICMP
The inspection policy map is configured next. It assigns an action to each of the class maps created earlier (note that the policy map must also be of type inspect):

policy-map type inspect POLICY-OUTSIDE-TO-INSIDE
 class type inspect CLASS-OUTSIDE-TO-INSIDE-INSPECT
  inspect
 class type inspect CLASS-OUTSIDE-TO-INSIDE-PASS
  pass
 class class-default
  drop
The inspect keyword offers state-based traffic control. The router maintains connection/session information and permits return traffic from the destination zone without the need to specify it in a second policy.

The pass keyword makes the router forward packets from the source zone to the destination zone. Packets are forwarded in only one direction. A policy must be applied for traffic to be forwarded in the opposite direction.

The drop keyword silently drops packets that match the class map. The log keyword adds syslog information that includes the source and destination information.

The inspect policy map has an implicit class-default that uses a default drop action. This is the same implicit 'deny all' that can be found in an access control list.

The policy map can be checked with the command show policy-map type inspect.
Next, the policy map needs to be attached to a zone-pair, which describes the traffic flow from a source zone to a destination zone. The zone-pair is created with the command zone-pair security, and the policy map is applied to it with service-policy type inspect:

zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect POLICY-OUTSIDE-TO-INSIDE
Finally, each zone needs to be attached to an interface:

interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
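The steps above only cover the OUTSIDE-TO-INSIDE direction, and, as noted for the pass action, a separate policy is needed for traffic flowing the other way. The following is an added example, not part of the original tutorial, that assembles the full two-zone configuration. The OUTSIDE-TO-INSIDE zones, ACLs, class maps and policy map are taken from the tutorial as written; the INSIDE-TO-OUTSIDE zone-pair, the class map CLASS-INSIDE-TO-OUTSIDE and the policy map POLICY-INSIDE-TO-OUTSIDE are assumed names chosen here so that hosts on the inside can initiate TCP, UDP and ICMP sessions and have the return traffic permitted by stateful inspection. The log keyword is added to class-default so that dropped traffic shows up in syslog.

```cisco
! Added example: complete Zone-Based Firewall configuration for the
! two-zone design in the tutorial. CLASS-INSIDE-TO-OUTSIDE,
! POLICY-INSIDE-TO-OUTSIDE and INSIDE-TO-OUTSIDE are assumed names.
!
! Zones
zone security OUTSIDE
 description Outside zone used for internet traffic
zone security INSIDE
 description Inside zone used for internal traffic
!
! Classification for traffic entering from the outside (from the tutorial)
ip access-list extended ACL-ICMP
 permit icmp any any
ip access-list extended ACL-GRE
 permit gre any any
class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-INSPECT
 match access-group name ACL-GRE
class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-PASS
 match access-group name ACL-ICMP
!
! Classification for sessions initiated from the inside (assumed)
class-map type inspect match-any CLASS-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Policies: the explicit class-default makes the implicit drop visible
! and logs what was not matched by an earlier class
policy-map type inspect POLICY-OUTSIDE-TO-INSIDE
 class type inspect CLASS-OUTSIDE-TO-INSIDE-INSPECT
  inspect
 class type inspect CLASS-OUTSIDE-TO-INSIDE-PASS
  pass
 class class-default
  drop log
!
policy-map type inspect POLICY-INSIDE-TO-OUTSIDE
 class type inspect CLASS-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! One zone-pair per direction, each with its own policy applied
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect POLICY-OUTSIDE-TO-INSIDE
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY-INSIDE-TO-OUTSIDE
!
! Interface membership
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
```

Two checks are worth running after applying this: show zone-pair security confirms that each zone-pair has a service-policy attached (a zone-pair without one drops everything), and show policy-map type inspect zone-pair sessions lists the sessions the inspect action is currently tracking, which is the quickest way to confirm that return traffic is being allowed by state rather than by a pass rule. Two IOS behaviours to keep in mind when extending this design: traffic between a zone-member interface and an interface that belongs to no zone is dropped, so every interface that must exchange traffic with GigabitEthernet0/0 or 0/1 needs a zone and a zone-pair; and traffic to or from the router itself belongs to the built-in self zone, which these zone-pairs do not touch.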