This tutorial walks through a basic Cisco IOS Zone-Based Policy Firewall configuration with one outside (internet-facing) interface and one inside (LAN) interface.
First, define the two security zones:
zone security OUTSIDE
 description Outside zone used for internet traffic
zone security INSIDE
 description Inside zone used for internal traffic
Next, define the inspect class maps. A class map classifies the traffic that a policy will act on. It is configured with class-map type inspect and here matches traffic by referencing an extended ACL, so the ACLs must exist before the class maps that name them:
ip access-list extended ACL-ICMP
 permit icmp any any
ip access-list extended ACL-GRE
 permit gre any any
class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-INSPECT
 match access-group name ACL-GRE
class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-PASS
 match access-group name ACL-ICMP
Next, configure the inspect policy map. It binds each class map created above to an action (inspect, pass or drop). Note that the policy map itself must also be of type inspect:
policy-map type inspect POLICY-OUTSIDE-TO-INSIDE
 class type inspect CLASS-OUTSIDE-TO-INSIDE-INSPECT
  inspect
 class type inspect CLASS-OUTSIDE-TO-INSIDE-PASS
  pass
The action under each class determines what the firewall does with matching traffic:
inspect provides stateful traffic control. The router keeps connection/session state and automatically permits the return traffic from the destination zone, so no second policy is needed for the reverse direction. It is the normal choice for protocols whose replies must come back, such as ICMP echo or TCP sessions.
pass forwards matching packets from the source zone to the destination zone without keeping state. Packets are forwarded in one direction only; for traffic in the opposite direction a separate zone-pair and policy must be applied. pass is typically used for protocols the firewall does not track statefully, such as GRE or IPsec ESP.
drop silently discards packets that match the class map.
log can be appended to the drop action (drop log) so that a syslog message containing the source and destination information is generated for each matching packet.
Every inspect policy map ends with an implicit class-default whose action is drop. This is the same implicit 'deny all' found at the end of an access control list: traffic that matches none of the configured classes is dropped. In this tutorial's policy the ICMP class is passed, so an echo request from OUTSIDE reaches INSIDE, but the echo reply travelling INSIDE to OUTSIDE is only permitted if a policy for that direction exists.
The policy map can be checked with the command
show policy-map type inspect
Next, create a zone-pair for the traffic direction (source zone to destination zone) and attach the policy map to it with a service-policy. A zone-pair without a service policy drops all traffic between the two zones:
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect POLICY-OUTSIDE-TO-INSIDE
Finally, assign each interface to its zone with zone-member security in interface configuration mode (the interface names below are examples):
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
Once an interface belongs to a zone, traffic between it and an interface in another zone is dropped unless a zone-pair policy permits it, and traffic between a zone member and an interface that belongs to no zone is dropped entirely. Traffic between interfaces in the same zone is not filtered.