To configure a Zone Based firewall with a basic outside and inside interface configuration, follow this tutorial.
First of all, define the zones
zone security OUTSIDE description Outside zone used for internet traffic zone security INSIDE description Inside zone used for internal traffic
Next define the inspection class map. The class map for inspection defines a method for classification of traffic.
The class map is configured using the command
class-map type inspect and is used with an ACL
ip access-list extended ACL-ICMP permit icmp any any ip access-list extended ACL-GRE permit gre any any class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-INSPECT match access-group name ACL-GRE class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-PASS match access-group name ACL-ICMP
The inspection policy map is required to be configured next. It applies the class map actions that were created earlier.
policy-map type POLICY-OUTSIDE-TO-INSIDE class type inspect CLASS-OUTSIDE-TO-INSIDE-INSPECT inspect class type inspect CLASS-OUTSIDE-TO-INSIDE-PASS pass class class-default drop
inspect keyword offers state-based traffic control. The router will maintain connection/session information and permits return traffic from the destination zone without the need to specify it in a second policy
pass keyword makes the router forward packets from the source zone to the destination zone. Packets are forwarded in only one direction. A policy must be applied for traffic to be forwarded in the opposite direction.
drop keyword silently drops packets that match the class map. The
log keyword will add syslog information that will include the source and destination information
The inspect policy map will have an implicit default that uses a default drop action. The is the same implicit ‘deny all’ that can be found in an access control list.
The policy map can be checked with the command
show policy-map type inspect
Next the policy map needs to be attached to a traffic flow source to a destination using the command
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
Finally, the zone needs to be attached to an interface
interface GigabitEthernet0/0 zone-member security OUTSIDE interface GigabitEthernet0/1 zone-member security INSIDE