Categories
CCNP Enterprise Core (350-401) Cisco Security

Zone Based Firewall Configuation

To configure a Zone Based firewall with a basic outside and inside interface configuration, follow this tutorial.

First of all, define the zones

zone security OUTSIDE
 description Outside zone used for internet traffic
zone security INSIDE
 description Inside zone used for internal traffic

Next define the inspection class map. The class map for inspection defines a method for classification of traffic.

The class map is configured using the command class-map type inspect and is used with an ACL

ip access-list extended ACL-ICMP
 permit icmp any any
ip access-list extended ACL-GRE
 permit gre any any
class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-INSPECT
 match access-group name ACL-GRE
class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-PASS
 match access-group name ACL-ICMP

The inspection policy map is required to be configured next. It applies the class map actions that were created earlier.

policy-map type POLICY-OUTSIDE-TO-INSIDE
 class type inspect CLASS-OUTSIDE-TO-INSIDE-INSPECT
  inspect
 class type inspect CLASS-OUTSIDE-TO-INSIDE-PASS
  pass
 class class-default
  drop

The inspect keyword offers state-based traffic control. The router will maintain connection/session information and permits return traffic from the destination zone without the need to specify it in a second policy

The pass keyword makes the router forward packets from the source zone to the destination zone. Packets are forwarded in only one direction. A policy must be applied for traffic to be forwarded in the opposite direction.

The drop keyword silently drops packets that match the class map. The log keyword will add syslog information that will include the source and destination information

The inspect policy map will have an implicit default that uses a default drop action. The is the same implicit ‘deny all’ that can be found in an access control list.

The policy map can be checked with the command show policy-map type inspect

Next the policy map needs to be attached to a traffic flow source to a destination using the command zone-pair security

zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE

Finally, the zone needs to be attached to an interface

interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.