Zone-Based Firewall August 6, 2010
Posted by ZoeL in Cisco, Security. Tags: ZFW, Zone-Based Firewall
A Cisco router can act as a zone-based firewall. The concept is not very far from that of a real PIX or ASA box. These are the three important things to remember if we want to set up ZBFW on a Cisco router.
- Zones
Just like on an ASA or PIX, we must define which interface belongs to the Outside (untrusted) zone and which to the Inside (trusted) zone. You can also set up other zones, say a DMZ.
- Inspect type for Class-Maps and Policy-Maps
There is one special type of Class-Map and Policy-Map for ZBFW, and this type is called INSPECT. It must be used each time we create a Class-Map or Policy-Map for the firewall; otherwise we won't be able to set up a zone-pair.
- Zone-Pair
This command binds zones with a policy-map and defines the direction of packet flow between zones, for example from outside to inside, inside to outside, or from DMZ to outside.
And here is a simple scenario:
Create two zones on R1, outside and inside. Internet users must not be able to telnet or ping the inside router (R2). R2 is not allowed to telnet into the Internet area. Let any other packets flow.
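One way to implement this scenario on R1, as an added example that is not part of the original post. It assumes GigabitEthernet0/0 faces the Internet and GigabitEthernet0/1 faces R2; the zone, class-map and policy-map names are my own choice.

```cisco
! R1 - assumed interfaces: Gi0/0 = Internet side, Gi0/1 = R2 side
!
! 1. Zones
zone security OUTSIDE
 description Untrusted Internet side
zone security INSIDE
 description Trusted side where R2 lives
!
! 2. Class-maps and policy-maps of type INSPECT
!
! Outside -> Inside: telnet and ping toward R2 must be dropped
class-map type inspect match-any CM-OUT-IN-DENY
 match protocol telnet
 match protocol icmp
!
! Catch-all used by both directions: everything else is stateful-inspected
class-map type inspect match-any CM-ANY
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-OUT-IN-DENY
  drop log
 class type inspect CM-ANY
  inspect
 class class-default
  drop
!
! Inside -> Outside: R2 may not telnet out, everything else is inspected
class-map type inspect match-all CM-IN-OUT-DENY
 match protocol telnet
!
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-OUT-DENY
  drop log
 class type inspect CM-ANY
  inspect
 class class-default
  drop
!
! 3. Zone-pairs bind the policy-maps to a direction of flow
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! Finally, put the interfaces into their zones
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
```

Within a policy-map the first matching class wins, so the deny class has to come before the inspect class; reversing the order would let CM-ANY inspect telnet and ICMP and the drop would never fire. `drop log` makes every blocked attempt show up in syslog, which is useful for spotting scans against R2. Traffic between two zones with no zone-pair is dropped, while traffic between interfaces in the same zone is allowed. Traffic destined to R1 itself belongs to the built-in `self` zone and is still permitted by default, so this configuration protects R2 but does not restrict telnet to R1; that needs a separate zone-pair involving `self`. Verify the result with `show zone-pair security` and `show policy-map type inspect zone-pair sessions`.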
