Zone-Based Firewall
August 6, 2010. Posted by ZoeL in Cisco, Security.
Tags: ZFW, Zone-Based Firewall
A Cisco router can act as a zone-based firewall (ZBFW). The concept is not far from that of a real PIX or ASA box. There are 3 important things to remember when setting up ZBFW on a Cisco router.
- Zones.
Just like on an ASA or PIX, we must define which interface belongs to the outside (untrusted) zone and which to the inside (trusted) zone. Other zones can be set up as well, for example a DMZ.
- Inspect type for class-maps and policy-maps.
ZBFW uses a special type of class-map and policy-map called INSPECT. This type must be used each time we create a class-map or policy-map for ZBFW; otherwise we will not be able to set up the zone-pair.
- Zone-pair.
This command binds zones with a policy-map and defines the direction of packet flow between zones, for example from outside to inside, from inside to outside, or from DMZ to outside.
And here is a simple scenario:
Create 2 zones on R1, outside and inside. Internet users must not be able to telnet to or ping the inside router (R2). R2 is not allowed to telnet into the Internet area. Let any other traffic flow.
- Create the zones, inside and outside.

zone security inside
 description Internal LAN
zone security outside
 description to Internet
- Create inspect-type class-maps that match the telnet and icmp protocols respectively.

class-map type inspect telnet
 match protocol telnet
class-map type inspect ping
 match protocol icmp
- Create inspect-type policy-maps, one for the outside-to-inside path and one for the inside-to-outside path. The matched classes get the drop action, and a class-default with the pass action is added to each policy-map so that any other traffic may pass (without it, unmatched traffic is dropped).

policy-map type inspect outside_to_inside_pmap
 class type inspect telnet
  drop
 class type inspect ping
  drop
 class class-default
  pass
policy-map type inspect inside_to_outside_pmap
 class type inspect telnet
  drop
 class class-default
  pass
- Create the zone-pairs, define the source and destination zones, and associate the policy-maps.

! --- Inbound from Internet ---
zone-pair security outside_to_inside_pmap source outside destination inside
 service-policy type inspect outside_to_inside_pmap
! --- Outbound to Internet ---
zone-pair security inside_to_outside_pmap source inside destination outside
 service-policy type inspect inside_to_outside_pmap
- Apply the zones to the router interfaces (zone-member is an interface sub-command; the interface names are placeholders, the post does not give them).

! --- apply outside zone to the interface facing the Internet ---
interface <interface facing the Internet>
 zone-member security outside
! --- apply inside zone to the interface facing R2 ---
interface <interface facing R2>
 zone-member security inside
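As an added example (not code from the original post), a small Python audit that reads an IOS configuration and reports the slips the steps above are prone to: an inspect class with no action, a policy-map without class-default, a zone-pair whose service-policy names a policy-map that was never defined, and a zone that is never applied to an interface. The sample configuration and the interface name are constructed, and only the ZBFW commands used on this page are parsed.

```python
ACTIONS = {"inspect", "pass", "drop"}
# Constructed sample after the page's scenario, seeded with three defects.
SAMPLE_CONFIG = """\
zone security inside
zone security outside
policy-map type inspect outside_to_inside_pmap
 class type inspect telnet
  drop
 class type inspect ping
 class class-default
  pass
zone-pair security outside_to_inside source outside destination inside
 service-policy type inspect outside_to_inside_pmp
interface FastEthernet0/0
 zone-member security outside
"""

def audit_zbfw(config):
    # Returns a list of findings; an empty list means the ZBFW pieces fit together.
    zones, pmaps, pairs, members, findings = {"self"}, {}, [], set(), []
    kind, name = "", ""                               # current top-level block
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if not raw[0].isspace():                      # unindented line = block header
            kind, name = w[0], w[-1]
            if w[:2] == ["zone", "security"]:
                zones.add(name)
            elif w[:3] == ["policy-map", "type", "inspect"]:
                pmaps[name] = []                      # [class, action] in order
            elif w[:2] == ["zone-pair", "security"]:  # ... NAME source SRC destination DST
                pairs.append([w[2], w[4], w[6], None])
            continue
        if kind == "policy-map" and w[0] == "class":
            pmaps[name].append([w[-1], None])
        elif kind == "policy-map" and w[0] in ACTIONS and pmaps[name]:
            pmaps[name][-1][1] = w[0]                 # action belongs to the last class
        elif kind == "zone-pair" and w[0] == "service-policy":
            pairs[-1][3] = w[-1]
        elif kind == "interface" and w[:2] == ["zone-member", "security"]:
            members.add(w[2])
    for pm, classes in pmaps.items():
        findings += [f"policy-map {pm}: class {c} has no action" for c, a in classes if a is None]
        if "class-default" not in [c for c, _ in classes]:
            findings.append(f"policy-map {pm}: no class-default, so unmatched traffic is dropped")
    for pair, src, dst, policy in pairs:
        if policy not in pmaps:
            findings.append(f"zone-pair {pair} ({src} -> {dst}): policy-map {policy} is not defined")
    findings += [f"zone {z}: not applied to any interface" for z in sorted(zones - {"self"} - members)]
    return findings
```

Run it against `show running-config` output saved to a file; the findings for the seeded sample are the ping class without an action, the mistyped policy-map name, and the inside zone with no member interface.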
Verify zones

R1#show zone security
zone self
  Description: System defined zone

zone inside
  Description: Internal LAN

zone outside
  Description: to Internet
Verify zone-pairs

RSRack1R5#sh zone-pair security
Zone-pair name outside_to_inside
    Source-Zone outside  Destination-Zone inside
Zone-pair name inside_to_outside_pmap
    Source-Zone inside  Destination-Zone outside