Cisco Zone Based Firewall setup

Another learning block in the 642-637 exam and more being dragged into the 21st century kicking and screaming! No more CBAC, it's all zone based now, and with added MQC configuration style. Here are a few rules to start us off:

  1. Interfaces can be in 1 zone only.
  2. Many interfaces can be in a single zone.
  3. Non-zoned interfaces act as normal router interfaces.
  4. Once an interface is in a zone, no traffic is allowed by default (rules must be added).
  5. Zone to zone policies are unidirectional.

Ok, so let's do a quick test. I'll use my trusty 1841 with the security feature set to demonstrate a two-zone firewall setup for internet access from the inside, trusted zone to the outside, internet zone.

Step 1 – Set up the zones:

zone security INSIDE
zone security OUTSIDE

Step 2 – Add the interfaces into the zones:

interface FastEthernet0/0
 zone-member security INSIDE

interface Dialer0
 zone-member security OUTSIDE

Step 3 – Identify the outbound traffic:

class-map type inspect match-any MY_PROTOCOLS
 match protocol http
 match protocol dns
 match protocol https

Step 4 – Make the Policy Map:

policy-map type inspect MY_MAP
 class type inspect MY_PROTOCOLS
  inspect 

Step 5 – Create the Zone Pair and assign the Policy Map:

zone-pair security IN_2_OUT source INSIDE destination OUTSIDE
 service-policy type inspect MY_MAP
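
Rules 4 and 5 above are the ones that bite in practice: a direction with no zone-pair (or a zone-pair with no service-policy) silently drops everything. Here is an added example, not part of the original post, that parses IOS config text for the zone and zone-pair statements and prints how traffic initiated between each pair of zones will be treated; the config it reads is a constructed sample built from the steps above, with a third zone and an unzoned interface added to show the other rules.

```python
import re
from itertools import permutations

# Constructed sample, not router output: the post's zones and zone-pair, plus a third
# zone (DMZ) with no zone-pair and one interface left out of any zone.
SAMPLE_CONFIG = """
zone security INSIDE
zone security OUTSIDE
zone security DMZ
interface FastEthernet0/0
 zone-member security INSIDE
interface Dialer0
 zone-member security OUTSIDE
interface FastEthernet0/1
 zone-member security DMZ
interface FastEthernet0/2
 ip address 10.0.0.1 255.255.255.0
zone-pair security IN_2_OUT source INSIDE destination OUTSIDE
 service-policy type inspect MY_MAP
"""

def parse_zbf(config):
    """Return (zone -> member interfaces, (src, dst) -> policy-map, unzoned interfaces)."""
    zones, pairs, unzoned = {}, {}, []
    current_if = current_pair = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"zone security (\S+)$", line):
            zones.setdefault(m.group(1), [])
        elif m := re.match(r"interface (\S+)$", line):
            current_if, current_pair = m.group(1), None
            unzoned.append(current_if)  # rule 3 unless a zone-member line follows
        elif m := re.match(r"zone-member security (\S+)$", line):
            zones.setdefault(m.group(1), []).append(current_if)
            unzoned.remove(current_if)  # rule 1: one zone per interface
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            current_pair = (m.group(1), m.group(2))
            pairs[current_pair] = None  # zone-pair with no policy attached still drops
        elif current_pair and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            pairs[current_pair] = m.group(1)
    return zones, pairs, unzoned

def traffic_matrix(zones, pairs):
    """How traffic initiated from src to dst is treated: zone-pairs are one-way (rule 5),
    and any direction with no zone-pair and service-policy is dropped (rule 4)."""
    matrix = {}
    for src, dst in permutations(zones, 2):
        policy = pairs.get((src, dst))
        matrix[(src, dst)] = f"handled by policy-map {policy}" if policy else "dropped by default"
    return matrix
```

"Dropped by default" refers to connections initiated in that direction; replies to sessions that the `inspect` action has already created (the ones counted in the show output below) are still let back in, which is why no OUT_2_IN zone-pair is needed for plain internet access.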

Right, pretty simple? Now we need to run a few confirmation commands to make sure it's working.

Router#sh zone security 
zone self
  Description: System defined zone


zone INSIDE
  Member Interfaces:
    FastEthernet0/0


zone OUTSIDE
  Member Interfaces:
    Dialer0

And

Router#show policy-map type inspect zone-pair IN_2_OUT
 Zone-pair: IN_2_OUT

  Service-policy inspect : MY_MAP

    Class-map: MY_PROTOCOLS (match-any)
      Match: protocol http
        158 packets, 6648 bytes
        30 second rate 0 bps
      Match: protocol dns
        290 packets, 13340 bytes
        30 second rate 0 bps
      Match: protocol https
        198 packets, 8584 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [40:31944]
        udp packets: [579:0]
        dns packets: [579:0]

        Session creations since subsystem startup or last reset 637
        Current session counts (estab/half-open/terminating) [6:0:0]
        Maxever session counts (estab/half-open/terminating) [72:23:8]
        Last session created 00:00:40
        Last statistic reset never
        Last session creation rate 4
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any 
      Drop (default action)
        673 packets, 27493 bytes