Female Voice: “Don’t tell me which zone’s for stopping and which zone’s for loading!”
Male Voice: “Listen, Betty, don’t start your white zone sh*t again. There is just no stopping in the white zone.” – Airplane 1980
A new addition in the CCSP and CCIE tracks is the Cisco IOS Zone-Based Firewall. This blog will introduce you to this new feature. And not to give too much away, but as you will see, it is a new feature based on some more classic-type technologies!
For this blog post, I actually consulted my own book – the CCNA Security Quick Reference published by Cisco Press. That was not a plug, in fact I was paid a flat rate for that one ☺. I also consulted the Cisco DOC-CD.
The IOS Zone-Based Firewall first showed up in 12.4(6)T and the goal was to provide an intuitive and straightforward policy design approach for multiple interface routers. There was also a desire to offer a greater level of granularity for the application of such policies. The Zone-Based approach utilizes CBAC technology and gives you everything you had there, plus more.
In order to configure the Zone-Based Firewall, you define your zones, define your class maps, define your policy maps, and then define your zone pairs and apply your policy maps to them. Possible actions for traffic moving between zones is INSPECT, DROP, or PASS. Zone Drop or Pass? This is starting to sound more and more like a football blog!
Inspect causes the traffic to be monitored with the IOS stateful packet inspection (think CBAC), while drop and pass are obvious. Pass allows the traffic to move between zones with no inspection whatsoever.
Let’s take a look at a quick and simple example.
Let’s presume we have Fa0/0 and Fa0/1 that connect to private networks in our company. We also have S0/0 that connects to the public Internet. Based on this, we create a simple zone-based firewall as follows:
Step 1: Define and populate our zones:
configure terminal ! zone security ZONE_PRIVATE zone security ZONE_INTERNET ! interface range fa0/0 - 1 zone-member security ZONE_PRIVATE ! interface s0/0 zone-member security ZONE_INTERNET
Step 2: Define the class maps that identify traffic that is permitted between zones:
configure terminal ! class-map type inspect match-any CM_INTERNET_TRAFFIC match protocol http match protocol https match protocol ftp
Step 3: Configure a policy map which specifies the action for the class map:
configure terminal ! policy-map type inspect PM_PRIVATE_TO_INTERNET class type inspect CM_INTERNET_TRAFFIC inspect
Step 4: Configure the zone pair and apply your policy:
configure terminal zone-pair security ZONEP_PRIV_INT source ZONE_PRIVATE destination ZONE_INTERNET service-policy type inspect PM_PRIVATE_TO_INTERNET
Notice how this simple configuration allows for the stateful inspection of our Internet protocols from the private areas to the Internet. It also blocks traffic from the Internet heading to the private area unless it is in response to the inspected traffic.
I sure hope you enjoyed this quick introduction to a 3.X CCIE Security feature!
About Anthony Sequeira, #15626:
Anthony Sequeira brings decades of teaching, technical writing, and consulting experience to INE. Anthony began his career as an author and lecturer within the IT community, featuring best-selling titles for Microsoft and Cisco Press. Best known as one of the training voices for the revolutionary e-learning company called KnowledgeNet, Anthony now teaches online and in-classroom exclusively for INE. When not helping his students master Cisco networking, Anthony can be found at the poker tables, or flying the Florida skies in a Cessna.
You can leave a response, or trackback from your own site.
12 Responses to “Cisco IOS Zone-Based Firewall Overview”
Leave a Reply
Loading ...
[...] Cisco IOS Zone-Based Firewall Overview [...]
You´ve forgotten to explain the “parameter map”. In my humble opinion the part of this chapter in IINS (i prepare myself for the CCNA Security Exam with the Certification Guide) reads like a last minute subject. Ther is noc complete configuration or a clear objective.
here is a guide:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
Thanks Robert!
Our materials, and surely the lab itself, will be sure to cover that important aspect!
Hi Anthony, How long before the workbooks are updated to reflect the rest of the recent additions.
Regards
Steve
Steve:
Hey thanks for reading. We are working on the update now – as we get closer to release – we will be sure to update eveyone through the blog and newsletter.
Our goal will be to release in months before the actual exam change.
mm. strange
Hi, Antony .
I am preparing for ccsp, i am trying with zone based firewall, my IOS is not supporting any of the command like zone,parameter-map and policy-map type is not there. can you please suggest me in which ios it works as i have seen in cisco documents they claim it works from 12.4(6)
i have 12.4(25b) the lattest one security advanced , and does this supports in all routers or only in selected ISR routers.
Rgds,
Praveen
In order to find the EXACT IOS images that support a particular feature fully, be sure to use the Feature Navigator at the Cisco site:
http://www.cisco.com/go/fn
I’m having a heck of a time finding the term “zone firewall” “IPS” in the security section of the doc cd? Can’t seem to find MPLS layer 3 VPN, VRF and VRF lite, OeR? I’m really confused about where I sould be finding this stuff. I’ve pulled the doc CD apart. Any ideas?
[...] 6.02 Implement Zone Based Firewall [...]
Hi to everybody…
for “zone based firewall” I use: c7200-advipservicesk9-mz.124-24.T2.bin
Saludos,
for ZBFW and EIGRPv6 I use
C3725-ADVENTERPRISEK9-M Version 12.4(15)T13
It requires 256MB of RAM and works well on GNS3