Cisco Basic Zone Based Firewall

By | May 17, 2012

In this post we will cover the basic set up of Zone Based firewalls on the Cisco routing platform. We will use the following network for our example.

Router R2 will be our Zone Based firewall (ZBF) and R3 will be the outside of our network and C1 is our client computer (which is another Cisco router in this example). The first thing we need to do is know how a zone based firewall will work. ZBF work by creating different Zone or areas. These Zones are used to define different parts of the network. For example R3 is not in our network so we have assigned this to a Zone we called “Outside”. C1 is our network and therefore we have assigned this as zone “inside”.

Once we have defined these Zones we can creat what ever policy we want for it. For example R3 is outside our network so its un-trusted and therefore we don’t want traffic coming in without it being checked.

The ZBF on Cisco devices work on the MQC (Modular Quality of Service Cli). This is made up of 3 parts the first is the Class map. This is where we match traffic. The next is the policy map. This is where we do what we want to the traffic and the last is the service policy which applies our policy map.

In this example we will match all TCP, UDP and ICMP traffic.

 class-map type inspect match-any TRAFFIC
  description TRAFFIC_MATCH
  match protocol icmp
  match protocol tcp
  match protocol udp

We have now created a Class Map called “Traffic” and it matches any ICMP, TCP or UDP traffic. We now need to create a Policy Map.

 policy-map type inspect TRAFFIC_CLASS
  class type inspect TRAFFIC
  class class-default

We now match the traffic on the class map and get it to inspect this traffic. We now need to create our Zones.

 zone security INSIDE
 zone security OUTSIDE

We now need to assign these Zone to the correct interfaces.

 interface Serial0/0
  ip address
  zone-member security INSIDE
 interface Serial0/1
  ip address
  zone-member security OUTSIDE

We have now defined our zones on the correct interfaces. Its now time to create a Zone pair and apply our Policy Map

 zone-pair security TRAF source INSIDE destination OUTSIDE
  service-policy type inspect TRAFFIC_CLASS

We create a bi-directional link from the Zone inside to the Zone outside. This will allow traffic from inside to go out and get a reply back but won’t allow traffic from the Zone outside to come in.

Lets test the ZBF by first sending a ping from C1 to R3.

We can see the ping is going out fine now lets try a ping from R3 to C1.

We can see that our ping has failed. If we used the following command from global config mode we can log packet drops.

ip inspect log drop-pkt

We have created a working Zone Based Firewall.