In this post we will cover the basic set up of Zone Based firewalls on the Cisco routing platform. We will use the following network for our example.
Router R2 will be our Zone Based firewall (ZBF) and R3 will be the outside of our network and C1 is our client computer (which is another Cisco router in this example). The first thing we need to do is know how a zone based firewall will work. ZBF work by creating different Zone or areas. These Zones are used to define different parts of the network. For example R3 is not in our network so we have assigned this to a Zone we called “Outside”. C1 is our network and therefore we have assigned this as zone “inside”.
Once we have defined these Zones we can creat what ever policy we want for it. For example R3 is outside our network so its un-trusted and therefore we don’t want traffic coming in without it being checked.
The ZBF on Cisco devices work on the MQC (Modular Quality of Service Cli). This is made up of 3 parts the first is the Class map. This is where we match traffic. The next is the policy map. This is where we do what we want to the traffic and the last is the service policy which applies our policy map.
In this example we will match all TCP, UDP and ICMP traffic.
! class-map type inspect match-any TRAFFIC description TRAFFIC_MATCH match protocol icmp match protocol tcp match protocol udp !
We have now created a Class Map called “Traffic” and it matches any ICMP, TCP or UDP traffic. We now need to create a Policy Map.
! policy-map type inspect TRAFFIC_CLASS class type inspect TRAFFIC inspect class class-default !
We now match the traffic on the class map and get it to inspect this traffic. We now need to create our Zones.
! zone security INSIDE zone security OUTSIDE !
We now need to assign these Zone to the correct interfaces.
! interface Serial0/0 ip address 172.16.10.1 255.255.255.252 zone-member security INSIDE ! interface Serial0/1 ip address 192.168.1.1 255.255.255.252 zone-member security OUTSIDE !
We have now defined our zones on the correct interfaces. Its now time to create a Zone pair and apply our Policy Map
! zone-pair security TRAF source INSIDE destination OUTSIDE service-policy type inspect TRAFFIC_CLASS !
We create a bi-directional link from the Zone inside to the Zone outside. This will allow traffic from inside to go out and get a reply back but won’t allow traffic from the Zone outside to come in.
Lets test the ZBF by first sending a ping from C1 to R3.
We can see the ping is going out fine now lets try a ping from R3 to C1.
We can see that our ping has failed. If we used the following command from global config mode we can log packet drops.
ip inspect log drop-pkt
We have created a working Zone Based Firewall.