Introduction to Cisco IOS Zone Based Firewall

In this article we will consider Cisco IOS Zone Based Firewall (ZBF). Cisco IOS Zone Based Firewall allows us to group interfaces into security zones and to apply a stateful inspection policy to the traffic flowing between a pair of zones.


Security Zone – an interface or group of interfaces to which a particular policy is applied. By default all traffic between interfaces in the same security zone is permitted, but all traffic between different security zones is dropped. The exceptions are the router itself (the predefined "self" zone): traffic to and from the router is permitted by default until a policy is applied to the self zone. An interface that is not a member of any zone cannot exchange traffic with an interface that is. To permit traffic between two security zones, a zone-pair and a policy for that zone-pair are required.

Zone-pair – defines a uni-directional firewall policy between two zones. To put it simply, a zone-pair determines the direction of the interesting traffic: it is always defined from a source zone to a destination zone. If connections should be allowed to start from either side, two zone-pairs (one per direction) are needed, each with its own policy.

Zone policy – determines what kind of traffic is denied or permitted between the zones of a zone-pair. For example: we want to permit HTTP traffic and deny SMTP traffic. A zone policy is a policy-map of type inspect, and it has three actions: "pass", "drop" and "inspect". "pass" lets matching traffic through statelessly, in the direction of the zone-pair only (any return traffic would need its own zone-pair and policy). "drop" discards matching traffic, optionally logging it. "inspect" performs stateful inspection: matching traffic is allowed, a session entry is created, and the return traffic belonging to that session is automatically allowed back even though no policy exists for the reverse direction.

Fig 1.1- Cisco IOS Zone Based Firewall

Let's consider an example in detail. In the following scenario, we will create two zones, INSIDE and OUTSIDE, and allow only PING (ICMP) to be initiated from the INSIDE zone towards the OUTSIDE zone. Because the traffic is inspected, the echo replies are allowed back, but a ping initiated from the OUTSIDE zone towards the INSIDE zone will be dropped.

Before starting the configuration of the Zone Based Firewall, make sure that everything works and that all hosts can reach each other. Then identify the interfaces that belong in the same security zone and group them together.

R1(config)#zone security INSIDE
R1(config)#zone security OUTSIDE
R1(config)#interface fa0/0
R1(config-if)#zone-member security INSIDE
R1(config)#interface fa0/1
R1(config-if)#zone-member security INSIDE
R1(config)#interface fa1/0
R1(config-if)#zone-member security OUTSIDE
R1(config)#class-map type inspect match-any CLASS_INSIDE_2_OUTSIDE
R1(config-cmap)#match protocol icmp

A class-map of type inspect takes one of two keywords: match-any and match-all. With "match-any", traffic is classified if it matches any one of the match criteria; with "match-all", the traffic must match all of the criteria listed in the class-map. In our case we check only ICMP, so either keyword gives the same result.
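As an added example (not part of the original article's configuration), the following class-maps show the difference in practice. The ACL name, the 10.1.1.0/24 subnet and the class names are assumptions chosen for illustration:

```cisco
! Added example, not part of the original configuration. The names and the
! 10.1.1.0/24 subnet are assumptions for illustration only.
!
! match-all: every criterion must be true for the same packet. This class
! matches HTTP only when the packet is also permitted by ACL_SERVERS, i.e.
! HTTP sourced from 10.1.1.0/24. A packet cannot be two protocols at once,
! so a match-all class should contain at most one "match protocol".
ip access-list extended ACL_SERVERS
 permit ip 10.1.1.0 0.0.0.255 any
!
class-map type inspect match-all CLASS_HTTP_FROM_SERVERS
 match access-group name ACL_SERVERS
 match protocol http
!
! match-any: one true criterion is enough. This class matches HTTP, HTTPS
! or DNS, whichever the packet happens to be.
class-map type inspect match-any CLASS_WEB_AND_DNS
 match protocol http
 match protocol https
 match protocol dns
!
! The two styles nest: a match-any class can reference a match-all class,
! which is how "HTTP from the servers OR any DNS" is expressed.
class-map type inspect match-any CLASS_OUTBOUND
 match class-map CLASS_HTTP_FROM_SERVERS
 match protocol dns
```

Use match-all when a protocol must be restricted to particular addresses (protocol AND ACL), and match-any to collect several protocols under one class; nesting the two keeps the policy-map short while still expressing "who may talk which protocol".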

We have already determined which traffic we want to control; now we determine what to do with this traffic.

R1(config)#policy-map type inspect POLICY_INSIDE_2_OUTSIDE
R1(config-pmap)#class type inspect CLASS_INSIDE_2_OUTSIDE
R1(config-pmap-c)#inspect

The "inspect" action is what allows the ICMP out and lets the echo replies back in; without an action under the class, the matched traffic is not permitted. Note: at the end of every inspect policy-map there is an implicit class-default whose action is drop, so everything that is not matched by CLASS_INSIDE_2_OUTSIDE is dropped. It looks like this:
class class-default
 drop

R1(config)#zone-pair security PAIR_INSIDE_2_OUTSIDE source INSIDE destination OUTSIDE
R1(config-sec-zone-pair)#service-policy type inspect POLICY_INSIDE_2_OUTSIDE

Let's do some checking. According to our scenario, hosts in the INSIDE zone should be able to ping hosts located in the OUTSIDE zone, but hosts in the OUTSIDE zone will not be able to ping hosts located in the INSIDE zone. Let's see the result.
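Two things a practitioner would add before testing, as an added example that is not part of the original article: making the implicit drop explicit and logged, and the show commands used to confirm the zone membership, the zone-pair binding and the inspected session. Command output is not reproduced here because it depends on the device and IOS release.

```cisco
! Added example, not part of the original article.
!
! 1. Make the implicit "class class-default" explicit and log its drops.
!    Useful while troubleshooting the policy; noisy in production.
R1(config)#policy-map type inspect POLICY_INSIDE_2_OUTSIDE
R1(config-pmap)#class type inspect CLASS_INSIDE_2_OUTSIDE
R1(config-pmap-c)#inspect
R1(config-pmap-c)#class class-default
R1(config-pmap-c)#drop log
R1(config-pmap-c)#end
!
! 2. Confirm that fa0/0 and fa0/1 are in INSIDE, fa1/0 is in OUTSIDE, and
!    that PAIR_INSIDE_2_OUTSIDE carries POLICY_INSIDE_2_OUTSIDE.
R1#show zone security
R1#show zone-pair security
!
! 3. While a host in INSIDE pings a host in OUTSIDE, the inspect action
!    creates a session; it should be listed here as icmp between the two
!    addresses. An INSIDE host attempting anything other than ICMP (HTTP,
!    for example) hits class-default and, with "drop log", produces a
!    %FW-6-DROP_PKT syslog message. A ping started from OUTSIDE matches no
!    zone-pair at all, so it is dropped by the default inter-zone deny and
!    creates no session and no class-default log entry.
R1#show policy-map type inspect zone-pair PAIR_INSIDE_2_OUTSIDE sessions
```

If the INSIDE host cannot ping, check the output of "show zone-pair security" first: a missing service-policy on the zone-pair, or an interface that was never made a zone member, are the two most common causes of a policy that is written correctly but never applied.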