Roger Perkin

Network Automation Architect

Zone Based Firewall Configuration Example

A new feature to the V4 blueprint for the CCIE R&S exam is Zone Based Firewall.
According to the blueprint you need to Implement Zone Based Firewall.

First stop would be the Documentation.

Direct Link:
http://www.cisco.com/en/US/customer/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html

Navigation path is:
12.4T > Config Guides > Security, Services, and VPN > Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4T > Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 12.4T

For this post I am going to be using this simple topology first with two zones Inside and Outside, in a following post we will expand on this to include a DMZ zone.

 

cisco zone based firewall tutorial

Default rules of Zone Based Firewall

  • Inter-zone communication is denied, traffic will be denied between different zones unless we specify a firewall policy.
  • Intra-zone is permitted. This is traffic among interfaces in the same zone. You can control this in 15 code but not in the 12.4 used in this example.
  • All Self-Zone traffic is permitted. The self zone is traffic destined to the router i.e ospf neighbor, ssh, the zone based firewall will block traffic going through the router unless it is permitted.

Step 1: Configure Zones

In this example I am only using two zones, Inside and Outside. We simply need to define these on the router.
Router 2 will be used as the zone based firewall.

R2(config)#zone security INSIDE
R2(config-sec-zone)#zone security OUTSIDE

Step 2: Assign the interfaces to the zones

R2(config)#int f0/0
R2(config-if)#zone-member security INSIDE
R2(config-if)#int f0/1
R2(config-if)#zone-member security OUTSIDE
R2(config-if)#end
R2#sh run int f0/0
!
interface FastEthernet0/0
ip address 10.1.12.2 255.255.255.0
zone-member security INSIDE
ip ospf 1 area 0
duplex auto
speed auto
end

R2#sh run int f0/1
!
interface FastEthernet0/1
ip address 10.1.23.2 255.255.255.0
zone-member security OUTSIDE
ip ospf 1 area 0
duplex auto
speed auto
end

At this point in the configuration you will not be able to ping from R1 to R3 but you will be able to ping to R2. I have also configured ospf between the routers and you can see that the ospf neighbors have stayed up from R1 to R2 and from R3 to R2

Ping from R1 to R3 – will fail due to interfaces being assigned to security zones with no policies.

R1#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

Ping from R1 to R2 will succeed and OSPF neighbor is still up – traffic going to Self Zone.

R1#ping 10.1.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/89/136 ms
R1#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.12.2         1   FULL/DR         00:00:38    10.1.12.2       FastEthernet0/0
R1#

Now that you can see we have created a firewall between R1 and R3 we need to allow some traffic through, the first step is to create Zone Pairs.
A Zone Pair is used to connect two zones together. So if you want traffic to flow from Inside to Outside you need to create a zone pair for that and if you want traffic to flow from Outside to Inside you need to create a zone pair for that also. For this example I will be creating two zone pairs.

  • OUTSIDE to INSIDE
  • INSIDE to OUTSIDE

R2(config)#$zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
R2(config-sec-zone-pair)#zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE

At this point a simple show run will let you see  your handy work

sh run

(output removed for clarity)

zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE

 

You can also use show zone-pair security – this also shows that the service policy has not been configured yet.

R2#sh zone-pair security
Zone-pair name INSIDE-to-OUTSIDE
Source-Zone INSIDE  Destination-Zone OUTSIDE
service-policy not configured
Zone-pair name OUTSIDE-to-INSIDE
Source-Zone OUTSIDE  Destination-Zone INSIDE
service-policy not configured
Category: Tag: ,
ansible course for network engineers
Get Access to my Ansible Course NOW

Reader Interactions

Comments

  1. No doubt you have found it yourself by now, but for reference for others, you can find Zone Based FW configuration data at 12.4T -> Config Guides -> Security Configuration Guide: Securing the Data Plane -> Zone Based Policy Firewall

  2. Since this last post it has changed slightly!

    Now in 12.4T > Config Guides > Security, Services, and VPN > Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4T > Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 12.4T

    Why do they keep changing it?