Zone Based Firewall Configuration Example


A new feature in the V4 blueprint for the CCIE R&S exam is Zone Based Firewall.
According to the blueprint you need to be able to implement a Zone Based Firewall.

First stop would be the Documentation.

Direct Link:
http://www.cisco.com/en/US/customer/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html

Navigation path is:
12.4T > Config Guides > Security, Services, and VPN > Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4T > Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 12.4T

For this post I am going to be using this simple topology with two zones, Inside and Outside. In a following post we will expand on this to include a DMZ zone.

Figure: cisco zone based firewall tutorial topology (R1, R2 and R3, with R2 as the firewall)

Default rules of Zone Based Firewall

  • Inter-zone traffic is denied. Traffic between different zones is dropped unless we specify a firewall policy for that zone pair.
  • Intra-zone traffic is permitted. This is traffic between interfaces in the same zone. You can control this in IOS 15 code but not in the 12.4T code used in this example.
  • All self-zone traffic is permitted. The self zone is traffic destined to the router itself, e.g. OSPF neighbor packets or SSH to the router. The zone based firewall only blocks traffic going through the router, and that traffic is dropped unless a policy permits it.

Step 1: Configure Zones

In this example I am only using two zones, Inside and Outside. We simply need to define these on the router.
Router 2 (R2) will be used as the zone based firewall.

R2(config)#zone security INSIDE
R2(config-sec-zone)#zone security OUTSIDE

Step 2: Assign the interfaces to the zones

R2(config)#int f0/0
R2(config-if)#zone-member security INSIDE
R2(config-if)#int f0/1
R2(config-if)#zone-member security OUTSIDE
R2(config-if)#end
R2#sh run int f0/0
!
interface FastEthernet0/0
ip address 10.1.12.2 255.255.255.0
zone-member security INSIDE
ip ospf 1 area 0
duplex auto
speed auto
end

R2#sh run int f0/1
!
interface FastEthernet0/1
ip address 10.1.23.2 255.255.255.0
zone-member security OUTSIDE
ip ospf 1 area 0
duplex auto
speed auto
end

At this point in the configuration you will not be able to ping from R1 to R3, but you will still be able to ping R2. I have also configured OSPF between the routers, and you can see that the OSPF neighbors have stayed up between R1 and R2 and between R3 and R2, because that traffic is destined to the self zone.

Ping from R1 to R3 will fail, because the interfaces have been assigned to security zones but no policy permits traffic between them.

R1#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

Ping from R1 to R2 will succeed and the OSPF neighbor is still up, because this traffic is going to the self zone.

R1#ping 10.1.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/89/136 ms
R1#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.12.2         1   FULL/DR         00:00:38    10.1.12.2       FastEthernet0/0
R1#

Now that you can see we have created a firewall between R1 and R3, we need to allow some traffic through. The first step is to create zone pairs.
A zone pair connects two zones together in one direction. So if you want traffic to flow from Inside to Outside you need to create a zone pair for that, and if you want traffic to flow from Outside to Inside you need to create a separate zone pair for that as well. For this example I will be creating two zone pairs:

  • OUTSIDE to INSIDE
  • INSIDE to OUTSIDE

R2(config)#$zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
R2(config-sec-zone-pair)#zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE

At this point a simple show run will let you see your handiwork (the $ at the start of the zone-pair line above is just IOS indicating that the command line has scrolled).

sh run

(output removed for clarity)

zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE


You can also use show zone-pair security. This also shows that no service-policy has been configured on either zone pair yet, which is why inter-zone traffic is still dropped.

R2#sh zone-pair security
Zone-pair name INSIDE-to-OUTSIDE
Source-Zone INSIDE  Destination-Zone OUTSIDE
service-policy not configured
Zone-pair name OUTSIDE-to-INSIDE
Source-Zone OUTSIDE  Destination-Zone INSIDE
service-policy not configured
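As an added example (not part of the original post), here is a small Python checker in the spirit of this blog's network automation content: it parses R2's running config and predicts what the zone based firewall does with a flow, using the three default rules above plus the zone-pair requirement. It assumes the standard IOS `service-policy type inspect NAME` syntax under a zone pair (not yet configured in this post) and, beyond the post, the rule that a zone member cannot exchange traffic with an interface that is in no zone.

```python
import re
# Constructed sample config for R2 as it stands at the end of the post:
# zones and zone pairs defined, but no service-policy applied yet.
SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
interface FastEthernet0/0
 ip address 10.1.12.2 255.255.255.0
 zone-member security INSIDE
interface FastEthernet0/1
 ip address 10.1.23.2 255.255.255.0
 zone-member security OUTSIDE
zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
"""

def parse_zbf(config):
    """Return (members, pairs): interface -> zone, and (src, dst) zone
    pair -> inspect policy name, or None if no service-policy is attached."""
    members, pairs, iface, pair = {}, {}, None, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+)", s):
            iface, pair = m.group(1), None
        elif iface and (m := re.match(r"zone-member security (\S+)", s)):
            members[iface] = m.group(1)
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", s):
            pair, iface = (m.group(1), m.group(2)), None
            pairs.setdefault(pair, None)
        elif pair and (m := re.match(r"service-policy type inspect (\S+)", s)):
            pairs[pair] = m.group(1)
    return members, pairs

def verdict(config, ingress, egress=None):
    """Predict the ZBF verdict for a flow using the post's default rules;
    egress=None means the flow terminates on the router (self zone)."""
    members, pairs = parse_zbf(config)
    if egress is None:
        return "permit (self zone)"
    src, dst = members.get(ingress), members.get(egress)
    if src == dst:                      # same zone: passes on 12.4T
        return "permit (intra-zone)"
    if src is None or dst is None:      # member <-> non-member: dropped
        return "drop (one interface is not in a zone)"
    if (src, dst) not in pairs:
        return "drop (no zone-pair %s->%s)" % (src, dst)
    if pairs[(src, dst)] is None:
        return "drop (zone-pair %s->%s has no service-policy)" % (src, dst)
    return "inspect via policy %s" % pairs[(src, dst)]
```

Running verdict(SAMPLE_CONFIG, "FastEthernet0/0", "FastEthernet0/1") reproduces the failed R1 to R3 ping above, while verdict(SAMPLE_CONFIG, "FastEthernet0/0") reproduces the working ping to R2.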
Comments

  1. Lindsay Hill

    June 28, 2011 at 1:48 am

    No doubt you have found it yourself by now, but for reference for others, you can find Zone Based FW configuration data at 12.4T -> Config Guides -> Security Configuration Guide: Securing the Data Plane -> Zone Based Policy Firewall

  2. Roger Perkin

    October 15, 2013 at 5:10 pm

    Since this last post it has changed slightly!

    Now in 12.4T > Config Guides > Security, Services, and VPN > Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4T > Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 12.4T

    Why do they keep changing it?
