Network Automation Engineer: Roger Perkin CCIE 50038

CCIE, Wireless, F5, Ansible, AWS, Cloud and data centre to Network Automation - my journey as a network engineer


Zone Based Firewall Configuration Example

Zone Based Firewall is a new topic on the v4 blueprint for the CCIE R&S exam.
According to the blueprint you need to be able to implement Zone Based Firewall.

First stop would be the Documentation.

Direct Link:
http://www.cisco.com/en/US/customer/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html

Navigation path is:
12.4T > Config Guides > Security, Services, and VPN > Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4T > Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 12.4T

For this post I am going to be using this simple topology first with two zones Inside and Outside, in a following post we will expand on this to include a DMZ zone.

(Topology diagram: cisco zone based firewall tutorial)

Default rules of Zone Based Firewall

  • Inter-zone communication is denied. Traffic between different zones is dropped unless we specify a firewall policy for that zone pair.
  • Intra-zone communication is permitted. This is traffic between interfaces in the same zone. This can be controlled in IOS 15 code but not in the 12.4 code used in this example.
  • All self-zone traffic is permitted. The self zone covers traffic destined to the router itself, i.e. OSPF neighbour adjacencies, SSH to the router and so on. It is traffic going through the router that the zone based firewall blocks unless a policy permits it.

Step 1: Configure Zones

In this example I am only using two zones, Inside and Outside. We simply need to define these on the router.
Router 2 will be used as the zone based firewall.

R2(config)#zone security INSIDE
R2(config-sec-zone)#zone security OUTSIDE

Step 2: Assign the interfaces to the zones

R2(config)#int f0/0
R2(config-if)#zone-member security INSIDE
R2(config-if)#int f0/1
R2(config-if)#zone-member security OUTSIDE
R2(config-if)#end
R2#sh run int f0/0
!
interface FastEthernet0/0
ip address 10.1.12.2 255.255.255.0
zone-member security INSIDE
ip ospf 1 area 0
duplex auto
speed auto
end

R2#sh run int f0/1
!
interface FastEthernet0/1
ip address 10.1.23.2 255.255.255.0
zone-member security OUTSIDE
ip ospf 1 area 0
duplex auto
speed auto
end

At this point in the configuration you will not be able to ping from R1 to R3, but you will still be able to ping R2. I have also configured OSPF between the routers, and you can see that the OSPF neighbours have stayed up from R1 to R2 and from R3 to R2.

Ping from R1 to R3 – will fail due to interfaces being assigned to security zones with no policies.

R1#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

Ping from R1 to R2 will succeed and OSPF neighbor is still up – traffic going to Self Zone.

R1#ping 10.1.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/89/136 ms
R1#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.12.2         1   FULL/DR         00:00:38    10.1.12.2       FastEthernet0/0
R1#

Now that you can see we have created a firewall between R1 and R3, we need to allow some traffic through. The first step is to create zone pairs.
A zone pair connects two zones together in one direction. If you want traffic to flow from Inside to Outside you need a zone pair for that, and if you want traffic to flow from Outside to Inside you need a separate zone pair for that as well. For this example I will be creating two zone pairs.

  • OUTSIDE to INSIDE
  • INSIDE to OUTSIDE

R2(config)#$zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
R2(config-sec-zone-pair)#zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE

At this point a simple show run will let you see your handiwork.

sh run

(output removed for clarity)

zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE


You can also use show zone-pair security – this also shows that the service policy has not been configured yet.

R2#sh zone-pair security
Zone-pair name INSIDE-to-OUTSIDE
Source-Zone INSIDE  Destination-Zone OUTSIDE
service-policy not configured
Zone-pair name OUTSIDE-to-INSIDE
Source-Zone OUTSIDE  Destination-Zone INSIDE
service-policy not configured
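As an added example (my own Python, not code from the original post), the default rules listed above and the zone-pair state shown by show zone-pair security can be checked offline against a saved running-config. The config below is a constructed sample modelled on this lab, with a service-policy attached to one zone-pair so the two states can be compared; the rule that a zone member cannot exchange traffic with an interface in no zone comes from Cisco's ZBF documentation rather than from this post.

```python
import re
# Constructed sample running-config modelled on the show run output in this post:
# one zone-pair with a service-policy attached, one without, one interface in no zone.
SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-to-OUTSIDE-POLICY
zone-pair security OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
interface FastEthernet1/0
"""
PAIR_RE = re.compile(r"zone-pair security \S+ source (\S+) destination (\S+)")

def parse_zbf(config):
    """Return (interface -> zone, (src, dst) -> True if a service-policy is attached)."""
    zones, pairs, iface, pair = {}, {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface, pair = line.split()[1], None
        elif line.startswith("zone-pair security "):
            pair, iface = PAIR_RE.match(line).groups(), None
            pairs[pair] = False
        elif line.startswith(" zone-member security ") and iface:
            zones[iface] = line.split()[2]
        elif line.startswith(" service-policy type inspect ") and pair:
            pairs[pair] = True
        elif not line.startswith(" "):  # any other top-level line ends the block
            iface = pair = None
    return zones, pairs

def transit_verdict(zones, pairs, in_iface, out_iface):
    """Default ZBF rules for traffic in via in_iface, out via out_iface ("self" = the router)."""
    if out_iface == "self":
        return "permit", "self-zone traffic is permitted by default"
    src, dst = zones.get(in_iface), zones.get(out_iface)
    if src is None and dst is None:
        return "permit", "neither interface is a zone member, so ZBF does not apply"
    if src is None or dst is None:  # Cisco ZBF rule, not spelled out in the post above
        return "deny", "a zone member cannot exchange traffic with a non-member interface"
    if src == dst:
        return "permit", "intra-zone traffic is permitted"
    has_policy = pairs.get((src, dst))
    if has_policy is None:
        return "deny", f"no zone-pair from {src} to {dst}"
    if not has_policy:
        return "deny", f"zone-pair from {src} to {dst} has no service-policy"
    return "policy", f"handled by the {src} to {dst} zone-pair service-policy"
```

Run parse_zbf over the output of show run and feed interface pairs to transit_verdict; with the sample above, Inside to Outside is handed to the policy while Outside to Inside is denied because its zone-pair has no service-policy, which matches the state in the show zone-pair security output above.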

Roger Perkin - CCIE #50038 is a Network Automation Engineer & CCIE Consultant based in the UK, currently working for Softcat Plc as a Senior Network & Security Consultant.

Comments

  1. Lindsay Hill says

    June 28, 2011 at 1:48 am

    No doubt you have found it yourself by now, but for reference for others, you can find Zone Based FW configuration data at 12.4T -> Config Guides -> Security Configuration Guide: Securing the Data Plane -> Zone Based Policy Firewall

  2. Roger Perkin says

    October 15, 2013 at 5:10 pm

    Since this last post it has changed slightly!

    Now in 12.4T > Config Guides > Security, Services, and VPN > Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4T > Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 12.4T

    Why do they keep changing it?

