The Cisco IOS Zone Based Firewall is one of the most advanced form of Stateful firewall used in the Cisco IOS devices. The zone based firewall (ZBFW) is the successor of Classic IOS firewall or CBAC (Context-Based Access Control). Cisco first implemented the router-based stateful firewall in CBAC where it used ip inspect command to inspect the traffic in layer 4 and layer 7.
Even though ASA devices are considered as the dedicated firewall devices, Cisco integrated the firewall functionality in the router which in fact will make the firewall a cost effective device. The zone based firewall came up with many more features that is not available in CBAC. The ZBFW mainly deals with the security zones, where we can assign the router interfaces to various security zones and control the traffic between the zones. Also the traffic will be dynamically inspected as it passes through the zones. In addition to all the features which is available in classic IOS firewall, Zone based firewall will support Application inspection and control for HTTP, POP3, Sun RPC, IM Applications and P2P File sharing.
Controls Inbound and Outbound access on an interface
Controls Bidirectional access between zones.
Uses inspect statements and stateful ACLs
Uses Class-Based Policy language
Support Application Inspection and Control
Support from IOS Release 11.2
Support from IOS Release 12.4 (6) T
This document will guide you to configure a basic Zone Based Policy Firewall in an IOS router. Here I am going to divide the entire configuration into logical sets and finally will combine them to the get the full configuration.
ZBFW Configuration Procedure
The below are the configuration tasks that you need to follow:
1. From Inside to Outside –http,icmp and pop3 is allowed
2. From Outside to Inside –icmp is allowed
3. From Inside to DMZ –http and icmp is allowed
4. From Outside to DMZ –http is allowed
Default Rules of Zone Based Firewall
Interzone communication is Denied, traffic will be denied among the interfaces that are in the different zones unless we specify a firewall policy.
Intrazone communication is Allowed, traffic will flow implicitly among the interfaces that are in the same zone.
All traffic to Self zone is Allowed
Self Zone is created automatically by the router while we create the other zones in a Zone Based Firewall.
Task 1 : Configure Zones
In this example (refer Figure 1) we have three zones. Inside ,Outside, DMZ.
To configure zones in a router, connect the router via putty or console, switch to the global configuration mode and type the command as below:
Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE
Router(config)#zone security DMZ
Task 2 : Assign Router Interfaces to Zones
We have to assign the router interface to a particular zone. Here I am going to assign Gigabyte Ethernet 0/0 to INSIDE zone , Ge0/1 to OUTSIDE zone and Ge0/2 to DMZ zone.
To achieve this we have to go to the particular interface and attach that interface to the zone.Type the command as below:
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#zone-member security INSIDE
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#zone-member security OUTSIDE
Router(config)#interface gigabitEthernet 0/2
Router(config-if)#zone-member security DMZ
Now if you try to ping a zone from another zone the traffic will be denied because of the default firewall policy.
Task 3 : Create Zone Pairs
Zone pairs are created to connect the zones. If you want to make two zones to communicate you have to create Zone pairs. DO NOT create zone pairs for non-communicating zones. In our scenario the traffic flows between :
INSIDE to OUTSIDE
OUTSIDE to INSIDE
OUTSIDE to DMZ
INSIDE to DMZ
So we need to create four zone pairs. To create zone pairs the command is as follows.
Interzone Access policy is the key part of a Zone based firewall where we classify the traffic and apply the firewall policies. Class map and Policy map configurations are carried out during this task.
Class Maps : This will classify the traffic
Policy Maps : This will decide the ‘fate’ of the traffic
Class Map Configuration
Class map sort the traffic based on the following criteria 1.) Access-group 2.) Protocol 3.) A subordinate class map. In our scenario I am sorting the traffic based on access group. So first we need to create an ACL and associate it with the class map.