This tutorial will guide you through the configuration of a zone-based policy firewall (ZBFW), the newer way to configure a stateful firewall on Cisco IOS (it replaces the older interface-based CBAC model). The idea behind ZBFW is that interfaces are assigned to security zones and a policy is applied to traffic moving from one zone to another, not to the interface itself. Traffic between interfaces in the same zone is permitted, traffic between zones is dropped unless a zone pair with a policy allows it, and the policy is flexible enough to apply different actions (inspect, pass, drop) to different hosts behind the same interface.

You can find detailed information about ZBFW here: Zone-Based Policy Firewall Design and Application Guide.

For this simulation, I created two files:

  • configuring_zbpf_init.pkt contains the initial topology and configuration of the routers. The hosts (the PC and the SERVER) have full connectivity and no traffic is filtered.
  • configuring_zbpf_final.pkt is the final configuration; you should use this to compare what you configured and confirm that you did everything correctly.

Regarding the topology, on each subnet where a PC or the SERVER is connected, the router's interface has an IP address ending in .1 and the host's IP address ends in .100. The default gateway of the host is the router's IP address.

For instance, on the subnet with PC_2, PC_2 has the IP address of 10.10.20.100/24 and R3’s interface IP address is 10.10.20.1/24.

Each router has a loopback address in the form of 1.1.1.X/32, where X is the router number. For instance, the loopback address of R3 is 1.1.1.3/32.

Also, each subnet between the routers is written on the topology, and each router's address on that subnet uses the router number as the last octet. For instance, on the subnet 10.10.12.0/24, R1 has 10.10.12.1/24 and R2 has 10.10.12.2/24.

All three routers are running OSPF in area 0 so that the end host and the server will have connectivity between them.

The goal of this lab is to configure R3 so that traffic between PC_2 and SERVER is allowed only when the session is initiated by PC_2. R3 will inspect traffic leaving the inside zone, record the session in its state table, and permit only the matching return traffic. Anything initiated from the SERVER side has no matching session and no zone pair allowing it, so it is dropped.

We will consider the subnet 10.10.20.0/24 (the link between R3 and PC_2) as the internal, trusted network; everything reachable through F0/0 towards R2 is the outside.

Task 1 requirements

  1. Create an internal/inside zone.
  2. Create an external/outside zone.
  3. Create an access list to permit any kind of traffic sourced from subnet 10.10.20.0/24 to any destination.
  4. Create a class map that will inspect all the traffic matched by the ACL defined at step 3.
  5. Create a policy map of type inspect that will decide what action will be applied to the class map defined at step 4.
  6. Specify the class map defined at step 4 and apply an inspect action.
  7. Create a zone pair that will use the zone created at step 1 as source and the zone created at step 2 as destination.
  8. Attach the policy map defined in step 5 to this zone pair.
  9. Configure interface FastEthernet0/0 in the zone defined in step B.
  10. Configure interface FastEthernet0/1 in the zone defined in step A.

Task 1 verification

  1. Connect to PC_2 and, from the Desktop tab, choose “Command Prompt.” From there, issue a ping to 10.10.10.100. The ping should succeed.
  2. Connect to SERVER and, from the Desktop tab, choose “Command Prompt.” From there, issue a ping to 10.10.20.100. The ping should fail.
  3. While you ping SERVER from PC_2, use this command on R3 to see the established sessions. The zone-pair name shown is whatever you chose when creating it; the rest of the output should look similar to this:

    R3#show policy-map type inspect zone-pair sessions
     Zone-pair: INSIDE_ZONE-OUTSIDE_ZONE
      Service-policy inspect : INSIDE-2-OUTSIDE-POL-MAP
        Class-map: INSIDE_NET_CM (match-all)
          Match: access-group 101
          Inspect
            Established Sessions
             Session 222324080 (10.10.20.100:22)=>(10.10.10.100:0) icmp SIS_OPEN
              Created 00:00:09, Last heard 00:00:09
              ECHO request
              Bytes sent (initiator:responder) [0:0]
        Class-map: class-default (match-any)
          Match: any
          Drop (default action)
            0 packets, 0 bytes
    R3#

  The session entry is what makes the echo reply from SERVER come back through R3: it is matched against the state table, not against a second policy. The class-default counters tell you how much inside-to-outside traffic was dropped because it did not match ACL 101.

Task 1 hints

  1. Use the command “zone security INSIDE_ZONE” to create an inside zone.
  2. Use the command “zone security OUTSIDE_ZONE” to create an outside zone.
  3. Use the command “access-list 101 permit ip 10.10.20.0 0.0.0.255 any” to match all the traffic from 10.10.20.0/24 subnet to any destination.
  4. Use these commands to create a class map that will reference the ACL previously defined:

    class-map type inspect match-all INSIDE_NET_CM
    match access-group 101

  5. Use these commands to create a policy map that will reference the class map previously defined and will apply the inspect action:

    policy-map type inspect INSIDE-2-OUTSIDE-POL-MAP
    class type inspect INSIDE_NET_CM
    inspect

  6. Use the command “zone-pair security INSIDE-2-OUTSIDE-ZONE source INSIDE_ZONE destination OUTSIDE_ZONE” to create a zone pair and specify which zone will be the source and which zone will be the destination.
  7. In zone-pair configuration mode, use the command “service-policy type inspect INSIDE-2-OUTSIDE-POL-MAP” to attach the policy map to the zone pair.
  8. In interface configuration mode for F0/0, use the command “zone-member security OUTSIDE_ZONE” to mark the interface as part of the outside zone.
  9. In interface configuration mode for F0/1, use the command “zone-member security INSIDE_ZONE” to mark the interface as part of the inside zone.
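Putting the hints together, this is the complete R3 configuration for Task 1 in the order it is entered, with the configuration modes that the hints leave implicit. It is an added example assembled from the commands above, not taken from the .pkt files; the zone descriptions and the show commands at the end are additions (standard IOS commands; Packet Tracer supports only a subset of IOS, so not every show command may be available there).

```cisco
! R3 - zone-based policy firewall, Task 1 (consolidated from the hints above)
configure terminal
!
! Steps 1-2: security zones. Once an interface belongs to a zone, traffic between
! it and any interface that is NOT in a zone is dropped, so interfaces are assigned last.
zone security INSIDE_ZONE
 description Trusted LAN 10.10.20.0/24 (PC_2)
zone security OUTSIDE_ZONE
 description Link towards R2 and SERVER
!
! Step 3: traffic selector - anything sourced from the inside subnet
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
!
! Step 4: class map referencing the ACL (match-all: every match statement must be true)
class-map type inspect match-all INSIDE_NET_CM
 match access-group 101
!
! Steps 5-6: policy map. "inspect" creates a stateful session entry so that the
! return traffic is permitted without any OUTSIDE->INSIDE policy. Traffic that does
! not match INSIDE_NET_CM falls into class-default, whose default action is drop.
policy-map type inspect INSIDE-2-OUTSIDE-POL-MAP
 class type inspect INSIDE_NET_CM
  inspect
!
! Steps 7-8: a single zone pair, inside to outside. No OUTSIDE->INSIDE zone pair
! exists, so connections initiated from the SERVER side are dropped by default.
zone-pair security INSIDE-2-OUTSIDE-ZONE source INSIDE_ZONE destination OUTSIDE_ZONE
 service-policy type inspect INSIDE-2-OUTSIDE-POL-MAP
!
! Steps 9-10: assign the interfaces to their zones
interface FastEthernet0/0
 zone-member security OUTSIDE_ZONE
interface FastEthernet0/1
 zone-member security INSIDE_ZONE
end
!
! Verification (run while PC_2 pings SERVER)
show zone security
show zone-pair security
show policy-map type inspect zone-pair sessions
```

Two behaviours are worth keeping in mind when you test this. First, OSPF between R3 and R2 keeps running even though F0/0 is now in OUTSIDE_ZONE: traffic to and from the router itself belongs to the built-in self zone, which is permitted by default unless you create a zone pair involving self. Second, if you want to see why inside-to-outside packets are being dropped, add “class class-default” followed by “drop log” to the policy map; the default drop is silent.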

As you can see, the zone-based firewall configuration has a number of moving parts: you have to know the exact steps and they need to be configured in the right order (zones, then the classification and policy, then the zone pair, and only then the interface membership). But if you analyze them, they follow a very logical chain: an ACL selects traffic, a class map references the ACL, a policy map decides what to do with the class, and a zone pair decides in which direction that policy applies.