Part 15: Implementing Cisco IOS Zone-Based Firewalls

M'hirsi Hamza
Oct 28, 2020


In this article we will describe how to implement Cisco IOS Zone-Based Firewalls in different steps:

1. How a Zone-Based Firewall Operates
2. Configuring and Verifying Cisco IOS Zone-Based Firewalls
- Configure ZBF
- Implementing NAT
Summary

1. How a Zone-Based Firewall Operates

In this type of FW, the administrator assigns interfaces to named zones and sets a policy for the traffic between them. We can define many zones, such as inside and outside (each with one or more interfaces; an interface can belong to only one zone), and traffic within the same zone is allowed. To allow traffic between two zones we need to create a policy. ZBF has many features:

- Stateful inspection
- Application inspection
- Packet filtering
- URL filtering
- Transparent firewall
- Support for virtual routing and forwarding (VRF: separate routing tables kept on the same router)
- Access control lists

To understand the concept better, we will explain the Cisco Common Classification Policy Language (C3PL), which has three components:

- Class maps: These identify the traffic that should be inspected; traffic can be matched on criteria from layer 3 up to layer 7. A class map can be configured to match all conditions (match-all) or any condition (match-any) in its list.
- Policy maps: These define the actions applied to the traffic; here we call the class maps we already set. Policy maps use four actions: inspect (stateful inspection of the traffic), permit, configured with the pass keyword (permit traffic without inspection), drop (drop traffic that matches the policy), and log (log information about the traffic that matches the policy). The policy map is processed from top to bottom.
- Service policies: A service policy is applied to a zone pair; a zone pair represents the direction of the flow between two zones. “The policy-map applied to the zone pair (using the service-policy command) applies to traffic initiated in one zone going to the other zone in one direction. If reply traffic is desired, the inspect action in the policy-map should be applied, which will allow stateful inspection” [Source: Cisco Book]

For more information please check this LINK.

Now that we know these components, we can configure the ZBF:

- Create the class map:

R(config)#class-map type inspect match-any CLASS-NAME  
R(config-cmap)#match protocol ftp
R(config-cmap)#exit

- Create the policy-map:

R(config)#policy-map type inspect POLICY-NAME
R(config-pmap)#class type inspect CLASS-NAME
R(config-pmap-c)#inspect
R(config-pmap-c)#exit
R(config-pmap)#exit

- We need to name the security zones:

R(config)#zone security inside
R(config-sec-zone)#exit
R(config)#zone security outside
R(config-sec-zone)#exit

- Create a zone pair (source zone, destination zone, direction) and apply the policy map:

R(config)#zone-pair security in-to-out source inside destination outside
R(config-sec-zone-pair)#service-policy type inspect POLICY-NAME
R(config-sec-zone-pair)#exit

- Assign the interfaces to their zones:

R(config)#int Gi0/0
R(config-if)#description outside zone
R(config-if)#zone-member security outside
R(config-if)#int Gi0/1
R(config-if)#description inside zone
R(config-if)#zone-member security inside
R(config-if)#exit

- The Self Zone

All traffic destined to the router itself is considered to be going to the self zone. By default, all traffic going to or from the self zone is allowed; if we want to change that we need to apply a policy (after applying a policy we must ensure that management traffic is still allowed).
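As an added example (not from the article or from Cisco), the Python script below reads an IOS-style running-config assembled from the steps above and reports the two mistakes this section warns about: a zone pair whose policy never uses inspect, so reply traffic is not tracked, and a zone that holds interfaces but belongs to no zone pair, so its traffic to other zones is dropped. The sample config, the policy name MGMT-POLICY, the zone dmz and the interface names are constructed; parsing assumes the IOS convention that sub-commands are indented under their parent command.

```python
# Constructed running-config following the article's steps, with two planted faults: MGMT-POLICY
# only passes traffic (no inspect) and zone dmz is defined and used but never paired.
SAMPLE_CONFIG = """\
policy-map type inspect POLICY-NAME
 class type inspect CLASS-NAME
  inspect
policy-map type inspect MGMT-POLICY
 class type inspect CLASS-NAME
  pass
zone security inside
zone security outside
zone security dmz
zone-pair security in-to-out source inside destination outside
 service-policy type inspect POLICY-NAME
zone-pair security out-to-self source outside destination self
 service-policy type inspect MGMT-POLICY
interface GigabitEthernet0/0
 zone-member security outside
interface GigabitEthernet0/2
 zone-member security dmz
"""

def blocks(config):  # group each top-level IOS command with its indented sub-commands
    out = []
    for raw in config.splitlines():
        if raw.startswith(" "):
            out[-1][1].append(raw.strip())
        elif raw.strip():
            out.append((raw.strip(), []))
    return out

def audit_zbf(config):
    """Flag zone pairs whose policy never inspects, and member zones with no zone pair."""
    policies, pairs, members = {}, {}, {}
    for header, body in blocks(config):
        w = header.split()
        if header.startswith("policy-map type inspect "):
            policies[w[3]] = {s.split()[0] for s in body}  # first word of each sub-command = action
        elif header.startswith("zone-pair security "):
            pairs[w[2]] = (w[4], w[6], next((s.split()[-1] for s in body if s.startswith("service-policy")), None))
        elif header.startswith("interface "):
            members.update({w[1]: s.split()[-1] for s in body if s.startswith("zone-member")})
    findings, paired = [], set()
    for name, (src, dst, policy) in pairs.items():
        paired |= {src, dst}
        if "inspect" not in policies.get(policy, set()):
            findings.append(f"{name}: policy {policy} never inspects, so replies from {dst} to {src} are not tracked")
    for iface, zone in members.items():
        if zone not in paired:
            findings.append(f"{iface}: zone {zone} is in no zone-pair, so its traffic to other zones is dropped")
    return findings
```

Running audit_zbf(SAMPLE_CONFIG) reports out-to-self and GigabitEthernet0/2; the same checks can be run against the output of show running-config from a real device.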

2. Configuring and Verifying Cisco IOS Zone-Based Firewalls

In this part we will configure ZBF on Cisco IOS using CCP and the CLI. First, we will check the CCP configuration (it’s easier to configure the FW using CCP):

You can check the CLI configuration in this video:

We can verify the configuration using the CLI with the following show commands:

R#show class-map type inspect (shows the inspect class maps)
R#show policy-map type inspect zone-pair in-to-out sessions (shows the policy map applied to the zone pair in-to-out and its active sessions)

In the following video we will see how to implement NAT on a Cisco router using CCP:

Now that we have seen how to configure NAT using CCP, let’s have a look at the CLI part:

- Set the ACL that matches the source IP addresses we want to translate:

R(config)#access-list 10 permit 1.1.1.0 0.0.0.255

- Set inside and outside interfaces where we will apply NAT:

R(config)#int Gi0/0
R(config-if)#ip nat outside
R(config-if)#int Gi0/1
R(config-if)#ip nat inside

- Apply NAT (traffic that matches the ACL on the inside interface will be translated to the public address configured on the outside interface):

R(config)#ip nat inside source list 10 interface Gi0/0 overload

- Verify the active translations:

R#show ip nat translations
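An added example (not part of the article) that models the CLI statements above in Python: the wildcard-mask match of access-list 10 and the overload (PAT) translation to the Gi0/0 address. The outside address 203.0.113.1 and the port-selection rule (keep the inside port while it is free) are assumptions for illustration.

```python
import ipaddress

OUTSIDE_IP = "203.0.113.1"  # constructed address of Gi0/0, the interface named in the NAT statement

def acl_permits(src_ip, acl_addr="1.1.1.0", wildcard="0.0.0.255"):
    """Emulate 'access-list 10 permit 1.1.1.0 0.0.0.255': a wildcard bit of 1 means "ignore this
    bit", so only the bits where the wildcard is 0 must equal the ACL address."""
    s, a, w = (int(ipaddress.IPv4Address(x)) for x in (src_ip, acl_addr, wildcard))
    return (s & ~w) == (a & ~w)

class PatTable:
    """Model of 'ip nat inside source list 10 interface Gi0/0 overload': every permitted
    inside socket shares the outside address and is told apart by its global port."""
    def __init__(self, outside_ip=OUTSIDE_IP):
        self.outside_ip, self.entries = outside_ip, {}

    def translate(self, inside_ip, inside_port):
        """Return the (global ip, global port) an inside socket leaves with, or None when
        the ACL does not match and the packet is forwarded untranslated."""
        if not acl_permits(inside_ip):
            return None
        key = (inside_ip, inside_port)
        if key not in self.entries:
            used = {port for _, port in self.entries.values()}
            port = inside_port  # assumption: keep the inside port while it is still free,
            while port in used:  # otherwise take the next free one
                port += 1
            self.entries[key] = (self.outside_ip, port)
        return self.entries[key]

    def show(self):
        """Rows in the spirit of 'show ip nat translations' (constructed layout)."""
        return [f"tcp {g}:{gp} {i}:{ip}" for (i, ip), (g, gp) in self.entries.items()]
```

Two inside hosts using the same source port get distinct global ports, while a host outside 1.1.1.0/24 is not translated at all.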

Summary

In this part, we walked through the implementation of a Cisco IOS Zone-Based FW using CCP and the CLI, and how to configure NAT using wizards.

Everything in this article is based on the CCNA Security book, so everyone who follows this training can get an idea of the CCNA 210–260 exam. I wish you all the luck ^^

Reference
CCNA Security Book 210–260
