Zone-Based Firewall is not hard at all

Cisco ships a Zone-Based Firewall (ZBF) in its newer routers. If you have purchased a security license for your router, you can enable the firewall feature.
The Zone-Based Firewall works differently from the traditional ASA. You assign each interface to a zone, then set up zone-pairs to define what traffic is allowed between those zones.
I knew nothing about the Cisco Zone-Based Firewall until recently, when I had to help a client migrate an old PIX to a Zone-Based Firewall on a new 3900 series router. There were 6 physical interfaces and 12 sub-interfaces (using dot1q trunking) on the router. As the client required a highly secured environment, I had to assign the interfaces to separate zones.
If you have worked on Cisco VoIP, you will be familiar with class-based QoS. Setting up the Zone-Based Firewall is very similar to setting up a class-based policy for QoS: class-maps select the traffic and policy-maps decide what happens to it.

The steps I followed for this PIX-to-ZBF migration are (simplified to 3 interfaces/zones):
1. Define the zones
First of all, define a zone for each interface role. For example: Inside, Outside and DMZ.

zone security Inside
zone security Outside
zone security DMZ

2. Define the zone-pairs
I then define which zones need to be paired. Please bear in mind that if you don't define a zone-pair, traffic will not be able to flow between those two zones; the default between different zones is drop. Note that there is no Outside-to-Inside pair below, so nothing initiated from Outside can reach Inside (return traffic for sessions inspected on the Inside-to-Outside pair is still allowed statefully).

zone-pair security Inside-to-Outside source Inside destination Outside
zone-pair security Inside-to-DMZ source Inside destination DMZ
zone-pair security DMZ-to-Outside source DMZ destination Outside
zone-pair security DMZ-to-Inside source DMZ destination Inside
zone-pair security Outside-to-DMZ source Outside destination DMZ

Do not type these into the router yet, because each zone-pair needs a service policy attached to it. The way I set up the Zone-Based Firewall is a bit different from the Cisco document, or I should say the order in which I enter the commands is the other way around. Keep reading and you will see what I mean.

3. Define the policy for each zone-pair
policy-map type inspect Inside-to-Outside-Policy
class class-default
drop log
policy-map type inspect Inside-to-DMZ-Policy
class class-default
drop log
policy-map type inspect Outside-to-DMZ-Policy
class class-default
drop log
policy-map type inspect DMZ-to-Inside-Policy
class class-default
drop log
policy-map type inspect DMZ-to-Outside-Policy
class class-default
drop log

4. Define the classes of traffic that you would like to allow through the Zone-Based Firewall.
i. Allow everything
class-map type inspect match-any ALL-CLASS
match protocol tcp
match protocol udp
match protocol icmp

ii. Allow only ICMP
class-map type inspect match-any ICMP-CLASS
match protocol icmp

iii. Allow only http/https
class-map type inspect match-any WEB-CLASS
match protocol http
match protocol https

iv. Allow only http to a specific host (match-all, so both the protocol and the ACL must match)
class-map type inspect match-all HTTP-2-WEBSERVER-CLASS
match protocol http
match access-group name webacl

ip access-list extended webacl
permit ip any host 192.168.10.123

5. Complete the policies

policy-map type inspect Inside-to-Outside-Policy
class type inspect WEB-CLASS
inspect
class class-default
drop log
policy-map type inspect Inside-to-DMZ-Policy
class type inspect ALL-CLASS
inspect
class class-default
drop log
policy-map type inspect Outside-to-DMZ-Policy
class type inspect HTTP-2-WEBSERVER-CLASS
inspect
class class-default
drop log
policy-map type inspect DMZ-to-Inside-Policy
class type inspect ALL-CLASS
inspect
class class-default
drop log
policy-map type inspect DMZ-to-Outside-Policy
class type inspect WEB-CLASS
inspect
class class-default
drop log

6. Put the configuration on the router
Enter it in this order:

Step 1. Define the zones
Step 2. Define the class-maps (and any ACLs they reference)
Step 3. Define the policy-maps
Step 4. Define the zone-pairs and apply a policy to each zone-pair
Step 5. Assign each interface to a zone
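Steps 4 and 5 rely on two commands the sections above do not show: attaching the policy to a zone-pair and placing an interface into a zone. As an added worked example (not from the original post), here is the Outside-to-DMZ part of the configuration in the order of step 6. The interface names and the dot1q VLAN number are assumptions; the web server address is the one used above.

```cisco
! Step 1: zones
zone security Inside
zone security Outside
zone security DMZ
!
! Step 2: the ACL and the class-map that references it
ip access-list extended webacl
 permit ip any host 192.168.10.123
!
class-map type inspect match-all HTTP-2-WEBSERVER-CLASS
 match protocol http
 match access-group name webacl
!
! Step 3: policy-map; "inspect" allows the class statefully,
! class-default drops and logs everything else
policy-map type inspect Outside-to-DMZ-Policy
 class type inspect HTTP-2-WEBSERVER-CLASS
  inspect
 class class-default
  drop log
!
! Step 4: zone-pair with the policy attached via service-policy
zone-pair security Outside-to-DMZ source Outside destination DMZ
 service-policy type inspect Outside-to-DMZ-Policy
!
! Step 5: interfaces join their zones (interface names assumed)
interface GigabitEthernet0/0
 description Outside
 zone-member security Outside
interface GigabitEthernet0/1
 description DMZ
 zone-member security DMZ
interface GigabitEthernet0/2.10
 description Inside VLAN 10 (dot1q sub-interface, VLAN assumed)
 encapsulation dot1Q 10
 zone-member security Inside
!
! No Outside-to-Inside zone-pair exists, so traffic initiated from
! Outside toward Inside is dropped. Traffic to and from the router
! itself (the "self" zone) stays allowed until a zone-pair that
! includes self is configured.
!
! Verify: show zone-pair security
!         show policy-map type inspect zone-pair Outside-to-DMZ sessions
```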
