Tag Archives: Cisco Zone Base Firewall

Cisco Zone Base Firewall and HSRP

I was working on a project which involved with 2 routers which also act as a firewall. The reason for that is because someone want to replace a standalone Cisco PIX firewall with 2 x routers to improve the availability as well as security.

I really not sure who come up with this idea. It gave me enough headache during the implementation process. The challenges are :
– The zone base firewalls on the routers cannot work in a cluster mode like a Cisco ASA
– The multiple WAN interfaces with EIGRP/OSPF routing process will break the data throw direction
– A stateful failover cannot be setup.


To achieve this setup, I have use EEM script to detect HSRP syslog message for a failure and the EEM script to remove the routing process on the route which the link is failed and enable the routing process on the router that become active.

I have spent a lot of time to work out this “solution”. Provided I have to use the pre-selected hardware to reach the high availability requirement. I believe what I have done is good enough to meet the client’s expectation while they don’t need to buy new hardware. To be honest, they should really get a firewall instead of 2 3900 series routers to work as a firewall.

Zone Base Firewall is not hard at all

Cisco has released a Zone Base Firewall in the new Routers. If you have purchase a security license for your router, you can enable the firewall function.
The Zone Base Firewall works differently to the traditional ASA. You can define different interface to different zones. Then setup zone-pairs to define what traffic is allowed between those pairs.
I knew nothing about Cisco zone base firewall until recently I have to help a client to migrate an old PIX into zone base firewall on a new 3900 series router. There were 6 physical interfaces and 12 sub-interfaces (using dot1q trunking) on the routers. As the client required to have a highly secured environment, as a result I have to assign a zone for different interfaces.
If you have worked on Cisco VoIP, you will be familiar with the class based QoS. The way to setup zone base firewall is very similar to setup Class Based Policy for QoS.

Continue reading