https://community.cisco.com/t5/network-security/zbf-clarification/m-p/2705638#M193505 <P>HI all,</P><P>&nbsp;</P><P>I am just seeking a bit of clarification with regards to Zonebased Firewalls (Cisco 1921)</P><P>I have a ZBF with a number of internal Zones, non of these will need to talk between each other, I have an uplink to an upstream provider router that provides WAN services back to our data centre for remote sites. Am I correct in thinking that I need to configure the interface between the ZBF and the provider router into its own zone?</P><P>&nbsp;</P><P>Clients will be accessing services back in our data centre but they will need to traverse this WAN&nbsp;zone.</P><P>&nbsp;</P><P>I hope this makes sense, I think I am on the right track, any help would be much appreciated.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Edge Site&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; HQ</P><P><STRONG>Internal Zones|----(ZBF)---(PROVIDER ROUTER</STRONG><EM><STRONG>)-------</STRONG>WAN</EM>--------(<STRONG>PROVIDER ROUTER)-------(LAN WITH FILE SERVER</STRONG>)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 06:18:53 GMT craig.cartlidge1 2019-03-12T06:18:53Z https://community.cisco.com/t5/network-security/zbf-clarification/m-p/2705638#M193505 <P>HI all,</P><P>&nbsp;</P><P>I am just seeking a bit of clarification with regards to Zonebased Firewalls (Cisco 1921)</P><P>I have a ZBF with a number of internal Zones, non of these will need to talk between each other, I have an uplink to an upstream provider router that provides WAN services back to our data centre for remote sites. Am I correct in thinking that I need to configure the interface between the ZBF and the provider router into its own zone?</P><P>&nbsp;</P><P>Clients will be accessing services back in our data centre but they will need to traverse this WAN&nbsp;zone.</P><P>&nbsp;</P><P>I hope this makes sense, I think I am on the right track, any help would be much appreciated.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Edge Site&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; HQ</P><P><STRONG>Internal Zones|----(ZBF)---(PROVIDER ROUTER</STRONG><EM><STRONG>)-------</STRONG>WAN</EM>--------(<STRONG>PROVIDER ROUTER)-------(LAN WITH FILE SERVER</STRONG>)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 06:18:53 GMT https://community.cisco.com/t5/network-security/zbf-clarification/m-p/2705638#M193505 craig.cartlidge1 2019-03-12T06:18:53Z https://community.cisco.com/t5/network-security/zbf-clarification/m-p/2705639#M193506 <P>Hi Craig.</P><P>when you configure ZBF there are few rules:</P><P>security zone = interface/ interfaces.</P><P>Data between two created security zones is droped by default&nbsp;</P><P>So you should add interfaces in zones, create zone-pairs (which have direction) and assign a policy to this zone-pair, in policy you shiuld select (using class-maps) traffic that you want to traverse your device and inspect it.</P><P>Config example for your scenario:</P><P>zone security IN<BR />zone security OUT</P><P>interface Gi1 (inside interface)<BR />&nbsp; &nbsp;zone-member security IN<BR />int Gi2<BR />&nbsp; &nbsp;zone-member security OUT</P><P>class-map type inspect match-any/all IN-to-OUT_CM (this traffic we want to permit)<BR />&nbsp; use whatever match criteria you want (addresses, protocols, ports, DSCP, etc)<BR />!<BR />policy-map type inspect IN-to-OUT_PM<BR />&nbsp;class type inspect IN-to-OUT_CM<BR />&nbsp; inspect</P><P>(inspect means&nbsp;that an answers for your sessions will be allowed to come back)<BR />&nbsp;&nbsp;<BR />zone-pair security IN-OUT source IN destination OUT<BR />&nbsp;service-policy type inspect IN-to-OUT_PM</P><P>&nbsp;</P><P>You can use many classes in a single policy-map, main point is you must use identical type (inspect, according ZBF)</P><P>if you have several internal zones you should write many zecurity-pairs, and if you &nbsp;lazy enought- use same policy in every zone-pair, or use individual policy for each zone-pair.</P><P>&nbsp;</P><P>--</P><P>Best Regards,</P><P>Alex</P><P>&nbsp;</P> Wed, 22 Jul 2015 13:19:51 GMT https://community.cisco.com/t5/network-security/zbf-clarification/m-p/2705639#M193506 CSCO12029650 2015-07-22T13:19:51Z