topic Cisco ZBFW Configuration in Network Security

Cisco ZBFW Configuration

JohnTylerPearce — Tue, 12 Mar 2019 02:34:36 GMT

I'm trying to learn the ZBFW, mainly for CCIE studing and have a few question. These will be pretty basic, it's for the R&S not the Security, and the R&S doesn't go to much into the ZBFW.

For this example, I have R1, with gi0/0 an gi0/1. gi0/0 goes to the Internet, and gi0/1 goes to my LAN. (Very simple topology)

My main misunderstanding is the use of 'inspect, permit, and deny'

From my understanding, inspect, will inspect the traffic, and allow the return traffic, where permit permits and deny denies.... (Big shock I know)

But does permit, permit the traffic outbound, but the return traffic has to be permitted as well?

Sample Configuration(R1)

-------------------------------------

zone security OUTSIDE

zone security INSIDE

int gi0/0

description ***** To Internet Service Provider *****

ip address 150.10.10.9 255.255.255.252

zone-member security OUTSIDE

int gi0/1

description ***** To 192.168.1.0/24 LAN *****

ip address 192.168.1.1 255.255.255.0

zone-member security INSIDE

zone-pair security in-to-out source INSIDE destination OUTSIDE

class-map type inspect match any Inside2Outside-CM

match protocol http

match protocol https

match protocol smtp

match protocol pop3

policy-map type inspect Inside2Outside-PM

class type inspec Inside2Outside-CM

inspect

zone-pair security in-to-out

service-policy type inspect Inside2Outside-PM

Now, I'm assuming this would allow http,https,smtp, and pop3 to the outside interface, and also return traffic. But if I used permit instead of inspect in the policy-map, would I have to allow traffic back in?

Cisco ZBFW Configuration

Marvin Rhoads — Fri, 06 Sep 2013 01:11:09 GMT

I believe that is correct - if you inspect it outbound, return traffic is automaticaaaly allowed. If, however you do not inspect and do a straight "permit" you must have a matching rule for the return traffic.

I found this explained explicitly here.

Cisco ZBFW Configuration

Julio Carvajal — Fri, 06 Sep 2013 03:22:23 GMT

Hello John,

So studing for the IE, Where are you at the moment?

And for this post: Here is one of my explanations on my blog where I cover the basics

http://www.laguiadelnetworking.com/zone-based-firewall-deployment-scenario-1/

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Cisco ZBFW Configuration

JohnTylerPearce — Fri, 06 Sep 2013 12:06:53 GMT

Well, I was planning on taking the v4 R&S written at the end of the year, or in Janurary of 2014, but now, I'm going to take it once v5 R&S written comes out. I'm currently working on Pfr/OER/Multicast/IPv6/ZBFW, basically my weak points. So when some of the new technologies come out, I'm ready to go.

Cisco ZBFW Configuration

cadet alain — Fri, 06 Sep 2013 12:55:32 GMT

Hi John,

I suppose you meant "pass" instaed of "inspect" in the policy-map ? because permit/denies are in the ACLs and are for matching traffic not for filtering so a permit will categorize the traffic in the corresponding class and then the policies applied to the zone-pair(s) will do the firewalling.

Regards

Alain

Don't forget to rate helpful posts.

Cisco ZBFW Configuration

Julio Carvajal — Fri, 06 Sep 2013 16:05:05 GMT

Cool John,

Good luck with that,

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Cisco ZBFW Configuration

JohnTylerPearce — Sun, 08 Sep 2013 13:01:34 GMT

Thanks guys, sorry for the late response, I've been pretty busy. I'll be sure to check out that site jcarva.