cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
634
Views
6
Helpful
6
Replies

Cisco ZBFW Configuration

JohnTylerPearce
Level 7
Level 7

I'm trying to learn the ZBFW, mainly for CCIE studing and have a few question. These will be pretty basic, it's for the R&S not the Security, and the R&S doesn't go to much into the ZBFW.

For this example, I have R1, with gi0/0 an gi0/1. gi0/0 goes to the Internet, and gi0/1 goes to my LAN. (Very simple topology)


My main misunderstanding is the use of 'inspect, permit, and deny'

From my understanding, inspect, will inspect the traffic, and allow the return traffic, where permit permits and deny denies.... (Big shock I know)

But does permit, permit the traffic outbound, but the return traffic has to be permitted as well?

Sample Configuration(R1)

-------------------------------------

zone security OUTSIDE

zone security INSIDE

int gi0/0

description ***** To Internet Service Provider *****

ip address 150.10.10.9 255.255.255.252

zone-member security OUTSIDE

int gi0/1

description ***** To 192.168.1.0/24 LAN *****

ip address 192.168.1.1 255.255.255.0

zone-member security INSIDE

zone-pair security in-to-out source INSIDE destination OUTSIDE

class-map type inspect match any Inside2Outside-CM

match protocol http

match protocol https

match protocol smtp

match protocol pop3

policy-map type inspect Inside2Outside-PM

class type inspec Inside2Outside-CM

inspect

zone-pair security in-to-out

service-policy type inspect Inside2Outside-PM

Now, I'm assuming this would allow http,https,smtp, and pop3 to the outside interface, and also return traffic. But if I used permit instead of inspect in the policy-map, would I have to allow traffic back in?

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

I believe that is correct - if you inspect it outbound, return traffic is automaticaaaly allowed. If, however you do not inspect and do a straight "permit" you must have a matching rule for the return traffic.

I found this explained explicitly here.

View solution in original post

6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

I believe that is correct - if you inspect it outbound, return traffic is automaticaaaly allowed. If, however you do not inspect and do a straight "permit" you must have a matching rule for the return traffic.

I found this explained explicitly here.

Julio Carvajal
VIP Alumni
VIP Alumni

Hello John,

So studing for the IE, Where are you at the moment?

And for this post: Here is one of my explanations on my blog where I cover the basics

http://www.laguiadelnetworking.com/zone-based-firewall-deployment-scenario-1/

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Well, I was planning on taking the v4 R&S written at the end of the year, or in Janurary of 2014, but now, I'm going to take it once v5 R&S written comes out. I'm currently working on Pfr/OER/Multicast/IPv6/ZBFW, basically my weak points. So when some of the new technologies come out, I'm ready to go.

Cool John,

Good luck with that,

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

cadet alain
VIP Alumni
VIP Alumni

Hi John,

I suppose you meant "pass" instaed of "inspect" in the policy-map ? because permit/denies are in the ACLs and are for matching traffic not for filtering so a permit will categorize the traffic in the corresponding class and then the policies applied to the zone-pair(s) will do the firewalling.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Thanks guys, sorry for the late response, I've been pretty busy. I'll be sure to check out that site jcarva.

Review Cisco Networking for a $25 gift card