cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

140
Views
0
Helpful
1
Replies
craig.cartlidge1
Beginner

ZBF - Clarification

HI all,

 

I am just seeking a bit of clarification with regards to Zonebased Firewalls (Cisco 1921)

I have a ZBF with a number of internal Zones, non of these will need to talk between each other, I have an uplink to an upstream provider router that provides WAN services back to our data centre for remote sites. Am I correct in thinking that I need to configure the interface between the ZBF and the provider router into its own zone?

 

Clients will be accessing services back in our data centre but they will need to traverse this WAN zone.

 

I hope this makes sense, I think I am on the right track, any help would be much appreciated.

 

Thanks

 

Edge Site                                                                              HQ

Internal Zones|----(ZBF)---(PROVIDER ROUTER)-------WAN--------(PROVIDER ROUTER)-------(LAN WITH FILE SERVER)

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
CSCO12029650
Beginner

Hi Craig.

when you configure ZBF there are few rules:

security zone = interface/ interfaces.

Data between two created security zones is droped by default 

So you should add interfaces in zones, create zone-pairs (which have direction) and assign a policy to this zone-pair, in policy you shiuld select (using class-maps) traffic that you want to traverse your device and inspect it.

Config example for your scenario:

zone security IN
zone security OUT

interface Gi1 (inside interface)
   zone-member security IN
int Gi2
   zone-member security OUT

class-map type inspect match-any/all IN-to-OUT_CM (this traffic we want to permit)
  use whatever match criteria you want (addresses, protocols, ports, DSCP, etc)
!
policy-map type inspect IN-to-OUT_PM
 class type inspect IN-to-OUT_CM
  inspect

(inspect means that an answers for your sessions will be allowed to come back)
  
zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect IN-to-OUT_PM

 

You can use many classes in a single policy-map, main point is you must use identical type (inspect, according ZBF)

if you have several internal zones you should write many zecurity-pairs, and if you  lazy enought- use same policy in every zone-pair, or use individual policy for each zone-pair.

 

--

Best Regards,

Alex

 

View solution in original post

1 REPLY 1
CSCO12029650
Beginner

Hi Craig.

when you configure ZBF there are few rules:

security zone = interface/ interfaces.

Data between two created security zones is droped by default 

So you should add interfaces in zones, create zone-pairs (which have direction) and assign a policy to this zone-pair, in policy you shiuld select (using class-maps) traffic that you want to traverse your device and inspect it.

Config example for your scenario:

zone security IN
zone security OUT

interface Gi1 (inside interface)
   zone-member security IN
int Gi2
   zone-member security OUT

class-map type inspect match-any/all IN-to-OUT_CM (this traffic we want to permit)
  use whatever match criteria you want (addresses, protocols, ports, DSCP, etc)
!
policy-map type inspect IN-to-OUT_PM
 class type inspect IN-to-OUT_CM
  inspect

(inspect means that an answers for your sessions will be allowed to come back)
  
zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect IN-to-OUT_PM

 

You can use many classes in a single policy-map, main point is you must use identical type (inspect, according ZBF)

if you have several internal zones you should write many zecurity-pairs, and if you  lazy enought- use same policy in every zone-pair, or use individual policy for each zone-pair.

 

--

Best Regards,

Alex

 

Create
Recognize Your Peers
Content for Community-Ad