Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
295
Views
0
Helpful
1
Replies

ZBF - Clarification

Go to solution
craig.cartlidge1
Level 1
Level 1

‎07-22-2015 04:04 AM - edited ‎03-11-2019 11:18 PM

HI all,

 

I am just seeking a bit of clarification with regards to Zonebased Firewalls (Cisco 1921)

I have a ZBF with a number of internal Zones, non of these will need to talk between each other, I have an uplink to an upstream provider router that provides WAN services back to our data centre for remote sites. Am I correct in thinking that I need to configure the interface between the ZBF and the provider router into its own zone?

 

Clients will be accessing services back in our data centre but they will need to traverse this WAN zone.

 

I hope this makes sense, I think I am on the right track, any help would be much appreciated.

 

Thanks

 

Edge Site                                                                              HQ

Internal Zones|----(ZBF)---(PROVIDER ROUTER)-------WAN--------(PROVIDER ROUTER)-------(LAN WITH FILE SERVER)

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
CSCO12029650
Level 1
Level 1

‎07-22-2015 06:19 AM

Hi Craig.

when you configure ZBF there are few rules:

security zone = interface/ interfaces.

Data between two created security zones is droped by default 

So you should add interfaces in zones, create zone-pairs (which have direction) and assign a policy to this zone-pair, in policy you shiuld select (using class-maps) traffic that you want to traverse your device and inspect it.

Config example for your scenario:

zone security IN
zone security OUT

interface Gi1 (inside interface)
   zone-member security IN
int Gi2
   zone-member security OUT

class-map type inspect match-any/all IN-to-OUT_CM (this traffic we want to permit)
  use whatever match criteria you want (addresses, protocols, ports, DSCP, etc)
!
policy-map type inspect IN-to-OUT_PM
 class type inspect IN-to-OUT_CM
  inspect

(inspect means that an answers for your sessions will be allowed to come back)
  
zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect IN-to-OUT_PM

 

You can use many classes in a single policy-map, main point is you must use identical type (inspect, according ZBF)

if you have several internal zones you should write many zecurity-pairs, and if you  lazy enought- use same policy in every zone-pair, or use individual policy for each zone-pair.

 

--

Best Regards,

Alex

 

View solution in original post

0 Helpful
1 Reply 1

Go to solution
CSCO12029650
Level 1
Level 1

‎07-22-2015 06:19 AM

Hi Craig.

when you configure ZBF there are few rules:

security zone = interface/ interfaces.

Data between two created security zones is droped by default 

So you should add interfaces in zones, create zone-pairs (which have direction) and assign a policy to this zone-pair, in policy you shiuld select (using class-maps) traffic that you want to traverse your device and inspect it.

Config example for your scenario:

zone security IN
zone security OUT

interface Gi1 (inside interface)
   zone-member security IN
int Gi2
   zone-member security OUT

class-map type inspect match-any/all IN-to-OUT_CM (this traffic we want to permit)
  use whatever match criteria you want (addresses, protocols, ports, DSCP, etc)
!
policy-map type inspect IN-to-OUT_PM
 class type inspect IN-to-OUT_CM
  inspect

(inspect means that an answers for your sessions will be allowed to come back)
  
zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect IN-to-OUT_PM

 

You can use many classes in a single policy-map, main point is you must use identical type (inspect, according ZBF)

if you have several internal zones you should write many zecurity-pairs, and if you  lazy enought- use same policy in every zone-pair, or use individual policy for each zone-pair.

 

--

Best Regards,

Alex

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card