07-22-2015 04:04 AM - edited 03-11-2019 11:18 PM
Hi all,
I am just seeking a bit of clarification with regards to Zone-Based Firewalls (Cisco 1921).
I have a ZBF with a number of internal zones, none of these will need to talk between each other. I have an uplink to an upstream provider router that provides WAN services back to our data centre for remote sites. Am I correct in thinking that I need to configure the interface between the ZBF and the provider router into its own zone?
Clients will be accessing services back in our data centre but they will need to traverse this WAN zone.
I hope this makes sense, I think I am on the right track, any help would be much appreciated.
Thanks
Edge Site HQ
Internal Zones|----(ZBF)---(PROVIDER ROUTER)-------WAN--------(PROVIDER ROUTER)-------(LAN WITH FILE SERVER)
07-22-2015 06:19 AM
Hi Craig.
When you configure ZBF there are a few rules:
security zone = interface/interfaces.
Data between two created security zones is dropped by default.
So you should add interfaces to zones, create zone-pairs (which have a direction) and assign a policy to this zone-pair; in the policy you should select (using class-maps) the traffic that you want to traverse your device and inspect it.
Config example for your scenario:
zone security IN
zone security OUT
!
interface Gi1
 ! inside interface
 zone-member security IN
!
interface Gi2
 ! outside interface (towards the provider router)
 zone-member security OUT
!
class-map type inspect match-any IN-to-OUT_CM
 ! this is the traffic we want to permit (match-any or match-all as needed);
 ! use whatever match criteria you want (addresses, protocols, ports, DSCP, etc.)
!
policy-map type inspect IN-to-OUT_PM
 class type inspect IN-to-OUT_CM
  inspect
  ! inspect means that the answers to your sessions will be allowed to come back
!
zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect IN-to-OUT_PM
You can use many classes in a single policy-map; the main point is you must use the identical type (inspect, according to ZBF).
If you have several internal zones you should write many zone-pairs, and if you are lazy enough, use the same policy in every zone-pair, or use an individual policy for each zone-pair.
--
Best Regards,
Alex
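To show how the zone-pairs scale for Craig's layout (several internal zones that only need to reach the WAN zone, never each other), here is an added generator script, not part of Alex's answer or any Cisco material. Zone names, interface names and the protocol list are constructed assumptions; it writes the zones, zone members, one shared inspect policy and a zone-pair from each internal zone towards WAN only.

```python
"""Generate Cisco IOS ZBF config for N internal zones that reach a WAN zone
but never each other. Constructed example; names below are assumptions."""

# Constructed topology: internal zone -> interface, plus the uplink to the provider router.
INTERNAL_ZONES = {"USERS": "GigabitEthernet0/0", "PRINTERS": "GigabitEthernet0/0.20"}
WAN_ZONE = ("WAN", "GigabitEthernet0/1")


def zbf_config(internal, wan, protocols=("tcp", "udp", "icmp")):
    """Return IOS config lines: zones, members, one shared inspect policy and
    directional zone-pairs from each internal zone towards the WAN zone only."""
    wan_zone, wan_if = wan
    lines = []
    # 1. Declare zones; the provider-facing interface gets its own zone.
    lines += [f"zone security {z}" for z in list(internal) + [wan_zone]]
    # 2. Assign interfaces to zones.
    for z, intf in list(internal.items()) + [(wan_zone, wan_if)]:
        lines += [f"interface {intf}", f" zone-member security {z}", "!"]
    # 3. Classify the traffic we want to permit (match-any: any listed protocol).
    lines += ["class-map type inspect match-any IN-to-WAN_CM"]
    lines += [f" match protocol {p}" for p in protocols]
    # 4. Stateful inspection lets the replies for these sessions come back;
    #    everything else in this zone-pair is dropped and logged.
    lines += ["!", "policy-map type inspect IN-to-WAN_PM",
              " class type inspect IN-to-WAN_CM", "  inspect",
              " class class-default", "  drop log", "!"]
    # 5. One zone-pair per internal zone. No internal<->internal pair is written,
    #    so that traffic stays dropped by default.
    for z in internal:
        lines += [f"zone-pair security {z}-{wan_zone} source {z} destination {wan_zone}",
                  " service-policy type inspect IN-to-WAN_PM", "!"]
    return lines


def zone_pairs(lines):
    """Extract (source, destination) tuples from the generated zone-pair lines."""
    pairs = []
    for line in lines:
        if line.startswith("zone-pair security"):
            t = line.split()
            pairs.append((t[t.index("source") + 1], t[t.index("destination") + 1]))
    return pairs


def internal_leak(lines, internal):
    """Return any zone-pair joining two internal zones; expected to be empty."""
    return [p for p in zone_pairs(lines) if p[0] in internal and p[1] in internal]


if __name__ == "__main__":
    cfg = zbf_config(INTERNAL_ZONES, WAN_ZONE)
    print("\n".join(cfg))
```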