
Understanding the Cisco IOS Zone-based Policy Firewall


Cisco’s original implementation of a router-based stateful firewall is called Context Based Access Control (CBAC) or, sometimes, the Classic IOS Firewall. The basic configuration element of CBAC is the ip inspect command, which instructs IOS software to watch connection initiation requests for a particular (L4 or L7) protocol that arrive on a given router interface. The key point here is that CBAC inspection policies control traffic flows between pairs of interfaces and, as such, when a router has multiple interfaces that need firewall functionality, configuration complexity will automatically increase.

While dedicated firewalls (such as ASA appliances) are inherently closed from a security standpoint, a router is regarded as a connectivity provider, and therefore, normally does not impose restrictions by means of any implicit packet filter. Although CBAC is employed to transform the router into a true stateful firewall, it always does that on a per-interface basis. There is no method for globally ‘closing the router at once’ and this, eventually, makes some security-centric administrators treat this type of implementation with suspicion.

These challenges of scalability and ease of configuration motivated Cisco to develop a new approach for router-based firewalling known as the Zone-based Policy Firewall (ZFW). ZFW introduces the concept of security zones, which allow simpler definition of the degree of trustworthiness of a given interface, making administrators’ lives a lot easier when deploying firewall policies.

To help you understand this important security resource of Cisco IOS-based routers, I wrote a series of posts on my personal blog. I do hope this initiative will be helpful.

From CBAC to the Cisco Zone-based Policy Firewall

Building Blocks for a Cisco Zone-based Firewall policy

Zone Policy Firewall: Understanding the default deny behavior

Building a simple policy with the Cisco Zone-based Firewall

Logging connections in the Cisco Zone-based Policy Firewall

Logging dropped packets with the Cisco Zone-based Policy Firewall

Integrating ACLs with the Cisco Zone-based Policy Firewall

Deploying the Cisco Zone-based Policy Firewall with ACLs and NAT

Basic Configuration of the Cisco Zone-based Policy Firewall in Transparent Mode

FTP Inspection with the Cisco Zone-based Policy Firewall

HTTP Inspection on non-standard ports with the Cisco Zone-based Policy Firewall

Cisco Zone-based Policy Firewall: Understanding the self zone

Cisco Zone-based Policy Firewall: Controlling Intrazone traffic

User-based Access Control with the Cisco IOS Zone-based Policy Firewall
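As an added illustration of the point made in the post above (this configuration is not from the original post or from the linked series), the following constructed snippet puts the two models side by side. In the CBAC half, inspection and the protecting ACL are bound to individual interfaces; in the ZFW half, trust is a property of a zone, the policy lives on a zone pair, and an interface is protected simply by becoming a zone member. Interface names, zone, class-map and policy-map names, and the addresses (RFC 1918 and RFC 5737 documentation ranges) are assumptions chosen for the example.

```cisco
! ===== CBAC (Classic IOS Firewall): policy is tied to interfaces =====
! Inspection rule: watch TCP/UDP/ICMP sessions initiated from the inside.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT icmp
!
! Inbound ACL on the outside interface; CBAC punches temporary holes
! in it for the return traffic of inspected sessions. Everything else is
! denied and logged.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface GigabitEthernet0/0
 description Inside (trusted) LAN  [constructed example]
 ip address 192.168.1.1 255.255.255.0
 ip inspect INSIDE-OUT in
!
interface GigabitEthernet0/1
 description Outside (untrusted) link  [constructed example]
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
!
! Every additional trusted interface needs its own "ip inspect ... in"
! line, and every additional untrusted interface needs its own ACL
! binding: the configuration grows with the number of interface pairs.

! ===== ZFW (Zone-based Policy Firewall): policy is tied to zone pairs =====
zone security INSIDE
zone security OUTSIDE
!
! What to inspect when traffic goes from INSIDE to OUTSIDE.
class-map type inspect match-any INSIDE-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! What to do with it: stateful inspection for the matched protocols,
! drop and log anything else.
policy-map type inspect INSIDE-OUT-POLICY
 class type inspect INSIDE-OUT-CLASS
  inspect
 class class-default
  drop log
!
! The policy is attached once, to the zone pair, not to interfaces.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUT-POLICY
!
! No zone-pair OUTSIDE -> INSIDE is defined, so unsolicited traffic from
! OUTSIDE is dropped by the default deny between zones.
interface GigabitEthernet0/0
 description Inside (trusted) LAN  [constructed example]
 ip address 192.168.1.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Outside (untrusted) link  [constructed example]
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
! A second trusted LAN needs exactly one extra line; the existing
! zone-pair policy and the default deny apply to it immediately.
interface GigabitEthernet0/2
 description Second inside LAN  [constructed example]
 ip address 192.168.2.1 255.255.255.0
 zone-member security INSIDE
```

The contrast to notice is where the security decision is recorded: with CBAC an auditor has to read every interface stanza to know what is inspected and what is filtered, whereas with ZFW the zone definitions and zone pairs give the complete picture, and an interface that is a member of no zone cannot exchange traffic with any zone member at all.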


Alexandre, a couple of months ago I added your book Cisco Firewalls to my bookshelf at Safari Books Online. It really is a great reference book.


Hi Beckner,

Thanks for the comment.

I did my best to produce something useful to the field, in an attempt to complement the material already available. My basic motivation was to bring a different perspective, not so product-centric but, rather, functionality-focused. Moreover, I made a great effort to present meaningful examples that could effectively help in the learning process.

Note: The Cisco Firewalls title covers both IOS Firewall (CBAC and the Zone-based Policy Firewall) and, of course, ASA.


Two new posts are available in the ZFW series, presenting examples of how the Zone-based Policy Firewall may be used within IPv6 environments:

Sample Configuration of the Cisco IOS Zone-based Policy Firewall with IPv6

Cisco IOS Zone-based Policy Firewall: L7 inspection for FTP over IPv6