Even though ASA devices are considered as the dedicated firewall device, Cisco integrated the firewall functionality in the router which in fact will make the firewall a cost effective device. The Zone Based firewall replaces the CBAC by introducing many features in its firewall functionality. The ZBF mainly deals with the security zones, where we can put the interfaces into various security zones and control the traffic between the zones.

Comparison chart of ZBF & CBAC

CBAC

Zone Based Firewall

Controls inbound & outbound access on an interface

Controls Bidirectional access between zones.

Uses inspect statements and stateful ACLs

Uses C3PL Configuration language

Support from IOS Release 11.2

Support from IOS Release 12.4(6)

When you first look at the ZBF configuration you would think it is complex and difficult. But once you understand the actual concept behind the configuration everything seems to be easy for you. Here I am going to divide the full configuration into different logical sets and finally combine all those sets to get the full configuration.

ZBF Configuration Tasks

We can configure a Zone Based Firewall by accomplishing the below tasks:

Configure zones.

Assign Router Interfaces to zones

Create zone pairs

Configure Interzone Access Policy

Which Include:

Class Maps

Policy Maps

5. Apply policy maps to zone pairs

Network Diagram

I am using the below diagram as a reference to configure Zone Based Firewall :

Here I am defining three zones i.e Inside zone, Outside zone and DMZ zone.

Below is the rule set for our ZBF:

1. From Inside to Outside -http, tcp, udp, icmp and pop3 is allowed

2. From Outside to Inside -icmp is allowed

3. From Inside to DMZ -http, tcp and icmp is allowed

4. From Outside to DMZ -only HTTP is allowed.

Before going to the configuration you have to understand the default rule of communication between the zones:

Interzone (Between two zones) communication – Denied by default

Intrazone communication (Inside a zone) – Allowed by default

Task 1: Configure zones

We have to configure three zones. Inside , Outside , DMZ

INSIDE Zone - This is the zone where my LAN is located

OUTSIDE Zone – This is the zone where the router is connected to the Internet

DMZ Zone – Company's DMZ zone.

Connect the router via console or putty and switch to the global configuration mode and type the command as below :

Router(config)#zone security INSIDE

Router(config)#zone security OUTSIDE

Router(config)#zone security DMZ

Now we got three zones in our firewall.

Task 2 :Assign Router Interfaces to zones

Now we have to assign the router's interface to a particular zone.Here I am going to assign Gigabyte Ethernet 0/0 (LAN interface) to INDISE zone , Ge0/1 to OUTSIDE zone and Ge0/2 to DMZ zone.

For this we have to go to the particular interface and attach the interface to the zone.Type the command below to achieve this:

Router(config)#interface gigabitEthernet 0/0

Router(config-if)#zone-member security INSIDE

Router(config)#interface gigabitEthernet 0/1

Router(config-if)#zone-member security OUTSIDE

Router(config)#interface gigabitEthernet 0/2

Router(config-if)#zone-member security DMZ

Task 3: Create zone pairs

Zone pairs are created to connect the zones. If you want to make two zones to communicate you have to create zone pairs.

DO NOT create zone pairs for non-communicating zones.

Here the communication is happening between:

INSIDE to OUTSIDE

OUTSIDE to INSIDE

OUTSIDE to DMZ

INSIDE to DMZ

So we need to create four zone pairs. The command is as follows:

Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE

Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ

Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ

Router(config)#exit

Task 4: Configure Interzone Access Policy

The interzone access policy is the key part of the zone based firewall where we configure layer 3 & layer 4 access policies.

In this step we will create Class Maps and Policy Maps.

Class Map Configuration

Class map will group the traffic into different categories. In our situation we have to create class maps for all the traffic between the zones.

Here I am going to create the ACL and associate it with the class maps. The ACL will decide the interesting traffic.

Class Map for INSIDE-TO-OUTSIDE

Router(config)#ip access-list extended INSIDE-TO-OUTSIDE

Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq www

Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq echo

Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq pop3

Router(config)#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS

Router(config-cmap)#match access-group name INSIDE-TO-OUTSIDE

Class Map for OUTSIDE-TO-INSIDE

Router(config)#ip access-list extended OUTSIDE-TO-INSIDE

Router(config-ext-nacl)#permit tcp any 172.17.0.0 0.0.255.255 eq echo

Class Map for OUTSIDE-TO-DMZ

Router(config)#ip access-list extended OUTSIDE-TO-DMZ

Router(config-ext-nacl)#permit tcp any 192.168.1.0 0.0.0.255 eq www

Router(config)#ip access-list extended INSIDE-TO-DMZ

Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq www
Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq echo

Policy Map Configuration

Now we are going to define the firewall rules for the above mentioned class maps. We can apply three rules to the traffic which is classified in class maps. i.e 1.)Inspect 2.)Drop 3.)Pass

Inspect : This will inspect the traffic in a bidirectional manner

Drop : This will drop the packets

Pass : This will simply pass the packet.

During the Policy Map configuration we have to attach the corresponding class-map with the policy-map and create a rule for the particular traffic (Inspect,Drop or Pass)

There will be a drop policy, by default ,at the end of all policy maps.

Policy Map for INSIDE-TO-OUTSIDE

Router(config)#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY

Router(config-pmap)#class type inspect INSIDE-TO-OUTSIDE-CLASS

Router(config-pmap-c)#inspect

Router(config-pmap)#class class-default

Router(config-pmap-c)#drop log

Policy Map for OUTSIDE-TO-INSIDE

Router(config)#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY

Router(config-pmap)#class type inspect OUTSIDE-TO-INSIDE-CLASS

Router(config-pmap-c)#pass

Router(config-pmap)#class class-default

Router(config-pmap-c)#drop log

Policy Map for OUTSIDE-TO-DMZ

Router(config)#policy-map type inspect OUTSIDE-TO-DMZ-POLICY

Router(config-pmap)#class type inspect OUTSIDE-TO-DMZ-CLASS

Router(config-pmap-c)#inspect

Router(config-pmap)#class class-default

Router(config-pmap-c)#drop log

Policy Map for INSIDE-TO-DMZ

Router(config)#policy-map type inspect INSIDE-TO-DMZ-POLICY

Router(config-pmap)#class type inspect INSIDE-TO-DMZ-CLASS

Router(config-pmap-c)#pass

Router(config-pmap)#class class-default

Router(config-pmap-c)#drop log

Task 5: Apply policy maps to zone pairs

Now we have to attach the policy maps to the zone pairs that we have already created using the service-policy command.

The command is as follows:

Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE

Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ

Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-DMZ-POLICY

Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ

Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-DMZ-POLICY

This is all about the basic configuration of a Zone-Based Policy Firewall.

Here I am mentioning some basic verification and troubleshooting commands :

# show class-map type inspect

#show policy-map type inspect

#show zone-pair security

Now you can deploy the Zone Based Firewall in your environment and test it.