To configure Cisco IOS Zone Based Firewall, initial step is to create Zones and Zone Pairs. Consider the network topology below. zone based firewall. Zone Based Firewall I often think of Zone Based Policy Firewall or ZBF is Cisco's new firewall engine for IOS routers. However it came as a new. Today, I will be talking about the Cisco Zone-Based Firewall, including their differences and advantages compared to a Cisco ASA. I will also.


Author: Alfred Hessel
Country: Costa Rica
Language: English
Genre: Education
Published: 1 October 2017
Pages: 584
PDF File Size: 46.18 Mb
ePub File Size: 14.20 Mb
ISBN: 511-3-68219-249-9
Downloads: 77377
Price: Free
Uploader: Alfred Hessel


Configure Interzone Access Policy Interzone Access policy is the key part of a Zone based firewall where we classify the traffic and apply the firewall policies. Class map and Policy map configurations are carried out during this task. This will classify the traffic Policy Maps: This will decide the 'fate' of the traffic Class Map Configuration Class map sort the traffic based on the following criteria 1.

A subordinate class map. In our scenario I am zone based firewall cisco the traffic based on access group. A zone pair must be defined for each direction in which traffic is allowed to be initiated.

For zone based firewall cisco, a common simple policy is that the internal network can initiate any sort of traffic to the Internet, but no traffic may be initiated from the Internet to the internal network.

IOS Zone-Based Firewall

This policy requires only a single zone pair, from the internal zone to the Internet zone. If there exists a requirement for traffic to be initiated from the Zone based firewall cisco zone to the internal zone, a second zone pair in the opposite direction must also be created.

In early versions of IOS zone based firewall cisco firewall, traffic flowing from one interface to another within the same security zone was allowed to pass by default. In recent versions, however, even intra-zone traffic requires a zone pair definition with a single zone as both the source and destination.

We'll create three zone pairs to meet our requirements: Trusted to Internet - Allows Internet access from the internal network Guest to Internet - Allows Internet access from the guest wireless network Trusted to Trusted - Allows routing of traffic among the data, voice, and MPLS interfaces Zone based firewall cisco command to configure a zone pair uses the following syntax: Policies are defined as inspection policy maps, which are very similar in construct to policy maps used for quality of service QoS classification and marking.

Policy maps reference class maps, which in turn reference access lists or NBAR definitions to classify traffic.


One of three security actions can be taken on traffic matched by a class map: Drop - The traffic is dropped. Pass - The traffic is permitted.


Inspect - The traffic is permitted and inspected statefully so that return traffic in the opposite direction is also permitted. First, we'll create a class map to match all of the traffic we want to allow from the Trusted zone out to the Internet.

We want to inspect zone based firewall cisco traffic outbound to the Internet so that return traffic is allowed statefully. For example, we don't want to risk a guest bringing in a laptop infected with a spambot, sending out spam from our Internet connection, and getting our organization's IP space blacklisted.

How to configure Cisco IOS Zone Based Firewall

We'll limit guests to basic web access. We do this by creating inspection policy maps.

Since we want to zone based firewall cisco all intra-zone traffic, we can use the pass action on the default class map; there is no need to inspect and allow return traffic since the intra-zone pair applies in both directions.

Router config policy-map type inspect Trusted Router config-pmap class class-default Router config-pmap-c pass Lastly, we'll apply the three policy maps to their appropriate zone pairs.

Router show policy-map type inspect zone-pair policy exists on zp Trusted Zone-pair: