Cisco IOS Zone based Firewall Tutorial
In this tutorial we will learn about Zone Based Firewall, but before digging into details let’s start with basic concepts.
A security zone is a group of interfaces to which a policy can be applied. By default, traffic flows freely within a zone, but all traffic to and from that zone is dropped. To allow traffic to pass between zones, administrators must explicitly permit it by creating a zone-pair and a policy for that pair. Note also that traffic originating from the router itself is allowed to pass freely.
A zone-pair lets you specify a unidirectional firewall policy between two zones. In other words, a zone-pair specifies the direction of the interesting traffic, defined by a source zone and a destination zone. Note that we can't define the same zone as both source and destination.
The zone policy defines what we want to allow or deny between zones. For example, we may want to allow HTTP while dropping SMTP, ICMP and so on. There are three actions: "pass", "drop" and "inspect". The "pass" and "drop" actions are self-explanatory. The "inspect" action tells the router to use a predefined class-map to filter the traffic.
Now enough theory! It’s time for the configuration.
In this scenario we are going to configure two zones, "inside" and "outside", and two tasks:
+ Only allow ping (ICMP) traffic from the INSIDE zone to the OUTSIDE zone (not vice versa).

Notice: make sure all the networks are reachable via a routing protocol before configuring the zone-based firewall.
First we divide the networks into two zones: Inside and Outside.
Create Inside zone and Outside zone
Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE
(In fact, we don't need to type "exit" before typing "zone security OUTSIDE".)
Assign IP addresses and apply zones to interfaces
Router(config)#interface fa0/0
Router(config-if)#ip address 10.0.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE
Router(config)#interface fa0/1
Router(config-if)#ip address 10.0.2.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE
Router(config)#interface fa1/0
Router(config-if)#ip address 12.12.12.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#zone-member security OUTSIDE
Define “interesting” traffic with class-map
Router(config)#class-map type inspect match-any CLASS_MAP_IN_TO_OUT
Router(config-cmap)#match protocol icmp
In the class-map configuration, the two most used parameters are match-any and match-all. With match-any, traffic only has to meet one of the match criteria in the class-map. With match-all, traffic must meet all of the criteria in the class-map. In this example we only check whether the traffic is "icmp" or not, so either "match-any" or "match-all" works. You may ask: "How can I use "match-all" when a packet can't match two or more protocols?" The answer is that "match-all" is used with protocols ordered from more specific to less specific, where the more specific protocol is carried by the less specific one. For example:
match protocol http
match protocol tcp
We have defined what traffic we want to monitor. Now we need to specify what to do with that traffic.
Router(config)#policy-map type inspect POLICY_MAP_IN_TO_OUT
Router(config-pmap)#class type inspect CLASS_MAP_IN_TO_OUT
Router(config-pmap-c)#inspect
I want to explain more about the "inspect" action in the policy-map POLICY_MAP_IN_TO_OUT. Unlike the "drop" and "pass" actions, when using this action we need to tell the router which class-map it must look up to find the "interesting traffic".
Notice that at the end of each policy-map there is a hidden class, class-default, that drops "all other" traffic by default, just like the implicit "deny all" at the end of an access list. It behaves like this:
class class-default
drop
OK, mostly done! The last thing is to specify the direction of this firewall (recall that the zone-based firewall is unidirectional). We do this with a zone-pair.
Router(config)#zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect POLICY_MAP_IN_TO_OUT
As you can see, we define the direction by specifying the source and destination zones; traffic flows from the source to the destination. In this case we only permit traffic from INSIDE to OUTSIDE.
An important point is that "return traffic is allowed by default": if a policy permits traffic in the outbound direction, it also permits the return traffic in the inbound direction.
It is not possible for traffic to flow between an interface that is a member of a security zone and one that is not a member of a security zone, because a policy can be applied only between two zones. If an interface on a router cannot be part of a security zone or firewall policy, it may be necessary to put that interface in a security zone and configure a “pass all” policy between that zone and other zones where traffic should flow.
In conclusion, to configure a Zone-Based Policy Firewall we need these steps:
+ Specify zones.
+ Specify what type of traffic (protocol) we want to monitor with a class-map.
+ Specify what action we want to take (drop, pass or inspect) with a policy-map.
+ Specify the direction we want to apply the filter with a zone-pair.
In this example we configured:
+ Zones: INSIDE and OUTSIDE
+ Type of traffic: icmp (ping)
+ Action: inspect (because we don't allow or deny all types of traffic, we must use the "inspect" action)
+ Direction: INSIDE to OUTSIDE
We can state this firewall in plain words: "only allow icmp traffic from INSIDE to OUTSIDE, drop other traffic".
Now if we ping from a PC (INSIDE) to 12.12.12.2 (OUTSIDE), it works:
(INSIDE)#ping 12.12.12.2
!!!!!
but a ping from 12.12.12.2 (OUTSIDE) to a PC (INSIDE) is dropped:
(OUTSIDE)#ping 10.0.1.1
…..
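As an added illustration (constructed for this page, not Cisco's code or the tutorial's own configuration), a small Python model of the rules described above: intra-zone traffic flows freely, a zone member cannot exchange traffic with an unzoned interface, "inspect" remembers the flow so the echo-reply is allowed back without an OUTSIDE-to-INSIDE zone-pair, and the hidden class-default drops everything else. The INSIDE PC address 10.0.1.10, the Packet/ZoneFirewall classes and the simplified session table are assumptions of this model; the zone, interface and policy names come from the tutorial.

```python
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    protos: frozenset          # every protocol the packet satisfies, e.g. {"tcp", "http"}
    reply: bool = False        # True for return traffic such as an ICMP echo-reply

@dataclass
class ZoneFirewall:
    zone_of: dict              # interface -> zone; interfaces in no zone are absent
    class_maps: dict           # name -> ("match-any" | "match-all", set of protocols)
    policy_maps: dict          # name -> [(class_map, action)]; class-default drops the rest
    zone_pairs: dict           # (source zone, destination zone) -> policy_map name
    sessions: set = field(default_factory=set)   # (src, dst, proto) opened by "inspect"
    def matches(self, cmap, protos):
        mode, wanted = self.class_maps[cmap]
        return bool(wanted & protos) if mode == "match-any" else wanted <= protos

    def forward(self, pkt):
        src_zone, dst_zone = self.zone_of.get(pkt.in_if), self.zone_of.get(pkt.out_if)
        if src_zone == dst_zone:                  # same zone (or both unzoned): free flow
            return "pass"
        if src_zone is None or dst_zone is None:  # zone member <-> non-member: always dropped
            return "drop"
        if pkt.reply and any((pkt.dst, pkt.src, p) in self.sessions for p in pkt.protos):
            return "pass"                         # return traffic of an inspected session
        policy = self.zone_pairs.get((src_zone, dst_zone))     # None if no zone-pair
        for cmap, action in self.policy_maps.get(policy, []):
            if self.matches(cmap, pkt.protos):
                if action == "inspect":           # remember the flow so replies can return
                    self.sessions.update((pkt.src, pkt.dst, p) for p in pkt.protos)
                    return "pass"
                return action
        return "drop"                             # implicit class-default (like ACL deny all)

def tutorial_firewall():   # the INSIDE/OUTSIDE configuration built in the tutorial above
    return ZoneFirewall(
        zone_of={"fa0/0": "INSIDE", "fa0/1": "INSIDE", "fa1/0": "OUTSIDE"},
        class_maps={"CLASS_MAP_IN_TO_OUT": ("match-any", {"icmp"})},
        policy_maps={"POLICY_MAP_IN_TO_OUT": [("CLASS_MAP_IN_TO_OUT", "inspect")]},
        zone_pairs={("INSIDE", "OUTSIDE"): "POLICY_MAP_IN_TO_OUT"})

def ping_demo():   # replay the tutorial's pings; 10.0.1.10 is a constructed INSIDE PC address
    fw, icmp = tutorial_firewall(), frozenset({"icmp"})
    return {"in_to_out_request": fw.forward(Packet("fa0/0", "fa1/0", "10.0.1.10", "12.12.12.2", icmp)),
            "in_to_out_reply": fw.forward(Packet("fa1/0", "fa0/0", "12.12.12.2", "10.0.1.10", icmp, reply=True)),
            "out_to_in_request": fw.forward(Packet("fa1/0", "fa0/0", "12.12.12.2", "10.0.1.10", icmp))}
```

The dictionary is built in order, so the echo-request opens the session before the echo-reply is evaluated, which is exactly why the reply passes while an unsolicited request from OUTSIDE does not.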
Hi,
First, I thank you for this explanation. But I am not understanding what you are saying here: ["A big notice is "return traffic is allowed by default". So if a policy permits the traffic in the outbound direction, it also permits the return traffic in the inbound direction."]
Because if I ping from INSIDE -> to -> OUTSIDE and it is okay, I should be able to receive a ping from OUTSIDE -> to -> INSIDE. (According to your statement)
How then can we receive an ACK for ICMP from OUTSIDE back to INSIDE (ICMP return traffic for TTL)?
Or do zone rules work like "established" in ACL (CBAC), where the router/firewall recognizes the return traffic? (Traffic was from inside before, so it will allow it on returning back.)
Thanks
Dindin
The router can recognize the return traffic (traffic was from inside before, so it will be allowed on returning back). For example, if you allow icmp from INSIDE -> OUTSIDE then the router will automatically allow ICMP_ECHO_REPLY from OUTSIDE -> INSIDE. Surely you cannot make a successful ping from OUTSIDE -> INSIDE.
Thank you for the effort. Much appreciated.
@ Securitytut
Thanks a lot
Regards,
Dindin.
Hi,
Regarding the action inspect, can you please explain to me how that action works? Is there a matching table for that action? I know pass and drop from their names, but inspect I couldn't understand how it works and when we can use it.
Unlike the “drop” and “pass” actions, when using this action we need to tell the router which class-map the router must look up for the “interesting traffic”. For example:
Router(config)#policy-map type inspect POLICY_MAP_IN_TO_OUT
Router(config-pmap)#class type inspect CLASS_MAP_IN_TO_OUT
Router(config-pmap-c)#inspect
-> We tell the router to use the class-map CLASS_MAP_IN_TO_OUT
Hi,
I applied the following command in order to allow ping from outside to inside:
Router(config)#zone-pair security ZONE_PAIR_IN_TO_OUT source OUTSIDE destination INSIDE
Router(config-sec-zone-pair)#service-policy type inspect POLICY_MAP_IN_TO_OUT
but I couldn't ping the inside?? Any further commands I need to configure?
Yes, it's enough. Did you remove the first zone-pair security (source INSIDE, dest OUTSIDE)?
No, I keep both
The AYT feature on Cisco routers currently supports Black ICE or Zone Alarm personal firewalls…
is this lab come in exams can some body tell
BION I'm impressed! Cool post!
@jamil: No, this is just a tutorial
Thank you for the tutorial, I appreciate your effort.
Very good explanation. Thanks securitytut
WELCOME
welcome to our site
Hello guys, I just passed the exam... almost all questions are from spike 165... plz check all simulations on this site...
As I am referring to this site from the last 1 week
I want to study all the topics in sequential manner, so can any1 provide me the topics of security
Hello Guys,
Is there any way we can practice this sim in GNS3?
I'm using a c3600 router image, and tried to configure these commands with no success. If anyone got to simulate the lab in GNS3 please share.
Thanks
@Mohammad
Maybe the problem is with your router image. My co-workers and I have made some simulations with the Cisco 7200 router image, it works really well. If you want I can provide you the router image.
before beginning the lab you must make sure that the ios version is 12.4(6) or above whatever the router image
via the command
#show version
Hey jose,
please provide me the router image. E-mail id bhattacharya1988@gmail.com, tell me the steps in this mail id
Hi Guys,
please provide me a simulation copy. I am preparing to take CCNA Security this coming 2012. Thanks. Jhavie_jag@yahoo.com
@jose
Hi jose, you've mentioned in your post that Cisco 7200 works really well. Can I ask for the image of it, and how did you do it? Can I ask for the ways or process to be done? Here's my email saladaga1987@yahoo.com Thanks..