Zone Based Firewall
Cisco Zone based firewall configuration is an inbuilt feature on Cisco IOS routers used for security purpose. In ZBF we create different zones and then assign different interfaces in the zones. Once the interfaces are assigned to a zone then we create security policies to allow/deny traffic between different zones. To create a security policy for traffic between zones we have to create a zone pair. We have to configure zone pairs ourselves and apply a security policy to them to determine what traffic is permitted from one zone firewall to another. All security policies are attached to the zone pairs.
Related- Firewall Security Zones
Let us use a simple topology below to Configure ZBF on Cisco IOS Routers –
Related: Zone based firewall
First of all we configure the routing on R1 and R3 as below:
Next we create two zones Zone_1 and Zone_2 on R2 which will act as our ZBF:
Next we assign the interface to correct zone
Next we configure the Zone pairs
Now we have the ZBF enabled and by default all traffic is denied.
Our packets are dropped as the default behaviour is to block all traffic between the zones.
Next step is to define the security policies which have three options:
Pass: traffic is permitted.
Drop: traffic is dropped.
Inspect: traffic is permitted and inspected so that return traffic is allowed.
Let us create a simple security policy to allow the ICMP traffic:
Note we have used inspect under policy-map which will allow the traffic to flow in both directions i.e. Zone_1 to Zone_2 and vice versa.
The policy-map is finally applied on the zone-pair created earlier:
Now we see the traffic for ICMP/ping is allowed between R1 and R3
Related- Firewall vs Router