Configuring Cisco IOS Zone-Based Policy Firewall

Cisco Zone-Based Policy Firewall (ZFW) is the latest firewall technology in Cisco IOS. It was introduced in IOS Release 12.4(6)T and has matured into a much more reliable firewall since then.

ZFW is configured by assigning interfaces to zones, which must be created first. A zone defines a boundary: traffic is subjected to policy restrictions as it crosses from one zone into another. The default policy is to deny all traffic, so nothing can flow between zones unless a policy is explicitly configured. ZFW is configured with the Cisco Policy Language (CPL). Users familiar with the Cisco IOS Software Modular quality-of-service (QoS) CLI (MQC) will recognize the format: class maps select the traffic, and a policy map applies an action to the traffic each class selects.

Before we begin configuring the firewall, we must first decide how traffic should flow through it and which traffic it should inspect. For this tutorial: sessions initiated from the Trusted zone towards either of the other zones are allowed, and their return traffic is permitted back; sessions from the Untrusted zone may be initiated towards the DMZ zone but not towards the Trusted zone; and no session may be initiated from the DMZ zone towards any other zone. In addition, we will inspect all traffic from the Trusted zone and only HTTP/HTTPS traffic initiated from the Untrusted zone towards the DMZ zone.


The first step is to create the zones; this is done in global configuration mode with the command "zone security". Our Trusted zone is the local area network carrying the corporate traffic, the Untrusted zone represents the Internet, and the DMZ is the server zone. Let's configure the zones as shown in our topology.

R1(config)#zone security Trusted
R1(config-sec-zone)#zone security Untrusted
R1(config-sec-zone)#zone security DMZ
R1(config-sec-zone)#exit
R1(config)#

Now that the zones exist, we can assign interfaces to them. This is done in interface configuration mode with the command "zone-member security".

R1(config)#int f0/0
R1(config-if)#zone-member security Untrusted
R1(config-if)#int f1/1
R1(config-if)#zone-member security Trusted
R1(config-if)#int f1/0
R1(config-if)#zone-member security DMZ
R1(config-if)#exit
R1(config)#
After assigning interfaces to the zones, traffic can no longer flow between zones, because of the ZFW default policy, until we finish the configuration (traffic that stays within one zone, and traffic to or from the router itself, is still allowed). Now we configure the class-maps, which identify the traffic the ZFW will act on. In global configuration mode we create a class-map of type inspect with the command "class-map type inspect" followed by the keyword match-all or match-any. It is important to understand the difference between the two: match-all requires traffic to satisfy every match statement in the class-map, while match-any requires it to satisfy only one of them. Since a packet carries a single transport protocol, a class-map that lists several protocols must be match-any, otherwise it can never match. Let's configure one class-map that matches ICMP, UDP and TCP (effectively all the IP traffic we care about) and one class-map that matches HTTP/HTTPS traffic only.

R1(config)#class-map type inspect match-any Trusted2Any
R1(config-cmap)#match protocol icmp
R1(config-cmap)#match protocol udp
R1(config-cmap)#match protocol tcp
R1(config-cmap)#exit
R1(config)#class-map type inspect match-any Untrusted2DMZ
R1(config-cmap)#match protocol http
R1(config-cmap)#match protocol https
R1(config-cmap)#exit
R1(config)#
The next step is to configure the policy-maps, which apply an action to the traffic selected by the class-maps. The main actions of a type inspect policy-map are inspect (stateful inspection, which also allows the return traffic of the session), pass (allow without keeping state, so the reverse direction needs its own policy) and drop. Traffic that matches none of the classes falls into class-default, whose action is drop. As in the previous step, we configure two policy-maps, one for the Trusted zone and one for the Untrusted zone.

R1(config)#policy-map type inspect Trusted2Any
R1(config-pmap)#class type inspect Trusted2Any
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#policy-map type inspect Untrusted2DMZ
R1(config-pmap)#class type inspect Untrusted2DMZ
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#
The final step is to define the direction of the traffic and which policy applies to it. We do this by configuring zone-pairs and attaching a service-policy to each one. A zone-pair is unidirectional: the source is the zone in which a session is initiated, the destination is the zone it is going to. Because the Trusted2Any policy inspects the traffic, the return traffic of those sessions is allowed back without a reverse zone-pair, and since no zone-pair has the DMZ as its source, the DMZ cannot initiate anything.

R1(config)#zone-pair security Trusted2DMZ source Trusted destination DMZ
R1(config-sec-zone-pair)#service-policy type inspect Trusted2Any
R1(config-sec-zone-pair)#exit
R1(config)#zone-pair security Trusted2Untrusted source Trusted destination Untrusted
R1(config-sec-zone-pair)#service-policy type inspect Trusted2Any
R1(config-sec-zone-pair)#exit
R1(config)#zone-pair security Untrusted2DMZ source Untrusted destination DMZ
R1(config-sec-zone-pair)#service-policy type inspect Untrusted2DMZ
R1(config-sec-zone-pair)#exit
R1(config)#
As stated earlier in this tutorial, to configure Cisco ZFW you create zones and assign interfaces to them. ZFW also has a default "special" zone called the self zone. This zone refers to the router itself, that is, traffic destined to or originated by the router's own addresses (management sessions, routing protocol updates, pings). Unlike traffic between zones, traffic to and from the self zone is allowed by default until a zone-pair involving self is configured, so caution must be taken when applying a policy to it: a mistake can deny legitimate traffic such as SSH or a routing protocol peering. In our configuration we can ping any device from the Trusted zone, because that traffic is allowed. According to our configuration we cannot ping the Trusted zone or the DMZ from the Untrusted zone, but we can still ping the ZFW itself from the Untrusted zone. Knowing this, we configure the ZFW to drop pings against itself that arrive from the Untrusted zone. Once this zone-pair exists, any other traffic from the Untrusted zone towards the router no longer benefits from the self-zone default and lands in this policy's class-default, so add an explicit pass or inspect class for any management or routing traffic that must reach the router from that zone, and confirm the result with "show zone-pair security" and "show policy-map type inspect zone-pair Untrusted2Self".

R1(config)#class-map type inspect match-any Untrusted2Self
R1(config-cmap)#match protocol icmp
R1(config-cmap)#exit
R1(config)#policy-map type inspect Untrusted2Self
R1(config-pmap)#class type inspect Untrusted2Self
R1(config-pmap-c)#drop
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#zone-pair security Untrusted2Self source Untrusted destination self
R1(config-sec-zone-pair)#service-policy type inspect Untrusted2Self
R1(config-sec-zone-pair)#exit
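To check that the configuration built in this tutorial, including the self-zone policy, actually expresses the intended traffic flow, here is an added Python example (not part of the original tutorial and not Cisco code). It parses the ZFW sections of a running-config and derives the effective verdict for every zone-to-zone direction, plus a few findings a reviewer would want before deploying. The configuration text inside it is constructed from the commands above in "show running-config" form; the default deny between zones and the default allow for the self zone follow the rules described in this tutorial, while the assumption that unmatched traffic in a policy-map lands in class-default and drops is the script's own and should be confirmed on your IOS release with "show policy-map type inspect zone-pair".

```python
# Added example: audit a Cisco IOS ZFW running-config (not the tutorial's or Cisco's code).
import re

SELF_ZONE = "self"          # the implicit zone that represents the router itself
# Constructed from the tutorial's commands, in the form 'show running-config' prints them.
SAMPLE_CONFIG = """\
zone security Trusted
zone security Untrusted
zone security DMZ
class-map type inspect match-any Trusted2Any
 match protocol icmp
 match protocol udp
 match protocol tcp
class-map type inspect match-any Untrusted2DMZ
 match protocol http
 match protocol https
class-map type inspect match-any Untrusted2Self
 match protocol icmp
policy-map type inspect Trusted2Any
 class type inspect Trusted2Any
  inspect
policy-map type inspect Untrusted2DMZ
 class type inspect Untrusted2DMZ
  inspect
policy-map type inspect Untrusted2Self
 class type inspect Untrusted2Self
  drop
interface FastEthernet0/0
 zone-member security Untrusted
interface FastEthernet1/1
 zone-member security Trusted
interface FastEthernet1/0
 zone-member security DMZ
zone-pair security Trusted2DMZ source Trusted destination DMZ
 service-policy type inspect Trusted2Any
zone-pair security Trusted2Untrusted source Trusted destination Untrusted
 service-policy type inspect Trusted2Any
zone-pair security Untrusted2DMZ source Untrusted destination DMZ
 service-policy type inspect Untrusted2DMZ
zone-pair security Untrusted2Self source Untrusted destination self
 service-policy type inspect Untrusted2Self
"""

def parse_zfw(config):
    """Collect zones, interface->zone, class-map->matches, policy-map->{class: action}, zone-pairs."""
    cfg = {"zones": set(), "members": {}, "class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    ctx = cls = None                                   # open section and current policy-map class
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):                   # top-level command: close the previous section
            ctx = cls = None
            if m := re.fullmatch(r"zone security (\S+)", s):
                cfg["zones"].add(m[1])
            elif m := re.fullmatch(r"class-map type inspect match-(?:any|all) (\S+)", s):
                ctx, cfg["class_maps"][m[1]] = ("cmap", m[1]), []
            elif m := re.fullmatch(r"policy-map type inspect (\S+)", s):
                ctx, cfg["policy_maps"][m[1]] = ("pmap", m[1]), {}
            elif m := re.fullmatch(r"interface (\S+)", s):
                ctx = ("iface", m[1])
            elif m := re.fullmatch(r"zone-pair security (\S+) source (\S+) destination (\S+)", s):
                ctx = ("zpair", (m[2], m[3]))
                cfg["zone_pairs"][m[2], m[3]] = {"name": m[1], "policy": None}
        elif ctx:                                      # indented line: belongs to the open section
            kind, key = ctx
            if kind == "cmap" and s.startswith("match "):
                cfg["class_maps"][key].append(s[len("match "):])
            elif kind == "pmap" and (m := re.fullmatch(r"class (?:type inspect )?(\S+)", s)):
                cls = m[1]
                cfg["policy_maps"][key].setdefault(cls, "drop")   # drop until an action line is seen
            elif kind == "pmap" and cls and (m := re.fullmatch(r"(inspect|pass|drop)(?: log)?", s)):
                cfg["policy_maps"][key][cls] = m[1]
            elif kind == "iface" and (m := re.fullmatch(r"zone-member security (\S+)", s)):
                cfg["members"][key] = m[1]
            elif kind == "zpair" and (m := re.fullmatch(r"service-policy type inspect (\S+)", s)):
                cfg["zone_pairs"][key]["policy"] = m[1]
    return cfg

def verdict(cfg, src, dst):
    """How a session initiated in zone src towards zone dst is handled: (rule, {class: action})."""
    if src == dst:
        return "intra-zone", {}                        # ZFW never polices traffic that stays inside one zone
    pair = cfg["zone_pairs"].get((src, dst))
    if pair is None:                                   # no zone-pair: default deny, except towards/from self
        return ("self default", {}) if SELF_ZONE in (src, dst) else ("no zone-pair", {})
    actions = dict(cfg["policy_maps"].get(pair["policy"], {}))
    actions.setdefault("class-default", "drop")        # assumption: unmatched traffic lands in class-default and drops
    return pair["name"], actions

def audit(cfg):
    """Findings worth checking before deploying: unassigned zones and zone-pairs that allow nothing."""
    out = [f"zone {z} has no interface assigned" for z in sorted(cfg["zones"] - set(cfg["members"].values()))]
    for (src, dst), pair in cfg["zone_pairs"].items():
        if not {"pass", "inspect"} & set(cfg["policy_maps"].get(pair["policy"], {}).values()):
            out.append(f"zone-pair {pair['name']} allows nothing: all {src}->{dst} traffic hits class-default"
                       + (" (management and routing traffic to the router included)" if SELF_ZONE in (src, dst) else ""))
    return out

if __name__ == "__main__":
    cfg = parse_zfw(SAMPLE_CONFIG)
    zones = sorted(cfg["zones"]) + [SELF_ZONE]
    print(*(f"{s:>9} -> {d:<9} {verdict(cfg, s, d)}" for s in zones for d in zones), *audit(cfg), sep="\n")
```

Run it against a pasted running-config and compare the printed matrix with the flow you designed: every direction that should be closed must read "no zone-pair", the Trusted directions must show the inspect class, and the only finding for this tutorial's configuration is the Untrusted2Self zone-pair, which allows nothing explicitly and therefore deserves a second look for management and routing traffic.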