How To Configure Cisco Router Zone Based Firewall?

Cisco Router Zone Based Firewall

Cisco routers provide routing for WAN, LAN and cloud connectivity, and Cisco IOS implements stateful firewall features through either the Zone-Based Firewall (ZBF) or the older Context-Based Access Control (CBAC). The Cisco Router Zone-Based Firewall is the successor of CBAC. Its concept is to group interfaces that share the same security attributes into zones. Permission to forward traffic is not granted between physical interfaces; instead, it is granted between zones (or within a zone) through a policy attached to a zone pair. Traffic between interfaces in the same zone is allowed by default, while traffic between two zones that have no zone pair is dropped, so anything the policies below do not explicitly permit is blocked. To configure a Zone-Based Firewall, follow these steps.

Configuration Layout:

The diagram above shows three zones:

  • Inside Zone - Private LAN (172.17.0.0/16 in the access lists below)
  • DMZ Zone - DMZ hosts (192.168.1.0/24 in the access lists below)
  • Outside Zone - Internet

Set Of Rules For Zone Based Firewall:

  • From Inside Zone to Outside Zone - http, icmp, and POP3 are allowed
  • From Outside Zone to Inside Zone - icmp is allowed
  • From Inside Zone to DMZ Zone - http and icmp are allowed
  • From Outside Zone to DMZ Zone - http is allowed

Every other flow between zones is dropped by the class-default of the policy for that zone pair. The Outside-to-Inside rule lets any Internet host send ICMP into the private LAN; it is kept here to match the example, but in production only allow it if you really need it.

Step 1: Configure Zones And Assign Router Interfaces

First, connect to the Cisco router's console (or an SSH session) with PuTTY, enter privileged EXEC mode and then global configuration mode (configure terminal). Enter the following commands to create the zones.

  • Router(config)#zone security INSIDE
  • Router(config)#zone security OUTSIDE
  • Router(config)#zone security DMZ

Once the router zones are configured, assign the router interface to a particular zone using the following commands.

  • Router(config)#interface gigabitEthernet 0/0
  • Router(config-if)#zone-member security INSIDE
  • Router(config)#interface gigabitEthernet 0/1
  • Router(config-if)#zone-member security OUTSIDE
  • Router(config)#interface gigabitEthernet 0/2
  • Router(config-if)#zone-member security DMZ

These commands assign GigabitEthernet 0/0 to the Inside zone, GigabitEthernet 0/1 to the Outside zone and GigabitEthernet 0/2 to the DMZ zone. An interface that is not a member of any zone cannot exchange traffic with an interface that is, so every interface carrying user traffic needs a zone.


Step 2: Create Zone Pairs

Input the following commands to create zone pairs.

  • Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
  • Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
  • Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
  • Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ

Step 3: Configure Interzone Access Policy

After creating the zone pairs, configure the interzone access policy. This takes two objects per zone pair: a class map, which selects the traffic (here by matching a named extended access list), and a policy map, which says what to do with the traffic each class selects. Create the access lists and class maps first.

Class Map for Inside to Outside zone:

  • Router(config)#ip access-list extended INSIDE-TO-OUTSIDE
  • Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq www
  • Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq pop3
  • Router(config-ext-nacl)#permit icmp 172.17.0.0 0.0.255.255 any
  • Router(config)#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
  • Router(config-cmap)#match access-group name INSIDE-TO-OUTSIDE

Class Map for Outside to Inside Zone:

  • Router(config)#ip access-list extended OUTSIDE-TO-INSIDE
  • Router(config-ext-nacl)#permit icmp any 172.17.0.0 0.0.255.255
  • Router(config)#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
  • Router(config-cmap)#match access-group name OUTSIDE-TO-INSIDE

Class Map for Inside to DMZ zone:

  • Router(config)#ip access-list extended INSIDE-TO-DMZ
  • Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq www
  • Router(config-ext-nacl)#permit icmp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255
  • Router(config)#class-map type inspect match-all INSIDE-TO-DMZ-CLASS
  • Router(config-cmap)#match access-group name INSIDE-TO-DMZ

Class Map for Outside to DMZ zone:

  • Router(config)#ip access-list extended OUTSIDE-TO-DMZ
  • Router(config-ext-nacl)#permit tcp any 192.168.1.0 0.0.0.255 eq www
  • Router(config)#class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
  • Router(config-cmap)#match access-group name OUTSIDE-TO-DMZ

After configuring the class maps, apply the firewall policy using policy maps. A policy map names each class and gives it one of three actions:

  • Inspect - permit the traffic and track it statefully, so the return traffic of the same session is allowed back in the reverse direction automatically
  • Drop - discard the traffic (add log to record each drop)
  • Pass - permit the traffic in this direction only, without creating a session; return traffic needs its own zone pair and policy

Traffic that matches no named class falls into class-default, which should be set to drop.


Carry out the following commands to configure the policy maps.

Policy Map for Inside to Outside zone:

  • Router(config)#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
  • Router(config-pmap)#class type inspect INSIDE-TO-OUTSIDE-CLASS
  • Router(config-pmap-c)#inspect
  • Router(config-pmap-c)#class class-default
  • Router(config-pmap-c)#drop log

Policy Map for Outside to Inside zone:

  • Router(config)#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
  • Router(config-pmap)#class type inspect OUTSIDE-TO-INSIDE-CLASS
  • Router(config-pmap-c)#inspect
  • Router(config-pmap-c)#class class-default
  • Router(config-pmap-c)#drop log

Policy Map for Outside to DMZ zone:

  • Router(config)#policy-map type inspect OUTSIDE-TO-DMZ-POLICY
  • Router(config-pmap)#class type inspect OUTSIDE-TO-DMZ-CLASS
  • Router(config-pmap-c)#inspect
  • Router(config-pmap-c)#class class-default
  • Router(config-pmap-c)#drop log

Policy Map for Inside to DMZ zone:

  • Router(config)#policy-map type inspect INSIDE-TO-DMZ-POLICY
  • Router(config-pmap)#class type inspect INSIDE-TO-DMZ-CLASS
  • Router(config-pmap-c)#pass
  • Router(config-pmap-c)#class class-default
  • Router(config-pmap-c)#drop log

This policy uses pass rather than inspect to show the third action. Because pass creates no session, the replies from the DMZ web servers travel from DMZ to Inside, a direction that has no zone pair, and are dropped. For the HTTP and ICMP rule to actually work, either use inspect here as in the other policies, or add a DMZ-to-Inside zone pair with a matching pass policy.

Step 4: Apply The Policy Maps To The Created Zone Pairs

For the created zone pairs, you have to apply the policy maps using the following commands.

  • Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
  • Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
  • Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
  • Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
  • Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
  • Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-DMZ-POLICY
  • Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ
  • Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-DMZ-POLICY
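As an added example (not part of the original page and not Cisco's code), the following Python script lints a zone-based firewall configuration exported as text (for instance the relevant lines of show running-config) for the mistakes that creep in when the steps above are typed by hand: a class map that matches an access list that does not exist, a policy map that names a class map that does not exist, a zone pair with no service policy, and a pass action whose return traffic has no zone pair to come back through. The sample configuration embedded in the script is constructed from the zones and names used on this page, with two such mistakes deliberately left in.

```python
"""Consistency lint for a Cisco IOS zone-based firewall (ZBF) configuration.
Added example for this page: it reads config text in running-config form and
never talks to a router. The object names are the ones the page uses."""


def parse(config):
    """Collect zones, ACLs, class-maps, policy-maps and zone-pairs from config text."""
    cfg = {"zones": set(), "acls": set(), "class_maps": {}, "policy_maps": {}, "pairs": {}}
    ctx = None  # (kind, name) of the top-level block currently being read
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # an unindented line opens a new block
            ctx = None
            if words[:2] == ["zone", "security"]:
                cfg["zones"].add(words[2])
            elif words[:3] == ["ip", "access-list", "extended"]:
                cfg["acls"].add(words[3])
            elif words[:3] == ["class-map", "type", "inspect"]:
                ctx = ("class", words[-1])
                cfg["class_maps"][words[-1]] = []  # ACL names it matches on
            elif words[:3] == ["policy-map", "type", "inspect"]:
                ctx = ("policy", words[3])
                cfg["policy_maps"][words[3]] = []  # [class name, action] entries
            elif words[:2] == ["zone-pair", "security"]:
                ctx = ("pair", words[2])  # ... NAME source SRC destination DST
                cfg["pairs"][words[2]] = {"src": words[4], "dst": words[6], "policy": None}
        elif ctx and ctx[0] == "class" and words[:3] == ["match", "access-group", "name"]:
            cfg["class_maps"][ctx[1]].append(words[3])
        elif ctx and ctx[0] == "policy" and words[0] == "class":
            cfg["policy_maps"][ctx[1]].append([words[-1], None])
        elif ctx and ctx[0] == "policy" and words[0] in ("inspect", "pass", "drop"):
            if cfg["policy_maps"][ctx[1]]:  # the action belongs to the last class line
                cfg["policy_maps"][ctx[1]][-1][1] = words[0]
        elif ctx and ctx[0] == "pair" and words[0] == "service-policy":
            cfg["pairs"][ctx[1]]["policy"] = words[-1]
    return cfg


def lint(config):
    """Return a list of problems; an empty list means the policy hangs together."""
    cfg = parse(config)
    directions = {(p["src"], p["dst"]) for p in cfg["pairs"].values()}
    problems = []
    for cname, acls in cfg["class_maps"].items():
        problems += [f"class-map {cname}: access-list {a} is not defined"
                     for a in acls if a not in cfg["acls"]]
    for name, p in cfg["pairs"].items():
        problems += [f"zone-pair {name}: zone {z} is not defined"
                     for z in (p["src"], p["dst"]) if z not in cfg["zones"]]
        classes = cfg["policy_maps"].get(p["policy"])
        if classes is None:  # no policy, or an undefined one: the pair drops everything
            problems.append(f"zone-pair {name}: service-policy {p['policy']} missing or undefined")
            continue
        for cls, action in classes:
            if cls != "class-default" and cls not in cfg["class_maps"]:
                problems.append(f"policy-map {p['policy']}: class-map {cls} is not defined")
            # 'pass' keeps no session state, so replies need a zone-pair of their own
            if action == "pass" and (p["dst"], p["src"]) not in directions:
                problems.append(f"zone-pair {name}: 'pass' on {cls} but no {p['dst']}->{p['src']} "
                                "zone-pair exists, so return traffic is dropped")
    return problems


# Constructed sample in running-config form: the page's zones, two of its
# zone-pairs, and two hand-typing mistakes (a misspelt class-map name, and a
# 'pass' action on TCP traffic with no DMZ->INSIDE zone-pair for the replies).
SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
zone security DMZ
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 172.17.0.0 0.0.255.255 any eq www
ip access-list extended INSIDE-TO-DMZ
 permit tcp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq www
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INDISE-TO-DMZ-CLASS
  pass
 class class-default
  drop log
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
"""

if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG):
        print(problem)
```

Run it as is and it reports the misspelt class map and the pass action with no reverse zone pair; fix both (or add a DMZ-to-Inside zone pair) and it reports nothing. On the router itself the equivalent checks are show zone-pair security, which lists each pair with the policy attached to it, and show policy-map type inspect zone-pair sessions, which shows the sessions that inspect has created once traffic flows.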

You have now seen the basic configuration of the Cisco Router Zone Based Firewall. Once traffic behaves as intended, save the configuration with copy running-config startup-config so it survives a reload.