What are Zone-Based Firewalls and how to use them?

Zone-Based Firewall (ZBF) is a firewall methodology in which interfaces are placed into zones and policies define which traffic is allowed to pass between zones and which is dropped. In the past, firewalls were built from access-lists that defined both source and destination, with the option to specify a port. This type of firewall is often referred to as a Context-Based Access Control (CBAC) firewall. Traffic in a CBAC firewall was either permitted or denied based on the access-list rule sets. Such rule sets are very limited and become cumbersome to manage with even a moderate number of access-list definitions, hence the creation of Zone-Based Firewalls.

In the network below there is a single router, one end-user computer, and two servers. We will perform a total of three configurations: allow the LAN to reach the Internet using only ping (icmp), allow the DMZ to reach the Internet using only telnet (tcp port 23), and allow the Internet to reach Server2 and Server3 using only telnet (tcp ports 23 and 2323). In a real-world use case the configuration is very similar; there you would more likely allow traffic to a web or email server in the DMZ rather than telnet. The rule sets are exactly the same, however, so you can easily substitute other protocols and ports or add more as you see fit.

Base router configuration

Step 1: Configure all applicable router interfaces. We also assign a secondary IP address to FastEthernet0/0, which is used later in one of the inbound rule configurations.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 1.1.1.2 255.255.255.248 secondary
R1(config-if)#ip address 1.1.1.1 255.255.255.248
R1(config-if)#ip nat outside
!
R1(config)#interface FastEthernet0/1
R1(config-if)#ip address 10.1.0.1 255.255.255.0
R1(config-if)#ip nat inside
!
R1(config)#interface FastEthernet1/0
R1(config-if)#ip address 10.1.10.1 255.255.255.0

Step 2: Configure NAT with an access-list so that the LAN and DMZ subnets can access the Internet, a static NAT of 1.1.1.2 to 10.1.0.2, and a static PAT of 1.1.1.1:2323 to 10.1.0.3:23.

R1(config)#ip nat inside source list 1 interface FastEthernet0/0 overload
R1(config)#ip nat inside source static tcp 10.1.0.3 23 1.1.1.1 2323 extendable
R1(config)#ip nat inside source static 10.1.0.2 1.1.1.2
!
R1(config)#access-list 1 permit 10.1.10.0 0.0.0.255
R1(config)#access-list 1 permit 10.1.0.0 0.0.0.255
R1(config)#access-list 1 deny any

Steps to configure a Zone-Based Firewall

Step 3: Create the required zones and place the applicable interfaces into them.

R1(config)#zone security INTERNET
R1(config)#zone security LAN
R1(config)#zone security DMZ
!
R1(config)#interface FastEthernet0/0
R1(config-if)#zone-member security INTERNET
!
R1(config)#interface FastEthernet0/1
R1(config-if)#zone-member security DMZ
!
R1(config)#interface FastEthernet1/0
R1(config-if)#zone-member security LAN

Step 4: Configure a class-map, policy-map, and zone-pair to allow the LAN to reach the INTERNET zone using only icmp.

R1(config)#class-map type inspect match-any LAN-ALLOWED-PROTOCOLS
R1(config-cmap)#match protocol icmp
!
R1(config)#policy-map type inspect LAN-TO-INTERNET-POLICY
R1(config-pmap)#class type inspect LAN-ALLOWED-PROTOCOLS
R1(config-pmap-c)#inspect
!
R1(config)#zone-pair security ZP-LAN-TO-INTERNET source LAN destination INTERNET
R1(config-sec-zone-pair)#service-policy type inspect LAN-TO-INTERNET-POLICY

Step 5: Configure a class-map, policy-map, and zone-pair to allow the DMZ to reach the INTERNET zone using only telnet.

R1(config)#class-map type inspect match-any DMZ-ALLOWED-PROTOCOLS
R1(config-cmap)#match protocol telnet
!
R1(config)#policy-map type inspect DMZ-TO-INTERNET-POLICY
R1(config-pmap)#class type inspect DMZ-ALLOWED-PROTOCOLS
R1(config-pmap-c)#inspect
!
R1(config)#zone-pair security ZP-DMZ-TO-INTERNET source DMZ destination INTERNET
R1(config-sec-zone-pair)#service-policy type inspect DMZ-TO-INTERNET-POLICY

NOTE: In a real-world deployment of a Zone-Based Firewall you will want to configure additional match protocol statements. A few protocols I recommend defining are dns, ftp, https, http, icmp, tcp and udp. To add one or more, simply use the command match protocol followed by the protocol name while in class-map configuration mode.

Allowing traffic into a zone

Step 6: Configure an access-list that allows traffic from any host to the servers on the DMZ using port 23 (telnet).

R1(config)#ip access-list extended FIREWALL-EXCEPTIONS-ACL
R1(config-ext-nacl)#permit tcp any host 10.1.0.2 eq 23
R1(config-ext-nacl)#permit tcp any host 10.1.0.3 eq 23

Step 7: Configure a class-map, policy-map, and zone-pair to allow the INTERNET zone to reach the DMZ zone. The key difference in this zone-pair configuration is that we match the access-group named FIREWALL-EXCEPTIONS-ACL in place of a protocol.

R1(config)#class-map type inspect match-any FIREWALL-EXCEPTIONS
R1(config-cmap)#match access-group name FIREWALL-EXCEPTIONS-ACL
!
R1(config)#policy-map type inspect FIREWALL-EXCEPTIONS-POLICY
R1(config-pmap)#class type inspect FIREWALL-EXCEPTIONS
R1(config-pmap-c)#inspect
R1(config-pmap)#class class-default
R1(config-pmap-c)#drop
!
R1(config)#zone-pair security ZP-INTERNET-TO-DMZ source INTERNET destination DMZ
R1(config-sec-zone-pair)#service-policy type inspect FIREWALL-EXCEPTIONS-POLICY

Block traffic to the self zone from the Internet

Step 8: By default, traffic is allowed to the router's self zone. The self zone represents the router itself, so if you ping an interface of the router it will reply. This is fine on a LAN interface but less desirable on an interface connected to the Internet. Below we configure the default action to drop traffic from the Internet to the self zone.

R1(config)#policy-map type inspect INTERNET-TO-SELF-POLICY
R1(config-pmap)#class class-default
R1(config-pmap-c)#drop log
!
R1(config)#zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
R1(config-sec-zone-pair)#service-policy type inspect INTERNET-TO-SELF-POLICY

Allowing DHCP traffic into the self zone

Step 9: In step 8 we configured a policy-map and zone-pair to block traffic to the self zone from the Internet. If your router receives its address by DHCP from an Internet service provider, it will no longer be able to obtain a dynamic IP address. You will need to reconfigure the rule sets for the self zone from step 8 to instead match the below.

R1(config)#class-map type inspect match-all dhcp
R1(config-cmap)#match protocol udp
!
R1(config)#policy-map type inspect INTERNET-TO-SELF-POLICY
R1(config-pmap)#class type inspect dhcp
R1(config-pmap-c)#pass
R1(config-pmap)#class class-default
R1(config-pmap-c)#drop
!
R1(config)#policy-map type inspect SELF-POLICY-TO-INTERNET
R1(config-pmap)#class type inspect dhcp
R1(config-pmap-c)#pass
R1(config-pmap)#class class-default
R1(config-pmap-c)#drop
!
R1(config)#zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
R1(config-sec-zone-pair)#service-policy type inspect INTERNET-TO-SELF-POLICY
!
R1(config)#zone-pair security ZP-SELF-TO-INTERNET source self destination INTERNET
R1(config-sec-zone-pair)#service-policy type inspect SELF-POLICY-TO-INTERNET

Verify the configuration

Now that the configuration is finished, let's verify remote connectivity using the ping and telnet commands. Use ping to verify that you can ping from PC1 to PC2 but not from Server2 or Server3. Similarly, a ping to the router's outside interface 1.1.1.1 will not be answered. Use the telnet command to verify connectivity to Server2 and Server3 from PC2. Server3 will only respond on port 2323 and Server2 only on port 23.
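To see why each of the checks above gives the result it does, the following Python model encodes the zones, class-maps, policy-maps, zone-pairs and static NAT entries from steps 1 through 9 as data and evaluates the first packet of a flow the way the router's ZBF does. It is an added example written for this article, not the article's own code or anything from Cisco IOS. It assumes: outside-to-inside static NAT is applied before the firewall policy (which is why FIREWALL-EXCEPTIONS-ACL lists the inside addresses 10.1.0.2 and 10.1.0.3); traffic within one zone is not policed; the self zone is open by default until a zone-pair involving self exists; a policy-map without an explicit class-default drops. The host addresses for PC2 (203.0.113.10) and the ISP (203.0.113.1) are constructed for the example. Return traffic of an inspected flow is not modelled, since inspect creates the session that permits it.

```python
"""Model of the zone-based firewall built in steps 1-9 (added example, not the page's code)."""
from ipaddress import ip_address, ip_network

# Step 1/3: the router's own addresses form the self zone; subnets map to zones.
# 1.1.1.2 is a secondary address of the router, but static NAT claims it first
# for traffic arriving from the Internet (see apply_static_nat).
ROUTER_ADDRS = {ip_address(a) for a in ("1.1.1.1", "1.1.1.2", "10.1.0.1", "10.1.10.1")}
ZONES = [  # (zone, subnet), checked in order; INTERNET is the catch-all
    ("LAN", ip_network("10.1.10.0/24")),
    ("DMZ", ip_network("10.1.0.0/24")),
    ("INTERNET", ip_network("0.0.0.0/0")),
]

# Step 2: static NAT/PAT entries as ((proto|None, public ip, port|None), (inside ip, port|None)).
STATIC_NAT = [
    (("tcp", "1.1.1.1", 2323), ("10.1.0.3", 23)),  # PAT 1.1.1.1:2323 -> 10.1.0.3:23
    ((None, "1.1.1.2", None), ("10.1.0.2", None)),  # NAT 1.1.1.2 -> 10.1.0.2
]

# Step 6: extended ACL entries (proto, destination host, port); implicit deny at the end.
FIREWALL_EXCEPTIONS_ACL = [("tcp", "10.1.0.2", 23), ("tcp", "10.1.0.3", 23)]


def match_protocol(name):
    """'match protocol <name>' as a predicate over a flow dict."""
    well_known = {"telnet": ("tcp", 23)}
    if name in well_known:
        return lambda f: (f["proto"], f["dport"]) == well_known[name]
    return lambda f: f["proto"] == name  # icmp, tcp, udp


def match_acl(entries):
    """'match access-group name ...' as a predicate; permit entries only, so no hit = deny."""
    return lambda f: any(
        f["proto"] == p and str(f["dst"]) == ip and f["dport"] == port for p, ip, port in entries
    )


# Steps 4, 5, 7, 9: class-maps as (match-any?, [predicates]).
CLASS_MAPS = {
    "LAN-ALLOWED-PROTOCOLS": (True, [match_protocol("icmp")]),
    "DMZ-ALLOWED-PROTOCOLS": (True, [match_protocol("telnet")]),
    "FIREWALL-EXCEPTIONS": (True, [match_acl(FIREWALL_EXCEPTIONS_ACL)]),
    "dhcp": (False, [match_protocol("udp")]),  # match-all, but its only term is 'udp'
}

# Policy-maps as ordered (class, action); no explicit class-default means drop.
POLICY_MAPS = {
    "LAN-TO-INTERNET-POLICY": [("LAN-ALLOWED-PROTOCOLS", "inspect")],
    "DMZ-TO-INTERNET-POLICY": [("DMZ-ALLOWED-PROTOCOLS", "inspect")],
    "FIREWALL-EXCEPTIONS-POLICY": [("FIREWALL-EXCEPTIONS", "inspect"), ("class-default", "drop")],
    "INTERNET-TO-SELF-POLICY": [("dhcp", "pass"), ("class-default", "drop")],
    "SELF-POLICY-TO-INTERNET": [("dhcp", "pass"), ("class-default", "drop")],
}

ZONE_PAIRS = {
    ("LAN", "INTERNET"): "LAN-TO-INTERNET-POLICY",
    ("DMZ", "INTERNET"): "DMZ-TO-INTERNET-POLICY",
    ("INTERNET", "DMZ"): "FIREWALL-EXCEPTIONS-POLICY",
    ("INTERNET", "self"): "INTERNET-TO-SELF-POLICY",
    ("self", "INTERNET"): "SELF-POLICY-TO-INTERNET",
}


def zone_of(addr):
    if addr in ROUTER_ADDRS:
        return "self"
    return next(zone for zone, net in ZONES if addr in net)


def apply_static_nat(flow):
    """Outside-to-inside: translate the destination before the firewall classifies it (assumed order)."""
    if zone_of(flow["src"]) != "INTERNET":
        return flow
    for (proto, pub, pport), (inside, iport) in STATIC_NAT:
        if str(flow["dst"]) == pub and proto in (None, flow["proto"]) and pport in (None, flow["dport"]):
            return {**flow, "dst": ip_address(inside), "dport": flow["dport"] if iport is None else iport}
    return flow


def evaluate(src, dst, proto, dport=None):
    """Return the ZBF action ('inspect', 'pass' or 'drop') for the first packet of a flow."""
    flow = apply_static_nat({"src": ip_address(src), "dst": ip_address(dst), "proto": proto, "dport": dport})
    s, d = zone_of(flow["src"]), zone_of(flow["dst"])
    if s == d:
        return "pass"  # traffic staying inside one zone is not policed
    policy = ZONE_PAIRS.get((s, d))
    if policy is None:
        return "pass" if "self" in (s, d) else "drop"  # self is open by default; other zone pairs are closed
    for cls, action in POLICY_MAPS[policy]:
        if cls == "class-default":
            return action
        match_any, predicates = CLASS_MAPS[cls]
        hits = [p(flow) for p in predicates]
        if any(hits) if match_any else all(hits):
            return action
    return "drop"  # implicit class-default


if __name__ == "__main__":
    for args in [("10.1.10.10", "203.0.113.10", "icmp"), ("10.1.0.2", "203.0.113.10", "icmp"),
                 ("203.0.113.10", "1.1.1.1", "icmp"), ("203.0.113.10", "1.1.1.2", "tcp", 23),
                 ("203.0.113.10", "1.1.1.1", "tcp", 2323), ("203.0.113.10", "1.1.1.1", "tcp", 23)]:
        print(args, "->", evaluate(*args))
```

Running the model reproduces the verification section: PC1's ping reaches PC2, the servers' pings do not, PC2 cannot ping 1.1.1.1, and telnet from PC2 reaches Server2 on 1.1.1.2:23 and Server3 on 1.1.1.1:2323 (each translated to the inside host on port 23 before the ACL is consulted). Two points a reader can also confirm from the configuration as written: the dhcp class-map in step 9 matches any UDP to or from the router, not only DHCP, and the SELF-POLICY-TO-INTERNET class-default drops everything else the router itself originates toward the INTERNET zone, including a ping from the router.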
