Tag: zonebased

Zone-Based Firewall Lab

So you can’t afford a nice shiny ASA firewall; ah well, no firewall for me then. Not true: you can use a Cisco Router with the correct license and use it as a Zone-Based Firewall. YAY.


This is the topology I’ll be using in this lab. The goal is to allow icmp and http traffic from the LAN Router out to the Internet Router but drop telnet traffic.

I’ve setup the Internet Router to allow telnet connections via the vty lines. Also, I am running eigrp as the routing protocol between the routers.

First let’s show telnet working from the LAN Router to the Internet Router.


Success! I can log into it. And while I’m at it, let me show http working. For this I enable the Internet Router as an http server using the following command: #ip http server


Now it’s time to configure the Zone-Based Firewall.

Step 1: Create two zones, INSIDE and OUTSIDE. You can call these TRUSTED and UNTRUSTED if you like; it doesn’t really matter what you call them as long as the names are meaningful.


Step 2: Create a class-map to match protocols you want to allow.


You must use the “type inspect” keyword when configuring the class-map, otherwise it would be a normal class-map, such as one used for QoS. The match-any keyword is also important: match-any is equal to an OR, as in match http OR icmp. If you used match-all instead, this is equal to an AND, as in match http AND icmp, and the action is only taken if both match.

Step 3: Create a policy-map and reference the class-map in it. For the matched class you will either drop (block the traffic), pass (allow the traffic without tracking it, i.e. non-stateful) or inspect (allow the traffic and keep track of it in the stateful session table).


Step 4: Create a zone-pair and attach the policy-map to it as a service-policy. This tells the ZBFW in which direction to apply the policy; if you remember, in Step 1 we created two different zones called INSIDE and OUTSIDE. It also references the policy-map from Step 3.

The zone-pair command got truncated so here it is in full:

ZBFW(config)#zone-pair security ALLOW_HTTP_ICMP source INSIDE destination OUTSIDE


Step 5: Now it is time to apply the two different zones to the interfaces. The reason I left this to last is that as soon as you apply a zone to an interface it will start to block all traffic between the two different zones until you have configured Steps 2 to 4.
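Putting Steps 1 to 5 together, here is the complete configuration as an added example; it is not taken from the screenshots in the original post. The zone names and the zone-pair name ALLOW_HTTP_ICMP come from the post; the class-map name HTTP_ICMP, the policy-map name HTTP_ICMP_POLICY and the interface names (GigabitEthernet0/0 towards the LAN Router, GigabitEthernet0/1 towards the Internet Router) are assumptions for this example.

```cisco
! Added example: full ZBFW configuration for Steps 1-5 of the post.
! Assumed names: class-map HTTP_ICMP, policy-map HTTP_ICMP_POLICY,
! Gi0/0 = LAN side, Gi0/1 = Internet side.
!
! Step 1: security zones
zone security INSIDE
 description LAN side (trusted)
zone security OUTSIDE
 description Internet side (untrusted)
!
! Step 2: class-map of type inspect; match-any = http OR icmp
class-map type inspect match-any HTTP_ICMP
 match protocol http
 match protocol icmp
!
! Step 3: policy-map of type inspect. "inspect" allows the traffic and
! tracks it statefully. Anything not matched (telnet included) falls into
! class-default and is dropped; "log" adds a syslog record of each drop,
! which is useful evidence when testing.
policy-map type inspect HTTP_ICMP_POLICY
 class type inspect HTTP_ICMP
  inspect
 class class-default
  drop log
!
! Step 4: the zone-pair gives the direction (INSIDE -> OUTSIDE) and attaches
! the policy-map as a service-policy of type inspect. Return traffic for
! inspected sessions is allowed automatically; no OUTSIDE -> INSIDE zone-pair
! is needed for replies.
zone-pair security ALLOW_HTTP_ICMP source INSIDE destination OUTSIDE
 service-policy type inspect HTTP_ICMP_POLICY
!
! Step 5: last, place the interfaces in their zones. From this point only
! traffic permitted by the zone-pair policy crosses between INSIDE and OUTSIDE.
interface GigabitEthernet0/0
 description to LAN Router
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description to Internet Router
 zone-member security OUTSIDE
!
! Verification commands (show output is not reproduced here):
!  show zone security
!  show zone-pair security
!  show policy-map type inspect zone-pair sessions
```

Two points worth knowing when you test this. Traffic to or from the ZBFW router itself (the EIGRP adjacencies, or managing the router) belongs to the built-in self zone and is not affected by this INSIDE to OUTSIDE zone-pair, so the routing protocol keeps working. Connections initiated from OUTSIDE towards INSIDE have no zone-pair at all and are therefore dropped by default; only the stateful return traffic of sessions inspected in the INSIDE to OUTSIDE direction gets through.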


That should do it. Now let’s test it and see if it is working.

First I’ll try to telnet to the Internet Router; this should fail.


As you can see from the output, the firewall is configured correctly. It isn’t allowing telnet traffic anymore, but it is allowing http and also icmp pings.


Check the zone-based firewall using the command #show policy-firewall session. Here we can see the http session allowed from the LAN Router (INSIDE) to the Internet Router (OUTSIDE) on port 80, and also the icmp session.

Hope you found this useful.