In previous posts we studied many aspects of the Cisco Zone-based Policy Firewall (ZFW) operation:
- How the ZFW compares with Context Based Access Control (CBAC)
- Building blocks of a Zone-based firewall policy
- The default deny behavior of the ZFW
- How to build a simple L4 policy with the Zone firewall
- How to log connections and dropped packets in a ZFW environment
- Integration of the Zone firewall with Access Control Lists (ACLs)
- How to integrate the ZFW with Network Address Translation (NAT) and ACLs
The next step in our series about the Zone-based Firewall is to illustrate a basic configuration for ZFW operating in transparent mode. If you are not acquainted with the basic concepts pertaining to transparent firewalling, please check the post: “Quick Review of Firewall Connectivity options: Routed Mode and Transparent Mode” [ http://alexandremspmoraes.wordpress.com/2012/01/19/quick-review-of-firewall-connectivity-options-routed-mode-and-transparent-mode/ ].
It is easy to observe in the reference topology that the building blocks for the zone-based firewall policy are identical to those already studied. The significant change has to do with connectivity, not with rule construction. The figure also shows an audit-trail message and the command used to verify established sessions.

- Reference topology for the Cisco Zone-based Policy Firewall in transparent mode

The audit-trail message and the show policy-firewall session command clearly show that the connection initiator (10.5.5.1) and the responder (10.5.5.2) are on the same IP subnet.

As discussed before, we could add L3/L4 restrictions to the basic inspection policy.

The ZFW interfaces shown in the figure (F0 and F1) are assigned to bridge-group 1.

The IP address of the ZFW needs to be configured on a Bridged Virtual Interface (BVI), specifically interface BVI 1, whose number must match the bridge-group number. It is important to emphasize, however, that this IP is not used as a gateway address when hosts on interfaces F0 and F1 need to communicate.

To interconnect this BVI with the other IP-enabled interfaces, you need to enable Integrated Routing and Bridging (IRB) on your Cisco IOS router. This is accomplished with the bridge irb and bridge 1 route ip configuration commands.
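The transparent-mode building blocks described above, assembled into one Cisco IOS configuration as an added example (not taken from the original post or its figure). The full interface names FastEthernet0/FastEthernet1, the BVI address 10.5.5.254, the zone, class-map, policy-map and parameter-map names, and the optional ACL are assumptions; the figure itself only shows the hosts 10.5.5.1 and 10.5.5.2.

```cisco
! Added example (not from the original post). Names, the BVI address and the
! ACL are assumptions; the figure only shows hosts 10.5.5.1 and 10.5.5.2.
! Bridging: both firewall ports join bridge-group 1; IRB lets the BVI talk
! to the router's other IP-enabled interfaces.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Audit-trail produces the session start/stop messages seen in the figure.
parameter-map type inspect AUDIT
 audit-trail on
!
! Optional L3/L4 restriction: only host 10.5.5.1 may open TCP/UDP/ICMP
! sessions; anything else in the zone-pair hits class-default: drop + log.
ip access-list extended INSIDE-HOST
 permit ip host 10.5.5.1 any
class-map type inspect match-any L4-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all IN-OUT-CLASS
 match class-map L4-PROTOCOLS
 match access-group name INSIDE-HOST
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect AUDIT
 class class-default
  drop log
!
! Zones and zone-pair: identical to routed mode.
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT-POLICY
!
! No IP on the bridged ports; the IP lives on BVI 1 (same number as the
! bridge-group) and is not used as the hosts' default gateway.
interface FastEthernet0
 no ip address
 bridge-group 1
 zone-member security INSIDE
interface FastEthernet1
 no ip address
 bridge-group 1
 zone-member security OUTSIDE
interface BVI1
 ip address 10.5.5.254 255.255.255.0
```

After a session from 10.5.5.1 to 10.5.5.2 is opened, show policy-firewall session should list both endpoints on the same subnet, as in the figure; return traffic from OUTSIDE to INSIDE is allowed only because it matches an inspected session, since no OUT-IN zone-pair exists.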
** Related Posts:
- Zone Firewall Series: http://alexandremspmoraes.wordpress.com/tag/zone-firewall/
- Bridging Series: http://alexandremspmoraes.wordpress.com/tag/bridging/