Basic Configuration of the Cisco Zone-based Policy Firewall in Transparent Mode

In previous posts we studied many aspects of the Cisco Zone-based Policy Firewall (ZFW) operation:

  • How the ZFW compares with Context Based Access Control (CBAC)
  • Building blocks of a Zone-based firewall policy
  • The default deny behavior of the ZFW
  • How to build a simple L4 policy with the Zone firewall
  • How to log connections and dropped packets in a ZFW environment
  • Integration of the Zone firewall with Access Control Lists (ACLs)
  • How to integrate the ZFW with Network Address Translation (NAT) and ACLs

The next step in our series about the Zone-based Firewall is to illustrate a basic configuration for ZFW operating in transparent mode. If you are not acquainted with the basic concepts pertaining to transparent firewalling, please check the post: “Quick Review of Firewall Connectivity options: Routed Mode and Transparent Mode” [ http://alexandremspmoraes.wordpress.com/2012/01/19/quick-review-of-firewall-connectivity-options-routed-mode-and-transparent-mode/ ].

It is easy to observe in the reference topology that the building blocks for the zone-based firewall policy are identical to those already studied. The significant change has to do with connectivity, not with rule construction. The figure also shows an audit-trail message and the command used to verify established sessions.

[Figure: Reference topology for the Cisco Zone-based Policy Firewall in transparent mode]
** Notes:
  • The audit-trail message and the show policy-firewall session command clearly show that the connection initiator (10.5.5.1) and the responder (10.5.5.2) are on the same IP subnet.
  • As discussed before, we could add L3/L4 restrictions to the basic inspection policy.
  • The ZFW interfaces shown in the figure (F0 and F1) are assigned to bridge-group 1.
  • The IP address of the ZFW needs to be configured on a Bridged Virtual Interface (BVI), specifically interface bvi 1, so that the BVI number matches the bridge-group number. It is important to emphasize, however, that this IP is not used as a gateway address when hosts on interfaces F1 and F0 need to communicate.
  • To interconnect this BVI with the other IP-enabled interfaces, you need to enable Integrated Routing and Bridging (IRB) on your Cisco IOS router. This is accomplished with the bridge irb and bridge 1 route ip configuration commands.
