Now that we have studied several practical scenarios for the Cisco IOS Zone-based Policy Firewall (ZFW), it is time to apply this knowledge to IPv6 environments. It is very important to emphasize that the logic of policy construction (as well as the building blocks) are identical to those employed for IPv4.
Our reference topology brings a simple network containing two security zones and an L4-only policy that defines the rules to allow the initiation of outbound connections. The figure also documents the output of a typical debug command used to gain visibility about session creation.
** Topics for Study:
- By reviewing the contents of previous posts in the ZFW series, would you be able to insert L3 restrictions in this scenario ? (For example, the client host in the INSIDE should only be able to access FTP and HTTP on the OUTSIDE server).
- How can you enable logging ? (both for connection setup/teardown and dropped packets)
- What are the commands used to display information about existent security zones and structure of policy elements ?
** Related Posts:
- Zone-based Policy Firewall series: http://alexandremspmoraes.wordpress.com/tag/zone-firewall/
- IPv6 series: http://alexandremspmoraes.wordpress.com/tag/ipv6/