Building a simple policy with the Cisco Zone-based Firewall

This quick post is aimed at illustrating the relationships among the ZFW building blocks available in the Class-Based Policy Language (CPL). To achieve that, we will build a very simple ZFW policy that employs only L4 inspection.

Some important aspects to observe in the scenario of Figure 1:

  • The top-level class-map TOP-CLASS1 specifies that only UDP and TCP connections are allowed from the source to the destination zone. Any other traffic (such as ICMP, GRE or IPSec) will be blocked when trying to flow from the INSIDE to the OUTSIDE zone.
  • The inspect action in the TOP-CLASS1 class-map is in charge of creating the entries in the state table (for allowed connections) and handling return traffic.
  • There is no interface ACL in this scenario. It is important to emphasize that interface ACLs are not part of a ZFW structure, because they interfere with the return traffic and thus break stateful inspection. The correct way of leveraging ACLs will be covered in another post.
  • The reserved class named class-default takes care of dropping and logging the packets that do not fall in the definition of the TOP-CLASS1 class-map.
  • Given that ZFW policies are unidirectional in nature, no connections can be initiated from the OUTSIDE zone to the INSIDE zone, unless we define a second zone-pair security statement connecting the OUTSIDE zone to the INSIDE zone.
  • In the event you needed to add another internal interface to the environment (for instance F2), the basic requirement would be to assign F2 to the INSIDE zone; all the settings in the OUTBOUND1 policy would then apply to it automatically.
  • In this first example we are not worried about specific application protocols or IP address restrictions yet.

Figure 1: Sample ZFW Policy using only Layer 4 Protocols

Figure 2 registers some important commands to verify ZFW policy structure:

  • The show zone security command provides information about the security zones already configured in the router. Notice that there is a system-defined zone called SELF, which includes the router's own addresses. (Packets to and from the router in a ZFW scenario are handled by the SELF zone, which will be discussed in another post.)
  • The show policy-firewall config zone-pair command summarizes the ZFW building blocks in use. It is a quick way of viewing the policy structure.

Figure 2: Viewing ZFW Policy Structure
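The CPL blocks behind Figures 1 and 2, written out as an added example rather than taken from the post's own figures. The interface names FastEthernet0/1/2, the zone-pair name IN-OUT and the session-listing show command at the end are assumptions; the class-map, policy-map, zone and verification command names are the ones the post uses.

```cisco
! Top-level class: only TCP and UDP are matched (match-any = either protocol).
! ICMP, GRE, IPsec and anything else fall through to class-default.
class-map type inspect match-any TOP-CLASS1
 match protocol tcp
 match protocol udp
!
! Policy applied from INSIDE to OUTSIDE. "inspect" creates the state-table
! entry and admits the matching return traffic; class-default drops and logs
! everything TOP-CLASS1 did not match.
policy-map type inspect OUTBOUND1
 class type inspect TOP-CLASS1
  inspect
 class class-default
  drop log
!
! Zones. SELF is system-defined and is not created here.
zone security INSIDE
zone security OUTSIDE
!
! Interface names are assumed. No interface ACL is used, so stateful
! return traffic is not interfered with.
interface FastEthernet0
 zone-member security INSIDE
interface FastEthernet1
 zone-member security OUTSIDE
! A second internal interface (the post's F2 case) only needs zone membership.
interface FastEthernet2
 zone-member security INSIDE
!
! Unidirectional zone-pair: without a second zone-pair from OUTSIDE to INSIDE,
! nothing can be initiated inbound. The pair name IN-OUT is assumed.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect OUTBOUND1
!
! Verification (Figure 2), plus an assumed command to list the state table.
! show zone security
! show policy-firewall config zone-pair
! show policy-map type inspect zone-pair sessions
```

Expect the two show commands to list INSIDE, OUTSIDE and SELF, and to summarize IN-OUT with OUTBOUND1, TOP-CLASS1 (inspect) and class-default (drop log).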


Filed under English, Firewalls, Security