A previous article about the Cisco Zone-based Policy Firewall (ZFW) exemplified the construction of a simple L4 policy. Several other posts in the ZFW series underlined the fact that we cannot use interface ACLs in a ZFW environment (to avoid breaking the stateful inspection activities).
The current post builds upon our past discussions and documents the correct way of configuring ACLs within a zone-based firewall policy.
The focus of the policy structure depicted below is on the class-map called JOINT1, which specifies two simultaneous conditions that must be met for packets to flow from the INSIDE to the OUTSIDE zone:
- Inspection happens at L4 for application protocols that use either TCP or UDP transport. This is governed by the class-map TOP-CLASS1, already studied in the article Building a simple policy with the Cisco Zone-based Firewall.
- Restrictions that involve a combination of source and destination addresses and L4 ports are imposed by the extended access-list ACL1. This ACL is called by the match-all class-map JOINT1.
The object-groups referred to by access-list ACL1 are those defined in the post ‘The use of object-groups in Cisco IOS software’.
There is no interface ACL in this setup. The ACL rules are enforced by one of the building blocks of the Zone-based firewall policy itself (the class-map that references the ACL). It is important to emphasize that this is the correct manner of inserting L3/L4 restrictions into a basic ZFW L4 inspection policy.
The log keyword cannot be configured as part of an Access Control Entry (ACE) that is used inside a ZFW class-map.
Newer releases of IOS allow you to list the existent class-maps and policy-maps with the show running-config class-map and show running-config policy-map commands.
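The structure described above, written out as an added IOS configuration example (this is not the original post's figure, and the object-group names, addresses and interface names are placeholders; TOP-CLASS1 is assumed to be a match-any class matching TCP or UDP transport):

```cisco
! Placeholder object-groups (not the ones from the object-groups post).
object-group network INSIDE-HOSTS
 10.1.1.0 255.255.255.0
object-group network WEB-SERVERS
 host 203.0.113.10
object-group service WEB-PORTS
 tcp eq www
 tcp eq 443
 udp eq domain
!
! L3/L4 restrictions. No "log" keyword on these ACEs: it is not supported
! in an ACL that is referenced from a ZFW class-map.
ip access-list extended ACL1
 permit object-group WEB-PORTS object-group INSIDE-HOSTS object-group WEB-SERVERS
!
! L4 inspection class: TCP or UDP transport (match-any, either condition).
class-map type inspect match-any TOP-CLASS1
 match protocol tcp
 match protocol udp
!
! Both conditions must hold (match-all): inspectable transport AND permitted by ACL1.
class-map type inspect match-all JOINT1
 match class-map TOP-CLASS1
 match access-group name ACL1
!
policy-map type inspect OUTBOUND-POLICY
 class type inspect JOINT1
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
! Zone-member interfaces carry no "ip access-group ... in/out":
! the restrictions live in ACL1 inside the policy, not on the interface.
interface GigabitEthernet0/0
 description inside LAN (assumed interface)
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 description outside (assumed interface)
 ip address 203.0.113.1 255.255.255.0
 zone-member security OUTSIDE
!
zone-pair security OUTBOUND2 source INSIDE destination OUTSIDE
 service-policy type inspect OUTBOUND-POLICY
```

Traffic that is TCP or UDP but not permitted by ACL1 fails the match-all class JOINT1 and falls into class-default, where it is dropped.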
** Topics for study:
What is the default category of the class-map type inspect? (match-all or match-any?)
What are the UDP and TCP applications allowed by the OUTBOUND2 zone-pair?
What is the function of the ‘TRACKING’ argument as part of the inspect action?
Read the following post to learn more about adding Network Address Translation (NAT) to a Zone-based Policy Firewall topology: https://alexandremspmoraes.wordpress.com/2012/01/17/deploying-the-cisco-zone-based-policy-firewall-with-acls-and-nat/
- Zone Firewall Series: https://alexandremspmoraes.wordpress.com/tag/zone-firewall/
- ACL Series: https://alexandremspmoraes.wordpress.com/tag/identity/