Cisco SMB Support Assistant
Configure Zone Based Firewall on Cisco Routers
Introduction

This document describes how to configure Zone-Based Firewall on Cisco Routers. Cisco IOS Classic Firewall stateful inspection (formerly known as Context-Based Access Control, or CBAC) employed an interface-based configuration model, in which a stateful inspection policy was applied to an interface. All traffic passing through that interface received the same inspection policy. This configuration model limited the granularity of the firewall policies and caused confusion about the proper application of firewall policies, particularly in scenarios where firewall policies must be applied between multiple interfaces.

Zone-Based Policy Firewall (also known as Zone-Policy Firewall, or ZFW) changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.


Requirements

To perform the steps described in this document, you need to have these items:



Overview of Zone-Based Policy Network Security

A security zone must be configured for each region of relative security within the network, so that all interfaces that are assigned to the same zone are protected with a similar level of security. For example, consider an access router with three interfaces:

  • One interface connected to the public Internet

  • One interface connected to a private LAN that must not be accessible from the public Internet

  • One interface connected to an Internet service demilitarized zone (DMZ), where a Web server, Domain Name System (DNS) server, and e-mail server must be accessible to the public Internet

Each interface in this network is assigned to its own zone, although you might want to allow varied access from the public Internet to specific hosts in the DMZ and varied application use policies for hosts in the protected LAN.

Figure 1: Basic Security Zone Topology

In this example, each zone holds only one interface. If an additional interface is added to the private zone, the hosts connected to the new interface in the zone can pass traffic to all hosts on the existing interface in the same zone. Additionally, the hosts’ traffic to hosts in other zones is similarly affected by existing policies.

Typically, the example network has three main policies:

  • Private zone connectivity to the Internet

  • Private zone connectivity to DMZ hosts

  • Internet zone connectivity to DMZ hosts

Zone based firewall imposes a prohibitive default security posture. Therefore, unless the DMZ hosts are specifically provided access to other networks, other networks are safeguarded against any connections from the DMZ hosts. Similarly, no access is provided for Internet hosts to access the private zone hosts, so private zone hosts are safe from unwanted access by Internet hosts.

Zone-based firewall works on the concept of policies created for traffic moving between the zones. To create firewall policies, you must complete these tasks:

  • Define match criteria (class map)

  • Associate actions to the match criteria (policy map)

  • Attach the policy map to a zone pair (service policy)

A class is a way of identifying a set of packets based on their contents. Normally you define a class so that you can apply an action on the identified traffic that reflects a policy. A class is designated via class maps. The class-map command creates a class map to be used for matching packets to a specified class.

An action is a specific functionality, for example, inspect, drop, pass, and police are actions. An action is defined for a class using policy map. Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you can configure policies for classes whose match criteria are defined in a class map.


Zone based firewall Configuration Examples

In this configuration example the router is separated into five zones:

  • The public Internet is connected to FastEthernet 0 (Internet zone)

  • Two Internet servers are connected to FastEthernet 1 (DMZ zone)

  • The Ethernet switch is configured with two VLANs:

    • Workstations are connected to VLAN1 (client zone).

    • Servers are connected to VLAN2 (server zone).

    • The client and server zones are in the same subnet. A transparent firewall is applied between the zones, so the inter-zone policies on those two interfaces would only affect traffic between the client and server zones.

  • The VLAN1 and VLAN2 interfaces communicate with other networks through the bridge virtual interface (BVI1). This interface is assigned to the private zone. (See Figure 2.)

Figure 2: Zone Topology Detail

These policies are applied, using the network zones defined earlier:

  • Hosts in Internet zone can reach DNS, SMTP, and SSH services on one server in the DMZ. The other server offers SMTP, HTTP, and HTTPS services. The firewall policy restricts access to the specific services available on each host.

  • The DMZ hosts cannot connect to hosts in any other zone.

  • Hosts in the client zone can connect to hosts in the server zone on all TCP, UDP, and ICMP services.

  • Hosts in the server zone cannot connect to hosts in the client zone, except a UNIX-based application server can open X Windows client sessions to X Windows servers on desktop PCs in the client zone on ports 6900 to 6910.

  • All hosts in the private zone (combination of clients and servers) can access hosts in the DMZ on SSH, FTP, POP, IMAP, ESMTP, and HTTP services, and in the Internet zone on HTTP, HTTPS, and DNS services and ICMP. Furthermore, application inspection will be applied on HTTP connections from the private zone to the Internet zone in order to assure that supported instant messaging and P2P applications are not carried on port 80. (See Figure 3.)

Figure 3: Zone-Pair service permissions to be applied in the configuration example

These firewall policies are configured in order of complexity:

  1. Clients-Servers TCP/UDP/ICMP inspection

  2. Private-DMZ SSH/FTP/POP/IMAP/ESMTP/HTTP inspection

  3. Internet-DMZ SMTP/HTTP/DNS inspection restricted by host address

  4. Servers-Clients X Windows inspection with a port-application mapping (PAM)-specified service

  5. Private-Internet HTTP/HTTPS/DNS/ICMP with HTTP application inspection

Because you apply portions of the configuration to different network segments at different times, it is important to remember that a network segment loses connectivity to other segments when it is placed in a zone. For instance, when the private zone is configured, hosts in the private zone lose connectivity to the DMZ and Internet zones until their respective policies are defined.

Stateful Inspection Routing Firewall

Configure Private Internet Policy

Figure 4 illustrates the configuration of the private-Internet policy.

The private-Internet policy applies Layer 7 inspection to HTTP, HTTPS, and DNS, and Layer 4 inspection to ICMP, from the private zone to the Internet zone. This allows connections from the private zone to the Internet zone, and allows the return traffic. Layer 7 inspection carries the advantages of tighter application control, better security, and support for applications requiring fixup. However, Layer 7 inspection, as mentioned, requires a better understanding of network activity, because Layer 7 protocols that are not configured for inspection are not allowed between zones.

  1. Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#class-map type inspect match-any internet-traffic-class
    Router(config-cmap)#match protocol http
    Router(config-cmap)#match protocol https
    Router(config-cmap)#match protocol dns
    Router(config-cmap)#match protocol icmp
    
  2. Configure a policy-map to inspect traffic on the class-maps you just defined.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#policy-map type inspect private-internet-policy  
    Router(config-pmap)#class type inspect internet-traffic-class  
    Router(config-pmap-c)#inspect
    
  3. Configure the private and internet zones and assign router interfaces to their respective zones.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)# zone security private
    Router(config-sec-zone)#zone security internet
    Router(config-sec-zone)#int bvi1            
    Router(config-if)#zone-member security private
    Router(config-if)#int fastethernet 0
    Router(config-if)#zone-member security internet
    
  4. Configure the zone-pair and apply the appropriate policy-map.

    Note: You only need to configure the private Internet zone pair at present in order to inspect connections sourced in the private zone traveling to the Internet zone.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#zone-pair security private-internet source 
                   private destination internet
    Router(config-sec-zone-pair)#service-policy type 
                                 inspect private-internet-policy
    

    This completes the configuration of the Layer 7 inspection policy on the private-Internet zone-pair to allow HTTP, HTTPS, DNS, and ICMP connections from the private zone to the Internet zone and to apply application inspection to HTTP traffic to assure that unwanted traffic is not allowed to pass on TCP 80, HTTP’s service port.

Configure Private DMZ Policy

Figure 5 illustrates the configuration of the private-DMZ policy.

The private DMZ policy adds complexity because it requires a better understanding of the network traffic between zones. This policy applies Layer 7 inspection from the private zone to the DMZ. This allows connections from the private zone to the DMZ, and allows the return traffic. Layer 7 inspection carries the advantages of tighter application control, better security, and support for applications requiring fixup. However, Layer 7 inspection, as mentioned, requires a better understanding of network activity, as Layer 7 protocols that are not configured for inspection would not be allowed between zones.

  1. Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#class-map type inspect match-any L7-inspect-class
    Router(config-cmap)#match protocol ssh
    Router(config-cmap)#match protocol ftp
    Router(config-cmap)#match protocol pop3
    Router(config-cmap)#match protocol imap
    Router(config-cmap)#match protocol esmtp
    Router(config-cmap)#match protocol http
    
  2. Configure policy-maps to inspect traffic on the class-maps you just defined.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#policy-map type inspect private-dmz-policy
    Router(config-pmap)#class type inspect L7-inspect-class
    Router(config-pmap-c)#inspect
    
  3. Configure the private and DMZ zones and assign router interfaces to their respective zones.

    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# zone security private
    Router(config-sec-zone)#zone security dmz
    Router(config-sec-zone)#int bvi1            
    Router(config-if)#zone-member security private
    Router(config-if)#int fastethernet 1
    Router(config-if)#zone-member security dmz
    
  4. Configure the zone-pair and apply the appropriate policy-map.

    Note: You only need to configure the private DMZ zone-pair at present in order to inspect connections sourced in the private zone traveling to the DMZ.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#zone-pair security private-dmz source 
                   private destination dmz
    Router(config-sec-zone-pair)#service-policy type 
                                 inspect private-dmz-policy
    

    This completes the configuration of the Layer 7 inspection policy on the private-DMZ zone-pair to allow SSH, FTP, POP3, IMAP, ESMTP, and HTTP connections from the private zone to the DMZ zone.

Configure Internet DMZ Policy

Figure 6 illustrates the configuration of the Internet-DMZ policy.

This policy applies Layer 7 inspection from the Internet zone to the DMZ. This allows connections from the Internet zone to the DMZ, and allows the return traffic from the DMZ hosts to the Internet hosts that originated the connection. The Internet DMZ policy combines Layer 7 inspection with address groups defined by ACLs to restrict access to specific services on specific hosts, groups of hosts, or subnets. This is accomplished by nesting a class-map specifying services within another class-map referencing an ACL to specify IP addresses.

  1. Define class-maps and ACLs that describe the traffic that you want to permit between zones, according to policies described earlier.

    Multiple class-maps for services must be used, as differing access policies are applied for access to two different servers. Internet hosts are allowed DNS and HTTP connections to 172.16.2.2, and SMTP connections are allowed to 172.16.2.3. Note the difference in the class-maps. The class-maps specifying services use the match-any keyword to allow any of the listed services. The class-maps associating ACLs with the service class-maps use the match-all keyword to require that both conditions in the class map must be met to allow traffic.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#access-list 110 permit ip any host 172.16.2.2
    Router(config)#access-list 111 permit ip any host 172.16.2.3
    Router(config)#class-map type inspect match-any dns-http-class
    Router(config-cmap)#match protocol dns
    Router(config-cmap)#match protocol http
    Router(config-cmap)#class-map type inspect match-any smtp-class
    Router(config-cmap)#match protocol smtp
    Router(config-cmap)#class-map type inspect match-all dns-http-acl-class
    Router(config-cmap)# match access-group 110
    Router(config-cmap)#match class-map dns-http-class
    Router(config-cmap)#class-map type inspect match-all smtp-acl-class
    Router(config-cmap)#match access-group 111
    Router(config-cmap)#match class-map smtp-class
    
  2. Configure policy-maps to inspect traffic on the class-maps you just defined.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#policy-map type inspect internet-dmz-policy
    Router(config-pmap)#class type inspect dns-http-acl-class
    Router(config-pmap-c)#inspect
    Router(config-pmap-c)#class type inspect smtp-acl-class
    Router(config-pmap-c)#inspect
    
  3. Configure the Internet and DMZ zones and assign router interfaces to their respective zones. Skip the DMZ configuration if you set it up in the previous section.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#zone security internet
    Router(config-sec-zone)#zone security dmz
    Router(config-sec-zone)#int fastethernet 0
    Router(config-if)#zone-member security internet
    Router(config-if)#int fastethernet 1
    Router(config-if)#zone-member security dmz
    
  4. Configure the zone-pair and apply the appropriate policy-map.

    Note: You only need to configure the Internet DMZ zone pair at present, to inspect connections sourced in the Internet zone traveling to the DMZ zone.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#zone-pair security internet-dmz source internet 
                   destination dmz
    Router(config-sec-zone-pair)#service-policy type 
                                 inspect internet-dmz-policy
    

    This completes the configuration of the address-specific Layer 7 inspection policy on the Internet DMZ zone-pair.

Stateful Inspection Transparent Firewall

Configure Servers-Clients Policy

Figure 7 illustrates the configuration of the servers-clients policy.

The servers-clients policy applies inspection using a user-defined service. Layer 7 inspection is applied from the servers zone to the clients zone. This allows X Windows connections to a specific port range from the servers zone to the clients zone, and allows the return traffic. X Windows is not a natively supported protocol in PAM, so a user-configured service in PAM must be defined so the ZFW can recognize and inspect the appropriate traffic.

Two or more router interfaces are configured in an IEEE bridge-group to provide Integrated Routing and Bridging (IRB): bridging between the interfaces in the bridge-group, and routing to other subnets via the Bridge Virtual Interface (BVI). The transparent firewall policy applies firewall inspection to traffic “crossing the bridge”, but not to traffic that leaves the bridge-group via the BVI. Therefore, in this scenario, the inspection is only applied to traffic that moves between the clients and servers zones, which are nested inside the private zone. The policies applied between the private zone and the public and DMZ zones only come into play when traffic leaves the bridge-group via the BVI. When traffic leaves via the BVI from either the clients or servers zones, the transparent firewall policy is not invoked.

  1. Configure PAM with a user-defined entry for X Windows.

    X Windows clients (where applications are hosted) open connections for display information to X Windows servers (where the user is working) in a range starting at port 6900.

    Each additional connection uses the next port, so if one host displays 10 different sessions, ports 6900-6909 are used. Therefore, if you inspect only the port range from 6900 to 6909, connections opened to ports beyond 6909 would fail:

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#ip port-map user-Xwindows port tcp from 6900 to 6910
    
  2. Review PAM documents to address additional PAM questions or check granular protocol inspection documentation for information about the details of interoperability between PAM and Cisco IOS Firewall stateful inspection.

  3. Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#class-map type inspect match-any Xwindows-class
    Router(config-cmap)#match protocol user-Xwindows
    
  4. Configure policy-maps to inspect traffic on the class-maps you just defined.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#policy-map type inspect servers-clients-policy
    Router(config-pmap)# class type inspect Xwindows-class
    Router(config-pmap-c)#inspect
    
  5. Configure the client and server zones and assign router interfaces to their respective zones.

    If you configured these zones and assigned interfaces in the Configure Clients-Servers Policy section, you can skip to the zone-pair definition. The IRB bridging configuration is provided for completeness.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#bridge irb
    Router(config)#bridge 1 protocol ieee
    Router(config)#bridge 1 route ip
    Router(config)#zone security clients
    Router(config-sec-zone)#zone security servers
    Router(config-sec-zone)#int vlan 1
    Router(config-if)#bridge-group 1
    Router(config-if)#zone-member security clients
    Router(config-if)#int vlan 2
    Router(config-if)#bridge-group 1
    Router(config-if)#zone-member security servers
    
  6. Configure the zone-pair and apply the appropriate policy-map.

    Note: You only need to configure the servers-clients zone pair at present in order to inspect connections sourced in the servers zone traveling to the clients zone.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#zone-pair security servers-clients 
                   source servers destination clients
    Router(config-sec-zone-pair)#service-policy type inspect 
                                 servers-clients-policy
    

    This completes the configuration of the user-defined inspection policy in the servers-clients zone-pair to allow X Windows connections from the server zone to the client zone.

Configure Clients-Servers Policy

Figure 8 illustrates the configuration of the clients-servers policy.

The clients-servers policy is less complex than the others. Layer 4 inspection is applied from the clients zone to the servers zone. This allows connections from the clients zone to the servers zone, and allows return traffic. Layer 4 inspection carries the advantage of simplicity in the firewall configuration, in that only a few rules are required to allow most application traffic. However, Layer 4 inspection also carries two major disadvantages.

  • Applications such as FTP or streaming media services frequently negotiate an additional subordinate channel from the server to the client. This functionality is usually accommodated in a service fixup that monitors the control channel dialog and allows the subordinate channel. This capability is not available in Layer 4 inspection.

  • Layer 4 inspection allows nearly all application-layer traffic. If network use must be controlled so only a few applications are permitted through the firewall, an ACL must be configured on outbound traffic to limit the services allowed through the firewall.

Both router interfaces are configured in an IEEE bridge group, so this firewall policy applies transparent firewall inspection. This policy is applied on two interfaces in an IEEE IP bridge group. The inspection policy only applies to traffic crossing the bridge group. This explains why the clients and servers zones are nested inside the private zone.

  1. Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#class-map type inspect match-any L4-inspect-class
    Router(config-cmap)#match protocol tcp
    Router(config-cmap)#match protocol udp
    Router(config-cmap)#match protocol icmp
    
  2. Configure policy-maps to inspect traffic on the class-maps you just defined.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#policy-map type inspect clients-servers-policy
    Router(config-pmap)#class type inspect L4-inspect-class
    Router(config-pmap-c)#inspect
    
  3. Configure the clients and servers zones and assign router interfaces to their respective zones.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#zone security clients
    Router(config-sec-zone)#zone security servers
    Router(config-sec-zone)#int vlan 1
    Router(config-if)#zone-member security clients
    Router(config-if)#int vlan 2
    Router(config-if)#zone-member security servers
    
  4. Configure the zone-pair and apply the appropriate policy-map.

    Note: You only need to configure the clients-servers zone-pair at present, to inspect connections sourced in the clients zone traveling to the servers zone.

    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#zone-pair security clients-servers 
                   source clients destination servers
    Router(config-sec-zone-pair)#service-policy type 
                                 inspect clients-servers-policy
    

    This completes the configuration of the Layer 4 inspection policy for the clients-servers zone-pair to allow all TCP, UDP, and ICMP connections from the client zone to the server zone. The policy does not apply fixup for subordinate channels, but provides an example of simple policy to accommodate most application connections.
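As an added illustration (not Cisco's code and not part of this document), the following Python model encodes the class-maps, policy-maps and zone-pairs configured in the five sections above and returns the action ZFW applies to the first packet of a new connection. The port-to-application table, the zone names and all host addresses other than 172.16.2.2 and 172.16.2.3 are constructed; the model covers first-packet classification (including match-any versus match-all nesting and the user-Xwindows PAM range), not the stateful handling of return traffic.

```python
from dataclasses import dataclass

# Constructed PAM-style table: (transport, port) -> application name. Only the
# well-known ports the page's policies need; user-Xwindows rows mirror the
# page's "ip port-map user-Xwindows port tcp from 6900 to 6910" entry.
PORT_MAP = {("tcp", 80): "http", ("tcp", 443): "https", ("udp", 53): "dns",
            ("tcp", 53): "dns", ("tcp", 25): "esmtp", ("tcp", 22): "ssh",
            ("tcp", 21): "ftp", ("tcp", 110): "pop3", ("tcp", 143): "imap"}
PORT_MAP.update({("tcp", p): "user-Xwindows" for p in range(6900, 6911)})
ALIASES = {"smtp": "esmtp"}   # the page names TCP/25 traffic both ways

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    transport: str            # "tcp", "udp" or "icmp"
    dport: int = 0

def app_of(flow):
    """Classify a flow as PAM would: by transport and destination port."""
    return "icmp" if flow.transport == "icmp" else PORT_MAP.get((flow.transport, flow.dport))

@dataclass
class ClassMap:
    name: str
    mode: str                 # "match-any" or "match-all"
    protocols: tuple = ()     # match protocol <name>
    acl_hosts: tuple = ()     # access-list N permit ip any host <ip>
    classes: tuple = ()       # match class-map <nested class-map>

    def matches(self, flow):
        results = [ALIASES.get(p, p) in (flow.transport, app_of(flow))
                   for p in self.protocols]   # "tcp" matches any TCP flow
        if self.acl_hosts:
            results.append(flow.dst_ip in self.acl_hosts)
        results += [nested.matches(flow) for nested in self.classes]
        return any(results) if self.mode == "match-any" else all(results)

# The page's class-maps, policy-maps and zone-pairs, in the same order.
internet_traffic = ClassMap("internet-traffic-class", "match-any",
                            ("http", "https", "dns", "icmp"))
l7_inspect = ClassMap("L7-inspect-class", "match-any",
                      ("ssh", "ftp", "pop3", "imap", "esmtp", "http"))
dns_http = ClassMap("dns-http-class", "match-any", ("dns", "http"))
smtp = ClassMap("smtp-class", "match-any", ("smtp",))
dns_http_acl = ClassMap("dns-http-acl-class", "match-all",
                        acl_hosts=("172.16.2.2",), classes=(dns_http,))
smtp_acl = ClassMap("smtp-acl-class", "match-all",
                    acl_hosts=("172.16.2.3",), classes=(smtp,))
xwindows = ClassMap("Xwindows-class", "match-any", ("user-Xwindows",))
l4_inspect = ClassMap("L4-inspect-class", "match-any", ("tcp", "udp", "icmp"))

POLICY_MAPS = {
    "private-internet-policy": [(internet_traffic, "inspect")],
    "private-dmz-policy": [(l7_inspect, "inspect")],
    "internet-dmz-policy": [(dns_http_acl, "inspect"), (smtp_acl, "inspect")],
    "servers-clients-policy": [(xwindows, "inspect")],
    "clients-servers-policy": [(l4_inspect, "inspect")],
}
ZONE_PAIRS = {("private", "internet"): "private-internet-policy",
              ("private", "dmz"): "private-dmz-policy",
              ("internet", "dmz"): "internet-dmz-policy",
              ("servers", "clients"): "servers-clients-policy",
              ("clients", "servers"): "clients-servers-policy"}

def evaluate(flow):
    """Action ZFW takes on the first packet of a new connection."""
    if flow.src_zone == flow.dst_zone:
        return "pass"          # same zone: no zone-pair policy is consulted
    policy = ZONE_PAIRS.get((flow.src_zone, flow.dst_zone))
    if policy is None:
        return "drop"          # no zone-pair: the prohibitive default posture
    for cmap, action in POLICY_MAPS[policy]:
        if cmap.matches(flow):
            return action
    return "drop"              # implicit class-default
```

Calling evaluate(Flow("internet", "dmz", "172.16.2.2", "tcp", 25)) returns "drop" because smtp-acl-class requires both the ACL and the nested service class to match, while the same SMTP connection to 172.16.2.3 returns "inspect".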


Next Step

You have now configured Zone based Firewall on your router.

Refer to Router Support Page to make further changes to your router.

Refer to Configuration Overview Page to configure other devices in your network.


Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: You are unable to connect to the router with Security Device Manager (SDM).

Cause(s) and Suggested Solution(s): Refer to Configure Your Router with Security Device Manager.

© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.