configuring IOS firewall Zone Based --> remotely

Unanswered Question
May 30th, 2009
User Badges:

Hi to all,

need to deploy the folling IOS firewall Zone Based configuration to a running remotely router.




class-map type inspect match-any untrust-trust-cmap

match protocol telnet

match protocol ssh


policy-map type inspect untrust-trust-pmap

class type inspect untrust-trust-cmap


class class-default



class-map type inspect match-any trust-untrust-cmap

match protocol tcp

match protocol udp



policy-map type inspect trust-untrust-pmap

class type inspect trust-untrust-cmap


class class-default


zone security trust

zone security untrust


zone-pair security trust-untrust source trust destination untrust

service-policy type inspect trust-untrust-pmap


zone-pair security untrust-trust source untrust destination trust

service-policy type inspect untrust-trust-pmap


interface FastEthernet0/0

zone-member security trust

int dialer 0

zone-member security untrust

interface ATM0/0

zone-member security untrust


Roberto Taccon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
plumbis Mon, 06/01/2009 - 21:34
User Badges:
  • Silver, 250 points or more

This is always very risky. I would suggest that you issue the "reload in " command before trying to configure any interfaces as zone-members. I would stage the entire policy-map based configuration first, then I would configure the zone-member pairs in the "inside", "outside", "self" order, but there is 0 guarantee this will work. If you do lock yourself out the "reload in" command will reload the router and you can ssh back to the box after it finishes rebooting.

good luck!

ROBERTO TACCON Tue, 06/02/2009 - 06:17
User Badges:


thanks for the info (I know the reload command and also the rollback command).

Q1) When I try to insert on the 1st interface the "zone-member security trust" or "zone-member security untrust" I LOST THE ROUTER CAUSE THE OTHER INTERFACES ARE NOT CONFIGURED: HOW I CAN ACTIVATE THE ZONE-MEMBER COMMAND ON THE ROUTER WITHOUT LOST IT ?

Q2) it's possible (like Juniper JUNOS) made alla the new configuration and execute the "commit now" when I've finished ?

Q3) Is there any other feature on cisco IOS to allow to configure the router, check the configuration and only AFTER put it on the running config (the only tip i?ve found is to modify the startup config and load in or merge the running config with another conf...)?


Using Cisco Config Rollback

Replace the Running Configuration with the Latest Good Archive After Two Minutes Unless the Change Being Made Is Confirmed

Router#show archive

There are currently 4 archive configurations saved.

The next archive file will be named disk0:/config-archive-4

Archive # Name


1 disk0:/config-archive-1

2 disk0:/config-archive-2

3 disk0:/config-archive-3 <- Most Recent

Router#config replace disk0:/config-archive-3 time 120

If the configuration was successful, apply the changes

Router#config confirm

• If the config changes caused the user to be locked out, the router will automatically revert to the last saved archive configuration after two minutes, and connectivity will be restored


Roberto Taccon


This Discussion