Need suggestion on this network design and configuration

Answered Question
Jul 23rd, 2010

Hi experts,

I will have a task to configure a Cisco 1811 router as a gateway/router device. It has three interfaces. G0/0 is the WAN link to the internet. G0/1 and G0/2 are for internal connections. (I made up the interface names; they may be different.)

[network diagram: novotel les halles.jpg]

As you can see, G0/1 will be in another public IP range. The router will just do routing there. There is no filtering, throttling or NATing between G0/1 and G0/0. G0/2 will be in a private IP range. NAT/PAT and firewalling are required between G0/2 and G0/0 or G0/1.

I haven't done this type of config (using a router as a gateway) for a long time. I used to use the "Classic IOS firewall" with the "ip inspect" commands. It looks like there is a new way of configuring it, called "Zone based firewall". I guess my first question is: do I use the new ZBF or the old IOS firewall?

If I'm advised to use ZBF, how do I define the zones? Do I define three zones or just two? I don't need firewalling between G0/2 and G0/1; I only need NAT/PAT. Can I put them into the same zone? Will ZBF require any configuration to allow traffic to pass between interfaces of the same zone?

Any advice is welcome.

Thanks,

Difan

Jennifer Halim Fri, 07/23/2010 - 15:32

There are a few steps that you would need to configure ZBFW as follows:

1) Define your traffic by using the ACL

2) Classify that using class-map

3) Configure the inspection under policy-map

4) Configure zone member for each interface

5) Configure zone pairing for the interfaces that need to communicate with each other (this also includes traffic to and from the router itself, which is defined with the self zone), and assign the service-policy through this zone pairing.

6) Assign the zone member to each interface

If g0/1 and g0/2 can freely pass between the 2 interfaces, you can assign them to the same zone.

Here is the configuration guide on ZBFW for your reference:

http://www.cisco.com/en/US/partner/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html

If you want a simpler solution, you can still configure CBAC (ip inspect) as before.

Hope that helps.
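
The six steps above, carried through for the design in the question (G0/0 WAN, G0/1 routed public range, G0/2 private range with NAT/PAT), as an added worked example that is not part of the answer or of Cisco's guide. The interface names are the question's own placeholders, and every zone name, ACL name, class-map name and address (the 192.168.10.0/24, 203.0.113.0/24 and 198.51.100.0/30 prefixes are documentation ranges) is constructed for illustration. G0/1 and G0/2 share one zone, as the answer suggests, so traffic between them needs no policy; the public range is passed through to and from the WAN without inspection, while the private range is inspected and translated.

```cisco
! Constructed example: names, addresses and zones are assumptions, not the
! original poster's values. Interface names follow the question's placeholders.

! Step 1: define the traffic with ACLs
ip access-list extended PRIVATE-LAN
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended PUBLIC-LAN
 permit ip 203.0.113.0 0.0.0.255 any
ip access-list extended TO-PUBLIC-LAN
 permit ip any 203.0.113.0 0.0.0.255
! Only the private range is ever translated; the public /24 is routed as-is
ip access-list extended NAT-SOURCE
 permit ip 192.168.10.0 0.0.0.255 any

! Step 2: classify with class-maps (nested class-map keeps the ACL match
! together with the protocol list under a match-all class)
class-map type inspect match-any CM-INSPECT-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all CM-PRIVATE-OUT
 match access-group name PRIVATE-LAN
 match class-map CM-INSPECT-PROTOCOLS
class-map type inspect match-all CM-PUBLIC-OUT
 match access-group name PUBLIC-LAN
class-map type inspect match-all CM-TO-PUBLIC
 match access-group name TO-PUBLIC-LAN

! Step 3: inspection in policy-maps
! inside -> outside: private LAN is stateful-inspected, public LAN is passed,
! everything else is dropped and logged
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-PRIVATE-OUT
  inspect
 class type inspect CM-PUBLIC-OUT
  pass
 class class-default
  drop log
! outside -> inside: "pass" is not stateful, so the return direction for the
! public LAN needs its own pass; return traffic for the private LAN is
! allowed by the inspect state created above, so nothing else is opened
policy-map type inspect PM-OUTSIDE-TO-INSIDE
 class type inspect CM-TO-PUBLIC
  pass
 class class-default
  drop log

! Step 4: zones (G0/1 and G0/2 share INSIDE, so traffic between them is
! unrestricted and needs no zone-pair)
zone security OUTSIDE
zone security INSIDE

! Step 5: zone pairs carrying the service policies
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-TO-INSIDE

! Step 6: zone membership last, so no interface is zoned before its policy
! exists (an interface in a zone with no matching zone-pair drops inter-zone
! traffic). NAT roles are independent of the zones.
interface GigabitEthernet0/0
 description WAN link
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description routed public LAN (no NAT, no inspection)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 zone-member security INSIDE
interface GigabitEthernet0/2
 description private LAN (NAT/PAT + inspection)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE

! PAT for the private LAN only, overloading the WAN address
ip nat inside source list NAT-SOURCE interface GigabitEthernet0/0 overload
```

Two points worth checking after applying something like this: traffic to and from the router itself (SSH, routing protocols, the NAT'd router address) is still permitted because no zone-pair involving the self zone is configured; adding one makes the router's own traffic subject to policy as well. And because G0/1 is marked `ip nat outside`, private-LAN hosts reaching the public LAN are translated too, to the WAN address here; if that translation should use G0/1's own address instead, split the NAT statement into two with route-maps matching the exit interface. `show policy-map type inspect zone-pair sessions` and `show ip nat translations` confirm that inspected sessions and translations are being created as intended.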

Difan Zhao Fri, 07/23/2010 - 15:41

Hey halijenn,

Thanks for the reply. If ZBFW will replace CBAC, I guess I will have to move on to the new one... Hopefully Cisco will stick with this one for a while before going to another solution!

I guess I only have one question left. I got a reply on this from another website. Someone suggested that I use the Cisco SDM wizard to create a template and then use the command line to tweak it further. What do you think?

Thanks!

Difan

Correct Answer
Jennifer Halim Fri, 07/23/2010 - 15:48

My recommendation would be to start the CLI configuration for ZBFW from scratch, as it will be much simpler than configuring it through SDM. SDM throws in a lot of unnecessary configuration lines that will just confuse you even more. You can of course try the SDM template and see what it looks like in the CLI; if you don't mind it, then you can tweak it. Otherwise, if it gets really complicated, you can just remove the zone-based config and start from scratch.

Hope that helps.
