Need suggestion on this network design and configuration

Difan Zhao
Level 5

Hi experts,

I will have a task to configure a Cisco 1811 router as a gateway/router device. It has three interfaces. G0/0 is the WAN link to the internet. G0/1 and G0/2 are for internal connections. (I made up the interface names; they can be different.)

(Attached diagram: novotel les halles.jpg)

As you can see the G0/1 will be in another public IP range. The router will just do routing. There is no filtering, throttling or NATing between G0/1 and G0/0. The G0/2 will be in private IP range. NAT/PAT and firewalling are required between G0/2 and G0/0 or G0/1.

I haven't done this type of config (using a router as a gateway) for a long time. I used to use the "Classic IOS firewall" with the "ip inspect" commands. It looks like there is a new way of configuring it, called "Zone based firewall". I guess my first question is: should I use the new ZBF or the old IOS firewall?

If ZBF is the recommendation, how do I define zones? Do I define three zones or just two? I don't need firewalling between G0/2 and G0/1. I only need NAT/PAT. Can I put them into the same zone? Will ZBF require any configuration to allow traffic to pass between interfaces of the same zone?

Any advice is welcome.

Thanks,

Difan

3 Replies

Jennifer Halim
Cisco Employee

There are a few steps that you would need to configure ZBFW as follows:

1) Define your traffic by using the ACL

2) Classify that using class-map

3) Configure the inspection under policy-map

4) Configure zone member for each interface

5) Configure zone pairing for interfaces that need to communicate with each other (this also includes traffic to and from the router itself, which is defined with the self zone), and assign the service-policy through this zone pairing.

6) Assign the zone member to each interface

If traffic can pass freely between G0/1 and G0/2, you can assign them to the same zone.

Here is the configuration guide on ZBFW for your reference:

http://www.cisco.com/en/US/partner/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html

If you want a simpler solution, then you can still configure CBAC (ip inspect) as before.

Hope that helps.
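As an added illustration (not from this thread or from Cisco's documentation), here is how those six steps map onto the design in the question: G0/0 and G0/1 share one zone so they route freely with no inspection, G0/2 is the inside zone with stateful inspection and PAT toward both public interfaces. The interface names are the poster's placeholders, the private range 192.168.10.0/24 and all object names are assumptions.

```cisco
! 1) Define the inside traffic allowed out (assumed private range 192.168.10.0/24)
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.10.0 0.0.0.255 any
!
! 2) Classify it
class-map type inspect match-all CM-INSIDE-OUT
 match access-group name INSIDE-TO-OUTSIDE
!
! 3) Statefully inspect the match (return traffic is allowed); drop and log the rest
policy-map type inspect PM-INSIDE-OUT
 class type inspect CM-INSIDE-OUT
  inspect
 class class-default
  drop log
!
! 4) Zones: both public interfaces share OUTSIDE, so G0/0 <-> G0/1 traffic is
!    routed without filtering; G0/2 is INSIDE
zone security OUTSIDE
zone security INSIDE
!
! 5) One zone pair, inside to outside only. With no OUTSIDE->INSIDE pair,
!    unsolicited traffic from either public interface toward G0/2 is dropped.
!    Router-originated traffic (self zone) stays allowed because no self pair is defined.
zone-pair security INSIDE-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUT
!
! 6) Interface zone membership, plus the NAT inside/outside roles
interface GigabitEthernet0/0
 zone-member security OUTSIDE
 ip nat outside
interface GigabitEthernet0/1
 zone-member security OUTSIDE
 ip nat outside
interface GigabitEthernet0/2
 zone-member security INSIDE
 ip nat inside
!
! PAT the private range behind whichever public interface the packet leaves on,
! so hosts on the G0/1 subnet reply to G0/1's own address rather than G0/0's
route-map NAT-WAN permit 10
 match ip address INSIDE-TO-OUTSIDE
 match interface GigabitEthernet0/0
route-map NAT-DMZ permit 10
 match ip address INSIDE-TO-OUTSIDE
 match interface GigabitEthernet0/1
ip nat inside source route-map NAT-WAN interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-DMZ interface GigabitEthernet0/1 overload
```

After applying it, `show policy-map type inspect zone-pair sessions` and `show ip nat translations` confirm that inside sessions are being inspected and translated.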

Hey halijenn,

Thanks for the reply. If ZBFW will replace CBAC, I guess I will have to move on and use the new one... Hopefully Cisco will stick with this one for a while before moving to another solution!

I guess I only have one question left. I got a reply on this from another website. Someone suggested that I use the Cisco SDM wizard to create a template and then use the command line to further tweak it. What do you think??

Thanks!

Difan

My recommendation would be to start the CLI configuration for ZBFW from scratch, as it will appear to be much simpler than if you configure it through SDM. SDM throws in a lot of unnecessary configuration lines that will just confuse you even more. You can of course try to use the SDM template and see what it looks like in CLI; if you don't mind it, then you can tweak it. Otherwise, if it gets really complicated, then you can just remove the zone-based config and start from scratch.

Hope that helps.
