Cisco 2911 ISR Firewall

Unanswered Question
Jul 12th, 2013

Hi everyone,


I would like to inquire about how to deploy Cisco 2911 ISR routers to act as a firewall to protect segments of my network. We have more than 10 units of the said router at our branch and I would like to ask how I can make it a firewall. It is running IOS with the sec/k9 license.


Hope that anyone can help me with my problem.


Thank you very much in advance


Best Regards,

Jayson Cruz

Andrew Phirsov Fri, 07/12/2013 - 04:46

ZBFW (ZFW) is the answer. Cisco docs will show you how to work with the feature.

Jayson Cruz Sun, 07/14/2013 - 16:34

Hi Andrew,


Thank you for your reply. If it is not too much to ask, may I ask for your help with a copy of or link to such Cisco documents? I am currently a newbie in the field of firewalling, such as this one, the Cisco 2911 ISR with sec/k9 license.


Thank you very much and your assistance is very much appreciated.


Best Regards,

Jayson

Julio Carvajal Sun, 07/14/2013 - 18:11

Hi Jayson,


Just want to add some really useful links (the one mentioning the self zone was written by me):


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

https://supportforums.cisco.com/docs/DOC-27487

https://supportforums.cisco.com/docs/DOC-34539


If you speak Spanish, the link below is a blog that talks about ZBFW in detail.


For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Jayson Cruz Sun, 07/14/2013 - 21:46

Hi Julio,

Thank you very much for your support.

Best Regards,
Jayson


Sent from Cisco Technical Support Android App

Jayson Cruz Mon, 07/15/2013 - 02:16

Hello Julio,

Thank you for your answer, I am starting to be enlightened with this topic.

Yes, I have another question: may I ask if I need to implement zone-pairs when doing zone-based firewall between different sites?


Sent from Cisco Technical Support Android App

Julio Carvajal Mon, 07/15/2013 - 08:43

Hello Jayson,


No, ZBFW is independent on each site.

So if you decide to implement ZBFW on 2 different sites on 2 different routers, you will need to set the zone-pairs between the interfaces only on the SAME router.



For Networking Posts check my blog at http://laguiadelnetworking.com/


Cheers,


Julio Carvajal Segura

Jayson Cruz Mon, 07/15/2013 - 11:56

Hello my friend Julio,

Thank you for all your inputs, it has been a great learning experience for me. I wonder if zone-based firewall can be configured for HA (high availability) in active/active mode.

I just recently found out that the requirement is to configure IOS FW on two routers connected via iBGP, with each router having a different eBGP peering and redundant to each other.

Oh, and by the way, I just tried your blog/forum; however, I can't understand what's written on it since it is not in English, but nonetheless I think it is very educational.

Best Regards,
Jayson


Sent from Cisco Technical Support Android App

Jayson Cruz Mon, 07/15/2013 - 18:19

Hi Julio,

My apologies, but can I assign different zones to different subinterfaces?

I'm so sorry for causing you so much trouble.

Best regards,
Jayson


Sent from Cisco Technical Support Android App

Jayson Cruz Mon, 07/15/2013 - 20:53

Hello,

What will happen if some of the subinterfaces are not members of a zone? Can they still route traffic out of the service provider port configured to be in the public zone?

Thank you very much!

Best regards,
Jayson


Sent from Cisco Technical Support Android App

Julio Carvajal Tue, 07/16/2013 - 09:00

Hello,


Traffic from an interface that does not belong to a zone to an interface that belongs to one will not be allowed (and vice versa).

So if you put the ISP interface into a zone, the sub-interface must be placed into one as well.


For Networking Posts check my blog at http://laguiadelnetworking.com/


Cheers,


Julio Carvajal Segura

Jayson Cruz Mon, 07/22/2013 - 13:56

Hi Julio,

Good day, it's me again. My apologies for bothering you again. May I ask for your advice regarding the setup of my IOS Zone-Based Firewall on 2911 routers?

I have 2 2911 branch routers with BGP peering on WAN links to reach the branch. On the LAN interface of the said branch routers are the LAN segments, configured via the subinterface command and running HSRP with the other branch router.

How would I implement Zone-Based Firewall with HA without having drops because of asymmetric routing? I'm sorry, since the configuration guide that you sent me has so many options and configurations that I tend to get confused about which one is another option and which one is part of the previous procedure. I hope you could help me with this one as I need to implement it within this week.

Thank you very much, and I'm sorry for bothering you.

Thank you very much!

Jayson


Sent from Cisco Technical Support Android App

Julio Carvajal Mon, 07/22/2013 - 14:47

Hello Jayson,


Nice to see you again,


To be honest with you I have only played once with the HA configuration on IOS routers,


I will need to sit down and read the documentation again in order to give you good feedback. I will try to get 2 routers so I can play with them (if I am able to do it I will get back to you).


Regards


For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Jayson Cruz Mon, 07/22/2013 - 17:11

Hello My Friend Julio,


Thank you very much for your unwavering support.


May I share with you the topology I wish to implement. The Cisco 2911 ISRs are configured to be redundant during BGP failure and router failure. I would like the Cisco 2911 ISRs with IOS Firewall to be HA and to mitigate the asymmetric routing. The hosts are redundant via HSRP using subinterfaces.


Again Thank you very much on your support.


Best Regards,
Jayson

Jayson Cruz Mon, 07/22/2013 - 18:03

Hi Julio,


Thank you! Apparently I don't know how to do it.


Appreciate if you could give me a hand with the set up.


I'm very sorry for bothering you.


Thanks!


Best Regards,

Jayson

Jayson Cruz Mon, 07/22/2013 - 18:23

Hi Julio,


I understand. Thank you very much!


Hope we can talk again someday.


Best Regards,

Jayson

Jayson Cruz Mon, 07/22/2013 - 21:14

Hi Everyone,


Can anyone help me with the HA/redundancy issue?


Thanks!


Best Regards,

Jayson

Jayson Cruz Tue, 07/30/2013 - 23:15

Hi everyone!

May I ask if it is possible to block specific UDP/TCP ports on the IOS zone-based firewall?

Thank you very much!

Best Regards,
Jayson


Sent from Cisco Technical Support Android App

Julio Carvajal Wed, 07/31/2013 - 09:48

Hello Jayson,


It is possible, just don't match them with a permit or inspect rule.


I have created some posts on my blog related to ZBFW, go ahead and review them. They will help you.



For Networking Posts check my blog at http://www.laguiadelnetworking.com


Cheers,

Julio Carvajal Segura
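Pulling together the three points Julio answers in this thread (zone-pairs are built only between interfaces on the same router; once the ISP interface is in a zone, every LAN subinterface must be in one too; and specific ports are blocked simply by never matching them with a pass or inspect rule), here is an added single-router ZBFW configuration for a 2911 as an illustration. It is not from this thread, from Cisco's documents, or from Julio's blog. Interface names, zone names, the addresses, and the blocked ports (Telnet and TFTP are used purely as constructed examples) are assumed. It goes a step beyond the thread's port answer by adding an explicit drop class with logging, so blocked ports produce a syslog entry you can alert on instead of silently falling through to class-default.

```cisco
! Added example, not from this thread. Interface names, zone names,
! addresses and the blocked ports are assumed for illustration.
!
! Zones and zone-pairs are local to this router. A second branch router
! needs its own copies; nothing here is shared between routers.
zone security INSIDE
zone security OUTSIDE
!
! Ports to block explicitly (constructed example: Telnet and TFTP).
ip access-list extended ACL-BLOCKED-PORTS
 permit tcp any any eq 23
 permit udp any any eq 69
!
class-map type inspect match-all CM-BLOCKED-PORTS
 match access-group name ACL-BLOCKED-PORTS
!
! Sessions inside hosts may initiate towards the ISP. Return traffic is
! admitted by stateful inspection, not by a separate rule.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Classes are evaluated top-down, so the drop class comes before inspect.
! Anything matching no class hits class-default and is dropped; "log"
! produces a syslog message for the drop.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-BLOCKED-PORTS
  drop log
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! One zone-pair per direction that may initiate sessions. With no
! OUTSIDE->INSIDE pair, the ISP side cannot open sessions into the LAN.
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! ISP-facing interface (assumed address).
interface GigabitEthernet0/0
 description ISP uplink
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
! LAN segments on dot1q subinterfaces. Zone membership is set on each
! subinterface, not on the physical trunk. A subinterface left out of
! every zone can no longer exchange traffic with GigabitEthernet0/0 once
! that interface is a member of OUTSIDE. Two subinterfaces in the same
! zone (INSIDE) still pass traffic to each other without a zone-pair.
interface GigabitEthernet0/1
 description LAN trunk
 no ip address
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.2 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.10.20.2 255.255.255.0
 zone-member security INSIDE
```

To check the result, `show zone-pair security` lists the pair and its policy, and `show policy-map type inspect zone-pair sessions` shows the sessions the inspect class has opened; a Telnet or TFTP attempt from the LAN should appear as a logged drop rather than as a session. The example covers a single router only; the active/active HA and asymmetric-routing question raised later in the thread is not answered here, since stateful inspection on one router does not see return packets that arrive via the other.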
