Cisco Support Community
Community Member

Cisco 2911 ISR Firewall

Hi everyone,

I would like to inquire on how to deploy Cisco 2911 ISR routers to act as a firewall to protect segments of my network. We have more than 10 units of the said router on our branch and I would like to ask how I can make it a firewall; it is running IOS with the sec/k9 license.

Hope that anyone can help me with my problem.

Thank you very much in advance

Best Regards,

Jayson Cruz

24 REPLIES

Cisco 2911 ISR Firewall

ZBFW (ZFW) is the answer. Cisco docs will help you on how to work with the feature.

Community Member

Cisco 2911 ISR Firewall

Hi Andrew,

Thank you for your reply. If it is not too much to ask, may I ask for your help in having a copy/link of such Cisco documents? I am currently a newbie in the field of firewalling, such as this one, Cisco 2911 ISR with sec/k9 license.

Thank you very much and your assistance is very much appreciated.

Best Regards,

Jayson

Re: Cisco 2911 ISR Firewall

Hi Jayson,

Just want to add some really useful links (the one mentioning the self-zone was created by me)

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

https://supportforums.cisco.com/docs/DOC-27487

https://supportforums.cisco.com/docs/DOC-34539

If you speak Spanish, on the link below there's a blog that talks about ZBFW in detail

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re:Cisco 2911 ISR Firewall

Hi Julio,

Thank you very much for your support.

Best Regards,
Jayson


Sent from Cisco Technical Support Android App

Re: Cisco 2911 ISR Firewall

Hello,

Sure, any other question you have?

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re:Cisco 2911 ISR Firewall

Hello Julio,

Thank you for your answer, I am starting to be enlightened with this topic.

Yes, I have another question: may I ask if I need to implement zone pairs when doing zone-based firewall between different sites?


Sent from Cisco Technical Support Android App

Re:Cisco 2911 ISR Firewall

Hello Jayson,

No, ZBFW is independent at each site.

So if you decide to implement ZBFW on 2 different sites on 2 different routers,

you will need to set the zone-pairs between the interfaces only on the SAME router.

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re:Cisco 2911 ISR Firewall

Hello my friend Julio,

Thank you for all your inputs, it has been a great learning experience for me. I wonder if zone-based firewall can be configured for HA (high availability) in active/active mode.

I just recently found out that the requirement is to configure IOS FW on two routers connected via iBGP, with each router having different eBGP peering and redundant to each other.

Oh, and by the way, I just tried your blog/forum; however, I can't understand what's written on it since it was not in English, but nonetheless I think it is very much educational.

Best Regards,
Jayson


Sent from Cisco Technical Support Android App

Re:Cisco 2911 ISR Firewall

Hello Jayson,

Here is a link for the failover cluster for ZBFW (It's supported)

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-data-zbf-ha.html

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re:Cisco 2911 ISR Firewall

Hi Julio,

My apologies, but can I assign different zones to different subinterfaces?

I'm so sorry for causing you so much trouble.

Best regards,
Jayson


Sent from Cisco Technical Support Android App

Re:Cisco 2911 ISR Firewall

Hello,

Yes, you can,

Do not worry Jayson, Here to help

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re:Cisco 2911 ISR Firewall

Hello,

What will happen if some of the subinterfaces are not members of a zone? Can they still route traffic outside the service provider port configured to be in the public zone?

Thank you very much!

Best regards,
Jayson


Sent from Cisco Technical Support Android App

Re:Cisco 2911 ISR Firewall

Hello,

Traffic from an interface that does not belong to a zone to an interface that belongs to one will not be allowed (and vice versa).

So if you set the ISP interface into a zone, the sub-interface must be placed into one as well.

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re:Cisco 2911 ISR Firewall

Hi Julio,

Good day, it's me again. My apologies to bother you again. May I ask for your advice regarding the set-up of my IOS Zone-Based Firewall via 2911 routers.

I have 2 2911 branch routers with BGP peering on WAN links to reach the branch. On the LAN interface of the said branch routers are the LAN segments configured via the subinterface command and running HSRP with the other branch router.

How would I implement Zone-Based Firewall with HA without having drops because of asymmetric routing? I'm sorry, since the configuration guide that you sent me has so many options and configurations that I tend to be confused about which one is another option and which one is part of the previous procedure. I hope you could help me with this one as I need to implement it within this week.

Thank you very much and I'm sorry for bothering you.

Thank you very much!

Jayson


Sent from Cisco Technical Support Android App

Re:Cisco 2911 ISR Firewall

Hello Jayson,

Nice to see you again,

To be honest with you I have only played once with the HA configuration on IOS routers,

I will need to sit down and read the documentation again in order to provide you good feedback. I will try to get 2 routers so I can play with them (if I am able to do it, I will get back to you).

Regards

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re:Cisco 2911 ISR Firewall

Hello My Friend Julio,

Thank you very much for your unwavering support.

May I share with you the topology I wish to implement. The Cisco 2911 ISR is configured to be redundant during BGP failure and router failure. I would like the Cisco 2911 ISR with IOS Firewall to be HA and mitigate the asymmetric routing. The hosts are redundant via HSRP using subinterfaces.

Again Thank you very much on your support.

Best Regards,
Jayson

Re:Cisco 2911 ISR Firewall

Hello Jayson,

Yes, the HA topology or feature will cover that particular scenario (no disruption on the network), so this is definitely what you need to implement.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Cisco 2911 ISR Firewall

Hi Julio,

Thank you! Apparently I don't know how to do it.

I would appreciate it if you could give me a hand with the set-up.

I'm very sorry for bothering you.

Thanks!

Best Regards,

Jayson

Cisco 2911 ISR Firewall

Hello Jayson,

I am sorry but at the moment I do not have the time or devices to start a setup like this so I would not be able to do it,

Hopefully someone else can do it,

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Cisco 2911 ISR Firewall

Hi Julio,

I understand. Thank you very much!

Hope we can talk again someday.

Best Regards,

Jayson

Cisco 2911 ISR Firewall

Hello Jayson,

I hope the same, have a great day

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Cisco 2911 ISR Firewall

Hi Everyone,

Can anyone help me with the HA/redundancy issue?

Thanks!

Best Regards,

Jayson

Community Member

Re:Cisco 2911 ISR Firewall

Hi everyone!

May I ask if it is possible to block specific UDP/TCP ports on the IOS zone-based firewall?

Thank you very much!

Best Regards,
Jayson


Sent from Cisco Technical Support Android App

Re:Cisco 2911 ISR Firewall

Hello Jayson,

It is possible, just don't match them with a permit or inspect rule,

I have created some posts on my blog related to ZBFW, go ahead and review them. They will help you.

For Networking Posts check my blog at http://www.laguiadelnetworking.com


Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
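To put the two answers above into one concrete configuration (zone-pairs exist only between zones on the same router, a sub-interface left out of every zone cannot reach a zoned ISP interface, and specific TCP/UDP ports are blocked by not inspecting them or by dropping them explicitly), here is an added example for a single 2911. It is not configuration from this thread, from Julio's blog, or from Cisco documentation; the interface names, VLAN numbers, IP addresses and the list of blocked ports are assumptions chosen for illustration.

```ios
! Added example (not from the thread). Single router: zones, zone-pair,
! sub-interfaces as zone members, and explicit drop of assumed TCP/UDP ports.

! 1. Zones. An interface in no zone can only talk to other non-zoned
!    interfaces (and to the router's own "self" zone), never to a zoned one.
zone security INSIDE
zone security PUBLIC

! 2. ISP uplink and LAN sub-interfaces (names and addresses are assumed)
interface GigabitEthernet0/0
 description ISP uplink (assumed)
 ip address 203.0.113.2 255.255.255.252
 zone-member security PUBLIC

interface GigabitEthernet0/1.10
 description Users VLAN (assumed)
 encapsulation dot1Q 10
 ip address 192.168.10.2 255.255.255.0
 zone-member security INSIDE

interface GigabitEthernet0/1.20
 description Servers VLAN (assumed)
 encapsulation dot1Q 20
 ip address 192.168.20.2 255.255.255.0
 zone-member security INSIDE

! GigabitEthernet0/1.30 is deliberately left without "zone-member security":
! once Gi0/0 is in PUBLIC, hosts on Gi0/1.30 cannot reach the ISP through
! this router, which is the behaviour described in the thread.

! 3. Ports to block (assumed list) are matched by an ACL inside a drop class
ip access-list extended BLOCKED-PORTS
 permit tcp any any eq 23
 permit udp any any eq 69
 permit tcp any any range 135 139
 permit udp any any range 135 139
 permit tcp any any eq 445

class-map type inspect match-all CM-BLOCKED
 match access-group name BLOCKED-PORTS

! Only what is listed here is inspected; anything not matched by CM-ALLOWED
! falls into class-default and is dropped, which is the "just don't match
! them with an inspect rule" approach from the last reply.
class-map type inspect match-any CM-ALLOWED
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

! 4. Policy: the drop class comes first so a blocked port is never inspected
policy-map type inspect PM-INSIDE-TO-PUBLIC
 class type inspect CM-BLOCKED
  drop log
 class type inspect CM-ALLOWED
  inspect
 class class-default
  drop log

! 5. Zone-pair between two zones of THIS router. Stateful inspect permits the
!    return traffic, so no PUBLIC->INSIDE zone-pair is needed for replies.
zone-pair security INSIDE-TO-PUBLIC source INSIDE destination PUBLIC
 service-policy type inspect PM-INSIDE-TO-PUBLIC

! Verification
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair INSIDE-TO-PUBLIC sessions
```

Because the drop class is listed before the inspect class, a connection to one of the blocked ports is logged and discarded even though the protocol would otherwise be inspected; the `show policy-map type inspect zone-pair ... sessions` output is where you confirm that only the intended protocols build sessions. The HA/asymmetric-routing question raised earlier in the thread is not covered by this single-router example.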
837 Views, 22 Helpful, 24 Replies