The Cisco IOS Zone-Based Firewall is one of the most advanced forms of stateful firewall available on Cisco IOS devices. The Zone-Based Firewall (ZFW) is the successor of the Classic IOS Firewall, also known as CBAC (Context-Based Access Control). In a Zone-Based Policy Firewall, multiple security zones are defined and each router interface is assigned to one of them. Traffic flows unrestricted between interfaces that belong to the same zone, but traffic between two different zones is blocked unless a policy is defined for that zone pair. In a traditional firewall the policies are applied on the interface itself, whereas in a zone-based firewall they are applied between zones. Cisco IOS Zone-Based Firewall for IPv6 coexists with Cisco IOS Zone-Based Firewall for IPv4 in order to support IPv6 traffic.
Use Cisco Feature Navigator to find the latest information about platform support and Cisco IOS Software image support.
The topology below is a simple network containing two security zones. Hosts H1 (Client) and H2 (Admin) are connected to the inside interface GigabitEthernet0/1 and access a web server connected to the outside interface GigabitEthernet0/0. The goal is to allow 1) only HTTP and HTTPS traffic for H1 (Client) from inside to outside, and 2) HTTP, HTTPS and ICMP for H2 (Admin) from inside to outside. All other traffic from inside to outside should be dropped.
Configuration of the zone-based firewall on the router consists of 5 steps, shown as follows:
Step 1: Create zones:
ZFW(config)#zone security INSIDE
ZFW(config)#zone security OUTSIDE
Step 2: Assign each interface to the zone you just created:
ZFW(config)#interface GigabitEthernet0/1
ZFW(config-if)#zone-member security INSIDE
ZFW(config)#interface GigabitEthernet0/0
ZFW(config-if)#zone-member security OUTSIDE
By default, interfaces in different zones cannot talk to each other, while interfaces in the same zone can.
Step 3: Configure the class-maps:
Class maps classify traffic and identify what the policy will inspect. A class map is built from one or more match conditions: it can match on an ACL, on a protocol, or on another class map. Conditions are combined with match-any (logical OR) or match-all (logical AND), and a condition can be negated with match not.
First, an IPv6 ACL that matches ICMPv6 echo requests from H2 only (H1 is 2001::3 and so does not match):
ipv6 access-list IN-TO-OUT-ACL
permit icmp host 2001::2 any echo-request sequence 10
Then a match-any class map that matches HTTP, HTTPS, or the ACL above:
class-map type inspect match-any IN-TO-OUT-CLASS
match protocol http
match protocol https
match access-group name IN-TO-OUT-ACL
Step 4: Define the policy for this traffic with a policy map:
Policy maps associate actions with traffic classes and therefore determine the firewall policy applied to each class. The actions are Pass, Drop and Inspect (Drop and Pass accept a Log option); Reset is an action of the application-layer (Layer 7) policy maps. Every policy map ends with an implicit class-default as its last class, and the default action of class-default is drop.
ZFW(config)#policy-map type inspect IN-TO-OUT-POLICY
ZFW(config-pmap)#class type inspect IN-TO-OUT-CLASS
ZFW(config-pmap-c)#inspect
You can also configure parameter maps to set thresholds, timeouts, and other parameters that apply to the inspect action, and reference the parameter map from the inspect action:
ZFW(config)#parameter-map type inspect ipv6-header
Step 5: Create a zone pair with INSIDE as the source zone and OUTSIDE as the destination zone, and attach the policy map to it:
ZFW(config-sec-zone-pair)#service-policy type inspect IN-TO-OUT-POLICY
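The five steps above, collected into one complete configuration for the IPv6 topology described earlier. This is an added worked example, not configuration taken from the original page; the zone-pair name IN-TO-OUT, the interface descriptions and the contents of the parameter map (session limit and audit trail) are assumptions chosen for illustration. The ACL matches echo requests from H2 (2001::2) only, so a ping from H1 (2001::3) falls through to class-default and is dropped and logged.

```cisco
! Step 1: define the two security zones
zone security INSIDE
zone security OUTSIDE
!
! Step 2: place each interface in its zone (addresses omitted; interfaces
! are assumed to already carry their IPv6 configuration)
interface GigabitEthernet0/1
 description INSIDE - H1 (Client, 2001::3) and H2 (Admin, 2001::2)
 zone-member security INSIDE
interface GigabitEthernet0/0
 description OUTSIDE - web server
 zone-member security OUTSIDE
!
! Step 3: classify the traffic to inspect
! ICMPv6 echo requests are allowed from the Admin host only
ipv6 access-list IN-TO-OUT-ACL
 permit icmp host 2001::2 any echo-request sequence 10
! match-any = logical OR: HTTP, or HTTPS, or the ACL above
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol http
 match protocol https
 match access-group name IN-TO-OUT-ACL
!
! Step 4: parameter map (assumed values) and the policy map
parameter-map type inspect ipv6-header
 sessions maximum 1000
 audit-trail on
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect ipv6-header
 ! everything else: explicit drop with log so the drops are visible
 class class-default
  drop log
!
! Step 5: zone pair (assumed name IN-TO-OUT) carrying the policy
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
```

Because the inspect action is stateful, the HTTP/HTTPS replies and the ICMPv6 echo replies returning from the server are admitted as part of the existing session; no OUTSIDE-to-INSIDE zone pair is needed for this scenario. The log keyword on class-default is what produces the drop messages on the terminal that the verification section below refers to.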
1) To display the zones, their descriptions, and the interfaces assigned to each zone, use the "show zone security" command.
2) To display the zone pairs and the service policy associated with each zone pair, use the "show zone-pair security" command.
3) Use "show policy-map type inspect zone-pair sessions" to display the stateful packet inspection sessions created because a policy map is applied on the specified zone pair.
The output below shows the sessions created when Host H2 (2001::2/128) connects to the server over HTTP and HTTPS.
4) The default action of class-default is drop, and here it is configured with the log option. In the output below you can see that when Host H1 (2001::3) tries to ping S1, the firewall drops the packets and prints a log message on the terminal.