Cisco Support Community

ZBFW recommended configuration and template

This document is a guide to configuring a Cisco IOS zone-based firewall (ZBFW). Two things must be in place before you start:


1. The zones must already be designed and mapped onto the router topology.

2. The traffic that must pass between zones must already be identified and understood.

In our example, we'll be using the following diagram:


Here is the chart we'll be using to identify inter-zone traffic (rows are the source zone, columns the destination zone):

From \ To    IN    DMZ          OUT
IN           x     http, imap   http, ftp
OUT          -     http, smtp   x

Once we have designed the ZBFW using the above criteria, it is time to apply this configuration. Here are the steps we will execute:

1. Create a "match access-list" and a "protocol class-map" to identify the traffic and to apply protocol-specific inspection, respectively.

2. Create "traffic class-map" to apply "match access-list" and "protocol class-map".

3. Create "traffic policy-map" to inspect, drop or pass the traffic identified by the "traffic class-map".

4. Create "traffic service-policy" and apply "traffic policy-map" created in #3.

Step 1: Create "match access-list" and "protocol class-map"

Create the access-lists that identify the traffic to be matched as it traverses the zones. The bracketed placeholders stand for the source and destination networks, which the original template left unspecified; replace them with your own addresses and wildcard masks.

ip access-list extended IN_TO_OUT_ACL

     10 permit ip <INSIDE_NET> <INSIDE_WILDCARD> any

ip access-list extended IN_TO_DMZ_ACL

     10 permit ip <INSIDE_NET> <INSIDE_WILDCARD> <DMZ_NET> <DMZ_WILDCARD>

ip access-list extended DMZ_TO_OUT_ACL

     10 permit ip <DMZ_NET> <DMZ_WILDCARD> any

ip access-list extended OUT_TO_DMZ_ACL

     10 permit ip any <DMZ_NET> <DMZ_WILDCARD>

class-map type inspect match-any IN_TO_OUT_PROTOCOLS

     match protocol http

     match protocol ftp

class-map type inspect match-any IN_TO_DMZ_PROTOCOLS

     match protocol http

     match protocol imap

class-map type inspect match-any DMZ_TO_OUT_PROTOCOLS

     match protocol smtp

class-map type inspect match-any OUT_TO_DMZ_PROTOCOLS

     match protocol http

     match protocol smtp

Step 2: Create "traffic class-map"

Create a class-map that combines the access-list and the protocol class-map created in step 1. Because these class-maps are match-all, a flow must match both the access-list and one of the protocols in the nested match-any class-map.

class-map type inspect match-all IN_TO_OUT_CMAP

     match access-group name IN_TO_OUT_ACL

     match class-map IN_TO_OUT_PROTOCOLS

class-map type inspect match-all IN_TO_DMZ_CMAP

     match access-group name IN_TO_DMZ_ACL

     match class-map IN_TO_DMZ_PROTOCOLS

class-map type inspect match-all DMZ_TO_OUT_CMAP

     match access-group name DMZ_TO_OUT_ACL

     match class-map DMZ_TO_OUT_PROTOCOLS

class-map type inspect match-all OUT_TO_DMZ_CMAP

     match access-group name OUT_TO_DMZ_ACL

     match class-map OUT_TO_DMZ_PROTOCOLS

Step 3: Create "traffic policy-map"

Now that we've created the four class-maps that identify the traffic, we need to apply an action to each one. "inspect" performs stateful inspection and permits the return traffic; anything that matches none of the classes falls into the implicit class-default, which drops it.

policy-map type inspect IN_TO_OUT_PMAP

     class type inspect IN_TO_OUT_CMAP

          inspect

policy-map type inspect IN_TO_DMZ_PMAP

     class type inspect IN_TO_DMZ_CMAP

          inspect

policy-map type inspect DMZ_TO_OUT_PMAP

     class type inspect DMZ_TO_OUT_CMAP

          inspect

policy-map type inspect OUT_TO_DMZ_PMAP

     class type inspect OUT_TO_DMZ_CMAP

          inspect


Step 4: Apply the "traffic service-policy"

The last step is to apply each policy-map to its zone-pair, which activates the zone-based firewall for that direction of traffic.

zone-pair security IN_TO_OUT_ZP source INSIDE destination OUTSIDE

     service-policy type inspect IN_TO_OUT_PMAP

zone-pair security IN_TO_DMZ_ZP source INSIDE destination DMZ

     service-policy type inspect IN_TO_DMZ_PMAP

zone-pair security DMZ_TO_OUT_ZP source DMZ destination OUTSIDE

     service-policy type inspect DMZ_TO_OUT_PMAP

zone-pair security OUT_TO_DMZ_ZP source OUTSIDE destination DMZ

     service-policy type inspect OUT_TO_DMZ_PMAP

Please note that the zones must be predefined or step 4 will fail. If not already done, create the zones using the following commands:

zone security INSIDE

zone security DMZ

zone security OUTSIDE

Final Steps

Now that the entire ZBFW policy has been built, the last step is to assign each interface to its zone with the "zone-member security" command. Keep in mind that traffic between a zone-member interface and an interface that belongs to no zone is dropped, traffic between interfaces in the same zone is permitted, and traffic between two zones with no zone-pair is dropped.

interface FastEthernet0/0

     zone-member security INSIDE

interface FastEthernet0/1

     zone-member security DMZ

interface FastEthernet0/2

     zone-member security OUTSIDE
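A template like this is built from names that must agree across four steps, and a single typo (an ACL defined under one name and matched under another, a policy-map classifying on the wrong class-map, a zone-pair created before its zones, a class with no action) silently leaves a zone-pair dropping or not inspecting traffic. The following Python lint is an added example, not part of the original post: it checks that every name a Cisco IOS ZBFW config references was also defined, and that every class under a policy-map has an inspect, pass or drop action. The sample config is constructed and deliberately contains those mistakes.

```python
import re

# Constructed sample (not from the page) reproducing the template's two name
# mismatches (INT_TO_DMZ_ACL vs IN_TO_DMZ_ACL, IN_TO_OUT_CMAP inside IN_TO_DMZ_PMAP),
# plus a class with no action and a zone-pair whose DMZ zone was never created.
SAMPLE = """\
ip access-list extended INT_TO_DMZ_ACL
 10 permit ip any any
class-map type inspect match-all IN_TO_DMZ_CMAP
 match access-group name IN_TO_DMZ_ACL
policy-map type inspect IN_TO_DMZ_PMAP
 class type inspect IN_TO_OUT_CMAP
 class class-default
zone security INSIDE
zone-pair security IN_TO_DMZ_ZP source INSIDE destination DMZ
 service-policy type inspect IN_TO_DMZ_PMAP
"""

# Definitions bind a name of a kind; a reference of that kind must resolve to one.
DEFS = [("acl", r"ip access-list extended (\S+)"),
        ("class-map", r"class-map type inspect match-\w+ (\S+)"),
        ("policy-map", r"policy-map type inspect (\S+)"),
        ("zone", r"zone security (\S+)")]
REFS = [("acl", r"match access-group name (\S+)"),
        ("class-map", r"match class-map (\S+)"),
        ("class-map", r"class type inspect (\S+)"),
        ("policy-map", r"service-policy type inspect (\S+)"),
        ("zone", r"zone-pair security \S+ source (\S+) destination (\S+)"),
        ("zone", r"zone-member security (\S+)")]

def lint_zbfw(config: str) -> list[str]:
    defined = {kind: set() for kind, _ in DEFS}
    for kind, pat in DEFS:
        for m in re.finditer(r"^\s*" + pat + r"\s*$", config, re.M):
            defined[kind].add(m.group(1))
    findings, pending = [], None  # pending = (line, class) still awaiting an action
    for lineno, line in enumerate(config.splitlines() + ["end"], 1):  # "end" flushes a trailing class
        words = line.split()
        if pending and words and words[0] in ("inspect", "pass", "drop"):
            pending = None  # the class got its action
        elif pending and words and not line.startswith("  "):
            findings.append(f"line {pending[0]}: class '{pending[1]}' has no inspect/pass/drop action")
            pending = None
        for kind, pat in REFS:
            if m := re.fullmatch(r"\s*" + pat + r"\s*", line):
                findings += [f"line {lineno}: {kind} '{n}' is referenced but never defined"
                             for n in m.groups() if n not in defined[kind]]
                if pat.startswith("class type"):
                    pending = (lineno, m.group(1))
    return findings
```

Run it against the output of "show running-config" before committing a change; an empty result means every ACL, class-map, policy-map and zone name resolves and every class carries an action.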