
Chapter 13: Implementing Cisco IOS Zone-Based Firewalls

I. Cisco IOS Zone-Based Firewall


1. How Zone-Based Firewall Operates
1. Zones are created, such as inside, outside, and dmz.
2. Policies are unidirectional. For example, a policy must be created for traffic
from the inside to the outside; stateful inspection then takes care of the return traffic.
To allow traffic initiated from the outside to the inside, a separate policy (on a second
zone pair) has to be created as well.

2. Specific Features of Zone-Based Firewalls


1. Stateful inspection
2. Application inspection
3. Packet filtering
4. URL filtering
5. Transparent firewall (implementation method)
6. Support for virtual routing and forwarding (VRF)
7. ACLs are not required as a filtering method to implement policy

3. Zones and Why We Need Pairs of Them


1. Zones are created and then interfaces are added to a zone. Multiple interfaces can join
a zone, but an interface can belong to only one zone. The self zone is the router itself:
traffic destined to, or sourced from, one of the router's own IP addresses belongs to the
self zone. By default all traffic is allowed in and out of the self zone.
2. By default traffic within a zone is allowed, even between interfaces of the same zone.
To allow traffic from one zone to another zone, however, you must create a zone pair and
apply a unidirectional policy to it. Within this policy you configure inspection and other
actions. Policies are always unidirectional.
3. This policy can be configured to inspect the traffic and use the stateful database to
keep track of return traffic.
4. You could also have a DMZ zone. Zone pairs would most likely be created between the
outside zone and the dmz zone in both directions (outside-to-dmz so the published servers
can be reached, dmz-to-outside if the servers must initiate connections themselves).

5. (Figure: example topology of a medium-sized company with a DMZ; not reproduced here.)

4. Putting the Pieces Together


1. Cisco Common Classification Policy Language (C3PL), much like the ASA Modular Policy
Framework (MPF) and the IOS Modular QoS CLI (MQC).
2. Three main components
a. Class maps: These identify traffic, such as traffic that should be inspected. Traffic
can be matched based on Layer 3 through Layer 7 of the OSI model, including
application-based matching. Class maps can also refer to ACLs to identify traffic, or
even call upon other class maps. A class map can have multiple match statements and can
specify that all of them have to match (match-all) or that matching any one entry counts
as a match (match-any). A system-defined class map named class-default represents all
traffic not matched by a more specific (administratively configured) class map.
b. Policy maps: These specify the actions to take on the traffic and call on class maps
for the classification. A policy map with multiple classes is processed in order. The
primary actions are inspect (stateful inspection), pass (traffic is permitted but not
inspected, so no entry is created in the stateful database), drop, and log.
c. Service policies: This is where a policy map is applied to a zone pair. This step
actually implements the policy.

d. A policy map is evaluated top to bottom against its class maps; the first class that
matches determines the action. Traffic that matches none of the configured classes falls
into class-default, whose default action is drop (the implicit deny). The self zone is the
exception only in that, without a zone pair and applied policy, traffic to and from the
router itself is permitted by default.
Table 13-2 Policy Map Actions
Policy Action | Description | When to Use It
Inspect | Permit and statefully inspect the traffic | Transit traffic initiated by users who expect replies from devices on the other side of the firewall
Pass | Permits the traffic but does not create an entry in the stateful database | Traffic that does not need a reply. Also, for protocols that do not support inspection, pass can be applied on the zone pair for specific outbound traffic and on a second zone pair for the inbound traffic
Drop | Deny the packet | Traffic you do not want to allow between the zones where this policy map is applied
Log | Log the packets | Add this option if you want to see log information about packets that were dropped because of policy

5. Service Policies
Table 13-3 Traffic Interaction Between Zones
Ingress Interface Member of Zone | Egress Interface Member of Zone | Zone Pair Exists, with Applied Policy | Result
No | No | Does not matter | Traffic is forwarded
No | Yes (any zone) | Does not matter | Traffic is dropped
Yes (zone A) | Yes (zone A) | Does not matter | Traffic is forwarded
Yes (zone A) | Yes (zone B) | No | Traffic is dropped
Yes (zone A) | Yes (zone B) | Yes | Policy is applied. If the policy is inspect or pass, the initial traffic is forwarded. If the policy is drop, the initial traffic is dropped

1. How to configure based on the above components
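The components above assembled into one configuration, added here as a worked example (it is not Example 13-1 from the book and not output generated by CCP). The zone names follow the chapter; the interface names, the addresses (10.1.1.0/24 inside, a DMZ web server at 172.16.1.10) and the class-map, policy-map and zone-pair names are assumptions chosen for illustration.

```cisco
! --- Zones: an interface belongs to at most one zone ---
zone security inside
zone security outside
zone security dmz

! --- Classification (class maps) ---
! Protocols that users on the inside may initiate toward the outside.
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

! Only the published service, and only to the DMZ web server: match-all
! combines an ACL (who/where) with a protocol match (what).
ip access-list extended DMZ-WEB-SERVER
 permit ip any host 172.16.1.10
class-map type inspect match-all OUT-TO-DMZ-CLASS
 match access-group name DMZ-WEB-SERVER
 match protocol http

! --- Actions (policy maps): evaluated top to bottom, first match wins.
! Anything not matched falls to class-default, whose default is drop;
! "drop log" makes those drops visible in syslog. ---
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log

policy-map type inspect OUT-TO-DMZ-POLICY
 class type inspect OUT-TO-DMZ-CLASS
  inspect
 class class-default
  drop log

! --- Zone pairs: each one covers a single direction of initial traffic.
! Return traffic is matched against the stateful session table, so no
! outside-to-inside pair is needed for replies to inside-initiated flows. ---
zone-pair security IN-TO-OUT source inside destination outside
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUT-TO-DMZ source outside destination dmz
 service-policy type inspect OUT-TO-DMZ-POLICY

! No pair exists for inside -> dmz or dmz -> inside, so that traffic is
! dropped (Table 13-3, row 4). Add pairs if the DMZ must be reachable
! from the inside.

! --- Interface membership ---
interface GigabitEthernet0/0
 description Inside
 ip address 10.1.1.1 255.255.255.0
 zone-member security inside
interface GigabitEthernet0/1
 description Outside
 ip address 203.0.113.2 255.255.255.252
 zone-member security outside
interface GigabitEthernet0/2
 description DMZ
 ip address 172.16.1.1 255.255.255.0
 zone-member security dmz
```

Two things to notice when reading this against Tables 13-2 and 13-3: an inside host that tries to reach the DMZ server is dropped not because of any drop statement but because no inside-to-dmz zone pair exists, and the HTTP session an inside user opens to the outside gets its replies back only because inspect created a session entry; with pass instead of inspect the replies would have nothing to match and would be dropped.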

6. The Self Zone

Table 13-4 Self Zone Traffic Behavior
Source Traffic Member of Zone | Destination Traffic Member of Zone | Zone Pair Exists, with a Policy Applied | Result
Self | Zone A | No | Traffic is passed
Zone A | Self | No | Traffic is passed
Self | Zone A | Yes | Policy is applied
Zone A | Self | Yes | Policy is applied
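The rows of Table 13-4 in practice: as long as no zone pair includes the self zone, everything to and from the router's own addresses is passed, which also means the management plane is reachable from every zone. The configuration below is an added example (not from the book and not CCP output) that restricts management access to the inside zone while keeping the router's own traffic working. It assumes zones named inside and outside already exist, a management subnet of 10.1.1.0/24, and OSPF running toward the inside; the ACL, class-map and policy-map names are made up for illustration.

```cisco
! Once a zone pair with "self" as source or destination carries a policy,
! everything that policy does not match is dropped by class-default. That
! includes routing protocols and your own SSH session, so apply this from
! the console (or from a host that will still match) the first time.

! --- Who may manage the router, and with what ---
ip access-list extended MGMT-TO-ROUTER
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 permit icmp 10.1.1.0 0.0.0.255 any
class-map type inspect match-any TCP-ICMP
 match protocol tcp
 match protocol icmp
! match-all with a nested class map: the ACL restricts source and port,
! the nested class supplies protocols that can be inspected statefully.
class-map type inspect match-all IN-TO-SELF-MGMT
 match access-group name MGMT-TO-ROUTER
 match class-map TCP-ICMP

! --- Routing protocol traffic: OSPF is neither TCP nor UDP, so it cannot
! be inspected; it is passed on both pairs (the "pass" case of Table 13-2) ---
ip access-list extended OSPF-TRAFFIC
 permit ospf any any
class-map type inspect match-all ROUTING-OSPF
 match access-group name OSPF-TRAFFIC

! --- Traffic the router itself initiates (NTP, DNS, syslog, ping) ---
class-map type inspect match-any ROUTER-INITIATED
 match protocol tcp
 match protocol udp
 match protocol icmp

! --- Policies ---
policy-map type inspect IN-TO-SELF-POLICY
 class type inspect ROUTING-OSPF
  pass
 class type inspect IN-TO-SELF-MGMT
  inspect
 class class-default
  drop log

policy-map type inspect SELF-TO-IN-POLICY
 class type inspect ROUTING-OSPF
  pass
 class type inspect ROUTER-INITIATED
  inspect
 class class-default
  drop log

! Nothing from the outside may initiate a connection to the router.
policy-map type inspect OUT-TO-SELF-POLICY
 class class-default
  drop log

! The router may still originate traffic to the outside; inspecting it is
! what lets the replies through OUT-TO-SELF-POLICY via the session table.
policy-map type inspect SELF-TO-OUT-POLICY
 class type inspect ROUTER-INITIATED
  inspect
 class class-default
  drop log

! --- Zone pairs (one per direction) ---
zone-pair security IN-TO-SELF source inside destination self
 service-policy type inspect IN-TO-SELF-POLICY
zone-pair security SELF-TO-IN source self destination inside
 service-policy type inspect SELF-TO-IN-POLICY
zone-pair security OUT-TO-SELF source outside destination self
 service-policy type inspect OUT-TO-SELF-POLICY
zone-pair security SELF-TO-OUT source self destination outside
 service-policy type inspect SELF-TO-OUT-POLICY
```

The caveat is the second row of Table 13-4: any zone that has no pair with self, a dmz zone for instance, can still reach the router's addresses unrestricted, so every zone that should be locked out needs its own zone pair toward self.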

II. Configuring and Verifying Cisco IOS Zone-Based Firewall


1. First Things First
2. Using CCP to Configure the Firewall
1. Select the router you want to configure and navigate to Configure > Security > Firewall
> Firewall.

2. On the wizard selection screen, click Next.

3. Select the interfaces and mark which ones are trusted and which are untrusted.

4. Interfaces not assigned to a zone cannot pass traffic to or between interfaces assigned
to a zone.

5. If Cisco Unified Communications Manager Express (CME) is in use, click Yes to allow CME
traffic through the firewall; otherwise click No.

6. The wizard warns that the untrusted interface(s) cannot be used to reach the router's
management plane.

7. Choose the security level to implement:
a. High Security: the firewall identifies and drops instant messaging and peer-to-peer
traffic, performs application inspection for web and email traffic and drops
noncompliant traffic, and does generic inspection of TCP and UDP applications.
b. Medium Security: similar to High Security, but web and email traffic is not checked
for protocol compliance.
c. Low Security: the router does not perform any application inspection; it does generic
TCP and UDP inspection only.

8. Configure the DNS server.

9. After clicking Next, you get a summary of the features that will be implemented.
10. Finally, CCP displays the commands it issued to configure the zone-based firewall policy.

3. Verifying the Firewall

1. To edit and verify using CCP: Configure > Security > Firewall > Firewall, then click Edit.

2. To check logs, go to Monitor > Router > Logging.

3. To see the firewall status and current activity, use the Monitor feature within CCP:
Monitor > Security > Firewall Status.

4. Verifying the Configuration from the Command Line

5. Implementing NAT in Addition to ZBF

1. Configure > Router > NAT, then launch the Basic NAT Wizard.
2. If a DMZ server must be reachable from the outside, you would use Advanced NAT (a static
translation); the following examples use Basic NAT.
3. Launch the Selected Task.
4. Select the outside interface, and then check the networks you want to be translated.

6. Verifying Whether NAT Is Working
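An added example for the sections "Verifying the Configuration from the Command Line", "Implementing NAT in Addition to ZBF" and "Verifying Whether NAT Is Working" (it is not Example 13-4 or 13-5 from the book and not CCP output): PAT of the inside network behind the outside interface address, a static translation for a DMZ server as the Advanced NAT case mentioned above, and the CLI checks for both the zone policy and the translations. It assumes the inside/outside/dmz design described in this chapter on the interface names and addresses used here (GigabitEthernet0/0 inside with 10.1.1.0/24, GigabitEthernet0/1 outside at 203.0.113.2, GigabitEthernet0/2 dmz with a web server at 172.16.1.10); the ACL name and the zone-pair name IN-TO-OUT are assumptions as well.

```cisco
! --- NAT roles on the interfaces (independent of zone membership) ---
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/2
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside

! Which inside sources are translated dynamically. The DMZ is left out of
! this list; its server gets a static one-to-one mapping below.
ip access-list standard NAT-INSIDE
 permit 10.1.1.0 0.0.0.255

! "overload" = PAT: many inside hosts share the outside interface address,
! distinguished by source port (quiz question 7).
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload

! Advanced NAT case: a fixed public address for the DMZ web server so the
! outside can reach it. The zone policy that protects this server has to
! match its real address 172.16.1.10, not 203.0.113.10, because the
! outside-to-inside translation is done before the zone policy is evaluated.
ip nat inside source static 172.16.1.10 203.0.113.10

! --- Verification from the CLI ---
! Zones and their member interfaces; an interface missing here is in no
! zone and cannot exchange traffic with any zoned interface (Table 13-3).
show zone security
! Each zone pair, its direction, and the policy map attached to it.
show zone-pair security
! The class maps and policy maps as configured.
show class-map type inspect
show policy-map type inspect
! The stateful session table for one pair: an inside-initiated HTTP session
! should be listed while it is open; its replies are what this table lets in.
show policy-map type inspect zone-pair IN-TO-OUT sessions
! Packets hit by "drop log" and session audit-trail messages are logged
! with the %FW- facility prefix.
show logging | include %FW-
! NAT: the active translations (inside local -> inside global), then the
! hit/miss counters and the dynamic rule in use.
show ip nat translations
show ip nat statistics
```

Reading the two outputs together is the quickest way to localise a problem: a flow that shows up in the session table but never in the translation table is a NAT issue, and a flow with a translation but no session entry never passed the zone policy.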

III. Do I Know This Already? Quiz


Table 13-1 Do I Know This Already? Section-to-Question Mapping
Foundation Topics Section
Questions
Cisco IOS Zone-Based Firewall

1-4

Configuring and Verifying Cisco IOS Zone-Based Firewall

5-8

1. Which zone is implied by default and does not need to be manually created?
a. Inside
b. Outside
c. DMZ
d. Self
2. If interface number 1 is in zone A, and interface number 2 is in zone B, and there is no
policy or service commands applied yet to the configuration, what is the status of
transit traffic that is being routed between these two interfaces?
a. Denied
b. Permitted
c. Inspected
d. Logged
3. When creating a specific zone pair and applying a policy to it, policy is being
implemented on initial traffic in how many directions?
a. 1
b. 2
c. 3
d. Depends on the policy
4. What is the default policy between an administratively created zone and the self zone?
a. Deny
b. Permit
c. Inspect
d. Log
5. What is one of the added configuration elements that the Advanced security setting has
in the ZBF Wizard that is not included in the Low security setting?
a. Generic TCP inspection
b. Generic UDP inspection
c. Filtering of peer-to-peer networking applications
d. NAT
6. Why is it that the return traffic, from previously inspected sessions, is allowed back to
the user, in spite of not having a zone pair explicitly configured that matches on the
return traffic?
a. Stateful entries (from the initial flow) are matched, which dynamically allows
return traffic
b. Return traffic is not allowed because it is a firewall
c. Explicit ACL rules need to be placed on the return path to allow the return traffic
d. A zone pair in the opposite direction of the initial zone pair (including an applied
policy) must be applied for return traffic to be allowed
7. What does the keyword overload imply in a NAT configuration?
a. NAT is willing to take up to 100 percent of available CPU
b. PAT is being used
c. NAT will provide best effort but not guaranteed service, due to an overload
d. Static NAT is being used

8. Which of the following commands shows the current NAT translations on the router?
a. show translations
b. show nat translations
c. show ip nat translations
d. show ip nat translations

IV. Review All the Key Topics

Table 13-5 Key Topics
Key Topic Element | Description | Page Number
Text | Overview of how the ZBF operates | 294
List | Specific features of the ZBF | 294
List | Putting the pieces together | 296
Table 13-2 | Policy map actions | 297
Table 13-3 | Traffic interaction between zones | 298
Example 13-1 | ZBF components | 299
Table 13-4 | Self zone traffic behavior | 300
List | ZBF Wizard configurable security levels | 304
Example 13-4 | CLI commands to implement NAT | 322
Example 13-5 | Viewing existing translations | 323

V. Complete the Tables and Lists from Memory


Table 13-2 CSD Supported Operating Systems
Columns: Operating System | Prelogin Assessment | Host Scan | Vault | Cache Cleaner (32-Bit Browsers Only) | Keystroke Logger Detection | Host Emulation Detection
Operating systems listed: Windows XP SP2 x64 (64 bit); Windows XP SP2 and SP3 x86 (32 bit); Windows Vista x86 (32 bit) and x64 (64 bit), where support requires KB935855; Windows 7 x86 (32 bit) and x64 (64 bit); Windows Mobile 6.0, 6.1, 6.1.4, and 6.5; Mac OS X 10.6, 10.6.1, 10.6.2 x86 and x64; Mac OS X 10.5.x x86 and x64; Red Hat Enterprise Linux 3 x86 and x64 biarch; Red Hat Enterprise Linux 4 x86 and x64 biarch; Fedora Core 4 and later x86 and x64 biarch; Ubuntu
(Per-cell support entries not reproduced here.)

Table 13-3 CSD Privilege Levels Required for Installation with AnyConnect Client
Administrative privileges required? | AnyConnect Client Installed: No | AnyConnect Client and CSD Install Together: Yes | Executable File: Yes

Tables 13-2 (Policy Map Actions), 13-3 (Traffic Interaction Between Zones) and 13-4 (Self Zone Traffic Behavior) of this chapter are given in full in Section I above.

VI. Define Key Terms

1. zones
2. zone pairs
3. class map type inspect
4. policy map type inspect
5. service policy
6. stateful inspection
7. PAT

VII. Command Reference to Check Your Memory

Table 13-6 Command Reference
Command | Description
show class-map type inspect | Show ZBF-related class maps
show policy-map type inspect | Show ZBF-related policy maps
class-map type inspect match-any MY-CLASS-MAP | Create a ZBF-related class map that matches if any of its entries is a match
policy-map type inspect MY-POLICY-MAP | Create a ZBF-related policy map
class type inspect MY-CLASS-MAP | Used inside a ZBF policy map to call on the classification services of a zone-based class map
zone-pair security in-to-out source inside destination outside | Create a zone pair that identifies an initial unidirectional flow of traffic
show ip nat translations | Show the current active address translations on the router
