Apr 30 2012   1:51PM GMT

Cisco ZFW Config Example

Joshua Wood

Hi all, so you want to use Cisco's new router-based firewall, known as the zone-based firewall or ZFW. For those unaware, the ZFW is the next version of the firewall system that Cisco is going to be using on their routers.

You might be using CBAC, or perhaps an ACL, and you want to switch to the zone-based method that Cisco is moving to with their firewall system, but you don't know where to start. Below I have outlined how to create a very basic implementation of the ZFW. The comments are the lines that start with exclamation marks, as those are ignored when copied and pasted into a running config.

Before the config example, let's run through a couple of quick points. First, the ZFW needs at least 5 parts: the class-map, the policy-map, the zone definitions, the zone-pairs and finally applying the zones to the interfaces. You need one zone-pair for each direction that you want traffic to travel in.

! This is the class-map section of the ZFW implementation.
! Here you define the protocols and/or ACLs you want to use.
! Essentially these are the inspect statements of CBAC, if you have used CBAC.
class-map type inspect match-any FW_INSPECT_ACL_CM
 match access-group name FW_INSPECT_ACL
class-map type inspect match-any FW_INSPECT_L7_CM
 match protocol ssh
 match protocol ftp
 match protocol imap
 match protocol https
 match protocol dns
 match protocol http
 match protocol smtp
class-map type inspect match-any FW_INSPECT_L4_CM
 match protocol tcp
 match protocol udp
 match protocol icmp

! The policy-map below refers to the parameter-map FW-LOG, so it has to
! exist before the policy-map is entered or the inspect lines are rejected.
! It is created empty here; the logging options that go in it (audit-trail)
! are the subject of the next post.
parameter-map type inspect FW-LOG

! Here is where all of the class-maps are brought together.
! Policy-maps are aggregation points for the class-maps.
! Classes are evaluated in order: because FW_INSPECT_ACL permits ip any any,
! the first class matches all traffic and the L4 and L7 classes below it
! never see a packet. Reorder the classes or tighten the ACL if you want
! the protocol classes to apply.
policy-map type inspect FW_INSPECT_PM
 class type inspect FW_INSPECT_ACL_CM
  inspect FW-LOG
 class type inspect FW_INSPECT_L4_CM
  inspect FW-LOG
 class type inspect FW_INSPECT_L7_CM
  inspect FW-LOG
 class class-default
  drop log

! These are the security zones. Each zone needs a definition.
! For our purposes there are only two definitions.
zone security INTERNET
zone security LAN

! The zone-pairs match the policy-maps with the zones and define the
! direction that they work in.
! Note that this basic example applies the same permit-everything policy
! from INTERNET to LAN as from LAN to INTERNET, so traffic initiated from
! the internet is allowed through to the LAN. In production give
! INTERNET_TO_LAN its own, more restrictive policy-map.
zone-pair security INTERNET_TO_LAN source INTERNET destination LAN
 service-policy type inspect FW_INSPECT_PM
zone-pair security LAN_TO_INTERNET source LAN destination INTERNET
 service-policy type inspect FW_INSPECT_PM

! An ACL if you want one. The class-map above refers to it by this name.
ip access-list extended FW_INSPECT_ACL
 permit ip any any

! And finally apply the ZFW entries to the correct ports.
interface GigabitEthernet0/1
 zone-member security INTERNET
interface GigabitEthernet0/2
 zone-member security LAN

And you are done, outside of some testing and tweaking. In the next post I will explain how to turn on logging for the ZFW.
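As an added check (example code written for this page, not part of the original post and not a Cisco tool), the Python script below parses a ZFW config in the form shown above and verifies the dependency chain between the five parts: every class-map, policy-map, parameter-map, ACL and zone that one part references must be defined by another, every zone should have a member interface, and any zone-pair whose policy inspects an ACL containing permit ip any any is flagged, since in this basic example that is what lets traffic from INTERNET through to LAN. The embedded SAMPLE_CONFIG is a constructed, trimmed copy of the configuration in the post with the FW-LOG parameter-map defined; the command names and object names are the ones used above.

```python
"""Cross-reference check for a Cisco zone-based firewall (ZFW) configuration.

Added example, not from the original post: reports objects a ZFW config references
but never defines, zones with no member interface, and zone-pairs whose policy
inspects an ACL permitting 'ip any any'. SAMPLE_CONFIG is a constructed sample.
"""
import re

SAMPLE_CONFIG = """\
parameter-map type inspect FW-LOG
class-map type inspect match-any FW_INSPECT_ACL_CM
 match access-group name FW_INSPECT_ACL
policy-map type inspect FW_INSPECT_PM
 class type inspect FW_INSPECT_ACL_CM
  inspect FW-LOG
zone security INTERNET
zone security LAN
zone-pair security INTERNET_TO_LAN source INTERNET destination LAN
 service-policy type inspect FW_INSPECT_PM
zone-pair security LAN_TO_INTERNET source LAN destination INTERNET
 service-policy type inspect FW_INSPECT_PM
ip access-list extended FW_INSPECT_ACL
 permit ip any any
interface GigabitEthernet0/1
 zone-member security INTERNET
interface GigabitEthernet0/2
 zone-member security LAN
"""

TOP = [("class-map", r"class-map type inspect match-(?:any|all) (\S+)"),
       ("policy-map", r"policy-map type inspect (\S+)"),
       ("parameter-map", r"parameter-map type inspect (\S+)"),
       ("zone", r"zone security (\S+)"),
       ("acl", r"ip access-list (?:standard|extended) (\S+)"),
       ("interface", r"interface (\S+)")]
SUB = [("acl", r"match access-group name (\S+)"),
       ("class-map", r"class type inspect (\S+)"),
       ("parameter-map", r"inspect (\S+)$"),
       ("policy-map", r"service-policy type inspect (\S+)"),
       ("zone", r"zone-member security (\S+)")]
ZONE_PAIR = r"zone-pair security (\S+) source (\S+) destination (\S+)"


def first_match(table, line):
    """(kind, match) for the first regex in table that matches line, else (None, None)."""
    return next(((k, m) for k, rx in table if (m := re.match(rx, line))), (None, None))


def parse_zfw(text):
    """Collect definitions, references and relationships from the config text."""
    st = {"defined": {k: set() for k in ("class-map", "policy-map", "parameter-map", "zone", "acl")},
          "refs": [], "class_acls": {}, "policy_classes": {}, "zone_pairs": {},
          "acl_any": set(), "zone_members": set()}
    ctx = ("", "")  # (kind, name) of the enclosing top-level object
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        pair = re.match(ZONE_PAIR, line)
        kind, m = first_match(TOP, line)
        sub, ref = first_match(SUB, line)
        if pair:
            name, src, dst = pair.groups()
            st["zone_pairs"][name] = [src, dst, None]  # policy-map is filled in later
            st["refs"] += [("zone", z, f"zone-pair {name}") for z in (src, dst)]
            ctx = ("zone-pair", name)
        elif kind:
            if kind != "interface":
                st["defined"][kind].add(m.group(1))
            ctx = (kind, m.group(1))
        elif sub:
            name = ref.group(1)
            st["refs"].append((sub, name, f"{ctx[0]} {ctx[1]}"))
            if sub == "acl":
                st["class_acls"].setdefault(ctx[1], []).append(name)
            elif sub == "class-map":
                st["policy_classes"].setdefault(ctx[1], []).append(name)
            elif sub == "policy-map" and ctx[0] == "zone-pair":
                st["zone_pairs"][ctx[1]][2] = name
            elif sub == "zone":
                st["zone_members"].add(name)
        elif line == "permit ip any any" and ctx[0] == "acl":
            st["acl_any"].add(ctx[1])
    return st


def lint_zfw(text):
    """Return a list of findings; an empty list means the config is consistent."""
    st = parse_zfw(text)
    findings = [f"{where}: references undefined {kind} {name}"
                for kind, name, where in st["refs"] if name not in st["defined"][kind]]
    for zp, (src, dst, policy) in st["zone_pairs"].items():
        for cm in st["policy_classes"].get(policy, []):
            for acl in st["class_acls"].get(cm, []):
                if acl in st["acl_any"]:
                    findings.append(f"zone-pair {zp} ({src} -> {dst}): class {cm} inspects ACL "
                                    f"{acl}, which contains 'permit ip any any'")
    findings += [f"zone {z}: no interface is a member"
                 for z in sorted(st["defined"]["zone"] - st["zone_members"])]
    return findings
```

Pass the text of a saved running-config to lint_zfw(); it returns an empty list when every reference resolves and nothing is flagged. On the sample it returns two findings, one per zone-pair, because both directions inspect the permit ip any any ACL; delete the parameter-map line and it also reports the undefined FW-LOG reference that would make the policy-map fail on paste. The parser only understands the commands used in this post, so unrelated lines are ignored rather than rejected.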

Until next time,
TechStop (JW)
