This topic is to discuss the following lesson:
Glad you like it
Hi Rene,
Really good post to understand the concepts behind the zone based firewall.
Can you advise under what kind of network environments you would use zone based firewall?
Thank you,
Jay
Hi Jay,
The Zone Based Firewall is nice to use if you have an ISR with many interfaces that doesn’t run too much traffic and when you don’t have the budget to buy a separate firewall.
Rene
Thank you Rene. Clean, simple and very informative.
Thanks a lot for writing this post. It helped me so much!
Thanks! Very helpful!
Glad to be of service!
Hi Rene
What if I would like to inspect a protocol which is unavailable in NBAR?
How can I create my own “protocols” to inspect?
Thanks
Luck
Hi Rene,
First of all thanks a lot for the very nice posts.
I was trying the same example, but the only difference is that I was trying to inspect http traffic (match protocol http). Therefore, when I try to generate some web traffic from the VM web browser, the http traffic is blocked. Once I changed the same class-map to the below, it works. My question is why, when matching only http, the web traffic is blocked.
ip access-list extended ANY
 permit ip any any
class-map type inspect LAN-TO-WAN
 match access-group name ANY
Hi Luck,
NBAR is the “lazy” way to match certain protocols. If NBAR doesn’t support your protocol then you have two options:
- Use an Access-list to match on the protocol (TCP/UDP/ICMP/etc) and the port numbers.
OR
- You can create custom protocols for NBAR, you’ll have more options but it’s also a bit more complicated. Take a look here to see what I mean:
Hope that helps,
Rene
Hello,
Thanks a lot for your explanations regarding the self zone, I’ve been looking for some simple examples and you got it right to the point.
Keep up the good work,
Lionel
You are welcome Lionel.
Hi Houssam,
If I understand you correctly, with “match protocol http” you were unable to get HTTP traffic inspected, so the return traffic was not allowed? That should work. What do you see with the show commands or when you enable a debug?
The access-list/class-map example that you have will allow everything from LAN > WAN, including HTTP.
Rene
Hello Rene,
Excellent article about zone based firewall. Very informative and easy to read and understand the concepts. Thanks.
Regards,
Maros
Hi Maros,
Thank you, I’m glad to hear that it was useful!
Rene
That was useful.
Thanks a lot.
Hi Rene,
I want to ask,
in the service policy, they have drop, pass, and inspect…
I tried to use drop and pass, and it still blocks the traffic…
So what is the difference between drop, pass, and inspect…
Hi John,
Good question…
When you use drop, the packet is discarded right away.
When you use pass…the packet is allowed outbound but there won’t be a rule for the return traffic so it will be dropped inbound.
Inspect will allow the packet outbound but also automatically creates a rule for the return traffic so that it is allowed inbound.
Does that make sense?
Rene
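To make the drop/pass/inspect distinction above concrete, here is an added IOS Zone-Based Firewall configuration; it is not from the lesson or from anyone in this thread, and the interface names, zone names and the 192.168.1.0/24 LAN subnet are assumptions. HTTP and DNS are inspected, so their return traffic is allowed automatically; ICMP echo is only passed, so the echo replies need their own pass rule on the reverse zone-pair or they are dropped inbound.

```cisco
! Zones and interface membership (names are assumptions)
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 description LAN (assumed 192.168.1.0/24)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN
 zone-member security OUTSIDE
!
! Class-maps: NBAR match for HTTP/DNS, access-list match for ICMP
ip access-list extended ICMP-ECHO
 permit icmp 192.168.1.0 0.0.0.255 any echo
ip access-list extended ICMP-REPLY
 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
class-map type inspect match-any WEB-DNS
 match protocol http
 match protocol dns
class-map type inspect match-all PING-OUT
 match access-group name ICMP-ECHO
class-map type inspect match-all PING-REPLY
 match access-group name ICMP-REPLY
!
! Outbound policy: inspect creates the return-traffic entry, pass does not
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect WEB-DNS
  inspect
 class type inspect PING-OUT
  pass
 class class-default
  drop log
!
! Because PING-OUT is only passed, the echo replies must be passed explicitly
policy-map type inspect OUTSIDE-TO-INSIDE
 class type inspect PING-REPLY
  pass
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE
```

`show policy-map type inspect zone-pair sessions` lists the sessions that inspect created for the HTTP/DNS flows; the passed ICMP traffic shows up there as no session at all, which is why the reverse zone-pair policy is needed.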