Zone Based Firewall Configuration Example

This topic is to discuss the following lesson:

Hello René is very informative… :slight_smile:

thank you…

Glad you like it :slight_smile:

Hi Rene,

Really good post to understand the concepts behind the zone based firewall.

Can you advise under what kind of network environments you would use zone based firewall?

Thank you,

Hi Jay,

The Zone Based Firewall is nice to use if you have an ISR with many interfaces that doesn’t run too much traffic and when you don’t have the budget to buy a separate firewall.


Thank you Rene . Clean , Simple and very informative.

Thanks a lot for writing this post. It helped me so much!

Thanks! very helpful!

Glad to be of service!

Hi Rene

What if i would like to inspet protocol which is unavaible i NBAR?
How can create my own “protocols” to inspect


Hi Rene,

First of all thanks a lot for the very nice posts.

I was trying the same example but the only difference is that i was trying to inspect http traffic (match protocol http). Therefore when i try to generate some web traffic from the VM web browser, the http traffic is blocked. Once i changed the same class-map to the below it works. My question is why when matching http only the web traffic is blocked.

ip access-list extended ANY
  permit ip any any 
class-map type inspect LAN-TO-WAN
 match access-group name ANY

Hi Luck,

NBAR is the “lazy” way to match certain protocols. If NBAR doesn’t support your protocol then you have two options:

  • Use an Access-list to match on the protocol (TCP/UDP/ICMP/etc) and the port numbers.


  • You can create custom protocols for NBAR, you’ll have more options but it’s also a bit more complicated. Take a look here to see what I mean:

Hope that helps,



Thanks a lot for your explanations regarding the self zone, I’ve been looking for some simple examples and you got it right to the point.

Keep up the good work,


You are welcome Lionel.

Hi Houssam,

If i understand you correctly, with “match protocol http” you were unable to get HTTP traffic inspected so the return traffic was allowed? That should work. What do you see with the show commands or when you enable a debug?

The access-list/class-map example that you have will allow everything from LAN > WAN, including HTTP.


Hello Rene,

Excellent article about zone based firewall. Very informative and easy to read and understand the concepts. Thanks.


Hi Maros,

Thank you, I’m glad to hear that it was useful!


that was useful
thanks a lot

Hi rene,

i want to ask,
in service policy , they have drop, pass, and inspect…
i try to use drop and pass, and it still block the traffic…
so what difference with drop,pass, and inspect…

Hi John,

Good question…

When you use drop, the packet is discarded right away.

When you use pass…the packet is allowed outbound but there won’t be a rule for the return traffic so it will be dropped inbound.

Inspect will allow the packet outbound but also automatically creates a rule for the return traffic so that it is allowed inbound.

Does that make sense?