Zone Based Firewall Configuration Example

Hi Simon,

Here’s an example:

class-map type inspect match-all LAN_TO_WAN
 match access-group name LAN_TO_WAN
class-map type inspect match-all WAN_TO_LAN
 match access-group name WAN_TO_LAN
class-map type inspect match-all ISAKMP_IPSEC
 match access-group name ISAKMP_IPSEC
class-map type inspect match-all DHCP
 match access-group name DHCP_CLIENT
! The WAN_TO_SELF policy-map below references a class ICMP, so it needs a class-map
class-map type inspect match-all ICMP
 match access-group name ICMP
!
policy-map type inspect WAN_TO_SELF
 class type inspect ICMP
  pass
 class type inspect ISAKMP_IPSEC
  pass
 class type inspect DHCP
  pass
 class class-default
  drop
policy-map type inspect WAN_TO_LAN
 class type inspect WAN_TO_LAN
  pass
 class class-default
  drop
policy-map type inspect LAN_TO_WAN
 class type inspect LAN_TO_WAN
  pass
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 description LAN_TO_WAN TRAFFIC
 service-policy type inspect LAN_TO_WAN

zone-pair security WAN_TO_LAN source WAN destination LAN
 description WAN_TO_LAN TRAFFIC
 service-policy type inspect WAN_TO_LAN

zone-pair security WAN_TO_SELF source WAN destination self
 description WAN_TO_SELF TRAFFIC
 service-policy type inspect WAN_TO_SELF
!
ip access-list extended DHCP_CLIENT
 permit udp any eq bootps any

ip access-list extended ICMP
 permit icmp any any

ip access-list extended ISAKMP_IPSEC
 permit udp host <remote_peer> any eq isakmp
 permit esp host <remote_peer> any
 permit udp host <remote_peer> any eq non500-isakmp

ip access-list extended LAN_TO_WAN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

ip access-list extended WAN_TO_LAN
 ! return direction: remote subnet to LAN (wildcard mask, not a fifth octet)
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

This will allow a remote peer to establish an IPSec tunnel from WAN to the SELF zone (router). ICMP traffic to SELF is permitted and the router can get an IP address from the ISP through DHCP.

Once the VPN is established, traffic between the LAN (192.168.1.0) and a remote subnet (192.168.2.0) is permitted (pass).

Rene
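A ZBF config like the one above is a small graph of references (zone-pair -> policy-map -> class-map -> access-list), and the two mistakes that are easiest to make by hand are a class referenced in a policy-map that was never defined as a class-map, and a mistyped address or wildcard in an ACL. The following linter is an added example, not Rene's code and not anything from Cisco IOS: it parses a constructed sample (a trimmed ZBF fragment with both of those defects planted in it, assumed here for illustration) with a deliberately simple grammar that only understands the statement forms used on this page, and reports dangling references, unused ACLs and malformed addresses.

```python
import ipaddress
import re

# Constructed sample for this example, not the config from the post. It carries
# two planted defects: policy-map WAN_TO_SELF references a class ICMP that has
# no class-map, and the WAN_TO_LAN ACL contains the address 192.168.1.0.0.
SAMPLE_CONFIG = """\
class-map type inspect match-all LAN_TO_WAN
 match access-group name LAN_TO_WAN
!
policy-map type inspect WAN_TO_SELF
 class type inspect ICMP
  pass
 class class-default
  drop
policy-map type inspect LAN_TO_WAN
 class type inspect LAN_TO_WAN
  pass
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_SELF source WAN destination self
 service-policy type inspect WAN_TO_SELF
!
ip access-list extended LAN_TO_WAN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended WAN_TO_LAN
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0.0 0.0.0.255
"""

# One pattern per top-level block; the first capture group is the object name.
HEADERS = {
    "class_maps": re.compile(r"class-map type inspect match-(?:all|any) (\S+)$"),
    "policy_maps": re.compile(r"policy-map type inspect (\S+)$"),
    "zones": re.compile(r"zone security (\S+)$"),
    "zone_pairs": re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)$"),
    "acls": re.compile(r"ip access-list extended (\S+)$"),
}
DOTTED = re.compile(r"^\d+(\.\d+)+$")  # any dotted numeric token in an ACL entry


def parse_zbf(text):
    """Collect the named objects and the references between them."""
    cfg = {table: {} for table in HEADERS}
    current = None  # (table, name) of the block whose indented lines follow
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # a new top-level block
            current = None
            for table, rx in HEADERS.items():
                m = rx.match(line)
                if not m:
                    continue
                name = m.group(1)
                if table == "zone_pairs":
                    cfg[table][name] = {"source": m.group(2), "destination": m.group(3), "policy": None}
                elif table == "zones":
                    cfg[table][name] = True
                else:
                    cfg[table][name] = []
                current = (table, name)
                break
            continue
        if current is None:
            continue
        table, name = current
        body = line.strip()
        if table == "class_maps" and body.startswith("match access-group name "):
            cfg[table][name].append(body.split()[-1])
        elif table == "policy_maps" and body.startswith("class type inspect "):
            cfg[table][name].append(body.split()[-1])
        elif table == "zone_pairs" and body.startswith("service-policy type inspect "):
            cfg[table][name]["policy"] = body.split()[-1]
        elif table == "acls":
            cfg[table][name].append(body)
    return cfg


def lint_zbf(cfg):
    """Return findings: dangling references, unused ACLs, malformed addresses."""
    findings = []
    for pm, classes in cfg["policy_maps"].items():
        for cm in classes:
            if cm not in cfg["class_maps"]:
                findings.append(f"policy-map {pm}: class-map {cm} is not defined")
    for cm, acls in cfg["class_maps"].items():
        for acl in acls:
            if acl not in cfg["acls"]:
                findings.append(f"class-map {cm}: access-list {acl} is not defined")
    for zp, info in cfg["zone_pairs"].items():
        for zone in (info["source"], info["destination"]):
            if zone != "self" and zone not in cfg["zones"]:  # self is built in
                findings.append(f"zone-pair {zp}: zone {zone} is not defined")
        if info["policy"] is None:
            findings.append(f"zone-pair {zp}: no service-policy attached")
        elif info["policy"] not in cfg["policy_maps"]:
            findings.append(f"zone-pair {zp}: policy-map {info['policy']} is not defined")
    referenced = {acl for acls in cfg["class_maps"].values() for acl in acls}
    for acl, entries in cfg["acls"].items():
        if acl not in referenced:
            findings.append(f"access-list {acl}: defined but not used by any class-map")
        for entry in entries:
            for token in entry.split():
                if DOTTED.match(token):
                    try:
                        ipaddress.IPv4Address(token)  # also validates wildcard masks
                    except ValueError:
                        findings.append(f"access-list {acl}: malformed address {token!r} in {entry!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_zbf(parse_zbf(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports the undefined class-map ICMP, the malformed address in WAN_TO_LAN, and that WAN_TO_LAN is not used by any class-map (in the sample no class-map references it, so the WAN to LAN direction would hit class-default and be dropped). The unused-ACL check is deliberately a finding rather than an error: an ACL that no class-map references is harmless on its own, but in a ZBF config it usually means a class-map was forgotten.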