Zone-Based Firewall – Configuration (CCIE Notes)

Let’s have a look at a very basic configuration first;

1. Zone Security

zone security OUTSIDE
zone security INSIDE

2. Zone Member

interface fa0/0 zone-member security OUTSIDE
interface fa0/1 zone-member security INSIDE

3. Zone Pair

zone-pair security ZP-OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
zone-pair security ZP-INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
! A service policy needs to be attached to the zone-pair which is shown in the later half of this post

Up till here, we have built the foundation of a ZBFW policy and have all the basic stuff laid out. Now comes the major part of it where we define the L3/L4 or L7 class-maps and policy-maps while using ACLs to classify traffic.

4. Class Maps

– Use L7 class-maps. You can also nest an L7 class-map in another L7 class-map

class-map type inspect match-any CM-INSIDE-to-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
access-list 101 permit ip host
class-map type inspect match-all CM-OUTSIDE-to-INSIDE
 match access-group 101

match-any – Use when either of the match criteria should be matched. Example, TCP or UDP.

match-all – Use when all the matching criteria should be matched. Example, an ACL with protocol HTTP.

5. Policy Maps

policy-map type inspect PM-INSIDE-to-OUTSIDE
 class type inspect CM-INSIDE-to-OUTSIDE
 class class-default
policy-map type inspect PM-OUTSIDE-to-INSIDE
 class type inspect CM-OUTSIDE-to-INSIDE
 class class-default
 drop log

6. Apply the policy-map to a zone-pair


Bookmark to follow my CCIE Security v4 journey ->


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s