Let's have a look at a very basic configuration first:
1. Zone Security
zone security OUTSIDE
zone security INSIDE
2. Zone Member
interface fa0/0
 zone-member security OUTSIDE
interface fa0/1
 zone-member security INSIDE
3. Zone Pair
zone-pair security ZP-OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
zone-pair security ZP-INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
!
! A service policy needs to be attached to each zone-pair; this is shown in the latter half of this post
Up to here, we have built the foundation of a ZBFW policy and have all the basic objects laid out. Note that ZBFW denies inter-zone traffic by default: until a service-policy that inspects or passes traffic is attached to a zone-pair, nothing crosses between OUTSIDE and INSIDE in either direction, while traffic between interfaces in the same zone is allowed. Now comes the major part, where we define the L3/L4 or L7 class-maps and policy-maps, using ACLs to classify traffic.
4. Class Maps
– Use L3/L4 class-maps (match protocol, match access-group) as shown below, or L7 class-maps for application-level inspection. A class-map can also be nested inside another class-map with match class-map, which lets you combine match-any and match-all criteria.
class-map type inspect match-any CM-INSIDE-to-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! IOS ACLs take a wildcard mask (0.0.0.255 for a /24), not a subnet mask
access-list 101 permit ip 18.104.22.168 0.0.0.255 host 22.214.171.124
!
class-map type inspect match-all CM-OUTSIDE-to-INSIDE
 match access-group 101
match-any – Use when any one of the match criteria is enough for the traffic to be classified. Example: TCP or UDP.
match-all – Use when every match criterion must be satisfied. Example: an ACL combined with match protocol http.
5. Policy Maps
policy-map type inspect PM-INSIDE-to-OUTSIDE
 class type inspect CM-INSIDE-to-OUTSIDE
  inspect
 class class-default
  drop
!
policy-map type inspect PM-OUTSIDE-to-INSIDE
 class type inspect CM-OUTSIDE-to-INSIDE
  inspect
 class class-default
  drop log
6. Apply the policy-map to a zone-pair
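Putting the six steps together, here is an added example that is not part of the original post: a small Python script that carries the complete policy from this post, with step 6 filled in (service-policy type inspect <policy-map> under each zone-pair), and a consistency check you can run over a candidate config before pasting it into a router. It reports zone-members and zone-pairs that reference undefined zones, zone-pairs with no service-policy (which silently drop everything), policy-maps and class-maps that reference objects which do not exist, and the classic mistake of typing a subnet mask where an IOS ACL expects a wildcard. The interface names FastEthernet0/0 and 0/1 and the RFC 5737 addresses in the ACL are placeholders I assumed, and the function names parse_zbfw and lint_zbfw are mine.

```python
"""Consistency check for a Cisco IOS zone-based firewall (ZBFW) policy.
Added example, not code from the original post: it parses zones, zone-members,
ACLs, L3/L4 class-maps, policy-maps and zone-pairs, then reports dangling
references, zone-pairs with no service-policy and subnet masks typed as wildcards."""

# Constructed sample: the post's policy with step 6 (a service-policy on each
# zone-pair) filled in. Interface names and the RFC 5737 addresses are assumptions.
ZBFW_CONFIG = """\
zone security OUTSIDE
zone security INSIDE
interface FastEthernet0/0
 zone-member security OUTSIDE
interface FastEthernet0/1
 zone-member security INSIDE
access-list 101 permit ip 192.0.2.0 0.0.0.255 host 198.51.100.10
class-map type inspect match-any CM-INSIDE-to-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all CM-OUTSIDE-to-INSIDE
 match access-group 101
policy-map type inspect PM-INSIDE-to-OUTSIDE
 class type inspect CM-INSIDE-to-OUTSIDE
  inspect
 class class-default
  drop
policy-map type inspect PM-OUTSIDE-to-INSIDE
 class type inspect CM-OUTSIDE-to-INSIDE
  inspect
 class class-default
  drop log
zone-pair security ZP-INSIDE-to-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-to-OUTSIDE
zone-pair security ZP-OUTSIDE-to-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-to-INSIDE
"""


def parse_zbfw(config):
    """Collect what the config defines and what each object references."""
    m = {"zones": set(), "members": {}, "acls": {}, "cmaps": {}, "pmaps": {}, "pairs": {}}
    section, name = "", ""  # the top-level stanza that indented lines belong to
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if not line.startswith(" "):  # top-level command: starts a new stanza
            section, name = "", ""
            if w[:2] == ["zone", "security"]:
                m["zones"].add(w[2])
            elif w[0] == "interface":
                section, name = "members", w[1]
            elif w[0] == "access-list":
                m["acls"].setdefault(w[1], []).append(w)
            elif w[:3] == ["class-map", "type", "inspect"] and w[3].startswith("match-"):
                section, name = "cmaps", w[4]  # L3/L4 class-maps only
                m["cmaps"][name] = []
            elif w[:3] == ["policy-map", "type", "inspect"]:
                section, name = "pmaps", w[3]
                m["pmaps"][name] = []
            elif w[:2] == ["zone-pair", "security"]:
                section, name = "pairs", w[2]
                m["pairs"][name] = {"source": w[4], "destination": w[6], "policy": None}
        elif section == "members" and w[:2] == ["zone-member", "security"]:
            m["members"][name] = w[2]
        elif section == "cmaps":
            m["cmaps"][name].append(w)
        elif section == "pmaps" and w[:3] == ["class", "type", "inspect"]:
            m["pmaps"][name].append(w[3])
        elif section == "pairs" and w[:3] == ["service-policy", "type", "inspect"]:
            m["pairs"][name]["policy"] = w[3]
    return m


def lint_zbfw(config):
    """Return the problems found; an empty list means the policy is consistent."""
    m, problems = parse_zbfw(config), []
    for intf, zone in m["members"].items():
        if zone not in m["zones"]:
            problems.append(f"{intf}: zone-member references undefined zone {zone}")
    for zp, d in m["pairs"].items():
        for role in ("source", "destination"):
            if d[role] not in m["zones"]:
                problems.append(f"{zp}: {role} zone {d[role]} is not defined")
        if d["policy"] is None:  # a zone-pair without a policy drops everything
            problems.append(f"{zp}: no service-policy attached")
        elif d["policy"] not in m["pmaps"]:
            problems.append(f"{zp}: undefined policy-map {d['policy']}")
    for pm, classes in m["pmaps"].items():
        problems += [f"{pm}: undefined class-map {c}" for c in classes if c not in m["cmaps"]]
    for cm, entries in m["cmaps"].items():
        for w in entries:
            if w[:2] == ["match", "access-group"] and w[2] not in m["acls"]:
                problems.append(f"{cm}: match access-group {w[2]} references a missing ACL")
    for acl, entries in m["acls"].items():
        for w in entries:
            # IOS ACLs take wildcard masks: 255.255.255.0 ignores the first three octets
            # and matches far more than the intended /24, whose wildcard is 0.0.0.255.
            for tok in w[4:]:
                if tok.startswith("255.") and tok != "255.255.255.255":
                    problems.append(f"access-list {acl}: {tok} is a subnet mask, not a wildcard")
    return problems
```

Run lint_zbfw on the sample and it returns an empty list; delete one of the service-policy lines, or swap the wildcard for 255.255.255.0, and the corresponding problem is reported. The parser is deliberately minimal (one-word indentation, L3/L4 class-maps only) so that the checks stay readable; it is a pre-flight sanity check, not a replacement for show policy-map type inspect zone-pair on the router.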
Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/