Zone-Based Firewall – Configuration (CCIE Notes)

Let’s have a look at a very basic configuration first:

1. Zone Security

zone security OUTSIDE
zone security INSIDE

2. Zone Member

interface fa0/0
 zone-member security OUTSIDE
interface fa0/1
 zone-member security INSIDE

Zone-Based Firewall – Concepts (CCIE Notes)
  • Zone-Based firewall may work in conjunction with CBAC but it is not recommended.
  • UDP-based traceroute is not supported through ICMP inspection.
  • Multicast stateful inspection is not supported.
  • Since ZBFW does not inspect GRE or ESP packets, use ‘pass’ to allow such packets as inspecting them would drop the traffic.
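
As an added example (not part of the original notes), the full policy that sits between the two zones configured above, including the ‘pass’ action the GRE/ESP bullet calls for. It assumes a VPN device behind fa0/1 building GRE-over-IPsec tunnels to a peer at 203.0.113.10 (a constructed address); a second zone-pair is needed because ‘pass’ is stateless and does not create return-traffic entries.

```cisco
! Added example (not from the original notes): complete ZBFW policy for the
! two zones above. Assumed topology: hosts on INSIDE reach the Internet via
! OUTSIDE, and a VPN device behind fa0/1 builds GRE-over-IPsec tunnels to a
! peer at 203.0.113.10 (constructed address).
zone security OUTSIDE
zone security INSIDE

! Traffic to be statefully inspected (return traffic is allowed by state)
class-map type inspect match-any CM-INSPECT
 match protocol tcp
 match protocol udp
 match protocol icmp

! GRE and ESP cannot be inspected; match them by ACL and pass them
ip access-list extended ACL-VPN-OUT
 permit esp any host 203.0.113.10
 permit gre any host 203.0.113.10
ip access-list extended ACL-VPN-IN
 permit esp host 203.0.113.10 any
 permit gre host 203.0.113.10 any
class-map type inspect match-all CM-VPN-OUT
 match access-group name ACL-VPN-OUT
class-map type inspect match-all CM-VPN-IN
 match access-group name ACL-VPN-IN

policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-VPN-OUT
  pass
 class type inspect CM-INSPECT
  inspect
 class class-default
  drop log

! 'pass' is stateless, so the reverse direction needs its own pass
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-VPN-IN
  pass
 class class-default
  drop log

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN

interface fa0/0
 zone-member security OUTSIDE
interface fa0/1
 zone-member security INSIDE
```

Verify with `show policy-map type inspect zone-pair sessions`: inspected TCP/UDP/ICMP flows appear as sessions, while passed GRE/ESP packets only increment the class counters.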