zone-based firewall on cisco routers
Tuesday, March 31st, 2009Cisco introduced Zone-based Policy Firewall since it’s 12.4(6) IOS release. It helps organizing firewall policies on multi-interface routers. This small tutorial will show how to set up a simple firewall policy on a router that interconnects three networks:
- Internet (on FastEthernet 0)
- DMZ (on FastEthernet 1)
- Intranet (on FastEthernet 2)
The steps are:
- Define class-maps that describe the traffic that you want to permit between zones
- Configure policy-maps to inspect traffic on the class-maps you just defined
- Configure the clients and servers zones and assign router interfaces to their respective zones
- Configure the zone-pair and apply the appropriate policy-map
- Configure access-lists for strengthening the firewall
