network – cisco zone based firewall

Cisco IOS Software Release 12.4(6)T introduced Zone-Based Policy Firewall (ZFW), a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic.

Access list 100 is for inside-outside access.
Access list 120 is for outside-inside access.

access-list 100 permit icmp any any
access-list 120 permit icmp any any

Create the zone names.

zone security INSIDE
zone security OUTSIDE

Assign interface to a zone.

interface FastEthernet0/0
zone-member security INSIDE

interface FastEthernet0/1
zone-member security OUTSIDE

Create a class map to match the ACL.

class-map type inspect match-all INSIDE-in-CLASS
match access-group 100

class-map type inspect match-all OUTSIDE-in-CLASS
match access-group 120

Create a policy-map to match the class-map.

policy-map type inspect INSIDE-in-POL
class type inspect INSIDE-in-CLASS
class class-default
drop log

policy-map type inspect OUTSIDE-in-POL
class type inspect OUTSIDE-in-CLASS
class class-default
drop log

Then assign the policy map to a zone pair and apply your policy.

zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-in-POL

zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-in-POL


Testing try and send ping from inside to outside.

show zone security - will show you which interfaces are assigned to each zone.

R2#sh zone security

zone self
Description: System defined zone

Member Interfaces:

Member Interfaces:

Show access-list - shows you matches which = packets are matching acl.

R2#sh access-lists

Extended IP access list 100
10 permit icmp any any (2 matches)

Extended IP access list 120
10 permit icmp any any (1 match)

Dynamic logs created by the drop log statement under the policy-map

*Mar 1 00:07:43.663: %FW-6-DROP_PKT: Dropping Other session on zone-pair INSIDE-OUTSIDE class class-default due to DROP action found in policy-map with ip ident 22620

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s