network – cisco zone based firewall

Cisco IOS Software Release 12.4(6)T introduced Zone-Based Policy Firewall (ZFW), a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic.

Access list 100 is for inside-to-outside access.
Access list 120 is for outside-to-inside access.
Both permit only ICMP, so any other traffic falls through to class-default and is dropped by the policy below.

access-list 100 permit icmp any any
access-list 120 permit icmp any any

Create the zone names.

zone security INSIDE
zone security OUTSIDE

Assign each interface to a zone.

interface FastEthernet0/0
zone-member security INSIDE

interface FastEthernet0/1
zone-member security OUTSIDE

Create a class-map for each direction that matches the corresponding ACL.

class-map type inspect match-all INSIDE-in-CLASS
match access-group 100

class-map type inspect match-all OUTSIDE-in-CLASS
match access-group 120

Create a policy-map that inspects traffic matching the class-map and drops (and logs) everything else via class-default.

policy-map type inspect INSIDE-in-POL
class type inspect INSIDE-in-CLASS
inspect
class class-default
drop log

policy-map type inspect OUTSIDE-in-POL
class type inspect OUTSIDE-in-CLASS
inspect
class class-default
drop log

Then assign the policy map to a zone pair and apply your policy.

zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-in-POL

zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-in-POL
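The objects above form a reference chain: access-list -> class-map -> policy-map -> zone-pair -> zones -> interfaces. A dangling link anywhere in that chain (a zone-pair without a service-policy, a policy-map naming an undefined class-map, a zone with no member interface) silently leaves traffic in the default deny state, and a class-default set to pass quietly does the opposite. The following Python checker is an added example, not part of the original post or any Cisco tool; it parses the post's configuration (embedded here as a constructed string in IOS syntax) and reports such inconsistencies. It assumes the plain IOS statement forms shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample input: the zone-based firewall configuration from the post,
# embedded as a string so the checker runs offline (not a live running-config).
SAMPLE_CONFIG = """\
access-list 100 permit icmp any any
access-list 120 permit icmp any any
zone security INSIDE
zone security OUTSIDE
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
class-map type inspect match-all INSIDE-in-CLASS
 match access-group 100
class-map type inspect match-all OUTSIDE-in-CLASS
 match access-group 120
policy-map type inspect INSIDE-in-POL
 class type inspect INSIDE-in-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-in-POL
 class type inspect OUTSIDE-in-CLASS
  inspect
 class class-default
  drop log
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-in-POL
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-in-POL
"""

# Top-level statements that open a configuration context (IOS syntax as on the page).
TOP = [
    ("acl", re.compile(r"access-list (\d+) ")),
    ("zone", re.compile(r"zone security (\S+)$")),
    ("interface", re.compile(r"interface (\S+)$")),
    ("class-map", re.compile(r"class-map type inspect \S+ (\S+)$")),
    ("policy-map", re.compile(r"policy-map type inspect (\S+)$")),
    ("zone-pair", re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)$")),
]

def parse_zfw(config):
    """Collect ZFW objects and the references between them."""
    m = {"acls": set(), "zones": set(), "iface_zone": {},
         "class_acls": defaultdict(set), "policies": defaultdict(dict), "pairs": {}}
    ctx = cls = None                       # current context (kind, name) and current class
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        hit = next(((k, r.match(line)) for k, r in TOP if r.match(line)), None)
        if hit:
            kind, mt = hit
            ctx, cls = (kind, mt.group(1)), None
            if kind == "acl":
                m["acls"].add(mt.group(1))
            elif kind == "zone":
                m["zones"].add(mt.group(1))
            elif kind == "zone-pair":      # [source, destination, policy-map]
                m["pairs"][mt.group(1)] = [mt.group(2), mt.group(3), None]
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "interface" and line.startswith("zone-member security "):
            m["iface_zone"][name] = line.split()[-1]
        elif kind == "class-map" and line.startswith("match access-group "):
            m["class_acls"][name].add(line.split()[-1])
        elif kind == "policy-map":
            if line.startswith("class "):  # "class type inspect X" or "class class-default"
                cls = line.split()[-1]
                m["policies"][name].setdefault(cls, None)
            elif cls and line.split()[0] in ("inspect", "pass", "drop"):
                m["policies"][name][cls] = line   # action applied to that class
        elif kind == "zone-pair" and line.startswith("service-policy type inspect "):
            m["pairs"][name][2] = line.split()[-1]
    return m

def check_zfw(config):
    """Return findings: dangling references, zones without interfaces, permissive defaults."""
    m, out = parse_zfw(config), []
    for zp, (src, dst, pol) in m["pairs"].items():
        for z in (src, dst):
            if z != "self" and z not in m["zones"]:
                out.append(f"zone-pair {zp}: zone {z} is not defined")
        if pol is None:
            out.append(f"zone-pair {zp}: no service-policy, all traffic is dropped")
            continue
        if pol not in m["policies"]:
            out.append(f"zone-pair {zp}: policy-map {pol} is not defined")
            continue
        for cls, action in m["policies"][pol].items():
            if action is None:
                out.append(f"policy-map {pol}: class {cls} has no action")
            if cls == "class-default":
                if action and not action.startswith("drop"):
                    out.append(f"policy-map {pol}: class-default '{action}' allows unmatched traffic")
                continue
            if cls not in m["class_acls"]:
                out.append(f"policy-map {pol}: class-map {cls} is not defined or matches no ACL")
            for acl in m["class_acls"].get(cls, ()):
                if acl not in m["acls"]:
                    out.append(f"class-map {cls}: access-list {acl} is not defined")
    for z in sorted(m["zones"]):
        if z not in m["iface_zone"].values():
            out.append(f"zone {z}: no member interface")
    for a in sorted(m["zones"]):
        for b in sorted(m["zones"]):
            if a != b and not any(s == a and d == b for s, d, _ in m["pairs"].values()):
                out.append(f"zones {a}->{b}: no zone-pair, traffic is dropped by default")
    return out

if __name__ == "__main__":
    print(check_zfw(SAMPLE_CONFIG) or "no findings")
```

Running it against the post's configuration reports nothing; swapping the second service-policy for an undefined name, or changing a class-default from drop log to pass, produces a finding for that object, which is the kind of check worth running before pushing a ZFW change to a production router.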

-------------------------------------------------

Testing: send a ping from inside to outside, then verify with the following commands.

show zone security - shows which interfaces are assigned to each zone.

R2#sh zone security

zone self
Description: System defined zone

zone INSIDE
Member Interfaces:
FastEthernet0/0

zone OUTSIDE
Member Interfaces:
FastEthernet0/1

show access-lists - the match counters show that packets are hitting the ACL entries.

R2#sh access-lists

Extended IP access list 100
10 permit icmp any any (2 matches)

Extended IP access list 120
10 permit icmp any any (1 match)

Log messages generated by the drop log statement under the policy-map:

*Mar 1 00:07:43.663: %FW-6-DROP_PKT: Dropping Other session 192.168.1.1:27668 192.168.2.2:23 on zone-pair INSIDE-OUTSIDE class class-default due to DROP action found in policy-map with ip ident 22620
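The sample line shows a session to port 23 dropped on zone-pair INSIDE-OUTSIDE by class-default, which is what the configuration predicts, since ACL 100 permits only ICMP. These messages are the main evidence a ZFW router gives you about blocked traffic, so they are worth parsing into fields rather than grepping. The following Python parser is an added example, not part of the original post or any Cisco software; it assumes the %FW-6-DROP_PKT message format exactly as it appears above. The log buffer is constructed: the first line is the post's own, the rest are made up for the example.

```python
import re
from collections import Counter

# Constructed sample log buffer. Line 1 is the post's %FW-6-DROP_PKT message;
# the remaining lines are constructed for this example and are not real router output.
SAMPLE_LOGS = """\
*Mar 1 00:07:43.663: %FW-6-DROP_PKT: Dropping Other session 192.168.1.1:27668 192.168.2.2:23 on zone-pair INSIDE-OUTSIDE class class-default due to DROP action found in policy-map with ip ident 22620
*Mar 1 00:07:45.101: %FW-6-DROP_PKT: Dropping Other session 192.168.1.1:27669 192.168.2.2:22 on zone-pair INSIDE-OUTSIDE class class-default due to DROP action found in policy-map with ip ident 22621
*Mar 1 00:07:46.220: %FW-6-DROP_PKT: Dropping Other session 192.168.2.9:40000 192.168.1.1:80 on zone-pair OUTSIDE-INSIDE class class-default due to DROP action found in policy-map with ip ident 22622
*Mar 1 00:07:47.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
"""

# Field layout of the %FW-6-DROP_PKT message as shown on this page.
DROP_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ [\d:.]+): %FW-6-DROP_PKT: Dropping (?P<kind>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) due to (?P<action>\S+) action"
    r"(?:.* ip ident (?P<ident>\d+))?"
)

def parse_drop(line):
    """Return a dict of fields for a %FW-6-DROP_PKT line, or None for any other message."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "ident"):      # numeric fields; ident may be absent
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def summarize_drops(text):
    """Count dropped sessions per (zone-pair, destination port) over a log buffer."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_drop(line)
        if d:
            counts[(d["zone_pair"], d["dport"])] += 1
    return counts

if __name__ == "__main__":
    for (zp, port), n in sorted(summarize_drops(SAMPLE_LOGS).items()):
        print(f"{zp:16} dport {port:<5} dropped {n}")
```

Counting by zone-pair and destination port separates the expected noise (hosts on the inside trying services the policy deliberately does not allow) from drops on the OUTSIDE-INSIDE pair, which is the direction that deserves attention when reviewing these logs.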
