
Lecture CCNA security partner - Chapter 10: Cisco Firewalling Solutions Cisco IOS Zone-Based Firewall and Cisco ASA


Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA

© 2012 Cisco and/or its affiliates. All rights reserved.

1


Contents
At the end of this chapter, you will be able to do the following:
• Introduce and describe the function, operational framework, and building blocks of Cisco IOS Zone-Based Firewalls
• Describe the functions of zones and zone pairs, as well as their relationship in hierarchical policies
• Describe Cisco Common Classification Policy Language for creating zone-based firewall policies
• List the default policies for the different combinations of zone types
• Demonstrate the configuration and verification of zone-based firewalls using Cisco Configuration Professional and the CLI
• Demonstrate the configuration of NAT services for zone-based firewalls
• Describe the Cisco ASA family of products, identifying key supported features
• Describe the building blocks of Cisco ASA configuration


Cisco Firewall Solutions
Cisco offers several firewall solutions, each geared to a different environment. Current Cisco firewall offerings include:

• Cisco IOS Firewall
• Cisco ASA 5500 Adaptive Security Appliances
• Cisco ASA 1000V Cloud Firewall
• Cisco Virtual Security Gateway for Nexus 1000V Series Switch
• Cisco Catalyst 6500 Series ASA Services Module
• Cisco Catalyst 6500 Series Firewall Services Module
• Cisco Small Business SA500 Series Security Appliances



Cisco IOS Zone-Based Policy Firewall



Zone-Based Policy Firewall Overview

To demonstrate this model, the figure shows three zones:
• Untrusted: Represents the Internet
• DMZ: Demilitarized zone, which contains the corporate servers accessed by the public
• Trusted: Represents the inside network



Interzone Policies
The interzone policies in the figure are as follows:
• Public-DMZ: DMZ policy that sets the rules for traffic originating from the untrusted zone with the DMZ as destination
• DMZ-Private: Private policy that sets the rules for the traffic originating from the DMZ with the trusted zone as destination
• Private-DMZ: DMZ policy that sets the rules for the traffic originating from the trusted zone with the DMZ as destination
• Private-Public: Public policy that sets the rules for the traffic originating from the trusted zone with the untrusted zone as destination



Cisco IOS Zone-Based Policy Firewalls support the following features:
• Stateful inspection
• Application inspection
• URL filtering
• Per-policy parameter
• Transparent firewall
• Virtual routing and forwarding aware firewall



Benefits
Key benefits of zone-based policy firewall are as follows:
• It is not dependent on ACLs.
• The router security posture is restrictive (which means block unless explicitly allowed).
• C3PL makes policies easy to read and troubleshoot.
• One policy affects any given traffic instead of needing multiple ACL and inspection actions.



Zones and Zone Pairs

Interfaces Belong to Zone



Zone-Based Topology Examples
Simple Firewall Topology with Two Security Domains

Medium-Sized Organization with Three Zones




Introduction to Cisco Common Classification Policy Language
To create firewall policies, complete the following tasks:
Step 1. Define a match criterion (class map).
Step 2. Associate actions to the match criteria (policy map).
Step 3. Attach the policy map to a zone pair (service policy).



Components of Cisco Common Classification Policy Language

Cisco Common Classification Policy Language policies are modular, object oriented, and hierarchical in nature:
• Modular and object oriented: These traits give the firewall administrator the flexibility to create building-block objects such as class maps and policy maps, and reuse them within a given policy and across policies.
• Hierarchical: This feature results in powerful policies that can be expanded to include customized inspection, application layer rules, and advanced inspection features.



C3PL: If-Then-Else Structure



Modular Object-Oriented Configuration Design



Characteristics of class map objects
• Class maps that analyze Layer 3 and Layer 4 traffic sort the traffic based on the following criteria:
  • Access-group
  • Protocol
  • Class-map
• The match type defines how multiple match statements are processed to match the class:
  • If match-any is specified, traffic must meet any one of the match criteria in the class map.
  • If match-all is specified, traffic must match all of the class map criteria to belong to that particular class.



Zone-Based Policy Firewall Actions
The Cisco IOS Zone-Based Policy Firewall can take three possible actions when you configure it using CCP or the CLI:
• inspect: This action configures Cisco IOS stateful packet inspection.
• drop: This action is analogous to deny in an ACL. An additional log option can be added to drop to log dropped packets.
• pass: This action is analogous to permit in an ACL. The pass action does not track the state of connections or sessions within the traffic; pass allows the traffic only in one direction. A corresponding policy must be
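The following is an added configuration example, not taken from the slides, that puts the three C3PL steps (class map, policy map, service policy on a zone pair), the match-any/match-all class map types, the per-policy parameter map, and the inspect, drop and pass actions together in one working zone-based firewall. The zone names, class and policy names, ACL names, the 10.1.1.0/24 admin subnet and the assumption that GigabitEthernet0/0 is the LAN and GigabitEthernet0/1 faces the Internet are all illustrative choices. Because pass is stateless and one-directional, the example also configures a policy on the reverse zone pair so that the return VPN traffic is passed as well.

```cisco
! Added example; names, interfaces and addresses are assumptions.
!
! Step 1: match criteria (class maps)
ip access-list extended ADMIN-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
!
ip access-list extended VPN-PEERS
 permit esp any any
 permit udp any any eq isakmp
!
! match-any: a packet that matches any one protocol belongs to the class
class-map type inspect match-any WEB-DNS-CLASS
 match protocol http
 match protocol https
 match protocol dns
!
! match-all: the packet must come from ADMIN-HOSTS AND be SSH
class-map type inspect match-all ADMIN-SSH-CLASS
 match access-group name ADMIN-HOSTS
 match protocol ssh
!
! Nested class map: the two classes above reused as one building block
class-map type inspect match-any PRIVATE-TO-PUBLIC-CLASS
 match class-map WEB-DNS-CLASS
 match class-map ADMIN-SSH-CLASS
!
class-map type inspect match-any VPN-CLASS
 match access-group name VPN-PEERS
!
! Per-policy parameter map consumed by the inspect action
parameter-map type inspect INSPECT-PARAMS
 audit-trail on
 tcp idle-time 1800
!
! Step 2: actions (policy maps). class-default accepts only drop or pass;
! inspect is not allowed there, so unclassified traffic is dropped and logged.
policy-map type inspect PRIVATE-TO-PUBLIC-POLICY
 class type inspect PRIVATE-TO-PUBLIC-CLASS
  inspect INSPECT-PARAMS
 class type inspect VPN-CLASS
  pass
 class class-default
  drop log
!
! pass tracks no state and opens only one direction, so the
! returning VPN packets need their own policy on the reverse zone pair.
policy-map type inspect PUBLIC-TO-PRIVATE-POLICY
 class type inspect VPN-CLASS
  pass
 class class-default
  drop log
!
! Zones and interface membership (a zone must exist before it is referenced;
! each interface belongs to exactly one zone)
zone security PRIVATE
zone security PUBLIC
!
interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security PRIVATE
!
interface GigabitEthernet0/1
 description Internet (assumed)
 zone-member security PUBLIC
!
! Step 3: attach each policy map to a zone pair (service policy)
zone-pair security PRIVATE-PUBLIC source PRIVATE destination PUBLIC
 service-policy type inspect PRIVATE-TO-PUBLIC-POLICY
!
zone-pair security PUBLIC-PRIVATE source PUBLIC destination PRIVATE
 service-policy type inspect PUBLIC-TO-PRIVATE-POLICY
!
! Verification (exec mode):
! show class-map type inspect
! show policy-map type inspect
! show zone-pair security
! show policy-map type inspect zone-pair PRIVATE-PUBLIC sessions
```

The inspect action on PRIVATE-PUBLIC creates the session entries that let the HTTP, HTTPS, DNS and SSH replies back in, which is why no inspect class for those protocols appears on the PUBLIC-PRIVATE pair; only the stateless pass traffic has to be mirrored. Dropped packets show up in the log because of the log keyword on class-default, which is the quickest way to spot a protocol that the class maps forgot.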


Zone-Based Policy Firewall: Default Policies, Traffic Flows, and Zone Interaction
The membership of the router network interfaces in zones is subject to several rules governing interface behavior, as is the traffic moving between zone member interfaces:

• A zone must be configured before you can assign interfaces to the zone.
• You can assign an interface to only one security zone.
• Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
• To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
• Traffic cannot flow between a zone member interface and any interface that is not a zone member. You can apply pass, inspect, and drop actions only between two zones.
• Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection (CBAC) configuration.



Zone-Based Policy Firewall: Rules for Application Traffic



Zone-Based Policy Firewall: Rules for Router Traffic



Designing Cisco IOS Zone-Based Policy Firewalls
The following considerations should be weighed when designing Cisco IOS Zone-Based Policy Firewalls:
• An interface can be assigned to one zone and one zone only.
• An interface pair can be assigned one policy and one policy only.
• Consider default traffic flows for interfaces without zones, traffic flows between zones, and traffic flows to or from the router interfaces themselves.
• Inspection actions cannot be applied to the class-default class.
• The default policy action for unclassified traffic is drop.
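The membership rules and default flows from the two preceding slides, as an added configuration example that is not part of the original deck: two interfaces sharing one zone (no policy needed between them), an interface deliberately left out of every zone (isolated from all zone members), and a policy on the built-in self zone that governs traffic addressed to the router itself. Interface names, zone names and the 10.1.1.0/24 management subnet are assumptions made for the example.

```cisco
! Added example; interface names, zone names and 10.1.1.0/24 are assumed.
! A zone must exist before any interface can be assigned to it.
zone security PRIVATE
 description Inside LAN segments
zone security PUBLIC
 description Internet-facing
!
! Each interface belongs to exactly one zone. Gi0/0 and Gi0/2 share
! PRIVATE, so traffic between them is allowed with no policy at all.
interface GigabitEthernet0/0
 zone-member security PRIVATE
interface GigabitEthernet0/2
 zone-member security PRIVATE
interface GigabitEthernet0/1
 zone-member security PUBLIC
!
! Gi0/3 is left out of every zone. It still forwards to other
! non-zone interfaces, but traffic between Gi0/3 and any zone member
! (Gi0/0, Gi0/1, Gi0/2) is dropped, and since pass/inspect/drop apply
! only between two zones, the only way to permit it is to make Gi0/3
! a zone member as well.
interface GigabitEthernet0/3
 description Lab segment, intentionally unzoned
!
! With no zone pair configured, PRIVATE -> PUBLIC and PUBLIC -> PRIVATE
! are both dropped by default; a zone pair carrying an inspect or pass
! policy is what opens either direction.
!
! Traffic to and from the router's own addresses uses the built-in
! "self" zone. Unlike interface zones, self traffic is allowed by
! default until a zone pair involving self carries a policy. This pair
! limits what PRIVATE may send to the router to SSH and ICMP from the
! management subnet. Replies leave via self -> PRIVATE, which has no
! zone pair and so stays open.
ip access-list extended MGMT-TO-ROUTER
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit icmp 10.1.1.0 0.0.0.255 any
!
class-map type inspect match-any MGMT-CLASS
 match access-group name MGMT-TO-ROUTER
!
! pass is stateless: responses to sessions the router itself opens
! toward PRIVATE hosts (NTP, TACACS+ and similar) also arrive as
! PRIVATE -> self and would hit class-default unless the ACL above
! is extended to cover them.
policy-map type inspect MGMT-POLICY
 class type inspect MGMT-CLASS
  pass
 class class-default
  drop log
!
zone-pair security PRIVATE-SELF source PRIVATE destination self
 service-policy type inspect MGMT-POLICY
!
! Verification (exec mode):
! show zone security          (zone membership of each interface)
! show zone-pair security     (which pairs carry a policy)
```

A useful check after applying such a configuration is to confirm with show zone security that no production interface is accidentally listed under no zone, since an unzoned interface is silently cut off from every zone member rather than producing a visible policy drop.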



Configuring Basic Interzone Policies Using CCP and the CLI



Cisco IOS Zone-Based Firewall Configuration Scenario
Step 1. Start the Basic Firewall wizard.
Step 2. Select trusted and untrusted interfaces.
Step 3. Review and verify the resulting policies.
Step 4. (Optional) Enable logging.
Step 5. View firewall status and activity.
Step 6. (Optional) Modify basic policy objects.
Step 7. Verify CLI configuration.



Step 1: Start the Basic Firewall Wizard



Step 2: Select Trusted and Untrusted Interfaces

• Outside (untrusted) interface: Select the router interface that is connected to the Internet or to your organization’s WAN.
• Inside (trusted) interfaces: Check the physical and logical interfaces connecting to the LAN. You can select multiple interfaces.


Three levels
Three levels are available, implementing the following policies:
• High Security
  • The router identifies inbound and outbound instant messaging and peer-to-peer traffic and drops it.
  • The router checks inbound and outbound HTTP traffic and email traffic for protocol compliance, and drops noncompliant traffic.
  • The router returns traffic for other TCP and UDP applications if the session was initiated inside the firewall.
  • Choose this option if you want to prevent use of these applications on the network.

• Medium Security
  • The router identifies inbound and outbound instant messaging and peer-to-peer traffic, and checks inbound and outbound HTTP traffic and email traffic for protocol compliance.
  • The router returns TCP and UDP traffic on sessions initiated inside the firewall.
  • Choose this option if you want to track use of these applications on the


