Just to clarify:
DMZ - Your Demilitarized Zone for web servers and FTP servers
Guest - Wireless guest access to outside
Inside - Your inside LAN
Outside - Represents the Internet
Self - This is the router itself, traffic generated by the router and traffic destined to the router, e.g. TACACS+, SSH, Telnet, TFTP, etc.
In Part 2, we'll look at creating a simple guest wireless network which will allow users connected to the Guest wireless to access the Internet, but not the inside LAN.
! Define Zone for Zone Based Firewall
zone security GUEST
! Class-Map that matches criteria specified in the GUEST-TO-OUT-ACL
class-map type inspect GUEST-TO-OUT-CLASS
 match access-group name GUEST-TO-OUT-ACL
! Policy-Map to inspect guest traffic going outbound; anything else is dropped and logged
policy-map type inspect GUEST-TO-OUT-POLICY
 class type inspect GUEST-TO-OUT-CLASS
  inspect
 class class-default
  drop log
! Create Zone Pair and apply the Service-Policy (Policy-Map)
zone-pair security GUEST-TO-OUT source GUEST destination OUTSIDE
 service-policy type inspect GUEST-TO-OUT-POLICY
! Assign Zone to router interfaces
interface GigabitEthernet0/2
 zone-member security GUEST
! ACL allows the GUEST network (172.16.0.0/24) to access the Internet
ip access-list extended GUEST-TO-OUT-ACL
 permit ip 172.16.0.0 0.0.0.255 any
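A zone-based firewall only behaves as intended when every object in the chain (ACL, class-map, policy-map, zone-pair, interface membership) actually points at something that exists; a typo in one name silently changes what the router does. The checker below is an added example and not part of the original post: it parses a ZBF configuration in the shape shown above and reports dangling references, unbound zones and a `class-default` that passes unmatched traffic. The embedded sample config is constructed from the GUEST-to-OUTSIDE configuration in this post and additionally assumes an OUTSIDE zone bound to GigabitEthernet0/0, which the post does not show.

```python
"""Cross-reference checker for a Cisco IOS zone-based firewall (ZBF) config."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the post's GUEST-to-OUTSIDE config plus an assumed
# OUTSIDE zone on GigabitEthernet0/0 (assumption, not shown in the post).
SAMPLE_CONFIG = """
zone security GUEST
zone security OUTSIDE
class-map type inspect GUEST-TO-OUT-CLASS
 match access-group name GUEST-TO-OUT-ACL
policy-map type inspect GUEST-TO-OUT-POLICY
 class type inspect GUEST-TO-OUT-CLASS
  inspect
 class class-default
  drop log
zone-pair security GUEST-TO-OUT source GUEST destination OUTSIDE
 service-policy type inspect GUEST-TO-OUT-POLICY
interface GigabitEthernet0/2
 zone-member security GUEST
interface GigabitEthernet0/0
 zone-member security OUTSIDE
ip access-list extended GUEST-TO-OUT-ACL
 permit ip 172.16.0.0 0.0.0.255 any
"""


def parse_zbf(config: str) -> dict:
    """Collect ZBF objects and the names each references (keyword-driven,
    so it also copes with config pasted without IOS submode indentation)."""
    zones: Set[str] = set()
    acls: Set[str] = set()
    class_maps: Dict[str, List[str]] = {}                    # class-map -> ACLs matched
    policy_maps: Dict[str, Dict[str, Optional[str]]] = {}    # policy -> {class: action}
    zone_pairs: Dict[str, dict] = {}                         # pair -> src/dst/policy
    iface_zone: Dict[str, str] = {}                          # interface -> zone
    ctx: Optional[Tuple[str, str]] = None                    # (kind, name) of open block
    current_class: Optional[str] = None

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        kw = tokens[0].lower()
        if kw == "zone" and len(tokens) >= 3 and tokens[1].lower() == "security":
            zones.add(tokens[2])
            ctx = ("zone", tokens[2])
        elif kw == "class-map":      # class-map type inspect [match-any|match-all] NAME
            class_maps.setdefault(tokens[-1], [])
            ctx = ("class-map", tokens[-1])
        elif kw == "policy-map":     # policy-map type inspect NAME
            policy_maps.setdefault(tokens[-1], {})
            ctx, current_class = ("policy-map", tokens[-1]), None
        elif kw == "zone-pair":
            m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line, re.I)
            if m:
                zone_pairs[m.group(1)] = {"source": m.group(2), "destination": m.group(3), "policy": None}
                ctx = ("zone-pair", m.group(1))
        elif kw == "interface" and len(tokens) >= 2:
            ctx = ("interface", tokens[1])
        elif kw == "ip" and len(tokens) >= 4 and tokens[1].lower() == "access-list":
            acls.add(tokens[-1])
            ctx = ("acl", tokens[-1])
        elif ctx is None:
            continue
        elif kw == "match" and ctx[0] == "class-map":
            m = re.match(r"match access-group name (\S+)", line, re.I)
            if m:
                class_maps[ctx[1]].append(m.group(1))
        elif kw == "class" and ctx[0] == "policy-map":   # class type inspect NAME | class class-default
            current_class = tokens[-1]
            policy_maps[ctx[1]].setdefault(current_class, None)
        elif kw in ("inspect", "drop", "pass") and ctx[0] == "policy-map" and current_class:
            policy_maps[ctx[1]][current_class] = kw
        elif kw == "service-policy" and ctx[0] == "zone-pair":
            zone_pairs[ctx[1]]["policy"] = tokens[-1]
        elif kw == "zone-member" and ctx[0] == "interface":
            iface_zone[ctx[1]] = tokens[-1]
    return {"zones": zones, "acls": acls, "class_maps": class_maps,
            "policy_maps": policy_maps, "zone_pairs": zone_pairs, "iface_zone": iface_zone}


def audit_zbf(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the chain is consistent."""
    cfg = parse_zbf(config)
    findings: List[str] = []
    for cm, cm_acls in cfg["class_maps"].items():
        for acl in cm_acls:
            if acl not in cfg["acls"]:
                findings.append(f"class-map {cm} references undefined ACL {acl}")
    for pm, classes in cfg["policy_maps"].items():
        for cls in classes:
            if cls != "class-default" and cls not in cfg["class_maps"]:
                findings.append(f"policy-map {pm} references undefined class-map {cls}")
        if classes.get("class-default") == "pass":
            findings.append(f"policy-map {pm} passes all unmatched traffic in class-default")
    for zp, info in cfg["zone_pairs"].items():
        for role in ("source", "destination"):
            if info[role].lower() != "self" and info[role] not in cfg["zones"]:
                findings.append(f"zone-pair {zp} {role} zone {info[role]} is not defined")
        if info["policy"] is None:
            findings.append(f"zone-pair {zp} has no service-policy applied")
        elif info["policy"] not in cfg["policy_maps"]:
            findings.append(f"zone-pair {zp} references undefined policy-map {info['policy']}")
    bound = set(cfg["iface_zone"].values())
    for zone in sorted(cfg["zones"]):
        if zone not in bound:
            findings.append(f"zone {zone} has no interface members")
    return findings


if __name__ == "__main__":
    for finding in audit_zbf(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the text of `show running-config` (the ZBF sections are enough); the keyword-based parser does not depend on indentation, and the `self` zone is exempt from the interface-membership check because it is implicit in IOS rather than bound to an interface.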