CCNA Security – Firewalls

Firewall solutions:

  • packet filtering (ACLs)
  • proxy (traffic relayed through another machine; additional features: caching, content filtering, etc.)
  • stateful filtering (tracks sessions so the return traffic is allowed back)

Stateful filtering:

  • reflexive ACLs
  • CBAC (Context-Based Access Control)
  • Zone Based Firewall

Steps to create Zone Based Firewall:

  1. Identify zones (assign interfaces to zones)
  2. Identify traffic (class maps)
  3. Identify action (policy maps)
  4. Identify zone pairs
  5. Identify policy to zone pair mappings (service policy)

Action can be:

  • inspect (stateful; return traffic is allowed back automatically)
  • pass (allow without tracking state; return traffic needs its own rule)
  • drop


Zone Based Firewall

! default configuration of the interfaces (f0/0 faces OUTSIDE, f0/1 faces INSIDE)
configure terminal
interface f0/0
ip address <OUTSIDE-IP> <MASK>
no shutdown
interface f0/1
ip address <INSIDE-IP> <MASK>
no shutdown

! default route towards the outside next hop
ip route 0.0.0.0 0.0.0.0 <NEXT-HOP>

! create admin user (the secret is stored hashed, unlike "password")
username admin privilege 15 secret <PASSWORD>

! enable http and https for CCP
ip http server
ip http secure-server
ip http authentication local

! configure PAT: access-list 1 selects the inside hosts to translate
access-list 1 permit <INSIDE-NETWORK> <WILDCARD-MASK>
ip nat inside source list 1 interface f0/0 overload
interface f0/1
ip nat inside
interface f0/0
ip nat outside

! create zones
zone security OUTSIDE
zone security INSIDE

interface f0/0
zone-member security OUTSIDE
interface f0/1
zone-member security INSIDE

! create class-map (match-any: a packet matching any one protocol belongs to the class)
class-map type inspect match-any INSPECTED
match protocol icmp
match protocol tcp
match protocol udp

! create policy; a class without an action defaults to drop, so "inspect" must be set
policy-map type inspect POLICY
class type inspect INSPECTED
inspect

! create zone-pair; only INSIDE->OUTSIDE is defined, so unsolicited
! OUTSIDE->INSIDE traffic is dropped and replies are allowed by inspection
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect POLICY

! check configuration and the active inspected sessions
show policy-map type inspect zone-pair
show policy-map type inspect zone-pair sessions
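Added example, not part of the original notes: a small Python audit that parses a Zone Based Firewall config excerpt like the one above and reports the gaps that silently become drops (an interface in no zone, a zone-pair naming an undefined zone or lacking a service-policy, a policy-map class with no inspect/pass action). The parser only understands the commands used on this page, and the sample config is constructed.

```python
import re

# Constructed sample: the notes' ZBF config with two deliberate gaps for the
# audit to report: f0/1 is in no zone, and the policy class has no action.
SAMPLE_CONFIG = """\
zone security OUTSIDE
zone security INSIDE
interface f0/0
 zone-member security OUTSIDE
interface f0/1
policy-map type inspect POLICY
 class type inspect INSPECTED
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY
"""

def audit_zbf(config: str) -> list:
    # Parse the config excerpt, then report gaps that silently turn into drops.
    zones, iface_zone, policies, pairs = set(), {}, {}, {}
    iface = policy = pair = None  # context for the indented sub-mode lines
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m[1])
        elif m := re.match(r"interface (\S+)$", line):
            iface_zone.setdefault(iface := m[1], None)
        elif m := re.match(r"zone-member security (\S+)$", line):
            iface_zone[iface] = m[1]
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            policies.setdefault(policy := m[1], set())
        elif line in ("inspect", "pass", "drop") and policy:
            policies[policy].add(line)
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            pairs[(pair := m[1])] = {"src": m[2], "dst": m[3], "policy": None}
        elif m := re.match(r"service-policy type inspect (\S+)$", line):
            pairs[pair]["policy"] = m[1]
    findings = []
    for name, zone in iface_zone.items():
        if zone is None:  # no zone: traffic between it and any zone member is dropped
            findings.append(f"interface {name} is not a member of any zone")
    for name, p in pairs.items():
        for z in (p["src"], p["dst"]):
            if z not in zones and z != "self":
                findings.append(f"zone-pair {name} references undefined zone {z}")
        if p["policy"] is None:  # a pair with no policy drops everything
            findings.append(f"zone-pair {name} has no service-policy")
    for name, actions in policies.items():
        if not actions & {"inspect", "pass"}:  # no action: class traffic is dropped
            findings.append(f"policy-map {name} has no inspect or pass action")
    return findings
```

Run it against a `show running-config` excerpt saved to a file to get the same findings list; an empty list means the pieces of the five-step procedure above reference each other consistently.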