Features and Functionalities of the Cisco IOS Zone-Based Firewall

In a typical enterprise deployment, different parts of the network usually represent different departments, floors, buildings, or anything that shares common characteristics. 

Since these network parts consist of numerous endpoints and users with the same or similar network demands, such as access to various services, servers, or different network parts, you can apply one policy to filter out traffic coming in or going out.

When using Cisco ASA or Cisco Firepower NGFW firewalls, these appliances allow you to create zones and apply policy enforcement on the traffic exchanged between those. 

However, routers by default do not support this approach, and you need a special type of Cisco IOS so that the router can function like a firewall and inspect traffic between the configured zones.

This article will outline the following:

• An overview of the Cisco IOS zone-based firewall.
• An outline of the supported features and benefits it provides.
• An overview of the importance of zones and zones pairs.
• A familiarization with the C3PL configuration language.
• An explanation of configuring zone-based firewall policy on a Cisco router.

Not what you were looking for today? View some of our popular articles:

• A Must-Have Guide - Risk-Free: Protect Against VLAN and STP Attacks
• 4 Steps of Private VLAN Configuration (Back to Basics)
• What Is Public Key Infrastructure and How Important Is It?

Cisco IOS Zone-Based Policy Firewall Overview

The main goal of using a zone-based policy firewall is to separate the network into different zones and apply an inspection policy to traffic exchanged between the zones. These interzone policies provide increased flexibility and granularity, which results in a more optimized way of performing policy-based traffic filtering.

Based on the network design, specific interfaces are added to different zones, allowing you to easily inspect traffic to multiple host groups connected to the same router interface. This way, you can easily translate the traffic movement requirements into policy rules and permit or deny certain traffic moving between the zones (for example, between different departments). 

The zone-based policy firewall is configured with the Cisco Common Classification Policy Language, also known as C3PL configuration language. It uses a hierarchical structure to classify different types of traffic and apply appropriate inspection (or other actions) to it when being sent from one zone into another. 

Cisco IOS zone-based policy firewall, just like the standard firewalls, act similarly and supports these various features that are not supported on a regular Cisco router by default, among others:

• Stateful inspection.
• Application inspection.
• Transparent firewall.
• URL filtering.

An Introduction to Zones

A zone is a collection of networks that is reachable over a specific set of router interfaces. 

Usually, a zone represents a department or a specific part of the network. On a Cisco IOS zone-based policy firewall, you can create as many zones as you need based on the requirements. 

Once the zones are configured, you need to define which router interfaces belong to which zone. The rules are straightforward, and one interface can belong to only one zone, while multiple interfaces can be part of the same zone. There is also a type of zone called “self zone” that does not have any interfaces as members.

The default behavior allows unrestricted traffic exchange between interfaces that belong to the same zone while at the same time denying communications between different zones. However, the default rule can be modified based on the requirements, and interzone traffic can be allowed.

As you can notice in the image above, interface Fa0/1 is part of Zone 1, while interfaces Fa0/2 and Fa0/3 belong to Zone 2. By default, communication between Zone 1 and Zone 2 is not allowed, while intrazone traffic exchange in Zone 2 is allowed between interfaces Fa0/2 and Fa03.

________________

Hardware Options For You

Here at PivIT, we know the importance doesn't stop with the device itself. It stretches to what is available today, financing options, and more. We make it easy for you to find the hardware to build your network on your terms.

________________

The Purpose of Zone Pairs

Because the default behavior does not suit the typical traffic exchange requirements in enterprise networks, you need to make additional policy modifications. You can do this by implementing zone pairs on the router. 

A zone pair specifies a unidirectional policy between two security zones, and the direction of the allowed traffic communication is indicated by defining a source and destination zone. To allow communication between two zones in both directions, you need to create two zone pairs in which the same zones will be used as a source and destination per zone pair. 

When a system-defined self zone is used in a zone pair with an explicitly defined zone, the associated policy applies to traffic destined for the router or originated by the router but never to traffic going through the router.

As you can see in the image above, two zone pairs must be configured so that Zone 1 and Zone 2 can exchange traffic with each other. Zone pair 1 allows communication from Zone 1 to Zone 2, while Zone pair 2 allows communication from Zone 2 to Zone 1.

Creating Policies With C3PL

When zone pairs are configured, traffic still cannot flow from one zone to another. You have to apply a policy on the zone pair by using the C3PL configuration language. It is similar to Modular QoS CLI (MQC) and Modular Policy Framework (MPF). It consists of three parts:

• Class map: Uses various matching criteria, such as access groups and protocols, to identify and classify certain traffic. The match-any or match-all option can be used to process the matching criteria.
  
  
• Policy map: Defines actions such as inspect, drop or pass for the traffic matched by the class maps.
  
  
• Service policy: Specifies the zone pair where the policy map should be applied. Only one service policy is allowed to be applied to a given zone pair in the direction that is defined by the zone pair.

How to Configure C3PL

The procedure to configure C3PL on Cisco IOS zone-based policy firewall is straightforward and consists of the following steps:

1. Define zones.
2. Assign interface to zones.
3. Define class maps.
4. Define policy maps.
5. Define zone pairs.
6. Apply policy maps to zone pairs.

As you can see in the image above, there is only one zone pair: Zone1_to_Zone2, with Zone1 as a source and Zone2 as a destination. The requirement is to inspect (stateful) the traffic sent from Zone1 to Zone2, which will allow the return traffic while denying all traffic initiated from Zone2 and destined for Zone1 because of the lack of a zone pair allowing that.

You need to configure the following commands on the router so that the requirement is satisfied: 

________________

Long lead times getting you down and making deadlines impossible to meet? What if there's a simple solution and more?

- Get a single source for your IT needs.

- Get hardware options to match your budget.

- Get speedy fast lead times.

View PivIT's OneCall Flexible Service Level Agreements to get next-day or 4-hour hardware replacements, or on-site spares. We have a solution for everyone!

________________

Router as a Simple Replacement for a Firewall

Using a firewall in a network is the best option for policy enforcement. However, you will not always have that luxury. This might be a common approach for headquarters but not for small branch offices. 

Therefore, using a Cisco IOS zone-based policy firewall will allow you to support various firewall policy filtering features while simultaneously permitting and denying specific traffic being exchanged between different parts of the network according to your needs. Use this guide the next time you need a refresher on this critical process.