Zone-Based Policy Firewall Guide

Uploaded by qdxhdqp2pk

Step-by-Step Lab Guide

Configuring a Zone-Based Policy Firewall (ZPF)

Lab Overview

• Objective: Configure a Zone-Based Policy Firewall on Cisco Router R3.
• Key Tasks:
  • Verify network connectivity
  • Create firewall zones and policies
  • Test firewall functionality using ping, Telnet, and web access
• Devices:
  • Routers R1, R2, R3
  • PCs: PC-A, PC-C
• Firewall Goal: Allow internal access to external resources while blocking external access to internal resources.
Understanding Zone-Based Policy Firewall (ZPF)

• What is a Zone-Based Policy Firewall (ZPF)?
  • A Zone-Based Policy Firewall is an advanced firewall configuration approach that categorizes the router interfaces into different security zones. Traffic between these zones is controlled based on policies you define, offering a more structured and manageable security configuration than traditional access control lists (ACLs).
• How ZPF Works:
  • Zones: A zone is a logical grouping of one or more interfaces. Examples include internal, external, or DMZ zones. Interfaces in the same zone have unrestricted communication, while traffic between zones is controlled by the firewall policies.
  • Zone Pairs: These define the direction of traffic flow between zones, specifying the source and destination zones. A zone pair with a policy must be created for traffic to flow from one zone to another; without one, traffic between two zones is dropped by default.
  • Policies: Define the rules that determine how traffic is handled between zones. Options include:
    • Inspect: Allows traffic and tracks it statefully, so that return traffic belonging to the same session is also permitted.
    • Pass: Allows traffic without inspection.
    • Drop: Blocks traffic and provides no response to the sender.
• Advantages of Using ZPF:
  • Improved Security: By isolating traffic between zones, you minimize the risk of unauthorized access or attacks spreading within your network.
  • Granular Control: Policies allow you to specify which types of traffic are allowed or denied, making security management more precise.
  • Simplified Management: Unlike traditional ACLs, ZPF provides a more intuitive way to configure and manage security policies based on zones and traffic flows.
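The forwarding rules described above (members of one zone talk freely, traffic between zones is dropped unless a zone pair's policy matches it, and the inspect action learns sessions so that return traffic is admitted) as a small Python model. This is an added example, not code from the lab guide or from Cisco IOS; it uses the lab's zone names and the 192.168.3.0/24 subnet from ACL 101, while the host addresses for PC-A, PC-C and R2 and the decision function itself are constructed assumptions.

```python
import ipaddress

# Zone membership and ACL 101 as configured in the lab; host addresses used below are constructed.
ZONE_OF_IF = {"Fa0/1": "IN-ZONE", "S0/0/1": "OUT-ZONE"}
INSIDE_NET = ipaddress.ip_network("192.168.3.0/24")

def in_net_class(p):                      # class-map IN-NET-CLASS-MAP: match access-group 101
    return ipaddress.ip_address(p["src"]) in INSIDE_NET

# The only zone pair the lab creates. OUT-ZONE -> IN-ZONE has no pair, so it is dropped by default.
ZONE_PAIRS = {("IN-ZONE", "OUT-ZONE"): [(in_net_class, "inspect")]}

class Zpf:
    def __init__(self):
        self.sessions = set()             # flows learned by the inspect action

    def decide(self, in_if, out_if, p):
        """Return (allowed, reason) for packet p entering in_if and leaving out_if."""
        flow = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if reverse in self.sessions:      # return traffic of an inspected session
            return True, "session"
        src_zone, dst_zone = ZONE_OF_IF.get(in_if), ZONE_OF_IF.get(out_if)
        if src_zone is None and dst_zone is None:
            return True, "not zoned"      # ZPF ignores traffic between non-zone interfaces
        if src_zone is None or dst_zone is None:
            return False, "zone to non-zone"
        if src_zone == dst_zone:
            return True, "intra-zone"     # members of one zone talk freely
        for matcher, action in ZONE_PAIRS.get((src_zone, dst_zone), []):
            if matcher(p):
                if action == "inspect":
                    self.sessions.add(flow)
                return action != "drop", action
        return False, "default drop"      # no zone pair, or class-default of the policy map

def pkt(src, dst, proto="tcp", sport=40000, dport=80):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def lab_checks():
    """Replay the Task 6 and Task 7 tests against the model (addresses constructed)."""
    fw = Zpf()
    pc_c, pc_a, r2 = "192.168.3.3", "192.168.1.3", "10.1.1.2"
    return {
        "PC-C -> PC-A web": fw.decide("Fa0/1", "S0/0/1", pkt(pc_c, pc_a)),
        "PC-A -> PC-C reply": fw.decide("S0/0/1", "Fa0/1", pkt(pc_a, pc_c, sport=80, dport=40000)),
        "PC-A -> PC-C ping": fw.decide("S0/0/1", "Fa0/1", pkt(pc_a, pc_c, "icmp", 0, 0)),
        "R2 -> PC-C ping": fw.decide("S0/0/1", "Fa0/1", pkt(r2, pc_c, "icmp", 0, 0)),
    }
```

The same model also shows why an internal host outside 192.168.3.0/24 would be dropped: it falls through the class map to the policy map's class-default.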
Task 1: Verify Basic Network Connectivity

• Objective: Test initial connectivity to confirm network setup.
• Steps:
  • Ping PC-C from PC-A: Verify a successful connection.
  • Telnet from PC-C to R2's S0/0/1 interface: Test Telnet functionality.
  • Access Web Server on PC-A from PC-C: Open the server page in a browser on PC-C.
• Expected Result: All connectivity checks should pass.
Task 2 - Create Firewall Zones on R3

• This step defines and creates security zones on Router R3. These zones logically segment and secure network traffic.
• Steps to Create Firewall Zones:
  • Create an Internal Zone:
    • We need to create a security zone for internal traffic named IN-ZONE.
    • R3(config)# zone security IN-ZONE
    • This zone will manage and secure traffic originating from the internal network (e.g., LAN traffic).
  • Create an External Zone:
    • Next, create a security zone for external traffic named OUT-ZONE.
    • R3(config)# zone security OUT-ZONE
    • This zone will manage and secure traffic going to or coming from external networks (e.g., the Internet or WAN traffic).
• Why Create Zones?
  • Traffic Control: Zones allow us to implement security policies that control traffic flow between different network parts. Without zones, segmenting and managing traffic securely would be difficult.
  • Isolation: By defining zones, we can isolate different network parts, reducing the risk of unauthorized access and enhancing overall network security.
Task 3 - Define a Traffic Class and Access List

• In this task, we define which traffic will be inspected by the firewall using an Access Control List (ACL) and a class map. This is crucial in configuring the Zone-Based Policy Firewall (ZPF) to control traffic handling.
• Steps to Define a Traffic Class and ACL:
  • Create an Access Control List (ACL):
    • The ACL will define the specific traffic the firewall needs to inspect and manage.
    • R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any
    • This ACL identifies traffic originating from the internal network (192.168.3.0/24). When the ACL is referenced from a class map, its permit entry selects that traffic for inspection rather than filtering it directly.
  • Create a Class Map to Reference the ACL:
    • We use a class map to define a set of traffic that the firewall policy will inspect.
    • R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP
      • class-map type inspect: creates a class map for inspection.
      • match-all: means all the criteria (in this case, the ACL) must be matched.
      • IN-NET-CLASS-MAP: is the name of the class map.
    • R3(config-cmap)# match access-group 101
      • links the class map to ACL 101, specifying that traffic defined in the ACL will be inspected.
    • The class map groups the traffic specified in the ACL, making it easier to apply policies to this traffic.
• Why Define a Traffic Class and ACL?
  • Traffic Identification: Using ACLs and class maps, we can identify and specify the traffic the firewall will inspect.
  • Granular Control: This approach gives us fine-grained control over what traffic is inspected, blocked, or allowed, enhancing network security.
Task 4 - Specify Firewall Policies

• This task involves creating and configuring a policy map to determine how the Zone-Based Policy Firewall (ZPF) will handle the identified traffic. Based on our defined class map, we specify actions, like inspecting or dropping traffic.
• Steps to Specify Firewall Policies:
  • Create a Policy Map:
    • A policy map defines the actions the firewall should take for traffic identified by the class map.
    • R3(config)# policy-map type inspect IN-2-OUT-PMAP
      • policy-map type inspect: creates a new policy map for inspecting traffic.
      • IN-2-OUT-PMAP: is the name given to the policy map.
    • This policy map will manage traffic from the internal zone to the external zone.
  • Reference the Class Map in the Policy Map:
    • We specify which class map the policy map should apply to.
    • R3(config-pmap)# class type inspect IN-NET-CLASS-MAP
      • class type inspect: references the class map we created earlier.
      • IN-NET-CLASS-MAP: is the name of the class map that defines the internal traffic.
    • This associates the class map (which identifies internal traffic) with the policy map, so the policy actions are applied to that traffic.
  • Specify the Action for the Policy Map:
    • We use the inspect action to apply context-based access control.
    • R3(config-pmap-c)# inspect
      • Inspect: enables the firewall to monitor traffic flows and dynamically allow return traffic. This is a stateful inspection where the firewall keeps track of active connections.
      • Note: If no specific protocols are configured in the class map, all protocols will be inspected.
    • The inspection action ensures that internal traffic can be securely monitored and allowed while allowing return traffic as part of the same session.
• Why Specify Firewall Policies?
  • Traffic Management: The policy map controls how traffic between zones is managed, allowing us to permit, inspect, or block traffic based on security requirements.
  • Stateful Inspection: The firewall provides stateful packet inspection by using the inspect action, ensuring that only legitimate return traffic is allowed.
Task 5 - Apply Firewall Policies

• This task involves applying the previously defined firewall policies to specific traffic flows between zones on Router R3. In doing so, we enforce security rules for traffic moving between the internal and external network zones.
• Steps to Apply Firewall Policies:
  • Create a Zone Pair:
    • A zone pair defines the direction of traffic flow between two security zones and allows us to apply the policy map to manage traffic between these zones.
    • R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
      • zone-pair security: creates a zone pair.
      • IN-2-OUT-ZPAIR: is the name of the zone pair, indicating traffic from the internal zone to the external zone.
      • source IN-ZONE: specifies the internal zone as the source.
      • destination OUT-ZONE: specifies the external zone as the destination.
    • This command establishes the relationship between the two zones, specifying the direction of the traffic flow.
  • Attach the Policy Map to the Zone Pair:
    • The policy map we created earlier is now attached to the zone pair to enforce the firewall rules.
    • R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
      • service-policy type inspect: attaches the inspection policy to the zone pair.
      • IN-2-OUT-PMAP: is the name of the policy map that defines the inspection actions.
    • This step ensures that all traffic moving from the internal zone to the external zone is inspected and handled according to the rules in the policy map.

Task 5 - Apply Firewall Policies (continued)

• Steps to Apply Firewall Policies:
  • Assign Interfaces to Security Zones:
    • We assign the physical interfaces on Router R3 to the appropriate security zones:
    • Assign Fa0/1 to the Internal Zone:
      • R3(config)# interface fa0/1
      • R3(config-if)# zone-member security IN-ZONE
    • Assign S0/0/1 to the External Zone:
      • R3(config)# interface s0/0/1
      • R3(config-if)# zone-member security OUT-ZONE
    • By associating interfaces with zones, we specify which traffic flows are subject to the firewall rules. This assignment is critical for enforcing security between network segments.
  • Save the Configuration:
    • We save the running configuration to ensure that changes are not lost after rebooting.
    • R3# copy running-config startup-config
    • This command saves the current configuration to the startup configuration file in NVRAM, preserving the settings.
• Why Apply Firewall Policies?
  • Traffic Control: By creating a zone pair and attaching a policy map, we can control and secure traffic flows between network zones.
  • Security Enforcement: Associating interfaces with zones ensures that all traffic is subject to inspection and security rules, protecting the network from unauthorized access and threats.
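An added example (not part of the lab guide, and not a Cisco tool) that reviews the R3 configuration built in Tasks 2 to 5 before the lab is declared complete: it parses the ZPF objects out of IOS-style configuration text and flags a zone pair with no service policy, an interface missing its zone-member assignment, or any OUT-ZONE to IN-ZONE zone pair whose policy would admit traffic. The embedded configuration is constructed to reproduce the lab's commands, and the full interface names FastEthernet0/1 and Serial0/0/1 are assumed to correspond to the Fa0/1 and S0/0/1 abbreviations used in the guide.

```python
import re
# Constructed running-config excerpt reproducing the lab's ZPF commands (not captured from R3).
RUNNING_CONFIG = """\
zone security IN-ZONE
zone security OUT-ZONE
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
interface FastEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/1
 zone-member security OUT-ZONE
"""

def parse_zpf(config):
    # Collect zones, policy-map class actions, zone pairs and interface zone membership.
    cfg = {"zones": set(), "policy_maps": {}, "zone_pairs": {}, "interfaces": {}}
    block = cls = None
    for line in config.splitlines():
        cmd = line.strip()
        if not line.startswith(" "):          # top-level command: starts (or ends) a block
            block = None
            if m := re.match(r"zone security (\S+)$", cmd):
                cfg["zones"].add(m[1])
            elif m := re.match(r"policy-map type inspect (\S+)", cmd):
                block = cfg["policy_maps"].setdefault(m[1], {})
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", cmd):
                block = cfg["zone_pairs"].setdefault(m[1], {"src": m[2], "dst": m[3]})
            elif m := re.match(r"interface (\S+)", cmd):
                block = cfg["interfaces"].setdefault(m[1], {})
        elif block is not None:               # indented sub-command of the current block
            if m := re.match(r"class (?:type inspect )?(\S+)", cmd): cls = m[1]
            elif cmd in ("inspect", "pass", "drop"): block[cls] = cmd
            elif m := re.match(r"service-policy type inspect (\S+)", cmd): block["policy"] = m[1]
            elif m := re.match(r"zone-member security (\S+)", cmd): block["zone"] = m[1]
    return cfg

def audit(cfg):
    # Return findings; an empty list means the config matches the lab's intent.
    findings = []
    for name, zp in cfg["zone_pairs"].items():
        pm = cfg["policy_maps"].get(zp.get("policy"))
        if pm is None:
            findings.append(f"{name}: no policy map attached, so the zone pair drops everything")
        elif (zp["src"], zp["dst"]) == ("OUT-ZONE", "IN-ZONE") and set(pm.values()) != {"drop"}:
            findings.append(f"{name}: lets traffic from OUT-ZONE reach IN-ZONE")
    for intf, zone in {"FastEthernet0/1": "IN-ZONE", "Serial0/0/1": "OUT-ZONE"}.items():
        if cfg["interfaces"].get(intf, {}).get("zone") != zone:
            findings.append(f"{intf}: expected zone-member security {zone}")
    return findings
```

Run it as `audit(parse_zpf(open("r3-running-config.txt").read()))` against text captured with show running-config; an empty list is the pass condition.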
Task 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE

• The goal of this task is to verify that the configured Zone-Based Policy Firewall (ZPF) on Router R3 is working as intended. Specifically, we will ensure that internal hosts in the IN-ZONE can successfully access external resources in the OUT-ZONE.
• Testing Steps:
  • Ping PC-A from PC-C: Confirm successful ping.
    • This confirms that traffic from the internal zone (IN-ZONE) to the external zone (OUT-ZONE) is permitted and that the firewall rules correctly allow this traffic.
  • Telnet from PC-C to R2:
    • This indicates that Telnet traffic is allowed from IN-ZONE to OUT-ZONE. It also provides an opportunity to verify active sessions on Router R3.
  • Access PC-A Server from PC-C via Browser: Verify the web page loads.
    • This shows that the firewall rules permit HTTP traffic from the internal zone to the external zone.

Task 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE (continued)

• Testing Steps:
  • View Sessions on R3:
    • R3# show policy-map type inspect zone-pair sessions
    • This command displays the details of currently active sessions being inspected by the firewall.
  • What to Look For:
    • Source IP Address and Port Number: Identify the internal host's IP address and the originating port.
    • Destination IP Address and Port Number: Verify the external resource's IP address and the destination port.
• Why Test Firewall Functionality?
  • Verification: Testing ensures that the firewall rules allow legitimate traffic from IN-ZONE to OUT-ZONE while inspecting and managing these connections.
  • Troubleshooting: Observing session details on Router R3 allows you to troubleshoot any issues or confirm that traffic is being handled as expected.
Task 7 - Test Firewall Functionality from OUT-ZONE to IN-ZONE

• The purpose of this task is to verify that the Zone-Based Policy Firewall (ZPF) on Router R3 is correctly blocking unauthorized access attempts from the external zone (OUT-ZONE) to the internal zone (IN-ZONE). This ensures that the firewall rules properly enforce security by preventing external hosts from reaching internal resources.
• Steps to Test Firewall Functionality:
  • Step 1: Attempt to Ping PC-C (Internal Host) from PC-A (External Host): The ping should fail.
    • The failure indicates that ICMP traffic from OUT-ZONE to IN-ZONE is being blocked by the firewall rules, as designed. This behavior is crucial to protect internal resources from external threats.
  • Step 2: Attempt to Ping PC-C from Router R2: The ping should fail.
    • This verifies that even network devices in the OUT-ZONE (like Router R2) cannot access hosts in the IN-ZONE. This restriction helps prevent any unauthorized access attempts from external networks.
  • Step 3: Check Results and Firewall Configuration
    • Verification: Ensure the Zone-Based Policy Firewall functions correctly by checking that all external access attempts to internal resources have been denied.
    • Completion Check: Confirm that your configuration is correct and that the firewall rules are enforced as expected.
• Why Test Firewall Blocking Functionality?
  • Security Assurance: This test ensures the firewall protects the internal network from unauthorized or malicious external access.
  • Rule Effectiveness: By testing access attempts from OUT-ZONE to IN-ZONE, you can confirm that the firewall is applying policies accurately, blocking all traffic that should not be permitted.
Summary

• Defined security zones and assigned interfaces
• Configured traffic classes and policies
• Applied firewall policies between zones
• Verification:
  • Confirmed access from internal to external resources
  • Verified blocked access from external to internal
