Cisco SMB Support Assistant

Configure Zone Based Firewall on Cisco Routers

Contents

Introduction
Requirements
Overview of Zone-Based Policy Network Security on Cisco Routers
Zone based firewall Configuration Examples
Stateful Inspection Routing Firewall
Stateful Inspection Transparent Firewall
Next Step
Troubleshoot the Procedure
Related Information
Introduction

This document describes how to configure Zone based firewall on Cisco Routers. Cisco IOS Classic Firewall stateful inspection (formerly known as Context-Based Access Control, or CBAC) employed an interface-based configuration model, in which a stateful inspection policy was applied to an interface. All traffic passing through that interface received the same inspection policy. This configuration model limited the granularity of the firewall policies and caused confusion about the proper application of firewall policies, particularly in scenarios where firewall policies must be applied between multiple interfaces.

Zone-Based Policy Firewall (also known as Zone-Policy Firewall, or ZFW) changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.


Requirements

Before you perform the steps described in this document, make sure that:

You have completed the initial configuration in the Configure Your Router with Security Device Manager document.

You have completed the LAN Addressing Worksheet from the Site Survey.

The router is running Cisco IOS software version 12.4(6)T or above.


Overview of Zone-Based Policy Network Security

A security zone must be configured for each region of relative security within the network, so that all interfaces that are assigned to the same zone are protected with a similar level of security. For example, consider an access router with three interfaces:

One interface connected to the public Internet

One interface connected to a private LAN that must not be accessible from the public Internet

One interface connected to an Internet service demilitarized zone (DMZ), where a Web server, Domain Name System (DNS) server, and e-mail server must be accessible to the public Internet

Each interface in this network is assigned to its own zone, although you might want to allow varied access from the public Internet to specific hosts in the DMZ and varied application use policies for hosts in the protected LAN.

Figure 1: Basic Security Zone Topology

In this example, each zone holds only one interface. If an additional interface is added to the private zone, the hosts connected to the new interface in the zone can pass traffic to all hosts on the existing interface in the same zone. Additionally, the hosts' traffic to hosts in other zones is similarly affected by the existing policies.

Typically, the example network has three main policies:

Private zone connectivity to the Internet

Private zone connectivity to DMZ hosts

Internet zone connectivity to DMZ hosts

Zone based firewall imposes a prohibitive default security posture. Therefore, unless the DMZ hosts are specifically provided access to other networks, other networks are safeguarded against any connections from the DMZ hosts. Similarly, no access is provided for Internet hosts to access the private zone hosts, so private zone hosts are safe from unwanted access by Internet hosts.

Zone based firewall works on the concept of policies created for traffic moving between the zones. To create firewall policies, you must complete these tasks:

Define match criteria (class map)

Associate actions to the match criteria (policy map)

Attach the policy map to a zone pair (service policy)

A class is a way of identifying a set of packets based on its contents. Normally you define a class so that you can apply an action on the identified traffic that reflects a policy. A class is designated via class maps. The class-map command creates a class map to be used for matching packets to a specified class.

An action is a specific functionality; for example, inspect, drop, pass, and police are actions. An action is defined for a class using a policy map. Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you can configure policies for classes whose match criteria are defined in a class map.


Zone based firewall Configuration Examples

In this configuration example the router is separated into five zones:

The public Internet is connected to FastEthernet 0 (Internet zone)

Two Internet servers are connected to FastEthernet 1 (DMZ zone)

The Ethernet switch is configured with two VLANs:

Workstations are connected to VLAN 1 (client zone).

Servers are connected to VLAN 2 (server zone).

The client and server zones are in the same subnet. A transparent firewall is applied between the zones, so the inter-zone policies on those two interfaces only affect traffic between the client and server zones.

The VLAN 1 and VLAN 2 interfaces communicate with other networks through the bridge virtual interface (BVI1). This interface is assigned to the private zone. (See Figure 2.)

Figure 2: Zone Topology Detail

These policies are applied, using the network zones defined earlier:

Hosts in the Internet zone can reach DNS, SMTP, and SSH services on one server in the DMZ. The other server offers SMTP, HTTP, and HTTPS services. The firewall policy restricts access to the specific services available on each host.

The DMZ hosts cannot connect to hosts in any other zone.

Hosts in the client zone can connect to hosts in the server zone on all TCP, UDP, and ICMP services.

Hosts in the server zone cannot connect to hosts in the client zone, except that a UNIX-based application server can open X Windows client sessions to X Windows servers on desktop PCs in the client zone on ports 6900 to 6910.

All hosts in the private zone (the combination of clients and servers) can access hosts in the DMZ on SSH, FTP, POP, IMAP, ESMTP, and HTTP services, and hosts in the Internet zone on HTTP, HTTPS, and DNS services and ICMP. Furthermore, application inspection is applied on HTTP connections from the private zone to the Internet zone in order to assure that supported instant messaging and P2P applications are not carried on port 80. (See Figure 3.)

Figure 3: Zone-Pair service permissions to be applied in the configuration example

These firewall policies are configured in order of complexity:

1. Clients-Servers TCP/UDP/ICMP inspection

2. Private-DMZ SSH/FTP/POP/IMAP/ESMTP/HTTP inspection

3. Internet-DMZ SMTP/HTTP/DNS inspection restricted by host address

4. Servers-Clients X Windows inspection with a port-application mapping (PAM)-specified service

5. Private-Internet HTTP/HTTPS/DNS/ICMP with HTTP application inspection

Because you apply portions of the configuration to different network segments at different times, it is important to remember that a network segment loses connectivity to other segments when it is placed in a zone. For instance, when the private zone is configured, hosts in the private zone lose connectivity to the DMZ and Internet zones until their respective policies are defined. Traffic between an interface that is a zone member and an interface that belongs to no zone is dropped as well, whereas traffic to and from the router itself (the implicit self zone) remains permitted by default. Plan the order of changes so that you do not cut off your own management session.

Stateful Inspection Routing Firewall

Configure Private-Internet Policy

Figure 4 illustrates the configuration of the private-Internet policy.

The private-Internet policy applies Layer 7 inspection to HTTP, HTTPS, and DNS, and Layer 4 inspection to ICMP, from the private zone to the Internet zone. This allows connections from the private zone to the Internet zone, and allows the return traffic. Layer 7 inspection carries the advantages of tighter application control, better security, and support for applications requiring fixup. However, Layer 7 inspection requires a better understanding of network activity, as Layer 7 protocols that are not configured for inspection are not allowed between zones.

1. Define class-maps that describe the traffic that you want to permit between zones, according to the policies described earlier.

2. Configure a policy-map to inspect traffic on the class-maps you just defined.

3. Configure the private and Internet zones and assign router interfaces to their respective zones.

4. Configure the zone-pair and apply the appropriate policy-map.

Note: You only need to configure the private-Internet zone pair at present in order to inspect connections sourced in the private zone traveling to the Internet zone.

This completes the configuration of the Layer 7 inspection policy on the private-Internet zone-pair to allow HTTP, HTTPS, DNS, and ICMP connections from the private zone to the Internet zone and to apply application inspection to HTTP traffic to assure that unwanted traffic is not allowed to pass on TCP 80, HTTP's service port.

Configure Private-DMZ Policy

Figure 5 illustrates the configuration of the private-DMZ policy.

The private-DMZ policy adds complexity because it requires a better understanding of the network traffic between zones.

This policy applies Layer 7 inspection from the private zone to the DMZ. This allows connections from the private zone to the DMZ, and allows the return traffic. Layer 7 inspection carries the advantages of tighter application control, better security, and support for applications requiring fixup. However, Layer 7 inspection, as mentioned, requires a better understanding of network activity, as Layer 7 protocols that are not configured for inspection are not allowed between zones.

1. Define class-maps that describe the traffic that you want to permit between zones, according to the policies described earlier.

2. Configure policy-maps to inspect traffic on the class-maps you just defined.

3. Configure the private and DMZ zones and assign router interfaces to their respective zones.

4. Configure the zone-pair and apply the appropriate policy-map.

Note: You only need to configure the private-DMZ zone-pair at present in order to inspect connections sourced in the private zone traveling to the DMZ.

This completes the configuration of the Layer 7 inspection policy on the private-DMZ zone-pair to allow SSH, FTP, POP, IMAP, ESMTP, and HTTP connections from the private zone to the DMZ. Because these protocols are inspected at Layer 7, applications such as FTP that negotiate a subordinate data channel get their fixup applied; any protocol not listed in the class-map is dropped.
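The configuration below is an added example, not the page's own configuration or a Cisco-published one. It implements the three building blocks from the overview (class map, policy map, service policy on a zone pair) for both the private-Internet and the private-DMZ procedures above, including the HTTP application inspection that keeps instant-messaging and P2P traffic off port 80. The interface names (FastEthernet0, FastEthernet1, BVI1) and zone names follow the example topology; the class-map and policy-map names and the decision to log dropped traffic are assumptions.

```cisco-ios
! --- Private-to-Internet policy -----------------------------------------
! Match criteria (class map). match-any: a packet belonging to any one of the
! listed protocols is in the class. Anything not listed (SMTP, SSH, ...) will
! be dropped by the zone-pair: this is the Layer 7 caveat from the text.
class-map type inspect match-any private-internet-protocols
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Layer 7 HTTP class and policy: identify IM and P2P clients tunnelled over
! TCP 80 and reset those sessions. This only ever sees HTTP sessions.
class-map type inspect http match-any http-port-misuse
 match request port-misuse im
 match request port-misuse p2p
!
policy-map type inspect http block-port-misuse
 class type inspect http http-port-misuse
  reset
  log
!
! Actions (policy map): inspect the listed protocols, hang the HTTP Layer 7
! policy off the inspect action, drop everything else. class-default is
! dropped even without this stanza; "drop log" makes the drops visible.
policy-map type inspect private-internet-policy
 class type inspect private-internet-protocols
  inspect
  service-policy http block-port-misuse
 class class-default
  drop log
!
! --- Private-to-DMZ policy ----------------------------------------------
! Layer 7 inspection of each listed service; FTP gets its data-channel fixup.
class-map type inspect match-any private-dmz-protocols
 match protocol ssh
 match protocol ftp
 match protocol pop3
 match protocol imap
 match protocol esmtp
 match protocol http
!
policy-map type inspect private-dmz-policy
 class type inspect private-dmz-protocols
  inspect
 class class-default
  drop log
!
! --- Zones and interface membership --------------------------------------
! Once an interface joins a zone it can only exchange traffic with other
! zones through a zone-pair that carries a policy. BVI1 is created by the
! IRB configuration of the transparent firewall section.
zone security private
zone security internet
zone security dmz
!
interface FastEthernet0
 zone-member security internet
!
interface FastEthernet1
 zone-member security dmz
!
interface BVI1
 zone-member security private
!
! --- Zone pairs (service policy) ----------------------------------------
! Direction matters: these pairs inspect connections initiated in the
! private zone. Return traffic is admitted by the stateful session, but no
! connection can be initiated from internet or dmz toward private because
! no zone-pair exists in that direction.
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
!
zone-pair security private-dmz source private destination dmz
 service-policy type inspect private-dmz-policy
```

Check the result with `show zone-pair security` and `show policy-map type inspect zone-pair private-internet sessions`; the second command lists the live sessions the firewall is tracking, so a host that cannot reach the Internet should first be checked for a protocol missing from the match-any class rather than for a routing fault.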

Configure Internet-DMZ Policy

Figure 6 illustrates the configuration of the Internet-DMZ policy.

This policy applies Layer 7 inspection from the Internet zone to the DMZ. This allows connections from the Internet zone to the DMZ, and allows the return traffic from the DMZ hosts to the Internet hosts that originated the connection. The Internet-DMZ policy combines Layer 7 inspection with address groups defined by ACLs to restrict access to specific services on specific hosts, groups of hosts, or subnets. This is accomplished by nesting a class-map specifying services within another class-map referencing an ACL to specify IP addresses.

1. Define class-maps and ACLs that describe the traffic that you want to permit between zones, according to the policies described earlier.

Multiple class-maps for services must be used, as differing access policies are applied for access to two different servers. Internet hosts are allowed DNS and HTTP connections to 172.16.2.2, and SMTP connections are allowed to 172.16.2.3. Note the difference in the class-maps. The class-maps specifying services use the match-any keyword to allow any of the listed services. The class-maps associating ACLs with the service class-maps use the match-all keyword to require that both conditions in the class map must be met to allow traffic.

2. Configure policy-maps to inspect traffic on the class-maps you just defined.

3. Configure the Internet and DMZ zones and assign router interfaces to their respective zones. Skip the DMZ configuration if you set it up in the previous section.

4. Configure the zone-pair and apply the appropriate policy-map.

Note: You only need to configure the Internet-DMZ zone pair at present, to inspect connections sourced in the Internet zone traveling to the DMZ zone.

This completes the configuration of the address-specific Layer 7 inspection policy on the Internet-DMZ zone-pair.
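The nested class-map construction this section describes, written out as an added example (not the page's or Cisco's own configuration). It uses the two DMZ addresses given in step 1 (172.16.2.2 for DNS and HTTP, 172.16.2.3 for SMTP); the ACL, class-map and policy-map names and the logging of drops are assumptions.

```cisco-ios
! Address groups: one ACL per DMZ host. Only the destination matters here;
! the protocol is supplied by the nested service class-map.
ip access-list extended dmz-dns-http-host
 permit ip any host 172.16.2.2
!
ip access-list extended dmz-smtp-host
 permit ip any host 172.16.2.3
!
! Service class-maps use match-any: any one of the listed services matches.
class-map type inspect match-any dns-http-services
 match protocol dns
 match protocol http
!
class-map type inspect match-any smtp-services
 match protocol smtp
!
! Outer class-maps use match-all: the packet must hit BOTH the ACL (which
! host) AND the nested service class (which protocol). Writing match-any
! here would permit any listed service to any host and defeat the split.
class-map type inspect match-all internet-dmz-dns-http
 match access-group name dmz-dns-http-host
 match class-map dns-http-services
!
class-map type inspect match-all internet-dmz-smtp
 match access-group name dmz-smtp-host
 match class-map smtp-services
!
policy-map type inspect internet-dmz-policy
 class type inspect internet-dmz-dns-http
  inspect
 class type inspect internet-dmz-smtp
  inspect
 class class-default
  drop log
!
! Zones and membership (skip the lines already entered in earlier sections)
zone security internet
zone security dmz
!
interface FastEthernet0
 zone-member security internet
!
interface FastEthernet1
 zone-member security dmz
!
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect internet-dmz-policy
```

Because no dmz-to-internet zone-pair is defined, the DMZ hosts cannot initiate anything outbound, exactly as the policy list above requires. In practice that means the SMTP server cannot relay mail out and the DNS server cannot recurse until you deliberately add a dmz-internet zone-pair with its own narrow policy; that is a design decision to make explicitly, not a fault to debug. `show policy-map type inspect zone-pair internet-dmz` shows per-class packet counters, which is the quickest way to confirm that a connection landed in the intended class rather than in class-default.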

Stateful Inspection Transparent Firewall

Configure Servers-Clients Policy

Figure 7 illustrates the configuration of the servers-clients policy.

The servers-clients policy applies inspection using a user-defined service. Layer 7 inspection is applied from the servers zone to the clients zone. This allows X Windows connections to a specific port range from the servers zone to the clients zone, and allows the return traffic. X Windows is not a natively supported protocol in PAM, so a user-configured service in PAM must be defined so the ZFW can recognize and inspect the appropriate traffic.

Two or more router interfaces are configured in an IEEE bridge-group to provide Integrated Routing and Bridging (IRB), which bridges between the interfaces in the bridge-group and routes to other subnets via the Bridge Virtual Interface (BVI). The transparent firewall policy applies firewall inspection to traffic crossing the bridge, but not to traffic that leaves the bridge-group via the BVI. The inspection policy only applies to traffic crossing the bridge-group. Therefore, in this scenario, the inspection is applied only to traffic that moves between the clients and servers zones, which are nested inside the private zone. The policy applied between the private zone and the Internet and DMZ zones only comes into play when traffic leaves the bridge-group via the BVI. When traffic leaves via the BVI from either the clients or servers zone, the transparent firewall policy is not invoked.

1. Configure PAM with a user-defined entry for X Windows.

X Windows clients (where the applications are hosted) open connections carrying display information to X Windows servers (where the user is working) in a range starting at port 6900.

Each additional connection uses successive ports, so if a client displays 10 different sessions on one host, the server uses ports 6900-6909. Therefore, if you inspect only the port range from 6900 to 6909, connections opened to ports beyond 6909 would fail.

2. Review the PAM documents to address additional PAM questions, or check the granular protocol inspection documentation for information about the details of interoperability between PAM and Cisco IOS Firewall stateful inspection.

3. Define class-maps that describe the traffic that you want to permit between zones, according to the policies described earlier.

4. Configure policy-maps to inspect traffic on the class-maps you just defined.

5. Configure the clients and servers zones and assign router interfaces to their respective zones.

If you configured these zones and assigned interfaces in the Clients-Servers Policy Configuration section, you can skip to the zone-pair definition. The bridging (IRB) configuration is provided for completeness.

6. Configure the zone-pair and apply the appropriate policy-map.

Note: You only need to configure the servers-clients zone pair at present in order to inspect connections sourced in the servers zone traveling to the clients zone.

This completes the configuration of the user-defined inspection policy on the servers-clients zone-pair to allow X Windows connections from the servers zone to the clients zone.
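The six steps above, carried out as an added example (not the page's or Cisco's own configuration): the PAM entry, the IRB bridge group that makes the firewall transparent between VLAN 1 and VLAN 2, and the servers-clients zone-pair. The VLAN and BVI interface names and the 6900-6910 port range come from the page; the bridge-group number, the BVI address, the class-map and policy-map names, and the logging of drops are assumptions.

```cisco-ios
! 1. User-defined PAM entry. User-defined application names must begin with
!    "user-". The range covers displays 6900 through 6910 as the policy list
!    specifies, so an eleventh X session does not fall outside inspection.
ip port-map user-xwindows port tcp from 6900 to 6910
!
! 5. Zones must exist before an interface can join them. clients and servers
!    sit inside the bridged subnet; private is the routed side that the
!    private-internet and private-dmz zone-pairs see.
zone security clients
zone security servers
zone security private
!
! IRB: VLAN 1 and VLAN 2 are bridged together and reach other subnets only
! through BVI1. Bridge group 1 is an assumed number.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface Vlan1
 description workstations (clients zone)
 no ip address
 bridge-group 1
 zone-member security clients
!
interface Vlan2
 description servers (servers zone)
 no ip address
 bridge-group 1
 zone-member security servers
!
! Assumed address for the shared client/server subnet.
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 zone-member security private
!
! 3./4. Class-map and policy-map built on the PAM-defined service. Inspection
!       of a user-defined port map is stateful at Layer 4 under that name.
class-map type inspect match-any servers-clients-class
 match protocol user-xwindows
!
policy-map type inspect servers-clients-policy
 class type inspect servers-clients-class
  inspect
 class class-default
  drop log
!
! 6. Zone-pair: only servers-initiated X Windows connections cross the bridge
!    toward clients. Traffic that leaves the bridge through BVI1 is governed
!    by the private-* zone-pairs instead, never by this policy.
zone-pair security servers-clients source servers destination clients
 service-policy type inspect servers-clients-policy
```

`show ip port-map user-xwindows` confirms the PAM entry was accepted, and `show policy-map type inspect zone-pair servers-clients sessions` shows each open X session with its port, which is how to tell an application that stepped past 6910 apart from one that never tried to connect.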

Configure Clients-Servers Policy

Figure 8 illustrates the configuration of the clients-servers policy.

The clients-servers policy is less complex than the others. Layer 4 inspection is applied from the clients zone to the servers zone. This allows connections from the clients zone to the servers zone, and allows the return traffic. Layer 4 inspection carries the advantage of simplicity in the firewall configuration, in that only a few rules are required to allow most application traffic. However, Layer 4 inspection also carries two major disadvantages.

Applications such as FTP or streaming media services frequently negotiate an additional subordinate channel from the server to the client. This functionality is usually accommodated in a service fixup that monitors the control channel dialog and allows the subordinate channel. This capability is not available in Layer 4 inspection.

Layer 4 inspection allows nearly all application-layer traffic. If network use must be controlled so that only a few applications are permitted through the firewall, an ACL must be configured on outbound traffic to limit the services allowed through the firewall.

Both router interfaces are configured in an IEEE bridge group, so this firewall policy applies transparent firewall inspection. This policy is applied on two interfaces in an IEEE IP bridge group. The inspection policy only applies to traffic crossing the bridge group. This explains why the clients and servers zones are nested inside the private zone.

1. Define class-maps that describe the traffic that you want to permit between zones, according to the policies described earlier.

2. Configure policy-maps to inspect traffic on the class-maps you just defined.

3. Configure the clients and servers zones and assign router interfaces to their respective zones.

4. Configure the zone-pair and apply the appropriate policy-map.

Note: You only need to configure the clients-servers zone-pair at present, to inspect connections sourced in the clients zone traveling to the servers zone.

This completes the configuration of the Layer 4 inspection policy for the clients-servers zone-pair to allow all TCP, UDP, and ICMP connections from the clients zone to the servers zone. The policy does not apply fixup for subordinate channels, but provides an example of a simple policy that accommodates most application connections.
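An added example (not the page's or Cisco's own configuration) of the Layer 4 clients-servers policy, followed by the restricted variant that the second disadvantage above calls for. The restriction is written as a ZFW match-all class bound to an ACL rather than as an interface ACL, which is the native way to express it in this model; the port list in that ACL, the class-map and policy-map names, and the logging of drops are assumptions. Zones and interface membership are the ones created in the servers-clients section.

```cisco-ios
! Layer 4 inspection: three generic matches cover nearly all application
! traffic from clients to servers. Return traffic rides the stateful session,
! but no subordinate channel (FTP data, streaming media) is opened.
class-map type inspect match-any clients-servers-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect clients-servers-policy
 class type inspect clients-servers-class
  inspect
 class class-default
  drop log
!
! Only the clients -> servers direction is added here; the reverse direction
! is the servers-clients zone-pair with its X Windows policy.
zone-pair security clients-servers source clients destination servers
 service-policy type inspect clients-servers-policy
!
! --- Restricted variant ------------------------------------------------
! Layer 4 inspection cannot tell applications apart, so to permit only a few
! services, bind the generic class to an ACL of allowed destination ports
! with match-all. The ports below are assumed for illustration only.
ip access-list extended clients-servers-allowed
 permit tcp any any eq 22
 permit tcp any any eq 445
 permit udp any any eq 53
 permit icmp any any
!
class-map type inspect match-all clients-servers-restricted
 match access-group name clients-servers-allowed
 match class-map clients-servers-class
!
policy-map type inspect clients-servers-restricted-policy
 class type inspect clients-servers-restricted
  inspect
 class class-default
  drop log
!
! Re-enter the zone-pair with the restricted policy to enforce the port list;
! the later service-policy replaces the earlier one.
zone-pair security clients-servers source clients destination servers
 service-policy type inspect clients-servers-restricted-policy
```

If FTP between clients and servers must work, add `match protocol ftp` to the match-any class above the `match protocol tcp` line: match statements are evaluated in order, so a session that is claimed by the generic TCP match first never receives the FTP fixup, which is the first disadvantage the section describes.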


Next Step

You have now configured Zone based Firewall on your router.

Refer to the Router Support Page to make further changes to your router.

Refer to the Configuration Overview Page to configure other devices in your network.


Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: You are unable to connect to the router with Security Device Manager (SDM).
Cause(s) and Suggested Solution(s): Refer to Configure Your Router with Security Device Manager.


Related Information

Router Support Page

Site Survey

Create a HyperTerminal Connection

1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.