ZBF on Cisco Router in 6 Steps

1. Create the zones using the “zone security” command, and decide which interfaces will be inside and which outside. Traffic between two zones is dropped unless a zone pair with a policy permits it; traffic between interfaces in the same zone is allowed.
Router(config)#zone security outside
Router(config)#zone security inside

2. Create an access-list that matches the traffic to be inspected (here the inside LAN 192.168.1.0/24 to anywhere)
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any

3. Create a class map using “class-map type inspect” to select the traffic to inspect, and match the ACL from step 2 in it. The access-group number must be the ACL actually defined (100 here); a class map that references an undefined ACL matches nothing, so the traffic falls into class-default and is dropped
Router(config)#class-map type inspect match-all IN-NET-CLASS-MAP
Router(config-cmap)#match access-group 100

4. Create a policy map using “policy-map type inspect” and apply the class map to it with the “inspect” action. Inspection is stateful: return traffic for sessions opened from inside is allowed back automatically. Traffic not matched by the class map falls into the implicit class-default, which drops it
Router(config)#policy-map type inspect IN-2-OUT-PMAP
Router(config-pmap)#class type inspect IN-NET-CLASS-MAP
Router(config-pmap-c)#inspect

5. Create a zone pair using “zone-pair security” and apply the policy map to it with “service-policy type inspect”. Only an inside-to-outside pair is created here, so connections initiated from outside have no zone pair and are dropped
Router(config)#zone-pair security IN-2-OUT-ZPAIR source inside destination outside
Router(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP

6. Assign each interface to its zone using the “zone-member security” command. As soon as an interface joins a zone, its traffic to interfaces in other zones is subject to the zone-pair policies
Router(config)#interface Fa0/1
Router(config-if)#zone-member security inside

Router(config)#interface Se0/0/1
Router(config-if)#zone-member security outside
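The most common way a ZBF config fails silently is a dangling reference: a class map matching an ACL number that was never defined, a policy map calling a class map that does not exist, or a zone pair applying a policy map by the wrong name. In every case the traffic ends up in class-default and is dropped, and the router accepts the config without complaint. The following checker is an added example, not part of the original post; it parses a running-config excerpt and reports such dangling references. The sample config it runs on is constructed from the six steps above, with the ACL number mismatch (ACL 100 defined, class map matching 101) left in so the check has something to find.

```python
"""Static consistency check for a Cisco IOS zone-based firewall config.

Added example (not from the original post). Parses a running-config excerpt
and reports dangling references between ACLs, class maps, policy maps,
zone pairs and zones, plus zones with no member interface.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the six-step config from the post as typed, including
# the mismatch between the defined ACL (100) and the one the class map matches (101).
SAMPLE_CONFIG = """\
zone security outside
zone security inside
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
zone-pair security IN-2-OUT-ZPAIR source inside destination outside
 service-policy type inspect IN-2-OUT-PMAP
interface FastEthernet0/1
 zone-member security inside
interface Serial0/0/1
 zone-member security outside
"""


def check_zbf(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the config is consistent."""
    zones: Set[str] = set()
    acls: Set[str] = set()
    class_maps: Dict[str, List[str]] = {}    # class-map name -> ACLs it matches
    policy_maps: Dict[str, List[str]] = {}   # policy-map name -> class maps it calls
    zone_pairs: Dict[str, dict] = {}         # zone-pair name -> source/destination/policy
    zone_members: Dict[str, List[str]] = {}  # zone name -> member interfaces
    ctx_kind = ctx_name = None               # the config block we are currently inside

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m[1]); ctx_kind = None
        elif m := re.match(r"(?:ip )?access-list (?:extended |standard )?(\S+)", line):
            acls.add(m[1]); ctx_kind = None   # numbered ACLs repeat the number on every line
        elif m := re.match(r"class-map type inspect (?:match-all |match-any )?(\S+)$", line):
            ctx_kind, ctx_name = "class", m[1]; class_maps[ctx_name] = []
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            ctx_kind, ctx_name = "policy", m[1]; policy_maps[ctx_name] = []
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            ctx_kind, ctx_name = "pair", m[1]
            zone_pairs[ctx_name] = {"source": m[2], "destination": m[3], "policy": None}
        elif m := re.match(r"interface (\S+)$", line):
            ctx_kind, ctx_name = "intf", m[1]
        elif ctx_kind == "class" and (m := re.match(r"match access-group (?:name )?(\S+)$", line)):
            class_maps[ctx_name].append(m[1])
        elif ctx_kind == "policy" and (m := re.match(r"class (?:type inspect )?(\S+)$", line)):
            policy_maps[ctx_name].append(m[1])
        elif ctx_kind == "pair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            zone_pairs[ctx_name]["policy"] = m[1]
        elif ctx_kind == "intf" and (m := re.match(r"zone-member security (\S+)$", line)):
            zone_members.setdefault(m[1], []).append(ctx_name)

    findings: List[str] = []
    for cm, refs in class_maps.items():
        for acl in refs:
            if acl not in acls:
                findings.append(f"class-map {cm} matches access-group {acl}, which is not defined")
    for pm, classes in policy_maps.items():
        for c in classes:
            if c != "class-default" and c not in class_maps:   # class-default is implicit
                findings.append(f"policy-map {pm} references undefined class-map {c}")
    for zp, d in zone_pairs.items():
        for side in ("source", "destination"):
            if d[side] != "self" and d[side] not in zones:      # the self zone is built in
                findings.append(f"zone-pair {zp} {side} zone {d[side]} is not defined")
        if d["policy"] is None:
            findings.append(f"zone-pair {zp} has no service-policy, so all its traffic is dropped")
        elif d["policy"] not in policy_maps:
            findings.append(f"zone-pair {zp} applies undefined policy-map {d['policy']}")
    for z, intfs in zone_members.items():
        if z not in zones:
            findings.append(f"interface(s) {', '.join(intfs)} joined undefined zone {z}")
    for z in sorted(zones):
        if z not in zone_members:
            findings.append(f"zone {z} has no member interface")
    return findings


if __name__ == "__main__":
    for finding in check_zbf(SAMPLE_CONFIG) or ["config is consistent"]:
        print(finding)
```

Run against the sample it reports the ACL mismatch only; correcting the class map to match access-group 100 makes the report empty. Feed it the output of “show running-config” to check a real router before the change window ends.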
