Configure Zone-Based Policy Firewall

Configuring zone-based policy firewall on a cisco IOS router is not as easy. To be able to understand the topology of the configuration I used some colors. The key hierarchy is the following:

1. class-map
2. policy-map
3. zone-pair
4. zone security for interface

I used in this small example the following topology:

Configuration topology:

Router parameters:

SW: Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(6)T7, R*
HW: Cisco 2621XM
* This feat is available from Cisco IOS Software Release 12.4(6)T (The IM inspection is only from 12.4(9)T)

Configuration of the router:

hostname Router ! ! class-map type inspect match-any Outside_to_Inside match access-group name web_in class-map type inspect match-any Inside_to_Outside match protocol http match protocol https match protocol icmp match protocol pop3 match protocol dns match protocol smtp ! ! policy-map type inspect policy_Outside_to_Inside class type inspect Outside_to_Inside inspect class class-default policy-map type inspect policy_Inside_to_Outside class type inspect Inside_to_Outside inspect class class-default ! zone security Outside description Outside untrusted zone zone security Inside description Inside trusted zone zone-pair security Inside_to_Outside source Inside destination Outside service-policy type inspect policy_Inside_to_Outside zone-pair security Outside_to_Inside source Outside destination Inside service-policy type inspect policy_Outside_to_Inside ! ! ! interface FastEthernet0/0 ip address 50.50.50.1 255.255.255.0 ip nat outside ip virtual-reassembly zone-member security Outside duplex auto speed auto ! interface Serial0/0 no ip address shutdown no fair-queue ! interface FastEthernet0/1 ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security Inside duplex auto speed auto ! interface Serial0/1 no ip address shutdown ! ! ip http server no ip http secure-server ip nat inside source static tcp 192.168.1.2 80 50.50.50.2 80 extendable ! ip access-list extended web_in permit tcp host 50.50.50.71 host 192.168.1.2 eq www !

Source documentation is here if you need more details.