Security: Zone based firewall

1841-1 is the firewall which inspects traffic from inside to outside, traffic inspected is matched with the class map.

An alternative to ASA

Supposed your customer has budget constraint, and wanted security but does not want to pay for an ASA until more budget is planned for the next work year. You can suggest to use router as firewall as a temporary solution until your customer is ready to purchase an ASA. Zone based inspect layer 3, 4 and 7 packets and determine whether it should pass (without inspection), drop or inspect (stateful packet inspection, i.e. unsolicited traffic which is not originated from the inside will be dropped otherwise let the traffic passes.)

Zone based firewall configuration is the default behaviour of all ASA and PIX products, in ASA/PIX using ASDM you can specify which is trusted and untrusted, after specified the interfaces will be defined as inside and outside based on your choice, once interfaces are defined; a default value will be configured by ASA i.e. inside interface as security level 100 and outside as security level 0, 100 being fully trusted, 0 being not trusted at all. Default behaviour will be traffic from inside to outside will be allowed and inspected, traffic solicited from inside to outside will be allowed to return from outside to inside, unsolicited traffic that is not originated from the inside interface will be dropped unless you specify an ACL or do policy to allow certain traffic to be allowed from outside to inside.

Stateful packet inspection

Modern firewalls, hardware or software, are using stateful packet inspection. Traffic action (drop or pass) is based on the packet type (L3, L4 and L7), for TCP it is able to easily determined by firewalls as there’s a window, after certain period of time of idle firewall will close the “door” of outside interface. UDP is hard, this connectionless protocol is sent and forget, firewall has no way to know if the return udp packet is a solicited one or unsolicited one, hence for udp there will be a timer for the “door” to be opened. ICMP is worst, it is neither a tcp nor udp, it is hard to determine if the icmp is malicious or just normal testing, in ASA there’s a special statement just for icmp echo test, default icmp is dropped.

Configuration example

Step 1: Classify packet types (aka interesting traffic)

class-map type inspect match-any cmap-1
description Allow telnet and icmp traffic from inside to outside
match protocol icmp
match protocol telnet
match protocol ssh

Class map is used for MQC for classifying interesting traffic for QoS as well, for this type of class-map is exclusively for zone based firewall, this class map is a classification of traffic type which you want firewall to inspect.

Step 2: Configure policy map based on configured class map. Policy map is an action list based on traffic classified by class-map.

policy-map type inspect pmap-1
description action for telnet, ssh and icmp traffic as classified in cmap-1
class type inspect cmap-1
police rate 8000 burst 1500
class class-default

Step 3: Create zones

zone security inside
description Inside zone
zone security outside
description Outside zone

Step 4: Assign zones to interfaces

interface FastEthernet0/0
description Inside zone
ip address
zone-member security inside
duplex auto
speed auto

interface FastEthernet0/1
description Outside zone
ip address
zone-member security outside
duplex auto
speed auto

Step 5: Create zone pairs. Zone pairs is unidirectional, it defines action for traffic from one location to another location, we apply policy map into zone pairs to make router works as a firewall.

zone-pair security in-to-out source inside destination outside
description Inside to outside policy is applied in this zone pair
service-policy type inspect pmap-1

Verification using icmp echo


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

ICMP from 2651-1 to 1841-2 is dropped because this is unsolicited.

Testing the rate limiter

1841-2#ping repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 85 percent (342/399), round-trip min/avg/max = 1/1/4 ms

Show statistics for dropped and passed traffic

1841-1#sh policy-map type inspect zone-pair

policy exists on zp in-to-out
Zone-pair: in-to-out

Service-policy inspect : pmap-1

Class-map: cmap-1 (match-any)
Match: protocol icmp
2 packets, 160 bytes
30 second rate 0 bps
Match: protocol telnet
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps

Packet inspection statistics [process switch:fast switch]
icmp packets: [0:751]

Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:1:0]
Last session created 00:08:07
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0
rate 8000 bps,1500 limit
conformed 751 packets, 85614 bytes; actions: transmit
exceeded 57 packets, 6498 bytes; actions: drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
Match: any
0 packets, 0 bytes

Telnet test

Trying …
% Connection timed out; remote host not responding

Trying … Open

User Access Verification

Username: cisco
Secure shell test

1841-2#ssh -l cisco



2651-1#ssh -l cisco



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s