Cisco’s zone based firewall is normally used with layer 3 interfaces but you can also use it as a transparent firewall. If you have no idea what zone based firewalls are then I suggest you first take a look at my basis ZBF configuration example. If you haven’t configured layer 2 bridging before then you should start with the transparent IOS firewall example. Having said that, let’s configure a Zone based firewall in transparent mode. This is the topology that I will be using:
Above we have 3 routers. R1 and R3 are in the same layer 2 segment because we’ll configure R2 to bridge the FastEthernet 0/0 and 0/1 interfaces. Once this is done we’ll configure the Zone Based Firewall. I will use a very simple example, by default all inter-zone traffic is denied. I want to configure R2 so that it will permit only ICMP traffic from R1 to R3 (and the return traffic). Let’s get started!
First we’ll configure bridging:
R2(config)#bridge crb R2(config)#bridge 1 protocol ieee R2(config)#interface fastEthernet 0/0 R2(config-if)#bridge-group 1 R2(config)#interface fastEthernet 0/1 R2(config-if)#bridge-group 1
I don’t need a layer 3 interface on R2 so we’ll go for concurrent routing and bridging with IEEE spanning-tree. The two FastEhernet interfaces have been added to the bridge group.
I will create a LAN and WAN zone. R1 will be in the LAN zone and R3 in the WAN zone. We’ll also add the interfaces to the correct zone and create a zone pair for traffic from our LAN to the WAN.
R2(config)#zone security LAN R2(config)#zone security WAN R2(config)#interface fastEthernet 0/0 R2(config-if)#zone-member security LAN R2(config)#interface fastEthernet 0/1 R2(config-if)#zone-member security WAN R2(config)#zone-pair security LAN-TO-WAN source LAN destination WAN
With the zones in place, we can create a security policy. We’ll use NBAR to match on ICMP traffic and create a policy-map that uses the inspect rule:
R2(config)#class-map type inspect ICMP R2(config-cmap)#match protocol icmp R2(config)#policy-map type inspect LAN-TO-WAN R2(config-pmap)#class ICMP R2(config-pmap-c)#inspect
Last but not least we have to attach that policy-map to the zone pair: