Zone Based Firewall Transparent Mode

Cisco’s zone based firewall is normally used with layer 3 interfaces but you can also use it as a transparent firewall. If you have no idea what zone based firewalls are then I suggest you first take a look at my basic ZBF configuration example. If you haven’t configured layer 2 bridging before then you should start with the transparent IOS firewall example. Having said that, let’s configure a Zone based firewall in transparent mode. This is the topology that I will be using:

[Figure: ZBF transparent mode topology]

Above we have 3 routers. R1 and R3 are in the same layer 2 segment because we’ll configure R2 to bridge the FastEthernet 0/0 and 0/1 interfaces. Once this is done we’ll configure the Zone Based Firewall. I will use a very simple example. By default all inter-zone traffic is denied, and I want to configure R2 so that it will permit only ICMP traffic from R1 to R3 (and the return traffic). Let’s get started!


First we’ll configure bridging:

R2(config)#bridge crb 
R2(config)#bridge 1 protocol ieee 

R2(config)#interface fastEthernet 0/0
R2(config-if)#bridge-group 1

R2(config)#interface fastEthernet 0/1
R2(config-if)#bridge-group 1

I don’t need a layer 3 interface on R2 so we’ll go for concurrent routing and bridging with IEEE spanning-tree. The two FastEthernet interfaces have been added to the bridge group.

If you decide to use bridge irb, the layer 3 bridge interface will automatically belong to the ZBF self zone.

I will create a LAN and WAN zone. R1 will be in the LAN zone and R3 in the WAN zone. We’ll also add the interfaces to the correct zone and create a zone pair for traffic from our LAN to the WAN.

R2(config)#zone security LAN
R2(config)#zone security WAN

R2(config)#interface fastEthernet 0/0
R2(config-if)#zone-member security LAN

R2(config)#interface fastEthernet 0/1
R2(config-if)#zone-member security WAN  

R2(config)#zone-pair security LAN-TO-WAN source LAN destination WAN

With the zones in place, we can create a security policy. We’ll use NBAR to match on ICMP traffic and create a policy-map that uses the inspect rule:

R2(config)#class-map type inspect ICMP
R2(config-cmap)#match protocol icmp

R2(config)#policy-map type inspect LAN-TO-WAN
R2(config-pmap)#class type inspect ICMP
R2(config-pmap-c)#inspect

Last but not least we have to attach that policy-map to the zone pair:
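The steps above only work once every piece is wired together: the class needs an action in the policy-map, and the zone-pair needs the policy-map attached with `service-policy type inspect`. As an added example (not part of the lesson), the following Python script parses the ZBF section of R2's configuration, embedded below as constructed sample text with the `service-policy` attachment assumed as the final step, and flags the two omissions that leave a zone-pair silently dropping traffic.

```python
"""Audit a Cisco IOS zone-based firewall config (added example, not from the lesson)."""

ACTIONS = {"inspect", "pass", "drop"}
# Constructed sample: the lesson's ZBF section of R2, with the policy attached to the zone-pair.
R2_COMPLETE = """\
class-map type inspect match-all ICMP
 match protocol icmp
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN
"""
# Constructed sample: same config, but the class has no action and the zone-pair has no policy.
R2_INCOMPLETE = R2_COMPLETE.replace("  inspect\n", "").replace(
    " service-policy type inspect LAN-TO-WAN\n", "")

def parse_ios(text):
    """Return ({policy-map: {class: action or None}}, {zone-pair: policy-map or None})."""
    pmaps, zpairs, pmap, zpair, cls = {}, {}, None, None, None
    for line in filter(str.strip, text.splitlines()):
        tok = line.split()
        if not line[0].isspace():               # an unindented command starts a new section
            pmap = zpair = cls = None
            if tok[:3] == ["policy-map", "type", "inspect"]:
                pmap, pmaps[tok[3]] = tok[3], {}
            elif tok[:2] == ["zone-pair", "security"]:
                zpair, zpairs[tok[2]] = tok[2], None
        elif pmap and tok[0] == "class":        # "class type inspect ICMP" or "class class-default"
            cls = tok[-1]
            pmaps[pmap][cls] = None
        elif pmap and cls and tok[0] in ACTIONS:
            pmaps[pmap][cls] = tok[0]
        elif zpair and tok[:3] == ["service-policy", "type", "inspect"]:
            zpairs[zpair] = tok[3]
    return pmaps, zpairs

def audit(text):
    pmaps, zpairs = parse_ios(text)
    findings = []                               # empty list: every class has an action, every zone-pair a policy
    for name, classes in pmaps.items():
        for cls, action in classes.items():     # class-default needs none: it drops by default
            if action is None and cls != "class-default":
                findings.append(f"policy-map {name}: class {cls} has no inspect/pass/drop action")
    for zp, pmap in zpairs.items():
        if pmap is None or pmap not in pmaps:
            findings.append(f"zone-pair {zp}: no valid service-policy, all traffic between the zones is dropped")
    return findings
```

Running `audit(R2_INCOMPLETE)` reports both gaps, while `audit(R2_COMPLETE)` returns an empty list.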


Forum Replies

  1. Hi Matt,

    It’s in the policy-map, take a look below:

    policy-map type inspect LAN-TO-WAN
     class type inspect ICMP
     class class-default

    The output above is from the running configuration. Here’s how to change it:

    R2(config)#policy-map type inspect LAN-TO-WAN
    R2(config-pmap)#class class-default                
    Policy-map class configuration commands:
      drop  Drop the packet
      exit  Exit from class action configuration mode
      no    Negate or set default values of a command
      pass  Pass the packet

    The pa

    ... Continue reading in our forum

  2. Hi Rene,

    I’m wanting to include a section in my ZBPF to deny access to certain URLs. Some websites are suggesting to use a parameter-map type regex whilst others are suggesting using a class-map match-any.

    parameter-map type regex url-blacklist-pmap
     pattern *
    class-map match-any URL_BLOCK
     match protocol http host ""

    I am interested in doing this to try and block various telemetry attempts by 3rd parties as the hosts file is often quite useless at this. Some use URLs hardcoded with their phone home addresses inside

    ... Continue reading in our forum

  3. Hi Rene,
    Why did you use many “inspect” commands, in the class-map, in the policy-map (2 times) and in the zone-pair?
    Which one of them should be the one to allow the return traffic? And which one of them can I replace with drop or pass?

    Also regarding the WAN-TO-SELF should I create LAN-To-SELF deny access from the inside zone?
    Thanks a lot

  4. Hi Ali and Matt,

    About the many inspect commands…the thing is that the class-map that is used for inspection is a different one than the regular class-map. The same thing applies to the policy-map. For example, take a look at this code:

    policy-map type inspect LAN-TO-WAN
     class type inspect ICMP

    The “policy-map type inspect” part only refers to the policy-map called LAN-TO-WAN and specifies that it’s an “inspect type” policy-map. The same thing applies to the class-map we use here.

    The only command that does inspection is the “inspect” command.


    ... Continue reading in our forum

57 more replies! Ask a question or join the discussion by visiting our Community Forum