Zone Based Firewall Configuration Example

Zone Based Firewall (ZBF) is the most advanced stateful firewall method available on Cisco IOS routers. The idea behind ZBF is that we don’t assign access-lists to interfaces; instead, we create zones. Interfaces are assigned to zones, and security policies are applied to traffic between zones. To show you why ZBF is useful, let me show you a picture:

[Figure: network with lots of ACLs]

Above you see a small network that has a LAN, DMZ and WAN with two ISPs. Let’s say our security policy looks like this:

  • Traffic from the LAN is allowed to the WAN but only to HTTP and HTTPS servers.
  • Traffic from the LAN is allowed to the DMZ unrestricted.
  • Traffic from the DMZ is not allowed to the LAN.
  • Traffic from the DMZ is allowed to the WAN but only for the DNS and HTTP servers.
  • Traffic from the WAN is allowed to the LAN, but only to an FTP server.

If you want to achieve this using access-lists, you’ll have to create multiple access-lists and attach them to different interfaces inbound and/or outbound. To say the least, it becomes an administrative pain to do this. It’s possible but annoying.

With the zone based firewall, we won’t apply the security policies to the interfaces but to security zones. Interfaces will become members of the different zones. Here’s an example of the topology above with zones:

[Figure: ZBF with 3 zones]

Above you see 3 zones: LAN, WAN and DMZ. The interfaces are assigned to the correct zone and now we can apply security policies to traffic between zones. For example:

  • LAN to WAN
  • LAN to DMZ
  • WAN to LAN
  • WAN to DMZ
  • DMZ to WAN
  • DMZ to LAN

To create a security policy for traffic between zones we have to create a zone pair. A zone pair is directional: it has a source zone and a destination zone. Zone pairs are not created for us; we configure them ourselves and apply a security policy to each one to determine what traffic is permitted from one zone to another. All security policies are attached to zone pairs. Now that you have an idea of what a zone based firewall is, let me show you how to configure it.


We will use the following topology:

[Figure: zone based firewall topology with LAN and WAN zones]

Above you see 3 routers and two zones called LAN and WAN. We will configure ZBF on R2. For connectivity, I’ll create a static route on R1 and R3 that points to R2:

R1(config)#ip route
R3(config)#ip route

Now we can configure the firewall.

Configure the Zones

First we will create the zones. We only have two of them:

R2(config)#zone security LAN
R2(config)#zone security WAN

Second, we will assign the interfaces to the correct zone:

R2(config)#interface fastEthernet 0/0
R2(config-if)#zone-member security LAN
R2(config)#interface fastEthernet 0/1 
R2(config-if)#zone-member security WAN

Let’s verify the configuration of the zones:

R2#show zone security 
zone self
  Description: System defined zone

zone LAN
  Member Interfaces:

zone WAN
  Member Interfaces:

The zones are active and interfaces have been assigned to them. Now we can create the zone pairs.

Configure the Zone Pairs

R2(config)#zone-pair security LAN-TO-WAN source LAN destination WAN
R2(config-sec-zone-pair)#description LAN-TO-WAN TRAFFIC
R2(config)#zone-pair security WAN-TO-LAN source WAN destination LAN
R2(config-sec-zone-pair)#description WAN-TO-LAN TRAFFIC

Above I create two zone pairs. One for traffic from our LAN to the WAN, and another for traffic from the WAN to our LAN. A description is optional but recommended if you have many zones. Let’s verify our configuration:

R2#show zone-pair security 
Zone-pair name LAN-TO-WAN
    Source-Zone LAN  Destination-Zone WAN 
    service-policy not configured
Zone-pair name WAN-TO-LAN
    Source-Zone WAN  Destination-Zone LAN 
    service-policy not configured
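
The same check can be scripted against a saved configuration. The Python script below is an added example, not part of the original lesson: it parses the ZBF commands used above and reports zone pairs with no service policy, zone-to-zone directions that no policy covers, and interfaces that belong to no zone. The sample configuration is constructed; its `service-policy` line and the `Serial0/0` interface are assumptions added to show both outcomes.

```python
import re
from itertools import permutations

# Constructed sample in running-config form, based on the commands above.
# Assumptions: the service-policy line and Serial0/0 are not from the lesson.
SAMPLE_CONFIG = """\
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 description LAN-TO-WAN TRAFFIC
 service-policy type inspect LAN-TO-WAN
zone-pair security WAN-TO-LAN source WAN destination LAN
 description WAN-TO-LAN TRAFFIC
interface FastEthernet0/0
 zone-member security LAN
interface FastEthernet0/1
 zone-member security WAN
interface Serial0/0
 no ip address
"""

def audit_zbf(config):
    zones, members, pairs = set(), {}, {}
    block = None  # the zone-pair or interface block currently being parsed
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level command ends the block
            block = None
        if m := re.match(r"zone security (\S+)", line):
            zones.add(m[1])
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            block = pairs[m[1]] = {"src": m[2], "dst": m[3], "policy": None}
        elif m := re.match(r"interface (\S+)", line):
            block = members[m[1]] = {"zone": None}
        elif block is not None and (m := re.match(r" +service-policy type inspect (\S+)", line)):
            block["policy"] = m[1]
        elif block is not None and (m := re.match(r" +zone-member security (\S+)", line)):
            block["zone"] = m[1]
    covered = {(p["src"], p["dst"]) for p in pairs.values() if p["policy"]}
    return {
        # Zone pairs that exist but have nothing attached: traffic is dropped.
        "pairs_without_policy": sorted(n for n, p in pairs.items() if not p["policy"]),
        # Ordered zone combinations with no policy at all.
        "directions_without_policy": sorted(d for d in permutations(zones, 2) if d not in covered),
        # Interfaces outside every zone cannot exchange traffic with zone members.
        "unzoned_interfaces": sorted(i for i, b in members.items() if b["zone"] is None),
    }

if __name__ == "__main__":
    for finding, items in audit_zbf(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```
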

Now we have zones, zone pairs and interfaces that are assigned to the zones. No service policy is attached to the zone pairs yet, so by default all traffic between the zones will be blocked. Let’s see if this is true:

Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Hi Simon,

    Here’s an example:

    class-map type inspect match-all LAN_TO_WAN
     match access-group name LAN_TO_WAN
    class-map type inspect match-all WAN_TO_LAN
     match access-group name WAN_TO_LAN
    class-map type inspect match-all ISAKMP_IPSEC
     match access-group name ISAKMP_IPSEC
    class-map type inspect match-all DHCP
     match access-group name DHCP_CLIENT
    policy-map type inspect WAN_TO_SELF
     class type inspect ICMP
     class type inspect ISAKMP_IPSEC
     class type inspect DHCP
     class class-default
    policy-map type inspect WAN_TO_LAN
     class type in
    ... Continue reading in our forum

  2. Hi Matt,

    It’s in the policy-map, take a look below:

    policy-map type inspect LAN-TO-WAN
     class type inspect ICMP
     class class-default

    The output above is from the running configuration. Here’s how to change it:

    R2(config)#policy-map type inspect LAN-TO-WAN
    R2(config-pmap)#class class-default                
    Policy-map class configuration commands:
      drop  Drop the packet
      exit  Exit from class action configuration mode
      no    Negate or set default values of a command
      pass  Pass the packet

    The pa

    ... Continue reading in our forum

  3. Hi Rene,

    I’m wanting to include a section in my ZBPF to deny access to certain URLs. Some websites are suggesting to use a parameter-map type regex whilst others are suggesting using a class-map match-any.

    parameter-map type regex url-blacklist-pmap
     pattern *
    class-map match-any URL_BLOCK
     match protocol http host ""

    I am interested in doing this to try and block various telemetry attempts by 3rd parties as the hosts file is often quite useless at this. Some use URLs hardcoded with their phone home addresses inside

    ... Continue reading in our forum

  4. Hi Rene,
    Why did you use many “inspect” commands: in the class-map, in the policy-map (2 times) and in the zone-pair?
    Which one of them should be the one to allow the return traffic? And which one of them can I replace with drop or pass?

    Also, regarding the WAN-TO-SELF, should I create a LAN-To-SELF to deny access from the inside zone?
    Thanks a lot

  5. Hi Ali and Matt,

    About the many inspect commands…the thing is that the class-map that is used for inspection is a different one than the regular class-map. The same thing applies to the policy-map. For example, take a look at this code:

    policy-map type inspect LAN-TO-WAN
     class type inspect ICMP

    The “policy-map type inspect” part only refers to the policy-map called LAN-TO-WAN and specifies that it’s an “inspect type” policy-map. The same thing applies to the class-map we use here.

    The only command that does inspection, is the “inspect” command.


    ... Continue reading in our forum
