Yadhu Tony
Level 1

Introduction

The Cisco IOS Zone Based Firewall is one of the most advanced forms of stateful firewall used in Cisco IOS devices. The zone based firewall (ZBFW) is the successor of the classic IOS firewall, CBAC (Context-Based Access Control). Cisco first implemented a router-based stateful firewall in CBAC, which used the ip inspect command to inspect traffic at layer 4 and layer 7.

Even though ASA devices are considered the dedicated firewall devices, Cisco integrated firewall functionality into the router, which makes the router a cost-effective firewall. The zone based firewall came with many features that are not available in CBAC. The ZBFW is built around security zones: router interfaces are assigned to security zones and traffic is controlled between the zones. Traffic is also dynamically inspected as it passes between zones. In addition to all the features available in the classic IOS firewall, the zone based firewall supports application inspection and control for HTTP, POP3, Sun RPC, IM applications and P2P file sharing.

For advanced configuration of the IOS Zone Based Firewall refer to http://yadhutony.blogspot.in/2013/08/zone-based-firewall-advanced_4036.html

Zone Based Firewall vs CBAC

CBAC                                                 | Zone Based Firewall
-----------------------------------------------------|------------------------------------------------
Interface based configuration                        | Zone based configuration
Controls inbound and outbound access on an interface | Controls bidirectional access between zones
Uses inspect statements and stateful ACLs            | Uses the Class-Based Policy Language
Application inspection and control not supported     | Supports application inspection and control
Supported from IOS Release 11.2                      | Supported from IOS Release 12.4(6)T

This document will guide you through configuring a basic Zone Based Policy Firewall on an IOS router. I am going to divide the entire configuration into logical sets and finally combine them to get the full configuration.

ZBFW Configuration Procedure

These are the configuration tasks that you need to follow:

  1. Configure Zones
  2. Assign Router Interfaces to zones
  3. Create Zone Pairs
  4. Configure Interzone Access Policy (Class Maps & Policy Maps)
  5. Apply Policy Maps to Zone Pairs

Configuration Scenario

Figure 1. Network diagram of the three-zone scenario (image: zbf_ntwrk_dgm.jpg)

In this example we have three zones.

  • Inside Zone - Private LAN
  • DMZ Zone - DMZ hosts
  • Outside Zone - Internet

Here I am defining a rule set for our ZBFW:

1. From Inside to Outside - HTTP, ICMP and POP3 are allowed

2. From Outside to Inside - ICMP is allowed

3. From Inside to DMZ - HTTP and ICMP are allowed

4. From Outside to DMZ - HTTP is allowed

Default Rules of Zone Based Firewall

  1. Interzone communication is denied: traffic is denied between interfaces that are in different zones unless we specify a firewall policy.
  2. Intrazone communication is allowed: traffic flows implicitly between interfaces that are in the same zone.
  3. All traffic to the self zone (the router itself) is allowed.

The self zone is created automatically by the router when we create the other zones in a Zone Based Firewall; it represents traffic destined to or originated by the router itself.
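The default rules above, together with the rule set of the scenario, can be written down as a small decision function so you can check what the firewall will do with a given first packet before touching the router. The script below is an added example and is not code from the original document: the zone, ACL and policy names are the ones used in this document, the subnets 172.17.0.0/16 and 192.168.1.0/24 are the ones that appear in the ACLs of Task 4, and the flows fed to decide() (including the documentation address 203.0.113.5) are constructed test input. It models only the decision for the first packet of a flow, not the session state that inspect creates afterwards.

```python
"""Model of the ZBFW forwarding decision for the three-zone scenario.
Added example, not part of the original document: the zone, ACL and policy
names are the document's; the flows given to decide() are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    in_iface: str      # interface the first packet arrives on
    out_iface: str     # interface it would leave on ("self" = the router itself)
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask -> network. The wildcard is inverted into a netmask
    first, because ipaddress reads 0.0.0.0 and 255.255.255.255 as netmasks."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class Ace:
    """One 'permit' line of an extended ACL (dport None = any port, or ICMP)."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (self.proto == f.proto
                and ipaddress.ip_address(f.src) in self.src
                and ipaddress.ip_address(f.dst) in self.dst
                and (self.dport is None or self.dport == f.dport))


ANY = net("0.0.0.0", "255.255.255.255")
INSIDE_NET = net("172.17.0.0", "0.0.255.255")
DMZ_NET = net("192.168.1.0", "0.0.0.255")

# Task 2: interface -> zone. "self" is the router's own zone, created implicitly.
ZONE_OF = {"GigabitEthernet0/0": "INSIDE", "GigabitEthernet0/1": "OUTSIDE",
           "GigabitEthernet0/2": "DMZ", "self": "self"}

# Task 4: the ACLs behind the match-all class maps (www = 80, pop3 = 110).
ACLS = {
    "INSIDE-TO-OUTSIDE": [Ace("tcp", INSIDE_NET, ANY, 80), Ace("tcp", INSIDE_NET, ANY, 110),
                          Ace("icmp", INSIDE_NET, ANY)],
    "OUTSIDE-TO-INSIDE": [Ace("icmp", ANY, INSIDE_NET)],
    "OUTSIDE-TO-DMZ": [Ace("tcp", ANY, DMZ_NET, 80)],
    "INSIDE-TO-DMZ": [Ace("tcp", INSIDE_NET, DMZ_NET, 80), Ace("icmp", INSIDE_NET, DMZ_NET)],
}

# Policy map -> ordered (class ACL, action). The class-default drop is implicit.
POLICIES = {
    "INSIDE-TO-OUTSIDE-POLICY": [("INSIDE-TO-OUTSIDE", "inspect")],
    "OUTSIDE-TO-INSIDE-POLICY": [("OUTSIDE-TO-INSIDE", "pass")],
    "OUTSIDE-TO-DMZ-POLICY": [("OUTSIDE-TO-DMZ", "inspect")],
    "INSIDE-TO-DMZ-POLICY": [("INSIDE-TO-DMZ", "pass")],
}

# Tasks 3 and 5: unidirectional zone pairs and the policy attached to each.
ZONE_PAIRS = {
    ("INSIDE", "OUTSIDE"): "INSIDE-TO-OUTSIDE-POLICY",
    ("OUTSIDE", "INSIDE"): "OUTSIDE-TO-INSIDE-POLICY",
    ("OUTSIDE", "DMZ"): "OUTSIDE-TO-DMZ-POLICY",
    ("INSIDE", "DMZ"): "INSIDE-TO-DMZ-POLICY",
}


def decide(f: Flow) -> tuple:
    """Return (action, reason) for the first packet of a flow, following the
    ZBFW default rules and then the policy of the matching zone pair."""
    src_zone, dst_zone = ZONE_OF.get(f.in_iface), ZONE_OF.get(f.out_iface)
    if src_zone is None or dst_zone is None:
        return "drop", "a zone member cannot exchange traffic with a non-member interface"
    if src_zone == dst_zone:
        return "pass", "intrazone traffic is allowed by default"
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        if "self" in (src_zone, dst_zone):
            return "pass", "self zone traffic is allowed until a policy is applied to it"
        return "drop", "interzone traffic is denied without a zone pair"
    for acl_name, action in POLICIES[policy]:       # classes in configured order
        if any(ace.matches(f) for ace in ACLS[acl_name]):
            return action, f"{policy}: matched class for ACL {acl_name}"
    return "drop", f"{policy}: class-default"


if __name__ == "__main__":
    for flow in (Flow("GigabitEthernet0/0", "GigabitEthernet0/1", "tcp", "172.17.1.10", "203.0.113.5", 80),
                 Flow("GigabitEthernet0/1", "GigabitEthernet0/0", "tcp", "203.0.113.5", "172.17.1.10", 22),
                 Flow("GigabitEthernet0/2", "GigabitEthernet0/0", "tcp", "192.168.1.10", "172.17.1.10", 80)):
        print(flow.proto, flow.src, "->", flow.dst, flow.dport, "=>", decide(flow))
```

Running the script walks three flows through the decision: inside-to-outside HTTP is inspected, an SSH attempt from outside to inside hits class-default and is dropped, and DMZ-to-inside traffic is dropped because no zone pair exists for that direction, which is exactly the behaviour the default rules describe.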

Task 1 : Configure Zones

In this example (refer to Figure 1) we have three zones: INSIDE, OUTSIDE and DMZ.

To configure zones on a router, connect to the router via PuTTY or the console, switch to global configuration mode and type the commands below:

Router(config)#zone security INSIDE

Router(config)#zone security OUTSIDE

Router(config)#zone security DMZ


Task 2 : Assign Router Interfaces to Zones

We have to assign each router interface to a particular zone. Here I am going to assign GigabitEthernet0/0 to the INSIDE zone, GigabitEthernet0/1 to the OUTSIDE zone and GigabitEthernet0/2 to the DMZ zone.

To achieve this we go to the particular interface and attach that interface to the zone. Type the commands as below:

Router(config)#interface gigabitEthernet 0/0

Router(config-if)#zone-member security INSIDE

Router(config)#interface gigabitEthernet 0/1

Router(config-if)#zone-member security OUTSIDE

Router(config)#interface gigabitEthernet 0/2

Router(config-if)#zone-member security DMZ


Now if you try to ping from one zone to another, the traffic will be denied because of the default firewall policy.

Task 3 : Create Zone Pairs

Zone pairs connect the zones. If you want two zones to communicate you have to create a zone pair. A zone pair is unidirectional (the source zone is where the traffic originates), so traffic initiated from each side needs its own pair. DO NOT create zone pairs for non-communicating zones. In our scenario the traffic flows between:

  • INSIDE to OUTSIDE
  • OUTSIDE to INSIDE
  • OUTSIDE to DMZ
  • INSIDE to DMZ

So we need to create four zone pairs. To create zone pairs the command is as follows.

Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE

Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ

Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ


Task 4 : Configure Interzone Access Policy

Interzone Access policy is the key part of a Zone based firewall where we classify the traffic and apply the firewall policies. Class map and Policy map configurations are carried out during this task.

Class Maps : This will classify the traffic

Policy Maps : This will decide the 'fate' of the traffic

Class Map Configuration

Class maps sort the traffic based on one of the following criteria: 1.) an access-group, 2.) a protocol, or 3.) a subordinate class map. In our scenario I am sorting the traffic based on an access-group, so first we need to create an ACL and then associate it with the class map.

a.) Class Map for INSIDE-TO-OUTSIDE

Router(config)#ip access-list extended INSIDE-TO-OUTSIDE

Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq www

Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq pop3

Router(config-ext-nacl)#permit icmp 172.17.0.0 0.0.255.255 any

Router(config)#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS

Router(config-cmap)#match access-group name INSIDE-TO-OUTSIDE

or, alternatively, you can classify by protocol with a match-any class map instead of an ACL:

Router(config)#class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS

Router(config-cmap)#description Allowed_Protocol_From_INSIDE_to_OUTSIDE

Router(config-cmap)#match protocol https

Router(config-cmap)#match protocol dns

Router(config-cmap)#match protocol udp

Router(config-cmap)#match protocol tcp

Router(config-cmap)#match protocol pop3

Router(config-cmap)#match protocol smtp

Router(config-cmap)#match protocol icmp

Note that match protocol tcp and match protocol udp match all TCP and UDP traffic, so this class is much broader than the ACL-based class above; use it only if that is what you intend.

b.) Class Map for OUTSIDE-TO-INSIDE

Router(config)#ip access-list extended OUTSIDE-TO-INSIDE

Router(config-ext-nacl)#permit icmp any 172.17.0.0 0.0.255.255

Router(config)#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS

Router(config-cmap)#match access-group name OUTSIDE-TO-INSIDE

c.) Class Map for OUTSIDE-TO-DMZ

Router(config)#ip access-list extended OUTSIDE-TO-DMZ

Router(config-ext-nacl)#permit tcp any 192.168.1.0 0.0.0.255 eq www

Router(config)#class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS

Router(config-cmap)#match access-group name OUTSIDE-TO-DMZ

d.) Class Map for INSIDE-TO-DMZ

Router(config)#ip access-list extended INSIDE-TO-DMZ

Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq www

Router(config-ext-nacl)#permit icmp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255

Router(config)#class-map type inspect match-all INSIDE-TO-DMZ-CLASS

Router(config-cmap)#match access-group name INSIDE-TO-DMZ


Policy-Map Configuration

Policy maps apply the firewall policy to the class maps configured previously. Three actions can be taken against the traffic in the policy-map configuration:

  • Inspect : Dynamically inspect the traffic (stateful; the return traffic of the session is allowed automatically).
  • Drop : Drop the traffic.
  • Pass : Simply forward the traffic without creating any state; return traffic must be allowed by the policy on the reverse zone pair.

There is an implicit drop for unmatched traffic (class-default) at the end of every policy map; below it is configured explicitly with drop log so that the dropped traffic is logged.

a.) Policy-map for INSIDE-TO-OUTSIDE

Router(config)#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY

Router(config-pmap)#class type inspect INSIDE-TO-OUTSIDE-CLASS

Router(config-pmap)#inspect

Router(config-pmap)#class class-default

Router(config-pmap)#drop log

b.) Policy-map for OUTSIDE-TO-INSIDE

Router(config)#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY

Router(config-pmap)#class type inspect OUTSIDE-TO-INSIDE-CLASS

Router(config-pmap)#pass

Router(config-pmap)#class class-default

Router(config-pmap)#drop log

c.) Policy-map for OUTSIDE-TO-DMZ

Router(config)#policy-map type inspect OUTSIDE-TO-DMZ-POLICY

Router(config-pmap)#class type inspect OUTSIDE-TO-DMZ-CLASS

Router(config-pmap)#inspect

Router(config-pmap)#class class-default

Router(config-pmap)#drop log

d.) Policy-map for INSIDE-TO-DMZ

Router(config)#policy-map type inspect INSIDE-TO-DMZ-POLICY

Router(config-pmap)#class type inspect INSIDE-TO-DMZ-CLASS

Router(config-pmap)#pass

Router(config-pmap)#class class-default

Router(config-pmap)#drop log


Task 5 : Apply policy maps to zone pairs

Now we have to attach the policy maps to the zone pairs that we have already created. The command is as follows:

Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE

Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ

Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-DMZ-POLICY

Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ

Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-DMZ-POLICY


There we finish the basic configuration of a zone based firewall.
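Because the five tasks are repetitive, it helps to see them as one function of a small rule table: add a rule, and an ACL, a class map, a policy map and a zone pair appear together, with nothing for the zones that must not talk. The generator below is an added example and is not the document's or Cisco's code. It uses the interfaces, subnets and allowed services of this scenario, but names every object with a uniform SRC-TO-DST scheme instead of the document's abbreviations, and it also covers a two-zone router such as the WAN/LAN case in the comments (one rule, one zone pair). It emits the tasks in an order that can be pasted top to bottom, and, as the text above notes, it assigns interfaces to zones last so that traffic is not dropped while the policies are still missing.

```python
"""Render the five ZBFW configuration tasks from a declarative rule set.
Added example, not code from the original document. Interfaces, subnets and
services are the document's scenario; object names use SRC-TO-DST throughout."""

# Zone -> (interface assigned in Task 2, source/destination spec used in ACLs)
ZONES = {
    "INSIDE":  ("GigabitEthernet0/0", "172.17.0.0 0.0.255.255"),
    "OUTSIDE": ("GigabitEthernet0/1", "any"),
    "DMZ":     ("GigabitEthernet0/2", "192.168.1.0 0.0.0.255"),
}

# One rule per zone pair: (source zone, destination zone, services, action).
# A service is (protocol, IOS port keyword) or (protocol, None) for ICMP.
RULES = [
    ("INSIDE",  "OUTSIDE", [("tcp", "www"), ("tcp", "pop3"), ("icmp", None)], "inspect"),
    ("OUTSIDE", "INSIDE",  [("icmp", None)],                                 "pass"),
    ("INSIDE",  "DMZ",     [("tcp", "www"), ("icmp", None)],                 "pass"),
    ("OUTSIDE", "DMZ",     [("tcp", "www")],                                 "inspect"),
]


def acl_lines(name, src_spec, dst_spec, services):
    """Extended ACL: one permit line per service, as in Task 4 of the document."""
    lines = [f"ip access-list extended {name}"]
    for proto, port in services:
        entry = f" permit {proto} {src_spec} {dst_spec}"
        if port is not None:
            entry += f" eq {port}"
        lines.append(entry)
    return lines


def render_config(zones, rules):
    """Return the IOS configuration for all five tasks. Every object is
    defined before something references it, and interfaces join their zones
    last, so the result can be pasted top to bottom without an outage."""
    for src, dst, _, action in rules:           # validate before emitting anything
        if src not in zones or dst not in zones:
            raise ValueError(f"unknown zone in rule {src}->{dst}")
        if action not in ("inspect", "pass"):
            raise ValueError(f"unsupported action {action!r}")
        if src == dst:
            raise ValueError("intrazone traffic is allowed by default; no zone pair needed")

    out = ["! Task 1: zones"]
    out += [f"zone security {zone}" for zone in zones]

    out.append("! Task 4: ACL, class-map and policy-map for each rule")
    for src, dst, services, action in rules:
        name = f"{src}-TO-{dst}"
        out += acl_lines(name, zones[src][1], zones[dst][1], services)
        out += [f"class-map type inspect match-all {name}-CLASS",
                f" match access-group name {name}"]
        out += [f"policy-map type inspect {name}-POLICY",
                f" class type inspect {name}-CLASS",
                f"  {action}",
                " class class-default",
                "  drop log"]              # explicit, logged form of the default drop

    out.append("! Tasks 3 and 5: unidirectional zone pairs with their policies")
    for src, dst, _, _ in rules:
        name = f"{src}-TO-{dst}"
        out += [f"zone-pair security {name} source {src} destination {dst}",
                f" service-policy type inspect {name}-POLICY"]

    out.append("! Task 2 (done last): interface membership")
    for zone, (iface, _) in zones.items():
        out += [f"interface {iface}", f" zone-member security {zone}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_config(ZONES, RULES))
```

The validation step is where the "DO NOT create zone pairs for non-communicating zones" advice lives: a pair only exists because a rule asked for it, and a rule between a zone and itself is rejected because intrazone traffic is already allowed.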

Troubleshooting

You can use the below commands to perform some basic troubleshooting and verification.

a.) Show commands

show class-map type inspect

show policy-map type inspect

show zone-pair security

b.) Debug Commands

debug policy-firewall detail

debug policy-firewall events

debug policy-firewall protocol tcp

debug policy-firewall protocol udp

Advanced Zone Based Firewall Configuration

Here you can find some examples of advanced Zone Based Firewall configuration.

1. Advanced Zone Based Firewall Configuration : http://yadhutony.blogspot.in/2013/08/zone-based-firewall-advanced_4036.html

2. IOS Content Filtering : http://yadhutony.blogspot.in/2013/02/cisco-ios-local-content-filtering.html

3. P2P and IM Application control : http://yadhutony.blogspot.in/2012/11/how-to-block-p2p-traffic-on-cisco-router.html

You can visit http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-1s/sec-zone-pol-fw.html for more details.

Thank you for viewing this document.

Comments
Hamid Amir
Level 1

Hi Tony

Yes, I can get internet when I add permit ip any any to the access-list, even without using a class-map and policy-map.

My project is to remove the tcp, udp protocol and just add the access-list (port forwarding) for iPhone Viber.

Thank you very much for your help.

Kind Regards

Hamid

Arjun Chaudhari
Level 1

I have a Cisco 1841 router; it basically has two ports, Fa0/0 and Fa0/1. I don't have a DMZ port, so how can I configure zone based security on the router? Fa0/0 is used for WAN (ISP) and Fa0/1 is used for LAN (192.168.0.0/24).

Jamie_90
Level 1

Thank you

FraserJ
Level 1

Hi Tony thanks for explaining this.  Very concise.

stevenclark612
Level 1

Please give advice. I am trying to learn ZBFW and the 4 port EWIC switch module.

I can not get the switch module to work. Please help.

Building configuration...

Current configuration : 15772 bytes
!
! Last configuration change at 11:45:04 EDT Sat Aug 26 2023 by sclark
! NVRAM config last updated at 11:36:33 EDT Sat Aug 26 2023 by sclark
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-001
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5
enable password
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_access local
aaa authorization auth-proxy default local
!
!
!
!
!
aaa session-id common
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
memory-size iomem 25
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.0.100.1
ip dhcp excluded-address 10.0.154.1
ip dhcp excluded-address 10.0.254.1
ip dhcp excluded-address 172.16.32.1
ip dhcp excluded-address 192.168.50.1
ip dhcp excluded-address 192.168.51.1
ip dhcp excluded-address 10.0.100.1 10.0.100.50
ip dhcp excluded-address 10.0.100.250 10.0.100.254
ip dhcp excluded-address 10.0.154.1 10.0.154.50
ip dhcp excluded-address 10.0.154.250 10.0.154.254
ip dhcp excluded-address 10.0.254.1 10.0.254.50
ip dhcp excluded-address 10.0.254.250 10.0.254.254
ip dhcp excluded-address 172.16.32.1 172.16.32.50
ip dhcp excluded-address 172.16.32.250 172.16.32.254
ip dhcp excluded-address 192.168.50.1 192.168.50.50
ip dhcp excluded-address 192.168.50.250 192.168.50.254
ip dhcp excluded-address 192.168.51.1 192.168.51.50
ip dhcp excluded-address 192.168.51.250 192.168.51.254
!
ip dhcp pool dot1Q-Native_VLAN-1
import all
network 10.0.100.0 255.255.255.0
default-router 10.0.100.1
dns-server 208.67.222.222 208.67.220.220
domain-name cgnc.us
!
ip dhcp pool VLAN-154
import all
network 10.0.154.0 255.255.255.0
default-router 10.0.154.1
dns-server 208.67.222.222 208.67.220.220
domain-name cgnc.us
!
ip dhcp pool VLAN-254
import all
network 10.0.254.0 255.255.255.0
default-router 10.0.254.1
dns-server 208.67.222.222 208.67.220.220
domain-name cgnc.us
!
ip dhcp pool VLAN-1
import all
network 172.16.32.0 255.255.255.0
default-router 172.16.32.1
dns-server 208.67.222.222 208.67.220.220
domain-name cgnc.us
!
!
!
no ip domain lookup
ip domain name CGNC.LOCAL
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
cts logging verbose
license udi pid CISCO2951/K9 sn FJC1924A0WP
!
!
username password 0
!
redundancy
!
!
!
!
!
track 1 ip sla 20 reachability
!
ip ssh time-out 60
ip ssh authentication-retries 4
ip ssh port 2001 rotary 1
ip ssh version 1
ip ssh pubkey-chain
username sclark
!
class-map type inspect match-any CATEGORY_INTER-PROCESS-RPC
match protocol sunrpc
class-map type inspect match-any CATEGORY_VOICE-AND-VIDEO
match protocol h323
match protocol isakmp
match protocol mgcp
match protocol pptp
match protocol rtsp
match protocol sip
match protocol sip-tls
match protocol skinny
class-map type inspect match-any CATEGORY_EMAIL
match protocol imap
match protocol msexch-routing
match protocol pop3
match protocol qmtp
match protocol smtp
class-map type inspect match-any CATEGORY_CONSUMER-STREAMING
match protocol appleqtc
match protocol netshow
match protocol realmedia
match protocol vdolive
class-map type inspect match-any CATEGORY_FILE-SHARING
match protocol cifs
match protocol ftp
match protocol nfs
match protocol tftp
class-map type inspect match-any CATEGORY_DATABASE
match protocol dbase
match protocol ms-sql-m
match protocol mysql
match protocol net8-cman
match protocol oraclenames
match protocol rdb-dbs-disp
match protocol sql-net
match protocol sqlserv
match protocol sqlsrv
class-map type inspect match-any CATEGORY_BACKUP-AND-STORAGE
match protocol iscsi
class-map type inspect match-any CATEGORY_BROWSING
match protocol http
class-map type inspect match-any WAN-TO-LAN-CLASS
description Allowed_Protocol_From_WAN-TO-LAN
match protocol snmp
match protocol icmp
match protocol ntp
match protocol echo
match protocol dns
match protocol sip
match protocol sip-tls
class-map type inspect match-any CATEGORY_OTHER_1
match protocol 802-11-iapp
match protocol ace-svr
match protocol aol
match protocol biff
match protocol bootpc
match protocol bootps
match protocol cddbp
match protocol cisco-net-mgmt
match protocol cisco-svcs
match protocol citriximaclient
match protocol clp
match protocol creativepartnr
match protocol creativeserver
match protocol dbcontrol_agent
match protocol ddns-v3
match protocol discard
match protocol entrust-svc-hdlr
match protocol entrust-svcs
match protocol fcip-port
match protocol ftps
match protocol gdoi
match protocol giop
match protocol gopher
match protocol gtpv0
match protocol gtpv1
match protocol h225ras
match protocol h323-annexe
match protocol h323-nxg
match protocol hsrp
match protocol https
match protocol ica
match protocol icabrowser
match protocol ident
match protocol igmpv3lite
match protocol imap3
match protocol imaps
match protocol ipass
match protocol orasrv
match protocol pcanywheredata
match protocol pcanywherestat
match protocol pop3s
match protocol r-winsock
match protocol realsecure
match protocol router
match protocol rsvd
match protocol rsvp-encap
match protocol rtc-pm-port
match protocol send
match protocol sms
match protocol snmptrap
match protocol oem-agent
match protocol oracle
match protocol oracle-em-vp
match protocol ipsec-msft
match protocol ipx
match protocol ircs
match protocol ircu
match protocol iscsi-target
match protocol kermit
match protocol ldap-admin
match protocol ldaps
match protocol lotusmtap
match protocol lotusnote
match protocol microsoft-ds
match protocol ms-cluster-net
match protocol ms-dotnetster
match protocol ms-sna
match protocol ms-sql
match protocol msnmsgr
match protocol msrpc
match protocol msrpc-smb-netbios
match protocol n2h2server
match protocol netstat
match protocol nntp
class-map type inspect match-any CATEGORY_OTHER_2
match protocol ssp
match protocol streamworks
match protocol stun
match protocol sxp
match protocol syslog-conn
match protocol tacacs-ds
match protocol tarantella
match protocol tcp
match protocol telnets
match protocol tr-rsrb
match protocol ttc
match protocol udp
match protocol vqp
match protocol webster
match protocol who
match protocol winmsgr
match protocol wins
match protocol x11
match protocol ymsgr
class-map type inspect match-any CATEGORY_NET-ADMIN
match protocol bgp
match protocol cisco-fna
match protocol cisco-sys
match protocol cisco-tdp
match protocol cisco-tna
match protocol daytime
match protocol dhcp-failover
match protocol dns
match protocol dnsix
match protocol echo
match protocol exec
match protocol finger
match protocol hp-alarm-mgr
match protocol hp-collector
match protocol hp-managed-node
match protocol icmp
match protocol kerberos
match protocol l2tp
match protocol ldap
match protocol login
match protocol ncp
match protocol netbios-dgm
match protocol netbios-ns
match protocol netbios-ssn
match protocol ntp
match protocol pwdgen
match protocol radius
match protocol rsvp_tunnel
match protocol rtelnet
match protocol shell
match protocol snmp
match protocol socks
match protocol ssh
match protocol sshell
match protocol syslog
match protocol tacacs
match protocol telnet
match protocol time
match protocol timed
match protocol uucp
match protocol xdmcp
class-map type inspect match-any CATEGORY_BUSINESS-AND-PRODUCTIVITY-TOOLS
match protocol citrix
class-map type inspect match-any CATEGORY_INSTANT-MESSAGING
match protocol icq
match protocol irc
match protocol irc-serv
class-map type inspect match-any Inside->>Outside-Application_App
match class-map CATEGORY_VOICE-AND-VIDEO
match class-map CATEGORY_EMAIL
match class-map CATEGORY_CONSUMER-STREAMING
match class-map CATEGORY_FILE-SHARING
match class-map CATEGORY_INSTANT-MESSAGING
match class-map CATEGORY_BROWSING
match class-map CATEGORY_DATABASE
match class-map CATEGORY_BACKUP-AND-STORAGE
match class-map CATEGORY_BUSINESS-AND-PRODUCTIVITY-TOOLS
match class-map CATEGORY_INTER-PROCESS-RPC
match class-map CATEGORY_NET-ADMIN
match class-map CATEGORY_OTHER_1
match class-map CATEGORY_OTHER_2
class-map type inspect match-any Outside->>Inside-Application_App
match class-map CATEGORY_VOICE-AND-VIDEO
match class-map CATEGORY_CONSUMER-STREAMING
match class-map WAN-TO-LAN-CLASS
class-map type inspect match-all Inside->>Outside-Application
description application
match access-group name Inside->>Outside-Application_ACL
match class-map Inside->>Outside-Application_App
class-map type inspect match-all Outside->>Inside-Application
description application
match access-group name Outside->>Inside-Application_ACL
match class-map Outside->>Inside-Application_App
!
policy-map type inspect LAN-TO-WAN-POLICY
class type inspect CATEGORY_VOICE-AND-VIDEO
inspect
class type inspect CATEGORY_EMAIL
inspect
class type inspect CATEGORY_CONSUMER-STREAMING
inspect
class type inspect CATEGORY_FILE-SHARING
inspect
class type inspect CATEGORY_INSTANT-MESSAGING
inspect
class type inspect CATEGORY_BROWSING
inspect
class type inspect CATEGORY_DATABASE
inspect
class type inspect CATEGORY_BACKUP-AND-STORAGE
inspect
class type inspect CATEGORY_BUSINESS-AND-PRODUCTIVITY-TOOLS
inspect
class type inspect CATEGORY_INTER-PROCESS-RPC
inspect
class type inspect CATEGORY_NET-ADMIN
inspect
class type inspect CATEGORY_OTHER_1
inspect
class type inspect CATEGORY_OTHER_2
inspect
class class-default
drop log
policy-map type inspect WAN-TO-LAN-POLICY
class type inspect WAN-TO-LAN-CLASS
inspect
class class-default
drop log
!
zone security WAN
zone security LAN
zone security VPN
zone security DMZ
zone-pair security WAN-TO-LAN source WAN destination LAN
service-policy type inspect WAN-TO-LAN-POLICY
zone-pair security LAN-TO-WAN source LAN destination WAN
service-policy type inspect LAN-TO-WAN-POLICY
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
description TRUNK-VLANS
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
no mop enabled
!
interface Port-channel1.1
description VLAN-1-Native
encapsulation dot1Q 1 native
ip address 10.0.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Port-channel1.154
description VLAN-154
encapsulation dot1Q 154
ip address 10.0.154.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Port-channel1.254
description VLAN-254
encapsulation dot1Q 254
ip address 10.0.254.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LACP/LAG-GROUP
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/1
description LACP/LAG-GROUP
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/2
description LACP/LAG-GROUP
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/0/0
description ISP-001
ip address dhcp hostname ROUTER-001
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex full
speed 1000
!
interface GigabitEthernet0/1/0
description ISP-002
ip address dhcp hostname ROUTER-001
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex full
speed 1000
!
interface GigabitEthernet0/3/0
description Onboard-LAN
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/3/1
description Onboard-LAN
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/3/2
description Onboard-LAN
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/3/3
description Onboard-LAN
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
no ip address
duplex full
speed 1000
!
interface Vlan1
description VLAN-1
ip address pool VLAN-1
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
router rip
version 2
network 10.0.0.0
network 172.0.0.0
no auto-summary
!
no ip forward-protocol nd
!
ip http server
ip http port 8080
no ip http secure-server
!
ip nat inside source list Hosts-Ports interface GigabitEthernet0/0/0 overload
ip nat inside source route-map RM-NAT-ISP01 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map RM-NAT-ISP02 interface GigabitEthernet0/1/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 47.7.240.1 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1/0 192.168.1.1 253
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0/0 47.7.240.1
!
ip access-list standard ACL-DNAT
permit 10.0.100.0 0.0.0.255
permit 10.0.154.0 0.0.0.255
permit 10.0.254.0 0.0.0.255
permit 172.16.32.0 0.0.0.255
!
ip access-list extended Hosts-Ports
permit udp any any eq 7351
permit tcp any any eq 7734
permit tcp any any eq 7752
permit tcp any any range 60000 61000
permit udp any any eq snmp
permit udp any any eq snmptrap
permit udp any eq snmptrap any
permit tcp any any range 9998 9999
permit tcp any any eq 6970
permit udp any any range 7076 7077
permit udp any any range 9078 9079
permit tcp any any eq 15063
permit tcp any any eq 15064
permit udp any any eq 15064
permit udp any any eq 15063
permit tcp any any eq 5060
permit tcp any any eq 5061
permit tcp any any eq 5062
permit udp any any eq 5060
permit udp any any eq 5061
permit udp any any eq 5062
permit tcp any any eq 8883
permit udp any any eq ntp
permit tcp any any eq 554
permit udp any any eq 554
permit tcp any any range 2195 2196
permit tcp any any range 5228 5230
permit udp any any eq 5223
permit tcp any any eq 8557
permit tcp any any eq 9002
permit tcp any any eq 19302
permit udp any any eq 9350
permit udp any eq snmp any
permit udp any any range 16500 65000
permit icmp any any
permit gre any any
!
ip sla 20
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
timeout 6000
frequency 10
ip sla schedule 20 life forever start-time now
logging trap notifications
logging host 10.0.100.25
!
route-map RM-NAT-ISP02 permit 10
match ip address ACL-DNAT
match interface GigabitEthernet0/1/0
!
route-map RM-NAT-ISP01 permit 10
match ip address ACL-DNAT
match interface GigabitEthernet0/0/0
!
!
snmp-server community public RO
snmp-server community private RW
snmp-server location Taylorsville
snmp-server contact stevenclark612@icloud.com
no snmp-server enable traps entity-sensor threshold
snmp-server host 10.0.100.25 version 2c private
snmp-server host 10.0.100.25 version 2c public
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
login authentication local_access
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7
login authentication local_access
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 129.6.15.32
ntp server 129.6.15.26
ntp server 129.6.15.27
!
end

stevenclark612
Level 1

I was adding my spin on ZBFW; let me know if this is ok.

Also, I need some way for this ACL to work during WAN failover.

When on the primary I am ok, but on the secondary my cameras are blocked.

This is the ACL list below.

ip access-list extended Hosts-Ports
permit udp any any eq 7351
permit tcp any any eq 7734
permit tcp any any eq 7752
permit tcp any any range 60000 61000
permit udp any any eq snmp
permit udp any any eq snmptrap
permit udp any eq snmptrap any
permit tcp any any range 9998 9999
permit tcp any any eq 6970
permit udp any any range 7076 7077
permit udp any any range 9078 9079
permit tcp any any eq 15063
permit tcp any any eq 15064
permit udp any any eq 15064
permit udp any any eq 15063
permit tcp any any eq 5060
permit tcp any any eq 5061
permit tcp any any eq 5062
permit udp any any eq 5060
permit udp any any eq 5061
permit udp any any eq 5062
permit tcp any any eq 8883
permit udp any any eq ntp
permit tcp any any eq 554
permit udp any any eq 554
permit tcp any any range 2195 2196
permit tcp any any range 5228 5230
permit udp any any eq 5223
permit tcp any any eq 8557
permit tcp any any eq 9002
permit tcp any any eq 19302
permit udp any any eq 9350
permit udp any eq snmp any
permit udp any any range 16500 65000
permit icmp any any
permit gre any any
