Zone-Based Firewall Cisco Configuration and Verification

For our zone-based firewall Cisco configuration, we will use the topology below. We have three routers here, the ISP router, our zone-based firewall (ZBFirewall), and the LAN router (Router). We will create two zones, the OUTSIDE security zone which includes the public ISP connectivity, and the INSIDE security zone which includes the traffic going towards our private LAN.

Cisco Zone Based Firewall


Zone Configuration

After configuring the interfaces and the routes, first, we have to create the security zones on ZBFirewall, the zone-based firewall Cisco router. We will set the security zone names as OUTSIDE and INSIDE.

ZBFirewall(config)#zone security OUTSIDE
ZBFirewall(config)#zone security INSIDE


Then, assign the interfaces to the zone they belong to. Interface G0/0/0 is connected to the ISP, so it belongs to the OUTSIDE zone and G0/0/1 is connected to the LAN Router at the INSIDE zone.

ZBFirewall(config)#interface G0/0/0
ZBFirewall(config-if)#zone-member security OUTSIDE
ZBFirewall(config)#interface G0/0/01
ZBFirewall(config-if)#zone-member security INSIDE


Now, we have to configure two zone pairs. Our first security zone pair name is IN-to-OUT, that’s for the traffic from INSIDE going to OUTSIDE. The next one is OUT-to-IN for the traffic OUTSIDE going to INSIDE. Optionally, we can add a description for the zone pair. This is helpful when there are lots of zone pairs.

ZBFirewall(config)#zone-pair security IN-to-OUT source INSIDE destination OUTSIDE
ZBFirewall(config-sec-zone-pair)#description INSIDE TO OUTSIDE TRAFFIC
ZBFirewall(config)#zone-pair security OUT-to-IN source OUTSIDE destination INSIDE
ZBFirewall(config-sec-zone-pair)#description OUTSIDE TO INSIDE TRAFFIC


To verify the configured zones, we can use the ‘show zone security‘ command. You can see that the self zone is defined automatically.

ZBFirewall#show zone security
zone self
Description: System defined zone

Member Interfaces:

Member Interfaces:


To check the configured zone pairs, we can use the ‘show zone-pair security‘ command:

ZBFirewall#show zone-pair security
Zone-pair name IN-to-OUT
Source-Zone INSIDE Destination-Zone OUTSIDE
service-policy not configured

Zone-pair name OUT-to-IN
Source-Zone OUTSIDE Destination-Zone INSIDE
service-policy not configured


If we try sending traffic between the zones, it will fail by default. That is because we have to configure security policies to decide what will happen to the traffic. You can see below that if we ping the LAN Router at from the ISP router, it fails.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)


Security Policy Configuration

The next thing we have to do is to configure the security policies. The class-map is used to classify the traffic and it is configured by using the command ‘class-map type inspect‘. You can see below the keywords that we can use.

ZBFirewall(config)#class-map type inspect ?
WORD class-map name
match-all Logical-AND all matching statements under this classmap
match-any Logical-OR all matching statements under this classmap


The ‘match-all‘ keyword requires all of the conditions listed in the class-map to match the network traffic. The ‘match-any‘ keyword on the other hand requires only one of the conditions in the class-map to qualify. If no keyword is specified, the ‘match-all‘ keyword is used by default.


For our example, we’ll create a security policy that will allow ICMP traffic from the INSIDE to the OUTSIDE security zone. We’ll give it a class-map name of ICMP, then we will set the class-map to match the ICMP protocol.

ZBFirewall(config)#class-map type inspect ICMP
ZBFirewall(config-cmap)#match protocol icmp


Now, we have to configure an inspection policy map with the name IN-OUT-ICMP. Then, we have to create policy criteria and define the class maps using the command ‘class type inspect <class-map name>‘.

ZBFirewall(config)#policy-map type inspect IN-OUT-ICMP
ZBFirewall(config-pmap)#class type inspect ICMP


In our example configuration above, we used the ‘inspect‘ firewall action. We have to specify the firewall policy action to the class-map which is specified in the policy map. There are three firewall actions that we can apply to the traffic:

  • Pass – forwards traffic from the source to the destination in one direction. A second policy is needed for the return traffic.
  • Drop – discards traffic that matches the class map.
  • Inspect – allows state-based traffic control. Permits and inspects traffic so that return traffic is allowed without needing a second policy.


Next, let’s apply the policy-map IN-OUT-ICMP to the zone pair IN-to-OUT using the ‘service-policy‘ command.

ZBFirewall(config)#zone-pair security IN-to-OUT source INSIDE destination
ZBFirewall(config-sec-zone-pair)#service-policy type inspect IN-OUT-ICMP


To verify, if we ping to the ISP router at from the LAN Router, it will succeed.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms


But if we ping to the LAN Router at from the ISP router, then it will fail as expected.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)


The inspection policy maps can be verified with the ‘show policy-map type inspect zone-pair‘ command.

ZBFirewall#show policy-map type inspect zone-pair sessions

policy exists on zp IN-to-OUT
Zone-pair: IN-to-OUT

Service-policy inspect : IN-OUT-ICMP

Class-map: ICMP (match-all)
Match: protocol icmp

Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: