Cisco IOS Security

René Jorissen on June 24, 2008 • Tags: #cisco #classic #firewalling #ios #zonebased

The first session I attended was about Deploying IOS Security. The session was about using Cisco IOS as a firewall to protect branch offices. We discussed normal classic firewalling and zone-based firewalling. I normally use classic firewalling, but I guess I have to try zone-based firewalling in the future. The advantage of zone-based firewalling is that you can add more than one interface to a zone and create policies between the zones. This is useful when configuring a branch router where the users need Internet access or when configuring a wired and wireless configuration with bridging.

A configuration example of zone-based firewalling is shown below:

class-map type inspect match-all web-dmz
 match protocol http
 match access-group 199
!
! ACL 199: the destination host address is missing from this listing
access-list 199 permit tcp any host
!
policy-map type inspect firewall-policy
 class type inspect web-dmz
  ! action for traffic matching the class: stateful inspection
  inspect
!
zone security private
zone security public
zone security dmz
!
zone-pair security zone-policy source public destination dmz
 service-policy type inspect firewall-policy
!
interface fastethernet 0
 description public interface
 zone-member security public
!
interface fastethernet 1
 description dmz interface
 zone-member security dmz
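
Because IOS drops traffic between zones that have no zone-pair with a service-policy attached, it helps to check a zone-based configuration for gaps in the zone model before deploying it. The script below is an added example, not part of the original post or of any Cisco tool: it audits the zone, zone-pair and interface statements of the listing above, and the function name `audit_zbf` and the finding names are assumptions made for this illustration.

```python
import re
from itertools import permutations

# Constructed sample input: the zone, zone-pair and interface statements from the listing above.
SAMPLE_CONFIG = """\
zone security private
zone security public
zone security dmz
zone-pair security zone-policy source public destination dmz
 service-policy type inspect firewall-policy
interface fastethernet 0
 zone-member security public
interface fastethernet 1
 zone-member security dmz
"""

def audit_zbf(config):
    """Return a dict describing gaps in a zone-based firewall zone model."""
    zones, members, pairs = set(), {}, {}
    iface = pair = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"zone security (\S+)", line):
            zones.add(m[1])
        elif m := re.fullmatch(r"interface (.+)", line):
            iface, pair = m[1], None
        elif m := re.fullmatch(r"zone-member security (\S+)", line):
            members.setdefault(m[1], []).append(iface)
        elif m := re.fullmatch(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pair = (m[1], m[2])
            pairs[pair] = None  # no service-policy seen yet for this pair
        elif (m := re.fullmatch(r"service-policy type inspect (\S+)", line)) and pair:
            pairs[pair] = m[1]
    used = set(members) | {z for p in pairs for z in p}
    populated = sorted(z for z in zones if z in members)
    return {
        # zones declared but with no member interface
        "empty_zones": sorted(zones - set(members)),
        # zones referenced by an interface or zone-pair but never declared
        "undeclared_zones": sorted(used - zones),
        # zone-pairs with no service-policy attached
        "pairs_without_policy": sorted(p for p, pol in pairs.items() if pol is None),
        # directions between populated zones that have no zone-pair at all
        "unpaired_directions": [d for d in permutations(populated, 2) if d not in pairs],
    }

if __name__ == "__main__":
    for finding, items in audit_zbf(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

On the listing above it reports the `private` zone as having no member interface and the dmz-to-public direction as having no zone-pair, so sessions initiated from the DMZ towards the public interface are dropped.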

Cisco IOS can also be used as an IPS (Intrusion Prevention System). When configuring IPS, Cisco SDM comes in handy. Other tools for configuring routers include Cisco Configuration Professional and Cisco Security Manager.

The session was very useful and I am sure that I will try some configuration examples in the near future, which I, of course, will post on the blog.
