Zone Pairs; Add Or Edit A Zone Pair - Cisco ROUTER-SDM-CD User Manual


Cisco Router and Security Device Manager 2.5 User's Guide (OL-4015-12)

Chapter 34
Zone-Based Policy Firewall

Zone Pairs

A zone pair allows you to specify a unidirectional firewall policy between two
security zones. The direction of the traffic is defined by the source and
destination security zones that you specify. The same zone cannot be defined as
both the source and the destination.
If you want traffic to flow in both directions between two zones, you must create
a zone pair for each direction. If you want traffic to flow freely among all
interfaces, each interface must be configured in a zone.
The following table shows an example of four zone pairs.

Zone Pair   Source       Destination   Policy
LAN-out     zone-VLAN1   zone-FE1      inspection-policymap-a
LAN-in      zone-FE1     zone-VLAN1    inspection-policymap-b
Bkup-out    self         zone-BRI0     inspection-policymap-c
Bkup-in     zone-BRI0    self          inspection-policymap-c

LAN-out and LAN-in are zone pairs configured for traffic flowing between the
LAN interface, VLAN1, and the FastEthernet 1 interface. Each zone pair is
controlled by a separate policy. Bkup-out and Bkup-in are configured for traffic
generated by the router. The same policy controls traffic sent from zone-BRI0 as
traffic sent by the router, represented by the self zone.
Click Add to create a zone pair.
Click Edit to change the policy associated with a zone pair.
Click Delete to remove a zone pair.

Add or Edit a Zone Pair

To configure a new zone pair, provide a name for the zone pair, a source zone from
which traffic will originate, a destination zone to which traffic is to be sent, and
the policy that is to determine which traffic can be sent across the zones. The
source zone and destination zone lists contain the zones configured on the router
and the self zone. The self zone can be used when you are configuring zone pairs
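
The rules described above (source and destination drawn from the configured zones plus self, never the same zone, one zone pair per direction) can be checked before a zone pair is added. The following Python is an added example, not part of the Cisco guide or of SDM: the zone and policy names come from the example table, the function names are hypothetical, and the rendered lines use the IOS zone-pair security and service-policy type inspect commands.

```python
SELF = "self"  # built-in zone that represents the router itself

def validate_zone_pair(pair, configured_zones):
    """Return the problems found in one proposed zone pair (empty list if none)."""
    problems = []
    allowed = set(configured_zones) | {SELF}
    for role in ("source", "destination"):
        if pair[role] not in allowed:
            problems.append(f"{pair['name']}: {role} zone {pair[role]!r} is not configured")
    if pair["source"] == pair["destination"]:
        problems.append(f"{pair['name']}: source and destination are the same zone")
    if not pair.get("policy"):
        problems.append(f"{pair['name']}: no policy selected")
    return problems

def one_way_pairs(pairs):
    """Names of zone pairs that have no pair defined for the reverse direction."""
    directions = {(p["source"], p["destination"]) for p in pairs}
    return [p["name"] for p in pairs
            if (p["destination"], p["source"]) not in directions]

def to_ios_cli(pair):
    """Render one zone pair as IOS zone-based firewall configuration lines."""
    return [
        f"zone-pair security {pair['name']} source {pair['source']} "
        f"destination {pair['destination']}",
        f" service-policy type inspect {pair['policy']}",
    ]

# Zones and zone pairs copied from the example table on this page.
ZONES = ["zone-VLAN1", "zone-FE1", "zone-BRI0"]
PAIRS = [
    {"name": "LAN-out", "source": "zone-VLAN1", "destination": "zone-FE1",
     "policy": "inspection-policymap-a"},
    {"name": "LAN-in", "source": "zone-FE1", "destination": "zone-VLAN1",
     "policy": "inspection-policymap-b"},
    {"name": "Bkup-out", "source": SELF, "destination": "zone-BRI0",
     "policy": "inspection-policymap-c"},
    {"name": "Bkup-in", "source": "zone-BRI0", "destination": SELF,
     "policy": "inspection-policymap-c"},
]

if __name__ == "__main__":
    for pair in PAIRS:
        for problem in validate_zone_pair(pair, ZONES):
            print("ERROR", problem)
        print("\n".join(to_ios_cli(pair)))
    print("one direction only:", one_way_pairs(PAIRS) or "none")
```

A zone pair reported by one_way_pairs is not an error; it only means no policy has been defined for traffic in the opposite direction.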
