Dual Stack Policy Rules on Cisco IOS Zone-Based Firewall

The Cisco Zone-based firewall was derived from the old “firewall feature set” and allows the administrator to define firewall rules based on zones, where each zone may contain one or more logical interfaces. Using Cisco’s zone-based firewall isn’t as easy as many other solutions (e.g. Juniper SRX, Cisco ASA), and recently I needed to configure one which was to pass both IPv4 and IPv6 services. Here’s an example of how it’s done.

Some of the difficulties arise from the fact that you still need to define access-lists along with class and policy objects. Once you’ve got a template and some examples done, then it gets a lot easier. This would be a great candidate for an automation solution such as using Ansible to generate and update the policy. Maybe at some stage in the future I’ll post the Ansible solution, but for now it’s done by hand – mostly because I’ve yet to meet anyone using IOS ZBFW at such a scale that automation would be beneficial.

In the example below, I have got an IOS router at the edge of a typical network which is performing IPv4 NAT behind a single public IPv4 address configured on it’s Dialer1 interface. The router is routing public IPv6.

The internal IPv4 address for the internal SMTP and HTTP server will be

IPv6 is also enabled and a /64 public subnet is routing through without NAT (of course). The requirement is that we want to allow incoming HTTP, HTTPS, and SMTP from all Internet hosts to servers on the inside network for both IPv4 and IPv6.

Here’s the example:

Some things to note here:

  • I always create extended access lists for incoming services. This gives me the flexibility to deny specific hosts access to the service, or other refinements, if I need to in the future without messing around with the policy map.
  • I’ve had issues with the SMTP inspection cutting off Emails – particularly those with fairly large document attachments. This causes the postfix server and the sending client to go into a crazy sort of retry loop. If you have problems then remove the statement match protocol smtp from both of the smtp class maps.
  • Re-ordering the rules in the policy map is really a major pain. There’s no simple way of doing it apart from copying the whole policy map into a text editor, making the changes, and then deleting the current and posting the updated one back in. An unfortunate side-effect of doing this is that the policy map will get removed from the zone-pair service-policy definition, and that will need to be re-entered as well:

    Watch out if your management access to the device is also going though that policy map and zone pair.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">