
Yusuf Bhaiji

"Network Security Technologies and Solutions"


Several steps are required to complete the configuration. Although the tasks that follow need not be performed in
the order listed, some of them depend on others. For example, a class-map must be configured before it can be
referenced in a policy-map, and a policy-map must exist before it can be applied to a zone-pair, and so on.
The following tasks are required to complete the ZFW configuration using the CPL:
Define zones
Define zone-pairs
Define class-map(s) that identify the traffic that must have policy applied as it traverses a zone-pair
Define a policy-map to apply action to the traffic in a class-map
Apply a policy-map to a zone-pair
Assign interface(s) to zones
Note
By default, traffic between the zones is blocked unless an explicit policy dictates the permission.
Based on Figure 5-8, Example 5-7 shows a very basic two-zone ZFW configuration that uses the new CPL command set.
Figure 5-8. Basic ZFW for Two-Zone Setup
Example 5-7. Basic ZFW Configuration Using CPL
class-map type inspect match-any myclass
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
!
zone security private
zone security public
!
zone-pair security mypair source private destination public
 service-policy type inspect mypolicy
!
interface FastEthernet0/0
 zone-member security private
!
interface FastEthernet0/1
 zone-member security public
!
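The dependency order described above (class-map before policy-map, policy-map before zone-pair) and the default-deny rule from the Note can both be checked offline from a saved configuration. The following is an added example, not code from the book or from Cisco: it parses the CPL objects of a ZFW configuration and reports dangling references and zones that belong to no zone-pair. The sample configuration is constructed for illustration and adds a hypothetical dmz zone to the objects of Example 5-7.

```python
# Constructed sample, not from the book: Example 5-7's objects plus a dmz zone with no zone-pair.
SAMPLE_CONFIG = """\
class-map type inspect match-any myclass
 match protocol tcp
!
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
!
zone security private
zone security public
zone security dmz
zone-pair security mypair source private destination public
 service-policy type inspect mypolicy
"""

def parse_zfw(config):
    # Returns (zones, class_maps, {policy_map: [class_maps]}, {zone_pair: {src, dst, policy}}).
    zones, class_maps, policy_maps, zone_pairs, ctx = set(), set(), {}, {}, None
    for w in (line.split() for line in config.splitlines()):
        if not w or w[0] == "!":
            ctx = None                              # "!" closes the enclosing block
        elif w[:2] == ["zone", "security"]:
            zones.add(w[2])
        elif w[:3] == ["class-map", "type", "inspect"]:
            class_maps.add(w[-1])                   # name follows match-any / match-all
        elif w[:3] == ["policy-map", "type", "inspect"]:
            ctx, policy_maps[w[3]] = ("policy", w[3]), []
        elif w[:2] == ["zone-pair", "security"]:    # ... <name> source <zone> destination <zone>
            ctx, zone_pairs[w[2]] = ("pair", w[2]), {"src": w[4], "dst": w[6], "policy": None}
        elif ctx and ctx[0] == "policy" and w[:3] == ["class", "type", "inspect"]:
            policy_maps[ctx[1]].append(w[3])
        elif ctx and ctx[0] == "pair" and w[:3] == ["service-policy", "type", "inspect"]:
            zone_pairs[ctx[1]]["policy"] = w[3]
    return zones, class_maps, policy_maps, zone_pairs

def audit_zfw(config):
    # Dangling references violate the dependency order from the text; unpaired zones fall to the default deny.
    zones, class_maps, policy_maps, zone_pairs = parse_zfw(config)
    findings = []
    for pm, classes in policy_maps.items():
        findings += [f"policy-map {pm} uses undefined class-map {c}"
                     for c in classes if c != "class-default" and c not in class_maps]
    for name, zp in zone_pairs.items():
        if zp["policy"] is None:
            findings.append(f"zone-pair {name} has no service-policy: traffic between its zones is dropped")
        elif zp["policy"] not in policy_maps:
            findings.append(f"zone-pair {name} uses undefined policy-map {zp['policy']}")
    paired = {z for zp in zone_pairs.values() for z in (zp["src"], zp["dst"])}
    findings += [f"zone {z} is in no zone-pair: traffic to and from it is blocked by default"
                 for z in sorted(zones - paired)]
    return findings
```

Running `audit_zfw(SAMPLE_CONFIG)` reports only the dmz zone, since every object referenced by the policy-map and zone-pair is defined.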

Application Inspection and Control (AIC)
In addition to the extensive ZFW features and capabilities described so far, ZFW extends the application inspection
and control (AIC) engine, adding application-layer inspection capabilities to the zone-based firewall.

