Cisco Systems 2.5 Network Router User Manual


34-3
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Chapter 34 Zone-Based Policy Firewall
Zone Window
Add or Edit a Zone
To add a new zone, also called a security zone, enter a zone name and choose the
interfaces that are to be included in the zone. The Interface list displays the names
of the available interfaces. Because a physical interface can be placed in only one
zone, it no longer appears in the list once it has been placed in a zone.
Virtual interfaces, such as Dialer interfaces or Virtual Template interfaces, can be
placed in multiple zones and therefore always appear in the list.
Note Traffic flowing to or from this interface is governed by the policy map
associated with the zone.
An interface that you associate with this zone may be used for a site-to-site
VPN, DMVPN, Easy VPN, SSL VPN, or another type of connection whose
traffic might be blocked by a firewall. When you associate an interface with
a zone in this dialog, SDM does not create any passthrough ACL to permit
such traffic. You can configure the necessary passthrough for the policy map
in either of two ways:
• Go to Configure > Firewall and ACL > Edit Firewall Policy > Rule for
New Traffic. In the displayed dialog, provide the source and destination
IP address information and the type of traffic that must be allowed to
pass through the firewall. In the Action field, select Permit ACL.
• Go to Configure > C3PL > Policy Map > Protocol Inspection. Provide
a protocol inspection policy map that allows the necessary traffic to
pass through the firewall.
After a zone has been created, you can change the interfaces associated with the
zone, but you cannot change the name of the zone.
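As an added illustration, not taken from this guide and not the CLI that SDM itself generates, the following IOS configuration is the command-line equivalent of the steps described above: the zones are created first, interfaces are then made members, and the zone pair's inspect policy map carries an explicit class that lets the VPN traffic through before the rest of the traffic is inspected. Interface names, zone and class names, and the ACL addresses (RFC 5737 documentation ranges) are assumed placeholders.

```cisco
! Zones must exist before any interface can be assigned to them.
zone security INSIDE
zone security OUTSIDE
!
! A physical interface can belong to exactly one zone.
interface GigabitEthernet0/0
 description LAN side (placeholder)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN side, site-to-site VPN terminates here (placeholder)
 zone-member security OUTSIDE
!
! Passthrough ACL for the VPN traffic; zone membership alone does not create it.
ip access-list extended VPN-PASSTHROUGH
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
class-map type inspect match-all VPN-TRAFFIC
 match access-group name VPN-PASSTHROUGH
!
class-map type inspect match-any INSIDE-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! First class passes the VPN traffic, second class statefully inspects
! ordinary traffic, and everything else is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect VPN-TRAFFIC
  pass
 class type inspect INSIDE-PROTOCOLS
  inspect
 class class-default
  drop log
!
! Traffic between the two zones is governed by this policy map.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
```

The pass action is one-directional: return traffic from OUTSIDE to INSIDE needs a matching class on the reverse zone pair, whereas inspect allows the return traffic of the sessions it tracks.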
Zone-Based Policy General Rules
Router network interfaces’ membership in zones is subject to several rules
governing interface behavior, as is the traffic moving between zone member
interfaces:
A zone must be configured before interfaces can be assigned to the zone.