Chapter 34 Zone-Based Policy Firewall
Zone Window
34-4
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
• An interface can be assigned to only one security zone.
• When an interface is assigned to a zone, all traffic to and from that interface is implicitly blocked, except for traffic to and from other interfaces in the same zone and traffic to any interface on the router.
• Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
• To permit traffic to or from a zone member interface, a policy that allows or inspects traffic must be configured between that zone and any other zone.
• The self zone is the only exception to the default deny-all policy. All traffic to any router interface is allowed until traffic is explicitly denied.
• Traffic cannot flow between a zone member interface and any interface that is not a zone member.
• Pass, inspect, and drop actions can only be applied between two zones.
• Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection (CBAC) configuration.
• If an interface on the router must not be part of the zoning/firewall policy, it might still be necessary to place that interface in a zone and configure a pass-all policy (effectively a dummy policy) between that zone and any other zone to which traffic flow is desired.
• From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of one zone or another).
• The only exception to the preceding deny-by-default approach is traffic to and from the router itself, which is permitted by default. An explicit policy can be configured to restrict such traffic.
This set of rules was taken from The Zone-Based Policy Firewall Design Guide, available at the following link:
http://www.cisco.com/en/US/products/ps6350/products_feature_guide09186a008072c6e3.html
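The following IOS configuration is an added example, not taken from the SDM User's Guide or the Design Guide, that puts the rules above into practice: an inspect policy between an INSIDE and an OUTSIDE zone, the pass-all "dummy" policy for an interface that is meant to stay outside the firewall, an explicit policy restricting traffic to the self zone, and one interface deliberately left out of every zone. All zone, interface, ACL and policy names, and the management host address 192.0.2.10, are assumptions chosen for illustration.

```ios
! Added example (not from the SDM User's Guide). Zone, interface, ACL and
! policy names and the address 192.0.2.10 are assumptions for illustration.

! --- Zones ---
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted WAN
zone security MGMT
 description Interface exempted from inspection via a pass-all policy

! --- Interfaces: each belongs to exactly one zone ---
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 zone-member security MGMT
! GigabitEthernet0/3 is left out of every zone: it cannot exchange traffic
! with any zone member, only with other non-member interfaces.

! --- Traffic classes ---
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp

ip access-list extended ACL-MGMT-TO-SELF
 permit tcp host 192.0.2.10 any eq 22
 permit udp host 192.0.2.10 any eq 161
class-map type inspect match-all CM-MGMT-TO-SELF
 match access-group name ACL-MGMT-TO-SELF

! --- Policies ---
! Stateful inspection: return traffic for inspected sessions is allowed
! automatically; anything from INSIDE that is not matched is dropped and logged.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log

! "Dummy" pass-all policy: lets MGMT behave as if it were outside the
! firewall while still satisfying the rule that zone members need a policy.
! pass is stateless, so it must be applied in both directions.
policy-map type inspect PM-PASS-ALL
 class class-default
  pass

! Explicit policy restricting traffic to the router itself (self zone)
! arriving from OUTSIDE; only the management host reaches SSH and SNMP.
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-MGMT-TO-SELF
  pass
 class class-default
  drop log

! --- Zone pairs bind a policy to one direction of traffic ---
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security MGMT-TO-OUTSIDE source MGMT destination OUTSIDE
 service-policy type inspect PM-PASS-ALL
zone-pair security OUTSIDE-TO-MGMT source OUTSIDE destination MGMT
 service-policy type inspect PM-PASS-ALL
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
! No OUTSIDE-TO-INSIDE zone pair exists, so unsolicited traffic from OUTSIDE
! to INSIDE is dropped by the default deny between zones. No INSIDE-to-self
! pair exists either, so traffic from INSIDE to the router stays allowed.
```

Two points worth checking after applying such a configuration: because a zone pair whose destination is self replaces the self zone's default allow with the policy's class-default, any control-plane traffic the router needs on that interface (routing protocol peers, management from other hosts) must be matched and passed explicitly or it will be dropped; and because pass is stateless, forgetting the reverse zone pair for the pass-all policy blocks the return direction. `show zone-pair security` confirms which policy is bound to each direction, and `show policy-map type inspect zone-pair sessions` lists the sessions the inspect action is tracking.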