Cisco Systems 2.5 Network Router User Manual


34-5
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Chapter 34 Zone-Based Policy Firewall
Zone Pairs
A zone-pair allows you to specify a unidirectional firewall policy between two
security zones. The direction of the traffic is determined by the source and
destination security zones you specify. The same zone cannot be defined as both
the source and the destination.
If you want traffic to flow in both directions between two zones, you must create
a zone pair for each direction. If you want traffic to flow freely among all
interfaces, each interface must be configured in a zone.
The following table shows an example of four zone-pairs.

Zone Pair   Source       Destination   Policy
LAN-out     zone-VLAN1   zone-FE1      inspection-policymap-a
LAN-in      zone-FE1     zone-VLAN1    inspection-policymap-b
Bkup-out    self         zone-BRI0     inspection-policymap-c
Bkup-in     zone-BRI0    self          inspection-policymap-c

LAN-out and LAN-in are zone-pairs configured for traffic flowing between the
LAN interface, VLAN1, and the FastEthernet 1 interface. Each zone-pair is
controlled by a separate policy. Bkup-out and Bkup-in are configured for traffic
generated by the router. The same policy controls traffic sent from zone-BRI0 as
traffic sent by the router, represented by the self zone.
Click Add to create a zone-pair.
Click Edit to change the policy associated with a zone pair.
Click Delete to remove a zone pair.
Add or Edit a Zone Pair
To configure a new zone pair, provide a name for the zone pair, a source zone from
which traffic will originate, a destination zone to which traffic is to be sent, and
the policy that is to determine which traffic can be sent across the zones. The
source zone and destination zone lists contain the zones configured on the router
and the self zone. The self zone can be used when you are configuring zone pairs
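The four zone pairs from the table above, written out as the IOS zone-based firewall configuration that Cisco SDM generates on the router. This is an added example, not text from the guide; the interface names Vlan1, FastEthernet1 and BRI0 are taken from the text, and the class-map and policy-map bodies are assumed placeholders because the guide does not define what inspection-policymap-a, -b and -c contain.

```cisco
! Security zones, one per interface group; the self zone is built in.
zone security zone-VLAN1
zone security zone-FE1
zone security zone-BRI0
!
! Assumed placeholder inspection policies (the guide does not define them).
class-map type inspect match-any cm-stateful
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect inspection-policymap-a
 class type inspect cm-stateful
  inspect
 class class-default
  drop
policy-map type inspect inspection-policymap-b
 class type inspect cm-stateful
  inspect
 class class-default
  drop
policy-map type inspect inspection-policymap-c
 class type inspect cm-stateful
  inspect
 class class-default
  drop
!
! Interface membership; interface names assumed from the text.
interface Vlan1
 zone-member security zone-VLAN1
interface FastEthernet1
 zone-member security zone-FE1
interface BRI0
 zone-member security zone-BRI0
!
! Zone pairs are unidirectional: LAN-out and LAN-in are two separate pairs,
! each with its own policy map.
zone-pair security LAN-out source zone-VLAN1 destination zone-FE1
 service-policy type inspect inspection-policymap-a
zone-pair security LAN-in source zone-FE1 destination zone-VLAN1
 service-policy type inspect inspection-policymap-b
!
! Router-originated and router-destined traffic uses the self zone; both
! directions reference the same policy map.
zone-pair security Bkup-out source self destination zone-BRI0
 service-policy type inspect inspection-policymap-c
zone-pair security Bkup-in source zone-BRI0 destination self
 service-policy type inspect inspection-policymap-c
```

After applying the configuration, `show zone-pair security` lists each pair with its source, destination and attached policy, which is the quickest way to confirm that both directions of a flow actually have a zone pair.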