**Create a Zone-Based Policy Firewall**

1. Creating the security zones

```
R3(config)# zone security INSIDE
R3(config)# zone security CONFROOM
R3(config)# zone security INTERNET
```

2. Creating the security policies

```
R3(config)# class-map type inspect match-any INSIDE_PROTOCOLS      ! class-map name
R3(config-cmap)# match protocol tcp
R3(config-cmap)# match protocol udp
R3(config-cmap)# match protocol icmp

R3(config)# class-map type inspect match-any CONFROOM_PROTOCOLS    ! class-map name
R3(config-cmap)# match protocol http
R3(config-cmap)# match protocol https
R3(config-cmap)# match protocol dns

R3(config)# policy-map type inspect INSIDE_TO_INTERNET             ! policy-map name
R3(config-pmap)# class type inspect INSIDE_PROTOCOLS
R3(config-pmap-c)# inspect

R3(config)# policy-map type inspect CONFROOM_TO_INTERNET           ! policy-map name
R3(config-pmap)# class type inspect CONFROOM_PROTOCOLS
R3(config-pmap-c)# inspect
```

3. Create the zone pairs

```
R3(config)# zone-pair security INSIDE_TO_INTERNET source INSIDE destination INTERNET
R3(config)# zone-pair security CONFROOM_TO_INTERNET source CONFROOM destination INTERNET
```

4. Applying the security policies to the zone pairs

```
R3(config)# zone-pair security INSIDE_TO_INTERNET
R3(config-sec-zone-pair)# service-policy type inspect INSIDE_TO_INTERNET
R3(config)# zone-pair security CONFROOM_TO_INTERNET
R3(config-sec-zone-pair)# service-policy type inspect CONFROOM_TO_INTERNET
```

5. Assign interfaces to the proper security zones

```
R3(config)# interface g0/0
R3(config-if)# zone-member security CONFROOM
R3(config)# interface g0/1
R3(config-if)# zone-member security INSIDE
R3(config)# interface s0/0/1
R3(config-if)# zone-member security INTERNET
```

**Multiple Interfaces under the Same Zone**

```
R3(config)# policy-map type inspect inside
R3(config-pmap)# class class-default
R3(config-pmap-c)# pass
R3(config)# zone-pair security INSIDE source INSIDE destination INSIDE
R3(config-sec-zone-pair)# service-policy type inspect inside
```

**Verify**

```
R3# show zone-pair security
R3# show policy-map type inspect zone-pair
R3# show zone security
```

Sample output:

```
#show zone security
zone CONFROOM
  Member Interfaces:
    Ethernet0/0
zone INSIDE
  Member Interfaces:
    Ethernet0/1
zone INTERNET
  Member Interfaces:
    Ethernet0/2
```

```
#show zone-pair security
Zone-pair name INSIDE_TO_INTERNET
    Source-Zone INSIDE  Destination-Zone INTERNET
    service-policy INSIDE_TO_INTERNET
Zone-pair name CONFROOM_TO_INTERNET
    Source-Zone CONFROOM  Destination-Zone INTERNET
    service-policy CONFROOM_TO_INTERNET
```

```
#show policy-map type inspect zone-pair
policy exists on zp INSIDE_TO_INTERNET
  Zone-pair: INSIDE_TO_INTERNET
  Service-policy inspect : INSIDE_TO_INTERNET
    Class-map: INSIDE_PROTOCOLS (match-any)
      Match: protocol tcp
      Match: protocol udp
      Match: protocol icmp

policy exists on zp CONFROOM_TO_INTERNET
  Zone-pair: CONFROOM_TO_INTERNET
  Service-policy inspect : CONFROOM_TO_INTERNET
    Class-map: CONFROOM_PROTOCOLS (match-any)
      Match: protocol http
      Match: protocol https
      Match: protocol dns
```
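The verify step above means reading the show output by eye. As an added example (not part of the original notes or of Cisco's tooling), this Python script parses `show zone security` and `show zone-pair security` output in the shape quoted above and flags the two mistakes a firewall reviewer most wants to catch: a zone pair with no service-policy bound (traffic across that pair is dropped, since inter-zone traffic is denied by default) and a zone that no interface belongs to. The sample text is constructed; the DMZ zone and DMZ_TO_INTERNET pair do not appear in the original configuration and exist only so the audit has something to report.

```python
import re
# Constructed sample output, shaped like the "show zone security" / "show zone-pair security"
# output quoted above; DMZ (no interface, no policy bound) is added so the audit has findings.
SHOW_ZONE = """\
zone INSIDE
  Member Interfaces:
    Ethernet0/1
zone INTERNET
  Member Interfaces:
    Ethernet0/2
zone DMZ
"""
SHOW_ZONE_PAIR = """\
Zone-pair name INSIDE_TO_INTERNET
    Source-Zone INSIDE  Destination-Zone INTERNET
    service-policy INSIDE_TO_INTERNET
Zone-pair name DMZ_TO_INTERNET
    Source-Zone DMZ  Destination-Zone INTERNET
"""

def parse_zones(text):
    """Map each zone name to the list of its member interfaces."""
    zones, cur = {}, None
    for line in text.splitlines():
        if line.startswith("zone "):
            cur = line.split()[1]
            zones[cur] = []
        elif cur and re.match(r"\s+\S+\d+/\d+", line):  # indented interface names only
            zones[cur].append(line.strip())
    return zones

def parse_zone_pairs(text):
    """One dict per zone-pair; 'policy' stays None when no service-policy line follows."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Zone-pair name "):
            pairs.append({"name": line.split()[2], "policy": None})
        elif m := re.match(r"Source-Zone (\S+)\s+Destination-Zone (\S+)", line):
            pairs[-1]["source"], pairs[-1]["destination"] = m.groups()
        elif m := re.match(r"service-policy (\S+)$", line):  # '$': only a bare policy name counts
            pairs[-1]["policy"] = m.group(1)
    return pairs

def audit(zones, pairs):
    """Pairs with no policy bound (traffic across them is dropped) and zones that contain no interface."""
    out = [f"{p['name']}: no service-policy bound" for p in pairs if p["policy"] is None]
    # the system-defined "self" zone has no member interfaces by design
    out += [f"zone {z}: no member interfaces" for z, ifs in zones.items() if z != "self" and not ifs]
    return out
```

Feed it the real output of the two show commands captured from the router to check a live configuration the same way.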