Service Policies

A service policy is applied to a zone pair. The zone pair represents a unidirectional flow of traffic between two zones. A specific zone pair can have only a single service policy assigned to it. Because the zone pair is unidirectional, the policy map applied to the zone pair (using the service-policy command) applies to traffic initiated in one zone going to the other zone in one direction. If reply traffic is desired, the inspect action in the policy map should be applied, which will allow stateful inspection, and the reply traffic from the servers will be dynamically allowed (because of the stateful database being referenced).

When a router receives a packet, it normally makes a routing decision and then forwards that packet on its way. If ZBF is configured, the router may or may not forward the packet, based on the stateful table and the policies that are in place. Table 15-3 describes the flow of traffic (packets) being routed between interfaces in various zones, depending on the configuration. This is a good table to commit to memory; it will assist anyone troubleshooting ZBFs. Ingress refers to a packet going into an interface of the router, and egress refers to a packet that is being sent out of an interface of the router.

Table 15-3 Traffic Interaction Between Zones (table not reproduced in this excerpt)

If there is a zone pair that identifies traffic between two zones, and the policy is not applied to the zone pair, the default behavior is to drop traffic as if no zone pair even existed.

Before we go any further, I want to show you a configuration that includes the following ZBF components:

- Zones
- Interfaces that are members of zones
- Class maps that identify traffic
- Policy maps that use class maps to identify traffic and then specify the actions which should take place
- Zone pairs, which identify a unidirectional traffic flow, beginning from devices in one zone and being routed out an interface in a second zone
- Service policy, which associates a policy map with a zone pair

Now that you know all the pieces, it is time to take a look at the commands for the policy of allowing users on the inside to access the Internet (as shown earlier in Figure 15-1). Example 15-1 both shows and explains this.


Example 15-1 Components That Make Up the ZBF

! The class map "classifies" or "identifies" the traffic.
! In this example, this class map will match on either Telnet traffic or
! any type of ICMP traffic.
R3(config)# class-map type inspect match-any MY-CLASS-MAP
R3(config-cmap)# match protocol telnet
R3(config-cmap)# match protocol icmp
R3(config-cmap)# exit

! The policy map calls on a specific class map that it wants to use
! to identify which traffic the policy applies to, and then specifies the
! policy action. In this example, it is to inspect the traffic.
R3(config)# policy-map type inspect MY-POLICY-MAP
R3(config-pmap)# class type inspect MY-CLASS-MAP
R3(config-pmap-c)# inspect
R3(config-pmap-c)# exit
R3(config-pmap)# exit

! Next we create the security zones; they can be named whatever you want to
! name them. In this example, I named them inside and outside.
R3(config)# zone security inside
R3(config-sec-zone)# exit
R3(config)# zone security outside
R3(config-sec-zone)# exit

! Create the zone pair, specifying the zones and the direction (from where
! to where).
R3(config)# zone-pair security in-to-out source inside destination outside

! Use the service-policy command in zone-pair configuration mode to apply
! the policy map you want to use for traffic that matches this zone pair.
R3(config-sec-zone-pair)# service-policy type inspect MY-POLICY-MAP
R3(config-sec-zone-pair)# exit

! Configure the interfaces so they become members of the respective zones.
R3(config)# interface GigabitEthernet3/0
R3(config-if)# description Belongs to outside zone
R3(config-if)# zone-member security outside
R3(config-if)# exit
R3(config)# interface GigabitEthernet1/0
R3(config-if)# description Belongs to inside zone
R3(config-if)# zone-member security inside
R3(config-if)# exit
R3(config)#


The preceding policy performs stateful inspection of traffic from the inside users going to the Internet if that traffic is Telnet (TCP port 23) or Internet Control Message Protocol (ICMP). A class map can also match on ACLs and on generic protocols such as User Datagram Protocol (UDP) or Transmission Control Protocol (TCP). Application-specific matching adds the ability for the firewall to detect additional communication channels that may be initiated by the outside devices, such as when inspecting FTP, where the server may initiate the data connection on a port mutually agreed to by the client and the FTP server.
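The components above are only useful when they reference one another correctly: a zone pair with no service policy drops everything, a policy map that names a class map that does not exist inspects nothing, and an interface placed in an undefined zone is isolated. The following Python script is an added example, not code from the book or from Cisco; it parses a running-config excerpt written in the IOS `show running-config` layout (sub-commands indented by a space), rebuilds the six ZBF components, and reports dangling references and policy-less zone pairs. The sample configurations are constructed here: the first is Example 15-1 rewritten in running-config form, the second is a deliberately broken variant. The "no reverse zone pair" note is informational only, since replies to inspected sessions are allowed by the stateful database regardless.

```python
"""Added example (not from the book): audit a ZBF running-config excerpt for
dangling references and zone pairs that lack a service policy."""
import re

# Constructed sample: Example 15-1 as it would appear in "show running-config".
SAMPLE_CONFIG = """\
class-map type inspect match-any MY-CLASS-MAP
 match protocol telnet
 match protocol icmp
policy-map type inspect MY-POLICY-MAP
 class type inspect MY-CLASS-MAP
  inspect
zone security inside
zone security outside
zone-pair security in-to-out source inside destination outside
 service-policy type inspect MY-POLICY-MAP
interface GigabitEthernet3/0
 description Belongs to outside zone
 zone-member security outside
interface GigabitEthernet1/0
 description Belongs to inside zone
 zone-member security inside
"""

# Constructed variant with two mistakes: the zone pair has no service policy
# (so it silently drops everything) and the policy map names a class map that
# was never defined.
BROKEN_CONFIG = """\
policy-map type inspect MY-POLICY-MAP
 class type inspect TYPO-CLASS-MAP
  inspect
zone security inside
zone security outside
zone-pair security in-to-out source inside destination outside
interface GigabitEthernet1/0
 zone-member security inside
interface GigabitEthernet3/0
 zone-member security outside
"""


def parse_zbf(config):
    """Return the ZBF components as plain dicts/sets keyed by name."""
    zones, class_maps, policy_maps, zone_pairs, members = set(), {}, {}, {}, {}
    ctx = (None, None)   # (block kind, block name) of the current top-level command
    pmap_class = None    # class currently open inside a policy map
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level command: opens a new block
            if m := re.match(r"class-map type inspect match-(any|all) (\S+)$", line):
                ctx = ("cmap", m[2]); class_maps[m[2]] = {"mode": m[1], "matches": []}
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                ctx = ("pmap", m[1]); policy_maps[m[1]] = {}; pmap_class = None
            elif m := re.match(r"zone security (\S+)$", line):
                ctx = (None, None); zones.add(m[1])
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                ctx = ("zpair", m[1])
                zone_pairs[m[1]] = {"source": m[2], "destination": m[3], "policy": None}
            elif m := re.match(r"interface (\S+)$", line):
                ctx = ("intf", m[1])
            else:
                ctx = (None, None)
            continue
        kind, name = ctx  # indented sub-command of the current block
        if kind == "cmap" and line.startswith("match "):
            class_maps[name]["matches"].append(line[len("match "):])
        elif kind == "pmap":
            if m := re.match(r"class (?:type inspect )?(\S+)$", line):
                pmap_class = m[1]; policy_maps[name][pmap_class] = None
            elif pmap_class and line.split()[0] in ("inspect", "pass", "drop"):
                policy_maps[name][pmap_class] = line.split()[0]
        elif kind == "zpair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            zone_pairs[name]["policy"] = m[1]
        elif kind == "intf" and (m := re.match(r"zone-member security (\S+)$", line)):
            members[name] = m[1]
    return {"zones": zones, "class_maps": class_maps, "policy_maps": policy_maps,
            "zone_pairs": zone_pairs, "members": members}


def audit_zbf(cfg):
    """Return (severity, message) findings; 'error' means traffic will not flow
    the way the configuration appears to intend."""
    findings = []
    directions = {(zp["source"], zp["destination"]) for zp in cfg["zone_pairs"].values()}
    for name, zp in cfg["zone_pairs"].items():
        for role in ("source", "destination"):
            if zp[role] != "self" and zp[role] not in cfg["zones"]:
                findings.append(("error", f"zone-pair {name}: {role} zone '{zp[role]}' is not defined"))
        if zp["policy"] is None:  # the text: no policy on the pair means drop
            findings.append(("error", f"zone-pair {name}: no service-policy, so all "
                             f"{zp['source']}->{zp['destination']} traffic is dropped"))
        elif zp["policy"] not in cfg["policy_maps"]:
            findings.append(("error", f"zone-pair {name}: policy-map '{zp['policy']}' is not defined"))
        if (zp["destination"], zp["source"]) not in directions:
            findings.append(("info", f"zone-pair {name}: no reverse pair; sessions cannot be initiated "
                             f"from {zp['destination']} to {zp['source']} (replies to inspected sessions still return)"))
    for pname, classes in cfg["policy_maps"].items():
        for cname, action in classes.items():
            if cname != "class-default" and cname not in cfg["class_maps"]:
                findings.append(("error", f"policy-map {pname}: class-map '{cname}' is not defined"))
            if action is None:
                findings.append(("warn", f"policy-map {pname}: class {cname} has no action"))
    for intf, zone in cfg["members"].items():
        if zone not in cfg["zones"]:
            findings.append(("error", f"{intf}: member of undefined zone '{zone}'"))
    for zone in sorted(cfg["zones"] - set(cfg["members"].values())):
        findings.append(("warn", f"zone {zone}: no interface is a member"))
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_zbf(parse_zbf(text)):
            print(f"[{severity}] {message}")
```

Running the script against the sample config produces only the informational note about the missing out-to-in pair, which matches the design of allowing inside users to initiate sessions while relying on inspection for the return traffic; the broken variant yields two errors, one for the policy-less zone pair and one for the undefined class map.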
