# CCNA 200-301 - Video 40: Firewall Technologies

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- What firewalls are and why they're used
- Types of firewalls (Packet Filtering, Stateful, Application, Next-Generation)
- Firewall architectures (Router-based, Appliance, Virtual)
- Zone-Based Policy Firewall (ZBF)
- Access Control Lists (ACLs) as basic firewalls
- Firewall design and placement
- Firewall verification and troubleshooting

---

## Core Concepts

### 1. What is a Firewall?

**Definition:** A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules, establishing a barrier between a trusted internal network and untrusted external networks.

**Analogy:** Think of a firewall as the security checkpoint at an airport. Everyone and everything trying to enter must pass through screening. Some people are allowed in and some are denied, based on rules (ticket, ID, etc.). The checkpoint also inspects bags (packet inspection) for prohibited items.
```
FIREWALL CONCEPT

WITHOUT FIREWALL:

  Internal Network                          Internet
  +-------------------+               +-------------------+
  |     Trusted       | <-----------> |    Untrusted      |
  |     Network       |               |     Network       |
  +-------------------+               +-------------------+

  No protection - all traffic allowed in both directions

WITH FIREWALL:

  Internal Network          Firewall            Internet
  +-------------------+   +----------+   +-------------------+
  |     Trusted       |---| Firewall |---|    Untrusted      |
  |     Network       |   +----------+   |     Network       |
  +-------------------+                  +-------------------+

  Firewall controls traffic:
   - Blocks unauthorized inbound traffic
   - Allows authorized outbound traffic
   - Inspects packets
   - Logs activity
```

---

### 2. Firewall Types

**Type 1: Packet Filtering Firewall (Stateless)**

- Examines each packet independently
- Filters on source IP, destination IP, port and protocol
- No state awareness
- Example: ACLs on routers
- Pros: fast, low overhead
- Cons: cannot detect application-layer attacks

**Type 2: Stateful Firewall**

- Tracks connection state in a state table
- Knows whether a packet belongs to an established connection
- Allows return traffic automatically
- Example: Cisco ASA, Zone-Based Policy Firewall
- Pros: more secure, easier to configure
- Cons: more resource intensive

**Type 3: Application Layer Firewall (Proxy)**

- Inspects traffic at the application layer (HTTP, FTP, etc.)
- Can block specific application commands
- Example: Web Application Firewall (WAF)
- Pros: deep inspection, application awareness
- Cons: slower, higher overhead

**Type 4: Next-Generation Firewall (NGFW)**

- Combines stateful inspection with application awareness
- Intrusion Prevention System (IPS)
- Threat intelligence
- User identity awareness
- Example: Cisco Firepower, Palo Alto Networks
- Pros: comprehensive security
- Cons: expensive, complex

---

### 3. Firewall Architectures

**Architecture 1: Router-Based Firewall (ACL)**

```
Internal ---- Router (with ACLs) ---- Internet
```

- Basic packet filtering
- Stateless
- Low cost (no additional hardware)
- Limited security

**Architecture 2: Dedicated Firewall Appliance**

```
Internal ---- Switch ---- Firewall ---- Router ---- Internet
```

- Stateful inspection
- High performance
- Dedicated hardware
- Example: Cisco ASA, Firepower

**Architecture 3: Virtual Firewall**

```
Virtual Machine ---- vSwitch ---- Virtual Firewall ---- Physical
```

- Runs in a virtual environment
- Scales with the virtual infrastructure
- Example: Cisco ASAv, virtual Firepower

**Architecture 4: Cloud Firewall (FWaaS)**

```
Internal ---- Internet ---- Cloud Firewall ---- Cloud Resources
```

- Firewall as a Service
- No hardware to manage
- Example: AWS Security Groups, Azure Firewall

---

### 4. Zone-Based Policy Firewall (ZBF)

**Definition:** Zone-Based Policy Firewall is a Cisco IOS feature that groups interfaces into zones and applies policies between zones, providing stateful firewall functionality on routers.
```
ZONE-BASED POLICY FIREWALL

ZONE CONCEPT:

  +-------------------+          +-------------------+
  |    INSIDE ZONE    |          |   OUTSIDE ZONE    |
  |     (Trusted)     |          |    (Untrusted)    |
  |                   |          |                   |
  |       Gi0/1       |          |       Gi0/0       |
  |    192.168.1.1    |          |    203.0.113.1    |
  +---------+---------+          +---------+---------+
            |                              |
            |      +-------------------+   |
            +------|      Router       |---+
                   |                   |
                   |  ZBF Policy:      |
                   |  INSIDE -> OUTSIDE|
                   |  OUTSIDE -> INSIDE|
                   +-------------------+

ZBF ADVANTAGES:
  - Stateful inspection
  - Zone-based policies (simpler than interface ACLs)
  - Supports inspection of multiple protocols (HTTP, FTP, SMTP)
  - Application inspection
  - QoS integration
```

**ZBF Configuration:**

```cisco
! Step 1: Define zones
Router(config)# zone security INSIDE
Router(config)# zone security OUTSIDE
Router(config)# zone security DMZ

! Step 2: Define class maps (traffic classification)
Router(config)# class-map type inspect match-any HTTP-TRAFFIC
Router(config-cmap)# match protocol http
Router(config-cmap)# match protocol https
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any ICMP-TRAFFIC
Router(config-cmap)# match protocol icmp
Router(config-cmap)# exit

! Step 3: Define policy maps (actions)
Router(config)# policy-map type inspect INSIDE-TO-OUTSIDE
Router(config-pmap)# class type inspect HTTP-TRAFFIC
Router(config-pmap-c)# inspect
Router(config-pmap-c)# exit
Router(config-pmap)# class type inspect ICMP-TRAFFIC
Router(config-pmap-c)# inspect
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit

! Step 4: Define zone pairs and apply policy
Router(config)# zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)# service-policy type inspect INSIDE-TO-OUTSIDE
Router(config-sec-zone-pair)# exit

! Step 5: Assign interfaces to zones
Router(config)# interface GigabitEthernet0/1
Router(config-if)# zone-member security INSIDE
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/0
Router(config-if)# zone-member security OUTSIDE
Router(config-if)# exit
```

**Default behaviour:** only the INSIDE-to-OUTSIDE zone pair carries a policy. ZBF drops traffic between two zones that have no zone pair, so new connections arriving from OUTSIDE (and anything to or from the DMZ zone, which has no pair yet) are blocked, while replies to the sessions created by the `inspect` action are allowed back in.

---

### 5. ACLs as Basic Firewalls

**Standard ACL Firewall:**

```cisco
! Block a specific host from accessing the network
access-list 10 deny host 192.168.1.100
access-list 10 permit any
!
interface GigabitEthernet0/0
 ip access-group 10 in
```

**Extended ACL Firewall:**

```cisco
! Allow internal users to reach web servers (HTTP/HTTPS only)
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group 100 in
```

**ACL Limitations:**

- Stateless (each packet is evaluated independently)
- No application awareness
- Difficult to manage complex rules
- No state table for return traffic: replies must be permitted explicitly (for TCP the `established` keyword matches packets with ACK or RST set, a coarse substitute for real connection tracking)

---
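To see how the five configuration steps above combine at forwarding time, here is an added Python model (written for these notes, not Cisco code) of the ZBF decision: same-zone traffic passes, inter-zone traffic with no zone pair is dropped, a matching class gets its policy action, and an `inspect` session lets the reply back in without any OUTSIDE-to-INSIDE policy, which is exactly the return-traffic state that a plain ACL lacks. The protocol names on packets and the documentation-range addresses in `demo()` are constructed; the router's `self` zone is left out.

```python
"""Toy model of Cisco IOS Zone-Based Policy Firewall (ZBF) forwarding decisions.

Added illustration, not Cisco code. It follows the ZBF rules in the notes:
interfaces join zones, inter-zone traffic needs a zone pair with a policy,
class maps select traffic by protocol, and 'inspect' records a session that
lets the return traffic through. Packets arrive pre-classified by protocol name
(http, icmp, ...), as the IOS 'match protocol' classifier would; the router's
own 'self' zone (permitted by default) is not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_if: str    # ingress interface
    out_if: str   # egress interface chosen by routing
    src: str
    dst: str
    proto: str    # application protocol as classified by the router


class ZoneBasedFirewall:
    def __init__(self) -> None:
        self.zone_of: dict[str, str] = {}                        # interface -> zone
        self.class_maps: dict[str, set[str]] = {}                # class-map -> protocols
        self.policy_maps: dict[str, list[tuple[str, str]]] = {}  # policy -> [(class, action)]
        self.zone_pairs: dict[tuple[str, str], str] = {}         # (src zone, dst zone) -> policy
        self.sessions: set[tuple[str, str, str, str, str]] = set()

    def zone_member(self, intf: str, zone: str) -> None:      # interface ... zone-member security
        self.zone_of[intf] = zone

    def class_map(self, name: str, *protocols: str) -> None:  # class-map type inspect match-any
        self.class_maps[name] = set(protocols)

    def policy_map(self, name: str, *classes: tuple[str, str]) -> None:  # ordered (class, action)
        self.policy_maps[name] = list(classes)

    def zone_pair(self, src_zone: str, dst_zone: str, policy: str) -> None:
        self.zone_pairs[(src_zone, dst_zone)] = policy

    def _action(self, policy: str, proto: str) -> str:
        for cls, action in self.policy_maps[policy]:
            if cls == "class-default" or proto in self.class_maps[cls]:
                return action
        return "drop"   # a policy with no explicit class-default drops the rest

    def forward(self, pkt: Packet) -> str:
        # 1. Reply to an inspected session: allowed without any reverse zone pair.
        if (pkt.dst, pkt.src, pkt.out_if, pkt.in_if, pkt.proto) in self.sessions:
            return "permit (return traffic of inspected session)"
        src_zone = self.zone_of.get(pkt.in_if)
        dst_zone = self.zone_of.get(pkt.out_if)
        # 2. Neither interface is a zone member: the firewall is not involved.
        if src_zone is None and dst_zone is None:
            return "pass (no zone on either interface)"
        # 3. Zone member to non-member (either direction) is dropped by default.
        if src_zone is None or dst_zone is None:
            return "drop (zone member to non-member)"
        # 4. Same zone: allowed by default.  5. Different zones: need a zone pair.
        if src_zone == dst_zone:
            return "pass (same zone)"
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop (no zone pair)"
        action = self._action(policy, pkt.proto)
        if action == "inspect":   # stateful: remember the flow so its reply is accepted
            self.sessions.add((pkt.src, pkt.dst, pkt.in_if, pkt.out_if, pkt.proto))
        return action             # 'inspect', 'pass' (stateless, one-way) or 'drop'


def build_from_notes() -> ZoneBasedFirewall:
    """The five-step ZBF configuration above (Gi0/1 INSIDE, Gi0/0 OUTSIDE)."""
    fw = ZoneBasedFirewall()
    fw.class_map("HTTP-TRAFFIC", "http", "https")
    fw.class_map("ICMP-TRAFFIC", "icmp")
    fw.policy_map("INSIDE-TO-OUTSIDE", ("HTTP-TRAFFIC", "inspect"),
                  ("ICMP-TRAFFIC", "inspect"), ("class-default", "drop"))
    fw.zone_pair("INSIDE", "OUTSIDE", "INSIDE-TO-OUTSIDE")
    fw.zone_member("GigabitEthernet0/1", "INSIDE")
    fw.zone_member("GigabitEthernet0/0", "OUTSIDE")
    return fw


def demo() -> dict[str, str]:
    """Constructed flows (documentation address ranges) run through the model."""
    fw = build_from_notes()
    inside, outside = "GigabitEthernet0/1", "GigabitEthernet0/0"
    return {
        "inside->outside http": fw.forward(Packet(inside, outside, "192.168.1.10", "198.51.100.7", "http")),
        "reply outside->inside": fw.forward(Packet(outside, inside, "198.51.100.7", "192.168.1.10", "http")),
        "inside->outside ssh": fw.forward(Packet(inside, outside, "192.168.1.10", "198.51.100.7", "ssh")),
        "new outside->inside http": fw.forward(Packet(outside, inside, "203.0.113.9", "192.168.1.10", "http")),
    }
```

The order of the first two `demo()` flows matters: the reply is accepted only because the outbound HTTP request was inspected first.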
### 6. Cisco Firewall Products

| Product | Type | Use Case |
|---------|------|----------|
| **Cisco ASA** | Stateful Firewall | Small to medium business, branch offices |
| **Cisco Firepower** | NGFW (Next-Gen) | Enterprise, advanced threat protection |
| **Cisco IOS ZBF** | Software Firewall | Integrated on routers, branch offices |
| **Cisco Meraki MX** | Cloud-Managed Firewall | Distributed sites, SD-WAN |
| **Cisco ASAv** | Virtual Firewall | Virtualized environments |

```
CISCO FIREWALL PRODUCT LINE

  ENTERPRISE (Firepower)
   - NGFW capabilities
   - IPS, AMP, URL filtering
   - High throughput
          |
          v
  MID-RANGE (ASA)
   - Stateful inspection
   - VPN concentrator
   - Reliable, proven
          |
          v
  SMALL BUSINESS (Meraki, IOS ZBF)
   - Cloud-managed
   - Integrated with router
   - Cost-effective
```

---
### 7. Firewall Deployment Models

**Model 1: Two-Legged (Simple)**

```
Internal Network ---- Firewall ---- Internet
```

- Basic protection
- No DMZ
- Best for small networks

**Model 2: Three-Legged (With DMZ)**

```
Internal Network ------+
                       |
                  +----+-----+
                  | Firewall |---- Internet
                  +----+-----+
                       |
DMZ (Public Servers) --+
```

- Separate network for public servers
- Better security
- Standard for business networks

**Model 3: Screened Subnet (Multiple DMZs)**

```
Internal Network ---- Firewall 1 ---- DMZ (Web) ---- Firewall 2
                                                         |
                                                  DMZ (Database)
```

- Multiple layers of security
- Defense in depth
- Used in high-security environments

---
### 8. Firewall Rules and Policies

**Common Firewall Rules:**

| Rule | Source | Destination | Service | Action | Reason |
|------|--------|-------------|---------|--------|--------|
| 1 | Internal | Internet | HTTP, HTTPS | Allow | Web browsing |
| 2 | Internal | Internet | DNS | Allow | Name resolution |
| 3 | Internal | Internal | Any | Allow | Internal communication |
| 4 | Internet | Internal | Any | Deny | No inbound from internet |
| 5 | Internet | DMZ | HTTP, HTTPS | Allow | Public web access |
| 6 | DMZ | Database | SQL | Allow | Web to database |

**Rule Best Practices:**

- Most specific rules first (matching stops at the first hit, so a broad rule placed earlier shadows a specific one placed later)
- Deny all at the end (implicit deny)
- Group similar rules
- Use object groups for organization

---

### 9. Firewall Verification Commands

| Command | Purpose |
|---------|---------|
| `show access-lists` | Display ACL rules (router-based firewall) |
| `show policy-map type inspect` | Display ZBF policy |
| `show zone security` | Display configured zones |
| `show zone-pair security` | Display zone pair policies |
| `show firewall` | Display firewall status (ASA) |
| `show running-config \| section firewall` | Display firewall configuration |

**ZBF Verification:**

```cisco
Router# show zone security
zone INSIDE
  Description: Trusted internal network
  Member interfaces:
    GigabitEthernet0/1
zone OUTSIDE
  Description: Untrusted external network
  Member interfaces:
    GigabitEthernet0/0

Router# show zone-pair security
zone-pair ZP-INSIDE-OUTSIDE
  source: INSIDE destination: OUTSIDE
  service-policy type inspect INSIDE-TO-OUTSIDE

Router# show policy-map type inspect INSIDE-TO-OUTSIDE
policy-map type inspect INSIDE-TO-OUTSIDE
  class HTTP-TRAFFIC
    inspect
  class ICMP-TRAFFIC
    inspect
  class class-default
    drop
```

---
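The "most specific rules first" practice from section 8 can be checked mechanically before a change goes in. As an added example (not Cisco tooling and not from the notes), the following Python parses a numbered extended ACL, assuming a subset of the IOS syntax described in its docstring, and reports entries that an earlier, broader entry shadows; the sample ACL is constructed.

```python
"""Shadowed-entry check for Cisco IOS numbered extended ACLs.

Added example, not Cisco tooling. ACL entries are matched top-down and the first
hit wins, so an entry whose traffic is entirely covered by an earlier entry never
fires. The dangerous case is an entry with the opposite action to the one that
covers it: the intended deny (or permit) is silently lost. Supported syntax is a
subset of IOS (an assumption of this example, numeric ports only):
  access-list <n> permit|deny ip|tcp|udp|icmp <src> [eq <port>] <dst> [eq <port>] [log]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AddrMatch:
    addr: int       # address bits
    wildcard: int   # IOS wildcard mask: 1 bits are "don't care"

    def covers(self, other: "AddrMatch") -> bool:
        # Every bit fixed here must also be fixed in `other`, with the same value.
        fixed = ~self.wildcard & 0xFFFFFFFF
        return (other.wildcard & fixed) == 0 and ((self.addr ^ other.addr) & fixed) == 0


@dataclass(frozen=True)
class Ace:
    text: str
    action: str
    proto: str
    src: AddrMatch
    sport: Optional[int]
    dst: AddrMatch
    dport: Optional[int]

    def covers(self, other: "Ace") -> bool:
        """True if every packet matching `other` would already match `self`."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and (self.sport is None or self.sport == other.sport)
                and (self.dport is None or self.dport == other.dport)
                and self.src.covers(other.src) and self.dst.covers(other.dst))


def _addr(t: list[str], i: int) -> tuple[AddrMatch, int]:
    if t[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return AddrMatch(int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return AddrMatch(int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _port(t: list[str], i: int) -> tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    if t[i:] not in ([], ["log"]):   # e.g. 'established' narrows the match: refuse rather than guess
        raise ValueError(f"unsupported trailing keywords in: {line}")
    return Ace(line.strip(), t[2], t[3], src, sport, dst, dport)


def find_shadowed(config: str) -> list[str]:
    aces = [parse_ace(ln) for ln in config.splitlines() if ln.strip().startswith("access-list")]
    findings = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if earlier.covers(later):
                kind = "redundant" if earlier.action == later.action else "CONFLICT"
                findings.append(f"{kind}: '{later.text}' never matches; shadowed by '{earlier.text}'")
                break
    return findings


# Constructed ACL (not from the notes) showing both kinds of shadowing.
SAMPLE_ACL = """
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny tcp host 192.168.1.100 any eq 23
access-list 100 permit tcp host 192.168.1.20 any eq 443
access-list 100 deny ip any any log
"""
```

Running `find_shadowed(SAMPLE_ACL)` reports the `deny ... eq 23` entry as a CONFLICT (the `permit ip` above it lets that telnet through) and the `permit ... host 192.168.1.20` entry as redundant.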
### 10. Firewall Troubleshooting

| Problem | Symptom | Solution |
|---------|---------|----------|
| **Traffic Blocked** | Users cannot access the internet | Check firewall rules, verify zone assignments |
| **Application Not Working** | Specific app fails | Check whether protocol inspection is required |
| **High CPU** | Slow performance | Review rule count, enable logging selectively |
| **VPN Issues** | VPN users cannot connect | Verify the firewall allows VPN protocols (ESP, UDP 500, 4500) |
| **DMZ Issues** | Public server inaccessible | Check NAT and firewall rules for inbound traffic |

**Troubleshooting Commands:**

```cisco
! Check firewall hits
Router# show access-lists
Router# show policy-map type inspect

! Test connectivity
Router# ping 8.8.8.8 source 192.168.1.1

! Debug firewall events (use carefully)
Router# debug ip inspect
Router# debug policy-map type inspect

! Check NAT for firewall
Router# show ip nat translations
```

---

### 11. Firewall Best Practices

**1. Default Deny**

- Start with deny all, then allow specific traffic
- Implicit deny at the end of all rule sets

**2. Least Privilege**

- Allow only necessary traffic
- Use specific source/destination/ports
- Avoid "any" when possible

**3. Defense in Depth**

- Multiple layers of security
- Firewall + IPS + endpoint protection
- DMZ for public-facing servers

**4. Logging and Monitoring**

- Enable logging for denied traffic
- Monitor failed attempts
- Review logs regularly

**5. Regular Review**

- Review firewall rules quarterly
- Remove unused rules
- Document rule purpose

**6. Change Management**

- Document all firewall changes
- Test rules before production
- Have a rollback plan

---

## Complete Configuration Examples

### Lab 1: Router ACL Firewall

**Topology:**

```
Internal Network (192.168.1.0/24) ---- Router ---- Internet
```

**Router Configuration:**

```cisco
hostname Router
!
! Allow internal users to access the internet
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq 53
access-list 100 permit icmp 192.168.1.0 0.0.0.255 any
!
! Deny all other traffic
access-list 100 deny ip any any
!
! Apply inbound on the inside interface (filters what internal hosts send out)
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
!
! Default route to internet
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
end
```

---

### Lab 2: Zone-Based Policy Firewall

**Topology:**

```
Inside (192.168.1.0/24) ---- Router ---- Outside (Internet)
                               |
                               |
                        DMZ (10.1.1.0/24)
```

**Router Configuration:**

```cisco
hostname Router
!
! Create zones
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! Class maps for traffic classification
class-map type inspect match-any WEB-TRAFFIC
 match protocol http
 match protocol https
!
class-map type inspect match-any DNS-TRAFFIC
 match protocol dns
!
class-map type inspect match-any ICMP-TRAFFIC
 match protocol icmp
!
! Policy for INSIDE to OUTSIDE
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect WEB-TRAFFIC
  inspect
 class type inspect DNS-TRAFFIC
  inspect
 class type inspect ICMP-TRAFFIC
  inspect
 class class-default
  drop
!
! Policy for OUTSIDE to DMZ (web servers)
policy-map type inspect OUTSIDE-TO-DMZ
 class type inspect WEB-TRAFFIC
  inspect
 class class-default
  drop
!
! Zone pairs
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
zone-pair security ZP-OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ
!
! Assign interfaces to zones
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
interface GigabitEthernet0/2
 zone-member security DMZ
!
end
```

---

### Lab 3: DMZ with Web Server Access

**Topology:**

```
      Inside (192.168.1.0/24)
               |
           Firewall
               |
       +-------+-------+
       |               |
   Internet      DMZ (10.1.1.0/24)
                 Web Server (10.1.1.10)
```

**Firewall Configuration:**

```cisco
hostname Firewall
!
! Zones
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! Web traffic class
class-map type inspect match-any WEB
 match protocol http
 match protocol https
!
! Inside to outside policy
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect WEB
  inspect
 class class-default
  drop
!
! Outside to DMZ policy (allow web to DMZ)
policy-map type inspect OUTSIDE-TO-DMZ
 class type inspect WEB
  inspect
 class class-default
  drop
!
! Inside to DMZ policy (allow internal to DMZ)
policy-map type inspect INSIDE-TO-DMZ
 class type inspect WEB
  inspect
 class class-default
  drop
!
! Zone pairs
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
zone-pair security ZP-OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ
!
zone-pair security ZP-INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ
!
! Interface assignments (ip nat inside/outside marks the NAT domains for the
! translations below; without them the NAT statements never take effect)
interface GigabitEthernet0/0
 zone-member security INSIDE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/2
 zone-member security DMZ
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! NAT for internal users
ip nat inside source list 10 interface GigabitEthernet0/1 overload
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Static NAT for web server
ip nat inside source static 10.1.1.10 203.0.113.10
!
end
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **Firewall Types** | Packet filtering, stateful, application, NGFW |
| **ZBF** | Zones, zone pairs, class maps, policy maps |
| **ACL Firewall** | Basic stateless filtering |
| **DMZ** | Demilitarized zone for public servers |
| **Stateful Inspection** | Tracks connection state, allows return traffic |
| **Defense in Depth** | Multiple layers of security |

### Common Exam Scenarios:

**Scenario 1:** "A router needs to allow internal users to browse the internet but block all inbound traffic. Which firewall method should be used?"
- **Answer:** ACLs or ZBF with stateful inspection

**Scenario 2:** "What is the purpose of a DMZ?"
- **Answer:** Provides a separate network for public-facing servers, isolating them from the internal network

**Scenario 3:** "Which firewall type tracks connection state and automatically allows return traffic?"
- **Answer:** Stateful firewall

### Mnemonics:

**Firewall Types:** **"P.S.A.N." - Packet, Stateful, Application, NGFW**
- **P**acket Filtering: Stateless, packet-by-packet
- **S**tateful: Tracks connections
- **A**pplication: Deep inspection
- **N**GFW: Next-Generation

**ZBF Components:** **"Z.C.P.Z." - Zones, Class Maps, Policy Maps, Zone Pairs**
- **Z**ones: Security boundaries
- **C**lass Maps: Traffic classification
- **P**olicy Maps: Actions on traffic
- **Z**one Pairs: Connect zones with policies

---

## Summary (1-Minute Revision)

```
FIREWALL TECHNOLOGIES:

FIREWALL TYPES:
  - Packet Filtering: Stateless (ACLs)
  - Stateful: Tracks connections (ASA, ZBF)
  - Application: Deep inspection (Proxy)
  - NGFW: Integrated IPS, URL filtering (Firepower)

ZONE-BASED POLICY FIREWALL (ZBF):
  - Zones: Security boundaries (INSIDE, OUTSIDE, DMZ)
  - Class Maps: Traffic classification (HTTP, ICMP)
  - Policy Maps: Actions (inspect, drop)
  - Zone Pairs: Connect zones with policies
  - Interface Assignment: zone-member security

FIREWALL DEPLOYMENT:
  - Two-Legged: Internal + Internet
  - Three-Legged: Internal + DMZ + Internet
  - Screened Subnet: Multiple DMZs

CISCO FIREWALL PRODUCTS:
  - ASA: Stateful firewall, VPN
  - Firepower: NGFW, IPS, AMP
  - IOS ZBF: Integrated on routers
  - Meraki MX: Cloud-managed
  - ASAv: Virtual firewall

VERIFICATION:
  - show access-lists
  - show policy-map type inspect
  - show zone security
  - show zone-pair security

BEST PRACTICES:
  - Default deny
  - Least privilege
  - Defense in depth
  - Regular review
  - Change management
```

---

## Practice Questions

**1. Which firewall type tracks connection state and automatically allows return traffic?**
- A) Packet Filtering
- B) Stateful Firewall
- C) Proxy Firewall
- D) ACL

<details>
<summary>Answer</summary>
<b>B) Stateful Firewall</b> - Stateful firewalls maintain connection tables and allow return traffic automatically.
</details>

**2. What is the purpose of a DMZ?**
- A) Isolate public-facing servers from the internal network
- B) Increase network speed
- C) Provide backup connectivity
- D) Store user credentials

<details>
<summary>Answer</summary>
<b>A) Isolate public-facing servers from the internal network</b> - A DMZ provides a buffer zone between internal and external networks.
</details>

**3. Which Cisco product is a Next-Generation Firewall (NGFW)?**
- A) Cisco ASA
- B) Cisco Firepower
- C) Cisco IOS
- D) Cisco Meraki

<details>
<summary>Answer</summary>
<b>B) Cisco Firepower</b> - Firepower is Cisco's NGFW platform with IPS and threat intelligence.
</details>

**4. Which command assigns an interface to a security zone in ZBF?**
- A) `zone-member security`
- B) `security-zone`
- C) `interface zone`
- D) `zone interface`

<details>
<summary>Answer</summary>
<b>A) `zone-member security`</b> - This command assigns an interface to a security zone.
</details>

**5. What is the key difference between stateless and stateful firewalls?**
- A) Stateful firewalls are faster
- B) Stateful firewalls track connection state
- C) Stateless firewalls encrypt traffic
- D) Stateless firewalls are more secure

<details>
<summary>Answer</summary>
<b>B) Stateful firewalls track connection state</b> - Stateful firewalls maintain connection tables for better security.
</details>

**6. What does the "inspect" action do in a ZBF policy?**
- A) Blocks traffic
- B) Allows stateful inspection of traffic
- C) Logs traffic only
- D) Redirects traffic

<details>
<summary>Answer</summary>
<b>B) Allows stateful inspection of traffic</b> - The inspect action enables stateful firewall inspection.
</details>

**7. Which firewall deployment model includes a separate network for public servers?**
- A) Two-Legged
- B) Three-Legged (with DMZ)
- C) Screened Subnet
- D) Both B and C

<details>
<summary>Answer</summary>
<b>D) Both B and C</b> - The Three-Legged and Screened Subnet models both include a DMZ.
</details>

**8. What is the default behavior of a firewall if no rules match?**
- A) Allow all
- B) Deny all
- C) Ask user
- D) Log only

<details>
<summary>Answer</summary>
<b>B) Deny all</b> - Firewalls have an implicit deny at the end of rule sets.
</details>

**9. Which component in ZBF defines the traffic to be inspected?**
- A) Zone
- B) Class Map
- C) Policy Map
- D) Zone Pair

<details>
<summary>Answer</summary>
<b>B) Class Map</b> - Class maps define which traffic to match.
</details>

**10. What is defense in depth?**
- A) Single security layer
- B) Multiple layers of security
- C) Deep packet inspection
- D) Defense against depth attacks

<details>
<summary>Answer</summary>
<b>B) Multiple layers of security</b> - Defense in depth uses multiple security controls.
</details>

**11. Which command displays ZBF policy information?**
- A) `show policy-map type inspect`
- B) `show firewall`
- C) `show access-lists`
- D) `show zone`

<details>
<summary>Answer</summary>
<b>A) `show policy-map type inspect`</b> - Displays the ZBF policy configuration.
</details>

**12. What is the purpose of a zone pair in ZBF?**
- A) Define zones
- B) Connect source and destination zones with a policy
- C) Assign interfaces
- D) Classify traffic

<details>
<summary>Answer</summary>
<b>B) Connect source and destination zones with a policy</b> - Zone pairs define the traffic direction and apply policies.
</details>

---

## Next Steps

After completing Video 40, you should be ready for:

- **Video 41:** QoS (Quality of Service) Overview
- **Video 42:** Queuing Mechanisms

**Lab Practice:**

1. Configure an ACL-based firewall on a router
2. Configure ZBF with INSIDE and OUTSIDE zones
3. Test inbound and outbound traffic
4. Configure a DMZ with a web server
5. Verify firewall rules with show commands
6. Troubleshoot blocked traffic
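Lab step 6 (troubleshoot blocked traffic) and best practice 4 (log denied traffic, monitor failed attempts) meet in the ACL log. As an added example, not from the notes or from Cisco, the Python below parses the `%SEC-6-IPACCESSLOGP` messages that IOS emits when an ACL entry carrying the `log` keyword matches TCP or UDP traffic, totals denied packets per source and flags sources that hit many distinct destination ports; the log lines and the threshold are constructed for the example.

```python
"""Summarise denied traffic from Cisco IOS ACL log messages.

Added example, not Cisco tooling. When an ACL entry carries the 'log' keyword
(e.g. 'access-list 100 deny ip any any log'), IOS emits %SEC-6-IPACCESSLOGP
messages for TCP/UDP hits (ICMP and other protocols use different message
names and are not parsed here). The script totals denied packets per source
and flags sources probing many distinct destination ports, which is the
'monitor failed attempts' step in practice. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# %SEC-6-IPACCESSLOGP: list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet[s]
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

SAMPLE_LOG = """\
*Mar  1 00:01:10.101: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.50(40001) -> 192.168.1.10(22), 1 packet
*Mar  1 00:01:11.220: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.50(40002) -> 192.168.1.10(23), 1 packet
*Mar  1 00:01:12.330: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.50(40003) -> 192.168.1.10(3389), 1 packet
*Mar  1 00:01:13.440: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.50(40004) -> 192.168.1.10(445), 1 packet
*Mar  1 00:05:00.000: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.51.100.7(5353) -> 192.168.1.255(5353), 12 packets
*Mar  1 00:05:01.000: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.1.20(51000) -> 198.51.100.9(443), 1 packet
*Mar  1 00:05:02.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_denies(log_text: str) -> list[dict]:
    """Return one record per denied IPACCESSLOGP line; other lines are ignored."""
    denies = []
    for line in log_text.splitlines():
        m = LOGP.search(line)
        if m and m["verdict"] == "denied":
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            denies.append(rec)
    return denies


def summarise(denies: list[dict], port_threshold: int = 3) -> dict:
    """Aggregate denied packets per source and flag many-port sources.

    A source denied on >= port_threshold distinct (destination, port) pairs
    is reported as suspicious; the threshold is a tuning knob, not a standard.
    """
    packets_by_src: dict[str, int] = defaultdict(int)
    targets_by_src: dict[str, set] = defaultdict(set)
    packets_by_acl: dict[str, int] = defaultdict(int)
    for rec in denies:
        packets_by_src[rec["src"]] += rec["count"]
        targets_by_src[rec["src"]].add((rec["dst"], rec["dport"]))
        packets_by_acl[rec["acl"]] += rec["count"]
    suspicious = sorted(src for src, t in targets_by_src.items() if len(t) >= port_threshold)
    return {
        "packets_by_src": dict(packets_by_src),
        "distinct_targets": {src: len(t) for src, t in targets_by_src.items()},
        "packets_by_acl": dict(packets_by_acl),
        "suspicious_sources": suspicious,
    }


if __name__ == "__main__":
    report = summarise(parse_denies(SAMPLE_LOG))
    for src, n in sorted(report["packets_by_src"].items(), key=lambda kv: -kv[1]):
        flag = " <-- many distinct ports" if src in report["suspicious_sources"] else ""
        print(f"{src:16} denied packets={n:4} targets={report['distinct_targets'][src]}{flag}")
```

IOS rate-limits these messages and reports a summary count every few minutes, so the packet totals are approximate; the distinct-port count is the more reliable signal.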