Scenario:
You have been given the task of performing initial zone-based policy firewall configurations. You
will need to create zones, assign the zones to specific interfaces, and create zone pairs to allow
for traffic flow between interfaces. You will also need to define a zone-based policy firewall and
assign the policy to the zone pair. To access the router console ports, refer to the exhibit, click the
router for access, and perform the following tasks.
Note that when performing the configuration, you should use the exact names given below:
Globally create zones and label them with the following names:
OUTSIDE
INSIDE
Assign interfaces to zones as indicated in the exhibit
Create a zone pair for traffic flowing from the inside to outside zones named IN-TO-OUT
Define a zone-based firewall policy named IN-TO-OUT-POLICY
Use the “match protocol” classification option to statefully inspect HTTP traffic and drop all other
traffic
Use a class-map named HTTP_POLICY
Apply zone-based firewall policy IN-TO-OUT-POLICY to the zone pair
Answer:
Explanation:
First, divide the network into two security zones, INSIDE and OUTSIDE, and assign each interface to its zone as indicated in the exhibit. Then build the class-map that matches HTTP, the inspect policy-map that references it, and the zone pair IN-TO-OUT, and apply the policy to that zone pair. Traffic between two zones that have no zone pair is dropped by default, so no OUTSIDE-to-INSIDE pair is needed to block outside-initiated connections.
Router(config)#zone security INSIDE
Router(config-sec-zone)#exit
Router(config)#zone security OUTSIDE
Router(config-sec-zone)#exit
Router(config)#interface fa0/0/1
Router(config-if)#no shutdown
Router(config-if)#zone-member security INSIDE
Router(config-if)#exit
Router(config)#interface fa0/0/0
Router(config-if)#no shutdown
Router(config-if)#zone-member security OUTSIDE
Router(config-if)#exit
Router(config)#class-map type inspect match-any HTTP_POLICY
Router(config-cmap)#match protocol http
Router(config-cmap)#exit
Router(config)#policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)#class type inspect HTTP_POLICY
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect IN-TO-OUT-POLICY
Router(config-sec-zone-pair)#exit
Note that the zone pair is named IN-TO-OUT and the policy IN-TO-OUT-POLICY, as the task requires; the two must not be confused. The class-default of a type inspect policy-map drops traffic by default, so HTTP from INSIDE to OUTSIDE is statefully inspected (and its return traffic permitted) while everything else is dropped, which satisfies the "drop all other traffic" requirement without any further class.
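As an added example that is not part of the original answer, the following session makes the implicit drop explicit (with logging, so denied flows show up in syslog) and then verifies the result with the standard IOS show commands. It assumes the zones, class-map, policy-map and zone pair were created with the names above; the verification commands print the running state of the firewall rather than fixed output, so no output is shown here.

```cisco
! Added example: make the default drop explicit and log it.
! class-default already drops in a type inspect policy-map; "drop log"
! only adds a syslog entry per denied flow, which is useful while testing.
Router(config)#policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)#class class-default
Router(config-pmap-c)#drop log
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#end

! Verify zone membership: every interface that carries user traffic
! must appear under INSIDE or OUTSIDE, otherwise it cannot talk to
! zone members at all.
Router#show zone security
! Verify the pair direction (source INSIDE, destination OUTSIDE) and
! that IN-TO-OUT-POLICY is attached to it.
Router#show zone-pair security
! Confirm the class-map matches only HTTP.
Router#show class-map type inspect HTTP_POLICY
! Per-class packet counters on the pair: HTTP should hit HTTP_POLICY
! (inspect), everything else should count under class-default (drop).
Router#show policy-map type inspect zone-pair IN-TO-OUT
! Active inspected sessions; generate an HTTP request from an INSIDE
! host and it should appear here, while a ping or SSH attempt from the
! same host should not.
Router#show policy-map type inspect zone-pair IN-TO-OUT sessions
```

Because no zone pair exists from OUTSIDE to INSIDE, connections initiated from the outside are dropped regardless of protocol; only the return half of an inspected inside-initiated HTTP session is allowed back. Traffic to and from the router itself belongs to the self zone and is not affected by this pair.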