Filtering traffic between the transit zones
The first step in setting up zone-based traffic filtering is to create the zone policies: each zone is a named configuration node that owns one or more interfaces, and a packet is classified by the zone of the interface it arrives on and the zone of the interface it leaves by. To create the zone policies, perform the following steps in configuration mode.
Step | Command |
---|---|
Create the configuration node for the DMZ and give a description for the zone. | |
Add the interface contained in the DMZ. | |
Create the configuration node for the private zone and give a description for the zone. | |
Add one of the interfaces contained in the private zone. | |
Add the other interface contained in the private zone. | |
Create the configuration node for the public zone and give a description for the zone. | |
Add the interface contained in the public zone. | |
Commit the configuration. | |
Show the configuration. | |
At this point, traffic flows freely within a zone, but no traffic flows between zones: the default policy for every zone pair is to drop, and a zone pair only passes traffic once a firewall rule set has been attached to it. For example, because the dp0p1p1 and dp0p1p2 interfaces lie in the same zone (private), traffic between these interfaces flows freely. However, traffic from dp0p1p2 to dp0p1p3 (which lies in the DMZ) is dropped. Note that this drop happens silently, so if a host stops reaching a server after zones are committed, a missing zone-pair rule set is the first thing to check.
The next step, shown in the following example, is to create firewall rule sets that allow traffic between zones. The first rule set allows all traffic to the public zone; it is deliberately the permissive direction (hosts leaving for the public network), and it says nothing about the reverse direction, which stays dropped until a rule set of its own is attached. To configure this rule set, perform the following steps in configuration mode.
Step | Command |
---|---|
Create the configuration node for the to_public rule set and give a description for the rule set. | |
Create a rule to accept all traffic sent to the public zone. | |
Commit the configuration. | |
Show the firewall configuration. | |
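The two procedures above (zone policies, then the to_public rule set) as one configuration-mode listing. This is an added example, not the page's own command table: the `set security zone-policy` / `set security firewall` syntax is the Brocade vRouter form assumed from the dp0p1p1-style interface names, the public-zone interface dp0p1p4 and the description strings are made up for the example (the page names only dp0p1p1 and dp0p1p2 in private and dp0p1p3 in the DMZ), and the final block that binds the rule set to a zone pair is assumed to follow the `zone <from> to <to> firewall <rule-set>` convention. Lines beginning with `#` are annotations, not CLI input.

```text
# --- Step 1: zone policies (one node per zone, interfaces assigned to it) ---
set security zone-policy zone DMZ description "DMZ: servers reachable from outside"
set security zone-policy zone DMZ interface dp0p1p3

set security zone-policy zone private description "Private: internal hosts"
set security zone-policy zone private interface dp0p1p1
set security zone-policy zone private interface dp0p1p2

# dp0p1p4 is an assumed interface name for the public side.
set security zone-policy zone public description "Public: upstream / Internet"
set security zone-policy zone public interface dp0p1p4

commit
show security zone-policy

# After this commit:
#   dp0p1p1 <-> dp0p1p2   passes (both in zone private)
#   dp0p1p2  -> dp0p1p3   dropped (private -> DMZ, no rule set attached)
#   private  -> public    dropped (no rule set attached yet)

# --- Step 2: a rule set that accepts everything sent to the public zone ---
set security firewall name to_public description "Allow all traffic to the public zone"
set security firewall name to_public rule 1 action accept

commit
show security firewall

# --- Step 3 (assumed syntax): attach the rule set to the zone pairs it is meant
# for. Traffic is matched by (ingress zone, egress zone); the reverse direction
# public -> private is still dropped because nothing is attached to that pair.
set security zone-policy zone private to public firewall to_public
set security zone-policy zone DMZ to public firewall to_public

commit
show security zone-policy
```

Keeping the rule set name and the zone pair it is attached to separate is what makes the accept-all rule safe to write: `to_public` only ever applies in the directions you bind it to, so an accidental `rule 1 action accept` never opens public -> private. Before trusting the result, verify from a private host that it can reach the public side and that a connection initiated from the public interface towards dp0p1p1 is still dropped.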