Basic Zone Based Firewall


Being a full-time Cisco Network Engineer you decide to implement a new router at your home network. You heard good stories about Zone Based Firewalls so you decide to beef up your home security. Let’s see what you can do…


  • All IP addresses have been configured for you, every router has a loopback interface:
    Router LAN: L0: /24
    Router FIREWALL:L0: /24
    Router INTERNET: L0: /24 and L1: /24
  • Static routes have been configured for you, there is full connectivity between the routers.
  • Router INTERNET has the following services configured: SSH, TELNET, DNS, HTTP and HTTPS.
  • Router FIREWALL has the following services configured: SSH and TELNET.
  • Username: gns3vault
  • Password: gns3vault
  • Create 2 security zones called “LAN” and “INTERNET” on router FIREWALL.
  • Place the corresponding interfaces into the correct zones.
  • Create the correct class-map, policy-map and zone-pair so traffic from LAN to INTERNET is allowed, including the return traffic.
  • Traffic from INTERNET to LAN should be blocked.
  • Increase security by only allowing HTTP, ICMP and HTTPS traffic from LAN to INTERNET.
  • Test this by using telnet from router LAN to router INTERNET, this should be blocked.


The security between your LAN and the INTERNET is looking good, but users from the LAN are still able to telnet or ssh into your Firewall. Even worse, people from the Internet can telnet or ssh into your firewall as well! Time to protect your firewall…

  • Connections from the INTERNET should only be able to ping to router FIREWALL. Use “Zone Self” to achieve this.
  • Users from the LAN should only be able to SSH into router FIREWALL, Telnet should be blocked. Use “Zone Self” to achieve this.




Video Solution:

Configuration Files

You need to register to download the GNS3 topology file. (Registration is free!)

Once you are logged in you will find the configuration files right here.

Opt In Image
Do you want your CCNA or CCNP Certificate?

The How to Master series helps you to understand complex topics like spanning-tree, VLANs, trunks, OSPF, EIGRP, BGP and more.

Written by René Molenaar - CCIE #41726

You May Also Like

About the Author: Rene Molenaar

René - CCIE #41726 is the creator of where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on


  1. Very nicely done.Hope you put out some more of this with different scenario. Great job Rene.

  2. Great Lab, thank you Rene!

    I have one further question, I have added SSH access from Internet to Firewall, at first I got the following error message:

    %Protocol ssh configured in class-map Internet_to_Self_Class cannot be configured for the self zone. Please remove the protocol and retry

    After changing the policy-map from "inspect" to "pass" I was able to add SSH access to the class-map.

    Is this just an issue in GNS3 or do I have to use "pass" on real world gear as well? How about GRE and ISAKMP, use "pass" as well?

    1. In this case you don’t need zone-based. Just enter the line vty 0 4 and type transport has preferred ssh.

      Very simple!

  3. Rene … you are doing awesome work….. How much you are helping people somewhat beyond imagination…. We hardly learn anything without practice..Tons of Thanks from core of my heart..:D:)

  4. Rene,

    Great tutorial. I did this using CCP for my study for the CCNA Security exam.

    Thank you,


  5. The link for the final configs is the same as the start link download.

Comments are closed.