| Step | Command or Action | Example | Purpose |
|------|-------------------|---------|---------|
| Step 1 | enable | Device> enable | Enables privileged EXEC mode. |
| Step 2 | configure terminal | Device# configure terminal | Enters global configuration mode. |
| Step 3 | class-map type inspect match-any class-map-name | Device(config)# class-map type inspect match-any cmap-l4-Protocol | Creates an inspect type class map and enters class-map configuration mode. |
| Step 4 | match protocol protocol-name | Device(config-cmap)# match protocol tcp | Configures a match criterion for the class map on the basis of the specified protocol. |
| Step 5 | exit | Device(config-cmap)# exit | Exits class-map configuration mode and returns to global configuration mode. |
| Step 6 | parameter-map type inspect global | Device(config)# parameter-map type inspect global | Defines a global inspect parameter map and enters parameter-map type inspect configuration mode. |
| Step 7 | redundancy | Device(config-profile)# redundancy | Enables firewall high availability. |
| Step 8 | exit | Device(config-profile)# exit | Exits parameter-map type inspect configuration mode and returns to global configuration mode. |
| Step 9 | policy-map type inspect policy-map-name | Device(config)# policy-map type inspect pmap-l4-Protocols | Creates a protocol-specific inspect type policy map and enters policy-map configuration mode. |
| Step 10 | class type inspect class-map-name | Device(config-pmap)# class type inspect cmap-l4-Protocol | Defines the class on which an action is to be performed and enters policy-map class configuration mode. |
| Step 11 | inspect | Device(config-pmap-c)# inspect | Enables stateful packet inspection. |
| Step 12 | exit | Device(config-pmap-c)# exit | Exits policy-map class configuration mode and returns to policy-map configuration mode. |
| Step 13 | class class-default | Device(config-pmap)# class class-default | Configures the default class on which an action is to be performed and enters policy-map class configuration mode. |
| Step 14 | drop | Device(config-pmap-c)# drop | Drops packets that are sent to a device. |
| Step 15 | exit | Device(config-pmap-c)# exit | Exits policy-map class configuration mode and returns to policy-map configuration mode. |
| Step 16 | exit | Device(config-pmap)# exit | Exits policy-map configuration mode and returns to global configuration mode. |
| Step 17 | zone security zone-name | Device(config)# zone security TWAN | Creates a security zone and enters security zone configuration mode. |
| Step 18 | exit | Device(config-sec-zone)# exit | Exits security zone configuration mode and returns to global configuration mode. |
| Step 19 | zone security zone-name | Device(config)# zone security DATA | Creates a security zone and enters security zone configuration mode. |
| Step 20 | exit | Device(config-sec-zone)# exit | Exits security zone configuration mode and returns to global configuration mode. |
| Step 21 | zone-pair security zone-pair-name source zone-name destination zone-name | Device(config)# zone-pair security zp-TWAN-DATA source TWAN destination DATA | Creates a zone pair to which interfaces can be assigned and enters security zone-pair configuration mode. |
| Step 22 | service-policy type inspect policy-map-name | Device(config-sec-zone-pair)# service-policy type inspect pmap-l4-Protocols | Attaches a firewall policy map to a zone pair. |
| Step 23 | exit | Device(config-sec-zone-pair)# exit | Exits security zone-pair configuration mode and returns to global configuration mode. |
| Step 24 | zone-pair security zone-pair-name source zone-name destination zone-name | Device(config)# zone-pair security zp-DATA-TWAN source DATA destination TWAN | Creates a zone pair to which interfaces can be assigned and enters security zone-pair configuration mode. |
| Step 25 | service-policy type inspect policy-map-name | Device(config-sec-zone-pair)# service-policy type inspect pmap-l4-Protocols | Attaches a firewall policy map to a zone pair. |
| Step 26 | exit | Device(config-sec-zone-pair)# exit | Exits security zone-pair configuration mode and returns to global configuration mode. |
| Step 27 | interface type number | Device(config)# interface gigabitethernet 0/0/0 | Configures an interface and enters interface configuration mode. |
| Step 28 | ip address ip-address mask | Device(config-subif)# ip address 10.1.1.1 255.255.255.0 | Configures an IP address for the subinterface. |
| Step 29 | encapsulation dot1q vlan-id | Device(config-subif)# encapsulation dot1q 2 | Sets the encapsulation method used by the interface. |
| Step 30 | zone-member security security-zone-name | Device(config-subif)# zone-member security private | Configures the interface as a zone member. For the security-zone-name argument, you must specify one of the zones that you configured with the zone security command. When an interface is in a security zone, all traffic to and from that interface (except traffic going to the device or initiated by the device) is dropped by default. To permit traffic through an interface that is a zone member, you must make that zone part of a zone pair to which you apply a policy. If the policy permits traffic (via inspect or pass actions), traffic can flow through the interface. |
| Step 31 | end | Device(config-subif)# end | Exits subinterface configuration mode and returns to privileged EXEC mode. |
| Step 32 | show policy-firewall session zone-pair ha | Device# show policy-firewall session zone-pair ha | (Optional) Displays the firewall HA sessions pertaining to a zone pair. |
| Step 33 | debug policy-firewall ha | Device# debug policy-firewall ha | (Optional) Displays messages about firewall HA events. |
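The steps above only work as a whole when every name they introduce lines up: the zone pairs in Steps 21 and 24 must name the zones created in Steps 17 and 19, the service-policy in Steps 22 and 25 must name the policy map from Step 9, that policy map must reference the class map from Step 3, and the zone-member in Step 30 must name a configured zone (Step 30's own example uses private, which is not one of the zones the procedure creates). The following script is an added example, not Cisco code and not part of the original page: it assembles the running-config that the procedure produces into a constructed string and lints it for exactly those dangling references, for zone pairs with no policy attached (traffic between their zones is dropped by default), and for interfaces placed in a zone that is in no zone pair. The subinterface number GigabitEthernet0/0/0.1 and the zone-member zone DATA are assumptions made here so that the sample is internally consistent; the case-sensitivity hint reflects that IOS identifiers such as zone names are case-sensitive. Python is used because the IOS CLI itself cannot be run offline.

```python
"""Lint a zone-based firewall configuration for dangling cross-references.

Added example (not Cisco code). SAMPLE_CONFIG is a constructed running-config
assembled from the procedure above; the .1 subinterface and the zone DATA on
the interface are assumptions, not values from the page.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
class-map type inspect match-any cmap-l4-Protocol
 match protocol tcp
!
parameter-map type inspect global
 redundancy
!
policy-map type inspect pmap-l4-Protocols
 class type inspect cmap-l4-Protocol
  inspect
 class class-default
  drop
!
zone security TWAN
zone security DATA
zone-pair security zp-TWAN-DATA source TWAN destination DATA
 service-policy type inspect pmap-l4-Protocols
zone-pair security zp-DATA-TWAN source DATA destination TWAN
 service-policy type inspect pmap-l4-Protocols
!
interface GigabitEthernet0/0/0.1
 encapsulation dot1Q 2
 ip address 10.1.1.1 255.255.255.0
 zone-member security DATA
"""


@dataclass
class ZbfConfig:
    """Definitions and references extracted from the configuration text."""
    zones: set = field(default_factory=set)
    class_maps: set = field(default_factory=set)
    policy_maps: set = field(default_factory=set)
    paired_zones: set = field(default_factory=set)       # zones used by some zone-pair
    zone_pairs: dict = field(default_factory=dict)       # zone-pair -> attached policy-map or None
    zone_refs: list = field(default_factory=list)        # (where, zone name)
    class_refs: list = field(default_factory=list)       # (where, class-map name)
    policy_refs: list = field(default_factory=list)      # (where, policy-map name)
    interface_zones: dict = field(default_factory=dict)  # interface -> zone


def parse_zbf(text: str) -> ZbfConfig:
    """One pass: an unindented line opens a block, indented lines belong to it."""
    cfg = ZbfConfig()
    ctx = None  # (kind, name) of the block that indented lines belong to
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw[0].isspace()
        line = raw.strip()
        if not indented:
            ctx = None
            if m := re.fullmatch(r"zone security (\S+)", line):
                cfg.zones.add(m[1])
            elif m := re.fullmatch(r"class-map type inspect (?:match-(?:any|all) )?(\S+)", line):
                cfg.class_maps.add(m[1])
            elif m := re.fullmatch(r"policy-map type inspect (\S+)", line):
                cfg.policy_maps.add(m[1])
                ctx = ("policy-map", m[1])
            elif m := re.fullmatch(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
                cfg.zone_pairs[m[1]] = None
                cfg.paired_zones.update((m[2], m[3]))
                cfg.zone_refs += [(f"zone-pair {m[1]} source", m[2]),
                                  (f"zone-pair {m[1]} destination", m[3])]
                ctx = ("zone-pair", m[1])
            elif m := re.fullmatch(r"interface (\S+)", line):
                ctx = ("interface", m[1])
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "policy-map" and (m := re.fullmatch(r"class type inspect (\S+)", line)):
            cfg.class_refs.append((f"policy-map {name}", m[1]))
        elif kind == "zone-pair" and (m := re.fullmatch(r"service-policy type inspect (\S+)", line)):
            cfg.zone_pairs[name] = m[1]
            cfg.policy_refs.append((f"zone-pair {name}", m[1]))
        elif kind == "interface" and (m := re.fullmatch(r"zone-member security (\S+)", line)):
            cfg.zone_refs.append((f"interface {name}", m[1]))
            cfg.interface_zones[name] = m[1]
    return cfg


def _unresolved(where, name, defined, what):
    """Finding text for a reference to an undefined object, or None if it resolves."""
    if name in defined:
        return None
    hint = next((f" (did you mean '{d}'? names are case-sensitive)"
                 for d in defined if d.lower() == name.lower()), "")
    return f"{where}: no {what} named '{name}'{hint}"


def lint_zbf(text: str) -> list:
    """Return findings; an empty list means all references resolve and every zone pair has a policy."""
    cfg = parse_zbf(text)
    findings = []
    for refs, defined, what in ((cfg.zone_refs, cfg.zones, "zone"),
                                (cfg.class_refs, cfg.class_maps, "class-map"),
                                (cfg.policy_refs, cfg.policy_maps, "policy-map")):
        for where, name in refs:
            if f := _unresolved(where, name, defined, what):
                findings.append(f)
    for zp, pmap in cfg.zone_pairs.items():
        if pmap is None:
            findings.append(f"zone-pair {zp}: no service-policy attached, traffic between its zones is dropped by default")
    for ifname, zone in cfg.interface_zones.items():
        if zone in cfg.zones and zone not in cfg.paired_zones:
            findings.append(f"interface {ifname}: zone '{zone}' is in no zone-pair, so transit traffic is dropped by default")
    return findings


if __name__ == "__main__":
    for finding in lint_zbf(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of show running-config captured from a device to audit a real configuration; on the consistent sample above it reports nothing, while lowercasing one zone name in a zone pair or pointing the interface at an unconfigured zone such as private produces one finding each, which is the kind of mistake that otherwise surfaces only as traffic silently dropped on the zone member.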