21-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Understanding the Zone-based Firewall Rules
Understanding the Relationship Between Services and Protocols in Zone-based Firewall Rules, page 21-10
General Recommendations for Zone-based Firewall Rules, page 21-11
Developing and Applying Zone-based Firewall Rules, page 21-12
The Self Zone
The router itself is defined as a separate security zone, with the fixed name Self, and since IOS firewalls support examination of traffic (TCP, UDP and H.323 only) that terminates or originates on the router (together known as “local” traffic), incoming and outgoing router traffic can be subject to rules in the same way as routed inter-zone traffic.
When an interface is assigned to a zone, the hosts connected to that interface are included in that zone. By default, traffic is allowed to flow between interfaces that are members of the same zone, while a default “deny-all” policy is applied to traffic moving between zones.
However, traffic flowing directly between other zones and the router’s IP interfaces (the Self zone) is implicitly allowed. This ensures that connectivity to the router’s management interfaces is maintained when a zone firewall configuration is applied to the router.
This also means that traffic flowing to and from the IP addresses of the router’s interfaces is not initially controlled by zone policies. If you wish to control traffic moving between the router interfaces and other zones, you must apply rules that block or allow this local traffic.
When configuring the rules for the Self zone, consider the following:
All IP addresses configured on the router belong to the Self zone, regardless of interface zone membership.
Traffic to and from the Self zone is unrestricted until you configure explicit rules to the contrary. That is, when you configure a zone-based firewall rule that includes the Self zone, traffic between the Self zone and the other zone is immediately restricted in both directions. For example, if you define a rule affecting traffic from the “Private” zone to the Self zone, the router cannot originate any traffic to the Private zone until you define one or more rules for Self to Private.
Traffic between the router itself and other zones that are not included in the Self-zone rules remains unaffected.
The Inspect action is not allowed in rules that apply to the Self zone.
When configuring restrictions on inbound Self-zone traffic, consider the necessary outbound traffic (including the routing and network management protocols). For example, if you restrict inbound traffic from a zone to the router itself, the routing protocols could stop working on all interfaces belonging to that zone.
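The following IOS CLI fragment is an added example, not configuration taken from this guide or generated by Security Manager. It shows what the considerations above look like once deployed: a Private-to-Self rule that passes only management and routing traffic, and the Self-to-Private rule that becomes necessary as soon as the first one exists. The zone name Private comes from the text; the interface name and the ACL, class-map, policy-map and zone-pair names are assumptions made for the example.

```cisco
! Added example (not from the Cisco Security Manager guide).
! Zone "Private" is from the text; GigabitEthernet0/1 and all object names below are assumed.
zone security Private
!
interface GigabitEthernet0/1
 zone-member security Private
!
! Private -> Self: admit only SSH, SNMP, OSPF and ICMP echo to the router's own addresses.
! OSPF is listed explicitly because restricting inbound Self-zone traffic without it
! would stop routing on every interface in the Private zone.
ip access-list extended PRIVATE-TO-SELF-ACL
 permit tcp any any eq 22
 permit udp any any eq 161
 permit ospf any any
 permit icmp any any echo
!
class-map type inspect match-all CM-PRIVATE-TO-SELF
 match access-group name PRIVATE-TO-SELF-ACL
!
! Inspect is not permitted for Self-zone rules, so the action is pass;
! everything else falls to class-default and is dropped and logged.
policy-map type inspect PM-PRIVATE-TO-SELF
 class type inspect CM-PRIVATE-TO-SELF
  pass
 class class-default
  drop log
!
zone-pair security ZP-PRIVATE-TO-SELF source Private destination self
 service-policy type inspect PM-PRIVATE-TO-SELF
!
! Self -> Private: defining the pair above restricts the reverse direction too, and
! "pass" keeps no state, so the router's replies and its own OSPF packets must be
! permitted explicitly or it cannot originate any traffic into Private.
ip access-list extended SELF-TO-PRIVATE-ACL
 permit tcp any eq 22 any
 permit udp any eq 161 any
 permit ospf any any
 permit icmp any any echo-reply
!
class-map type inspect match-all CM-SELF-TO-PRIVATE
 match access-group name SELF-TO-PRIVATE-ACL
!
policy-map type inspect PM-SELF-TO-PRIVATE
 class type inspect CM-SELF-TO-PRIVATE
  pass
 class class-default
  drop log
!
zone-pair security ZP-SELF-TO-PRIVATE source self destination Private
 service-policy type inspect PM-SELF-TO-PRIVATE
```

After deployment, `show zone-pair security` confirms both pairs are bound to their policies, and `show policy-map type inspect zone-pair` shows per-class pass and drop counters, which is the quickest way to see whether a routing or management protocol is being dropped by class-default. Zones with no Self-zone rule of their own are unaffected by these two pairs, exactly as the text describes.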
Related Topics
Understanding the Zone-based Firewall Rules, page 21-3
Using VPNs with Zone-based Firewall Policies
Recent enhancements to the IP Security (IPsec) VPN implementation simplify firewall policy
configuration for VPN connectivity. IPSec Virtual Tunnel Interface (VTI) and GRE+IPSec allow the
confinement of VPN site-to-site and client connections to a specific security zone by placing the tunnel