! Activate the securityk9 technology package on the c2900 before entering the
! zone/inspect commands that follow (presumably those commands depend on it).
R4(config)#license boot module c2900 technology-package securityk9 //answer yes, then save the config and reload
!Create the zones
R4(config)#zone security INSIDE
R4(config-sec-zone)#exit
R4(config)#zone security OUTSIDE
R4(config-sec-zone)#exit
!Assign interfaces to zones
! g0/0 and g0/1 both join OUTSIDE; g0/2 joins INSIDE.
! NOTE(review): the zone-pairs defined later only cover INSIDE<->OUTSIDE, so
! traffic between g0/0 and g0/1 (same zone) is not filtered by those policies.
! Confirm that both links are equally untrusted and that this is intended.
! NOTE(review): no other interfaces are shown; any interface left outside a zone
! should be checked, since zone members and non-members do not exchange transit traffic.
R4(config)#int g0/0
R4(config-if)#zone-member security OUTSIDE
R4(config-if)#int g0/1
R4(config-if)#zone-member security OUTSIDE
R4(config-if)#int g0/2
R4(config-if)#zone-member security INSIDE
//in-out//
! Policy for sessions initiated from INSIDE towards OUTSIDE.
! Declare the zone-pair; it is re-entered at the end of this section to attach the policy.
R4(config)#zone-pair security IN-OUT source INSIDE destination OUTSIDE
! ACL ZFW matches all IP traffic, so the class built on it covers every INSIDE->OUTSIDE flow.
! NOTE(review): any/any gives no egress filtering. If outbound traffic should be limited,
! narrow this ACL to the inside prefix and the services actually required.
R4(config)#ip access-list extended ZFW
R4(config-ext-nacl)#permit ip any any
! Traffic class: whatever ACL ZFW permits.
R4(config)#class-map type inspect IN-OUT-C
R4(config-cmap)#match access-group name ZFW
! Apply stateful inspection to that class, so replies to inside-initiated
! sessions are allowed back without an explicit OUT-IN rule.
R4(config)#policy-map type inspect IN-OUT-P
R4(config-pmap)#class type inspect IN-OUT-C
R4(config-pmap-c)#inspect
! Bind the policy to the INSIDE->OUTSIDE zone-pair.
R4(config)#zone-pair security IN-OUT source INSIDE destination OUTSIDE
R4(config-sec-zone-pair)#service-policy type inspect IN-OUT-P
//out-in//
! Policy for sessions initiated from OUTSIDE towards INSIDE.
! Declare the zone-pair; it is re-entered at the end of this section to attach the policy.
R4(config)#zone-pair security OUT-IN source OUTSIDE destination INSIDE
! match-any: a packet belongs to the class if it matches any one of the listed protocols.
! NOTE(review): the class matches on protocol only, with no destination restriction, so
! every INSIDE host is reachable from OUTSIDE on these six services. If only specific
! servers should be exposed, add an ACL naming them and require both the ACL and the
! protocol to match (a match-all class that nests this one).
! NOTE(review): ftp, pop3 and http carry data in cleartext; confirm each still needs
! to be reachable from the untrusted side.
R4(config)#class-map type inspect match-any OUT-IN-C
R4(config-cmap)#match protocol dns
R4(config-cmap)#match protocol ntp
R4(config-cmap)#match protocol smtp
R4(config-cmap)#match protocol pop3
R4(config-cmap)#match protocol ftp
R4(config-cmap)#match protocol http
! Inspect the listed protocols and drop everything else arriving from OUTSIDE.
R4(config)#policy-map type inspect OUT-IN-P
! NOTE(review): this line uses "class" without "type inspect", unlike the
! "class type inspect IN-OUT-C" line in IN-OUT-P; verify the router accepts it as typed.
R4(config-pmap)#class OUT-IN-C
R4(config-pmap-c)#inspect
! Explicit default: traffic that matches none of the protocols above is dropped.
! NOTE(review): "drop log" here would record the denied attempts for monitoring.
R4(config-pmap-c)#class class-default
R4(config-pmap-c)#drop
! Bind the policy to the OUTSIDE->INSIDE zone-pair.
! NOTE(review): neither zone-pair shown covers traffic addressed to the router itself
! (the self zone); management-plane access needs its own policy or ACLs.
R4(config)#zone-pair security OUT-IN source OUTSIDE destination INSIDE
R4(config-sec-zone-pair)#service-policy type inspect OUT-IN-P
https://byeong9935.tistory.com/3