Yes, it seems to be correct logic, but there is a catch.
Our configuration guides do not state it explicitly, but zone pairs are always uni-directional. If you check the Fundamentals Configuration Guide for your router, you will see in the "Security zone configuration example" there is one feature called ASPF. It is not very obvious at first glance why it is there in the zone pair configuration, so let me try to explain.
If you create just one zone-pair with source 'trust' and destination 'untrust' having an ACL applied, this will regulate ONLY traffic from 'trust' to 'untrust' zone, but not the one from 'untrust' to 'trust'. So if you ping a server on the Internet ('untrust') from a PC in the 'trust' zone, then ICMP requests will be allowed (trust->untrust), but replies will be blocked, as the 'untrust'->'trust' policy is not defined and the traffic is discarded. Of course we can configure an untrust->trust zone pair, but for many applications having two zone-pair configs between each pair of zones in order to regulate traffic in both directions is an awkward solution. Here comes ASPF, which is basically a stateful packet inspection and connection tracking mechanism. (FYI: there is a predefined ASPF policy '1' that inspects FTP packets and packets of all transport layer protocols, but it does not perform the ICMP error message check or the TCP SYN packet check; you can create more specific policies if you wish.)
So instead of having two zone-pairs - trust->untrust and untrust->trust - you can have only trust->untrust with ASPF applied. Of course you still need a permissive ACL as well, because ASPF just tracks connections, but does not deny or permit traffic. So, how it works: all outgoing packets from 'trust' to 'untrust' will be allowed by the ACL AND inspected by ASPF. ASPF will create state records for each allowed connection in the connection tracking database, and when a host on the 'untrust' side replies, this traffic will be allowed into the 'trust' zone, because the firewall already knows it is just a reply to traffic initiated (and allowed) from the 'trust' zone. This is why in the configuration examples you have ASPF.
However, if you want to be able to initiate traffic from 'untrust' to the 'trust' zone, e.g. to have management access from the Internet to the router, then you will need to create a zone pair with source 'untrust' and destination 'trust' and apply an ACL that will allow SSH/Telnet/HTTPS.
Summarizing:
So, to enable the zone firewall I need to do the following:
Add interface GigabitEthernet0/0 (WAN) to the untrust zone
YES
Add interface Vlan-interface1 (LAN) to the trust zone
CORRECT
Add a zone pair to allow traffic between the two
Sure, but it is more like this:
- Option A. You need to block all incoming traffic from 'untrust' to 'trust' if it is not a response to traffic initiated previously from the 'trust' zone. In this case create 'zone-pair security source trust destination untrust', assign to it an ACL with 'rule permit ip' and assign the ASPF policy with 'aspf apply policy 1'. If you want a custom policy, create it and then apply it instead of '1'.
- Option B. You need to block all incoming traffic from 'untrust' to 'trust' if it is not a response to traffic initiated previously from the 'trust' zone, but there is one exception - incoming SSH/Telnet traffic must be allowed.
- Step 1. In this case create 'zone-pair security source trust destination untrust', assign to it an ACL with 'rule permit ip' and assign the ASPF policy with 'aspf apply policy 1'. If you want a custom policy, create it and then apply it instead of '1'.
- Step 2. Create 'zone-pair security source untrust destination trust' and assign an ACL to the zone-pair that explicitly permits the desired management protocol(s).
Hope this helps!
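As an added example (not part of the original post and not taken from HPE/H3C documentation), here are Option A and Option B from the summary above written out as one configuration. It assumes Comware v7 command syntax (`security-zone` / `import interface`, `acl advanced`, `packet-filter` under the zone pair), which is an assumption to verify against your release; the zone names follow the post, while ACL numbers 3000/3001 and the management host 203.0.113.10 are constructed for the example. Lines beginning with '#' are annotations.

```comware
# Added example, assumed Comware v7 syntax (not the post's or vendor's own text).
system-view
#
# Zone membership: WAN interface into 'untrust', LAN VLAN interface into 'trust'.
security-zone name untrust
 import interface GigabitEthernet0/0
 quit
security-zone name trust
 import interface Vlan-interface1
 quit
#
# ACL 3000 (constructed number): permit everything. Used only on the
# trust->untrust pair; ASPF, not the ACL, is what keeps return traffic working.
acl advanced 3000
 rule 0 permit ip
 quit
#
# ACL 3001 (constructed number): the Option B management exception.
# 203.0.113.10 is a constructed documentation address standing in for the
# admin host; restricting the source is what keeps the exception narrow.
# The final explicit deny makes the drop behaviour independent of the
# packet-filter default action on a given release.
acl advanced 3001
 rule 0 permit tcp source 203.0.113.10 0 destination-port eq 22
 rule 5 permit tcp source 203.0.113.10 0 destination-port eq 23
 rule 10 deny ip
 quit
#
# Option A: a single trust->untrust pair with a permissive ACL plus ASPF.
# ASPF records each outbound connection, so replies from 'untrust' are admitted
# without an untrust->trust pair. Policy '1' is the predefined one from the post;
# a custom 'aspf policy <n>' could be applied here instead.
zone-pair security source trust destination untrust
 packet-filter 3000
 aspf apply policy 1
 quit
#
# Option B: keep the pair above and add the reverse pair, limited to ACL 3001.
# Anything from 'untrust' that is neither tracked by ASPF nor matched by
# rules 0/5 is dropped.
zone-pair security source untrust destination trust
 packet-filter 3001
 quit
```

Apply only the first zone pair (and ACL 3000) for Option A; ACL 3001 and the second pair belong to Option B. One caveat to check before relying on this for management access: on releases that implement a Local security zone for traffic terminating on the device itself, an SSH session to the router's own address may be evaluated against an untrust->Local pair rather than untrust->trust, so confirm the zone model in the Security Configuration Guide for your release and test with a ping from the LAN and an SSH attempt from the admin host before closing the change window.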