RE: zone based firewall

From: Tony Schaffran (GS) <groupstudy_at_cconlinelabs.com>
Date: Wed, 26 Aug 2009 07:08:48 -0700

You asked about allowing Internet traffic inbound without initiating traffic
from the inside.

You need to create a policy just as you did with inside to internet, just
with the specific traffic you want to allow inbound.

Zone-based firewalling is really pretty simple once you get it working and
understand how it works.

Tony Schaffran

Sr. Network Consultant

CCIE #11071

CCNP, CCNA, CCDA,

NNCDS, NNCSS, CNE, MCSE

cconlinelabs.com

Your #1 choice for online Cisco rack rentals.

From: Fake Name [mailto:fname84_at_gmail.com]
Sent: Wednesday, August 26, 2009 6:46 AM
To: groupstudy_at_cconlinelabs.com
Cc: Cisco certification
Subject: Re: zone based firewall

So you mean like this?

class-map type inspect match-any inspecttraffic
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect inspect-private-to-internet
 class type inspect inspecttraffic
  inspect

policy-map type inspect inspect-private-to-dmz
 class type inspect inspecttraffic
  inspect

policy-map type inspect inspect-dmz-to-internet
 class type inspect inspecttraffic
  inspect
 class class-default
  drop

zone security private
zone security internet
zone security dmz
zone-pair security private-internet source private destination internet
 service-policy type inspect inspect-private-to-internet
zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspect-private-to-dmz
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspect-dmz-to-internet

On Wed, Aug 26, 2009 at 9:38 AM, Tony Schaffran (GS) <groupstudy_at_cconlinelabs.com> wrote:

You need to set up a separate policy for inbound traffic from the internet
and then configure your zone-pair from internet to dmz and internet to
inside as well if you want traffic to be allowed from the internet.

Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE

cconlinelabs.com <http://cconlinelabs.com/>
Your #1 choice for online Cisco rack rentals.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Fake Name
Sent: Tuesday, August 25, 2009 8:53 PM
To: Cisco certification
Subject: zone based firewall

I have done the following configuration for the zone based firewall for 3
interfaces: a private, dmz, and internet interface. I am seeking that the
private interface can talk through the dmz and internet interface and
traffic be inspected. The dmz interface can talk through the internet
interface and traffic be inspected. If a host from the dmz interface needs
to reach a host on the inside interface without any initiating traffic
coming from the inside there must be an ACL statement. If a host from the
outside interface needs to reach a host on the inside interface or dmz
interface without any initiating traffic coming from the inside there must
be an ACL statement.

Can anyone spot my configuration mistake?

class-map type inspect match-any inspecttraffic
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ssh
 match protocol ftp
 match protocol imap
 match protocol http
 match protocol https
 match protocol dns

policy-map type inspect inspecttrafficpolicy
 class type inspect inspecttraffic
  inspect

zone security private
zone security internet
zone security dmz

zone-pair security private-internet source private destination internet
 service-policy type inspect inspecttrafficpolicy

zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspecttrafficpolicy

zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspecttrafficpolicy

!
interface FastEthernet0/0
 zone-member internet
!
interface FastEthernet0/1
 zone-member private

interface Vlan150
 zone-member dmz
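The missing piece that both Tony's replies and the original question circle around is a zone-pair in the internet-to-dmz direction with its own inbound policy. The IOS configuration below is an added example, not from any message in this thread, showing what such a policy looks like when the "ACL statement" the original poster mentions is used to restrict Internet-initiated traffic to one DMZ web server. The server address 192.0.2.10, the object names, and the assumption that no NAT sits between the zones are all hypothetical.

```cisco
! Added example, not part of the thread. Hypothetical values: 192.0.2.10 is
! the DMZ web server and no NAT is applied between the internet and dmz zones.
!
! 1. The ACL that narrows inbound traffic to one host and two TCP ports.
ip access-list extended DMZ-WEB-INBOUND
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
!
! 2. match-all: a packet must hit the ACL AND be TCP to land in this class.
!    (match-any, as used for the outbound class-map in the thread, would admit
!    anything that matched either line, which is far too broad for inbound.)
class-map type inspect match-all INTERNET-TO-DMZ-WEB
 match access-group name DMZ-WEB-INBOUND
 match protocol tcp
!
! 3. A policy dedicated to the inbound direction. "inspect" creates a session
!    entry, so the server's replies return through the dmz -> internet path
!    without needing a matching class in the dmz-to-internet policy.
!    class-default on a zone-pair policy drops anyway; "drop log" makes refused
!    connection attempts visible in the log.
policy-map type inspect INSPECT-INTERNET-TO-DMZ
 class type inspect INTERNET-TO-DMZ-WEB
  inspect
 class class-default
  drop log
!
! 4. The zone-pair the original configuration lacks. Without it the default
!    inter-zone policy (drop) applies to every Internet-initiated flow.
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect INSPECT-INTERNET-TO-DMZ
```

The same pattern covers the dmz-to-private case in the original question: a dmz-private zone-pair whose class-map pairs an ACL naming the specific inside host and port with `match protocol tcp` (or a specific application protocol). After applying the configuration, `show zone-pair security` confirms the new pair is bound to its policy, and `show policy-map type inspect zone-pair internet-dmz sessions` lists the sessions the inspect action has created, which is the quickest way to tell an ACL mismatch from a missing zone-pair.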

Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
Received on Wed Aug 26 2009 - 07:08:48 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART