RE: zone based firewall

From: Tony Schaffran (GS) <groupstudy_at_cconlinelabs.com>
Date: Wed, 26 Aug 2009 07:11:05 -0700

Here is a link that explains everything you are trying to accomplish.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE

cconlinelabs.com
Your #1 choice for online Cisco rack rentals.


-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Fake Name
Sent: Wednesday, August 26, 2009 7:06 AM
To: groupstudy_at_cconlinelabs.com
Cc: Cisco certification
Subject: Re: zone based firewall

Hmm, tried that and it still does not work...

Are there any good show commands that can be used to figure out what's
happening? All I know is show zone security, and it shows all the interfaces
are in the proper zones.

On Wed, Aug 26, 2009 at 9:46 AM, Fake Name <fname84_at_gmail.com> wrote:

> so you mean like this?
>
> ! one class-map shared by all three policies
> class-map type inspect match-any inspecttraffic
>  match protocol tcp
>  match protocol udp
>  match protocol icmp
> !
> ! one policy per direction, each doing stateful inspection
> policy-map type inspect inspect-private-to-internet
>  class type inspect inspecttraffic
>   inspect
> !
> policy-map type inspect inspect-private-to-dmz
>  class type inspect inspecttraffic
>   inspect
> !
> policy-map type inspect inspect-dmz-to-internet
>  class type inspect inspecttraffic
>   inspect
>  class class-default
>   drop
> !
> zone security private
> zone security internet
> zone security dmz
> !
> ! zone-pairs exist only for these three directions
> zone-pair security private-internet source private destination internet
>  service-policy type inspect inspect-private-to-internet
> zone-pair security private-dmz source private destination dmz
>  service-policy type inspect inspect-private-to-dmz
> zone-pair security dmz-internet source dmz destination internet
>  service-policy type inspect inspect-dmz-to-internet
>
> On Wed, Aug 26, 2009 at 9:38 AM, Tony Schaffran (GS) <
> groupstudy_at_cconlinelabs.com> wrote:
>
>> You need to set up a separate policy for inbound traffic from the internet
>> and then configure your zone-pairs from internet to dmz and internet to
>> inside as well if you want traffic to be allowed from the internet.
>>
>> Tony Schaffran
>> Sr. Network Consultant
>> CCIE #11071
>> CCNP, CCNA, CCDA,
>> NNCDS, NNCSS, CNE, MCSE
>>
>> cconlinelabs.com
>> Your #1 choice for online Cisco rack rentals.
>>
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Fake Name
>> Sent: Tuesday, August 25, 2009 8:53 PM
>> To: Cisco certification
>> Subject: zone based firewall
>>
>> I have done the following configuration for the zone based firewall for 3
>> interfaces: a private, dmz, and internet interface. I want the private
>> interface to be able to talk through the dmz and internet interfaces, with
>> the traffic inspected, and the dmz interface to be able to talk through the
>> internet interface, with the traffic inspected. If a host on the dmz
>> interface needs to reach a host on the inside interface without any
>> initiating traffic coming from the inside, there must be an acl statement.
>> If a host on the outside interface needs to reach a host on the inside
>> interface or dmz interface without any initiating traffic coming from the
>> inside, there must be an acl statement.
>>
>> Can anyone spot my configuration mistake?
>>
>> ! match-any: a packet matching any one of these protocols is classified
>> class-map type inspect match-any inspecttraffic
>>  match protocol tcp
>>  match protocol udp
>>  match protocol icmp
>>  match protocol ssh
>>  match protocol ftp
>>  match protocol imap
>>  match protocol http
>>  match protocol https
>>  match protocol dns
>> !
>> policy-map type inspect inspecttrafficpolicy
>>  class type inspect inspecttraffic
>>   inspect
>> !
>> zone security private
>> zone security internet
>> zone security dmz
>> !
>> zone-pair security private-internet source private destination internet
>>  service-policy type inspect inspecttrafficpolicy
>> !
>> zone-pair security private-dmz source private destination dmz
>>  service-policy type inspect inspecttrafficpolicy
>> !
>> zone-pair security dmz-internet source dmz destination internet
>>  service-policy type inspect inspecttrafficpolicy
>> !
>> ! an interface joins a zone with "zone-member security <zone>"
>> interface FastEthernet0/0
>>  zone-member security internet
>> !
>> interface FastEthernet0/1
>>  zone-member security private
>> !
>> interface Vlan150
>>  zone-member security dmz
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
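Added example, not taken from any of the posts above: one way to write out what Tony describes, a separate inbound policy with its own zone-pairs from internet to dmz, internet to private, and dmz to private, where an ACL names exactly the hosts that may be reached without a session first being opened from the inside. The zone names are the ones used in the thread; the ACL names, the class-map and policy-map names, and the addresses and ports are made up for the illustration (RFC 5737 documentation ranges), and the three outbound zone-pairs from the original config are assumed to stay in place unchanged.

```cisco
! Added example (assumed hosts, ports and names; not from the thread).
!
! Only the hosts and ports named here are reachable for sessions that
! start on the internet or dmz side; everything else from that direction
! is dropped by the policy below.
ip access-list extended INTERNET-TO-DMZ-ACL
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.20 eq 25
!
ip access-list extended INTERNET-TO-PRIVATE-ACL
 permit tcp host 198.51.100.5 host 10.0.0.10 eq 22
!
ip access-list extended DMZ-TO-PRIVATE-ACL
 permit tcp host 192.0.2.20 host 10.0.0.20 eq 1433
!
! match-all: a packet is classified only if the ACL permits it AND it is
! TCP, so the ACL never opens anything beyond what it names.
class-map type inspect match-all INTERNET-TO-DMZ-CLASS
 match access-group name INTERNET-TO-DMZ-ACL
 match protocol tcp
class-map type inspect match-all INTERNET-TO-PRIVATE-CLASS
 match access-group name INTERNET-TO-PRIVATE-ACL
 match protocol tcp
class-map type inspect match-all DMZ-TO-PRIVATE-CLASS
 match access-group name DMZ-TO-PRIVATE-ACL
 match protocol tcp
!
! One policy per inbound direction. "drop log" on class-default makes the
! unexpected drops visible in the log while troubleshooting.
policy-map type inspect INTERNET-TO-DMZ-POLICY
 class type inspect INTERNET-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect INTERNET-TO-PRIVATE-POLICY
 class type inspect INTERNET-TO-PRIVATE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect DMZ-TO-PRIVATE-POLICY
 class type inspect DMZ-TO-PRIVATE-CLASS
  inspect
 class class-default
  drop log
!
! The three zone-pairs the original config did not have. Without a
! zone-pair for a direction, ZBF drops all traffic in that direction.
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect INTERNET-TO-DMZ-POLICY
zone-pair security internet-private source internet destination private
 service-policy type inspect INTERNET-TO-PRIVATE-POLICY
zone-pair security dmz-private source dmz destination private
 service-policy type inspect DMZ-TO-PRIVATE-POLICY
end
!
! Verification from exec mode: which zone-pairs exist and which policy each
! carries, then per-class hit and drop counters for one pair, then the
! sessions currently open through it.
show zone-pair security
show policy-map type inspect zone-pair internet-dmz
show policy-map type inspect zone-pair internet-dmz sessions
```

Because ZBF inspection is stateful, replies to sessions opened from private or dmz are already allowed by the existing outbound zone-pairs; the three pairs above only matter for sessions initiated from the internet or dmz side. For the show commands question in the thread, show policy-map type inspect zone-pair without the sessions keyword is the useful one: it prints per-class packet counters for every zone-pair, so a connection that is being refused shows up as a climbing counter on class-default of whichever pair it actually lands in, which also reveals when the traffic is hitting a different pair than expected. If the dmz hosts sit behind NAT, traffic arriving from the internet is translated before the inspect policy is applied, so the inbound class-map ACL must name the inside (translated) address rather than the public one.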

Received on Wed Aug 26 2009 - 07:11:05 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART