Ah, I'm sorry, I must have misspoken. I want to deny traffic coming in from
the internet zone that was not initiated from the inside zone, unless there is
an ACL entry for it. With the current config, traffic is not able to pass
from the private zone to the internet zone and be allowed back, so I am just
trying to figure out what I did wrong.
On Wed, Aug 26, 2009 at 10:08 AM, Tony Schaffran (GS) <
groupstudy_at_cconlinelabs.com> wrote:
> You asked about allowing Internet traffic inbound without initiating
> traffic from the inside.
>
> You need to create a policy just as you did with inside to internet, just
> with the specific traffic you want to allow inbound.
>
> Zone-based firewalling is really pretty simple once you get it working and
> understand how it works.
>
> Tony Schaffran
> Sr. Network Consultant
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> *From:* Fake Name [mailto:fname84_at_gmail.com]
> *Sent:* Wednesday, August 26, 2009 6:46 AM
> *To:* groupstudy_at_cconlinelabs.com
> *Cc:* Cisco certification
> *Subject:* Re: zone based firewall
>
> so you mean like this?
>
> class-map type inspect match-any inspecttraffic
>  match protocol tcp
>  match protocol udp
>  match protocol icmp
> !
> policy-map type inspect inspect-private-to-internet
>  class type inspect inspecttraffic
>   inspect
> !
> policy-map type inspect inspect-private-to-dmz
>  class type inspect inspecttraffic
>   inspect
> !
> policy-map type inspect inspect-dmz-to-internet
>  class type inspect inspecttraffic
>   inspect
>  class class-default
>   drop
> !
> zone security private
> zone security internet
> zone security dmz
> !
> zone-pair security private-internet source private destination internet
>  service-policy type inspect inspect-private-to-internet
> zone-pair security private-dmz source private destination dmz
>  service-policy type inspect inspect-private-to-dmz
> zone-pair security dmz-internet source dmz destination internet
>  service-policy type inspect inspect-dmz-to-internet
>
> On Wed, Aug 26, 2009 at 9:38 AM, Tony Schaffran (GS) <
> groupstudy_at_cconlinelabs.com> wrote:
>
> You need to setup a separate policy for inbound traffic from the internet
> and then configure your zone-pair from internet to dmz and internet to
> inside as well if you want traffic to be allowed from the internet.
>
> Tony Schaffran
> Sr. Network Consultant
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Fake
> Name
> Sent: Tuesday, August 25, 2009 8:53 PM
> To: Cisco certification
> Subject: zone based firewall
>
> I have done the following configuration for the zone based firewall for 3
> interfaces. A private, dmz, and internet interface. I am seeking that the
> private interface can talk through the dmz and internet interface and
> traffic be inspected. The dmz interface can talk through the internet
> interface and traffic be inspected. If a host from the dmz interface needs
> to reach a host on the inside interface without any initiating traffic
> coming from the inside there must be an acl statement. If a host from the
> outside interface needs to reach a host on the inside interface or dmz
> interface without any initiating traffic coming from the inside there must
> be an acl statement.
>
> Can anyone spot my configuration mistake?
>
> class-map type inspect match-any inspecttraffic
>  match protocol tcp
>  match protocol udp
>  match protocol icmp
>  match protocol ssh
>  match protocol ftp
>  match protocol imap
>  match protocol http
>  match protocol https
>  match protocol dns
> !
> policy-map type inspect inspecttrafficpolicy
>  class type inspect inspecttraffic
>   inspect
> !
> zone security private
> zone security internet
> zone security dmz
> !
> zone-pair security private-internet source private destination internet
>  service-policy type inspect inspecttrafficpolicy
> !
> zone-pair security private-dmz source private destination dmz
>  service-policy type inspect inspecttrafficpolicy
> !
> zone-pair security dmz-internet source dmz destination internet
>  service-policy type inspect inspecttrafficpolicy
> !
> interface FastEthernet0/0
>  zone-member security internet
> !
> interface FastEthernet0/1
>  zone-member security private
> !
> interface Vlan150
>  zone-member security dmz
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Wed Aug 26 2009 - 10:13:00 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
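A complete zone-based firewall configuration that does what the thread is asking for: sessions opened from private and dmz are inspected, so their replies come back through the session table with no ACL, and the only inbound direction opened from the internet is internet to dmz, limited by an ACL to one web server. This is an added example, not the original poster's or Tony's configuration. The interface names are taken from the thread; the class-map, policy-map and ACL names and the DMZ server address 192.0.2.10 are assumptions for illustration, and no NAT is configured.

```cisco
! --- Zones and interface membership (interface names from the thread) ---
zone security private
zone security dmz
zone security internet
!
interface FastEthernet0/0
 description Internet
 zone-member security internet
!
interface FastEthernet0/1
 description Private LAN
 zone-member security private
!
interface Vlan150
 description DMZ
 zone-member security dmz
!
! --- Outbound policy: inspect sessions opened from private/dmz. ---
! Return traffic is matched against the session table, so it needs no ACL.
! Listing http, dns, ... as well only matters if you want their application
! inspection; plain tcp/udp/icmp already covers the return traffic.
class-map type inspect match-any CM-OUTBOUND
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-OUTBOUND
 class type inspect CM-OUTBOUND
  inspect
 class class-default
  drop log
!
zone-pair security private-internet source private destination internet
 service-policy type inspect PM-OUTBOUND
zone-pair security private-dmz source private destination dmz
 service-policy type inspect PM-OUTBOUND
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect PM-OUTBOUND
!
! --- Inbound policy: the only direction opened from the internet. ---
! 192.0.2.10 is an assumed DMZ web server address (no NAT in this example).
ip access-list extended ACL-INET-TO-DMZ
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.10 eq 443
!
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
!
! match-all: a packet must hit the ACL AND be http/https to be inspected
class-map type inspect match-all CM-INET-TO-DMZ
 match access-group name ACL-INET-TO-DMZ
 match class-map CM-WEB
!
policy-map type inspect PM-INET-TO-DMZ
 class type inspect CM-INET-TO-DMZ
  inspect
 class class-default
  drop log
!
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect PM-INET-TO-DMZ
!
! Deliberately absent: zone-pairs internet->private and dmz->private.
! With no zone-pair defined, traffic in that direction between two zones is
! dropped. To let an outside or DMZ host reach something inside, add a pair
! with an ACL-based class like CM-INET-TO-DMZ that permits only that host/port.
```

Two things worth checking after applying this: `show zone-pair security` should list exactly the four pairs above, and `show policy-map type inspect zone-pair sessions` should show the sessions from private to internet with their return packet counters incrementing, which is the direct test for the "not allowed back" symptom in the thread. Two caveats: traffic to and from the router itself (the self zone) is not governed by these pairs, and if the DMZ server is later placed behind NAT, confirm which address (real or translated) the inbound class-map has to match before trusting ACL-INET-TO-DMZ.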