show policy-map type inspect zone-pair
Warmest Regards,
Anthony J. Sequeira, CCIE #15626
http://www.INE.com
Test your Core Knowledge today!
Q: What authentication option may be used with EIGRP?
A: MD5
More Info: http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1ceigrp.html#wp4759
On Aug 26, 2009, at 10:06 AM, Fake Name wrote:
> hmm tried that and still does not work...
>
> Are there any good show commands that can be used to figure out what's
> happening? All I know is show zone security and it shows all the
> interfaces are in proper zones.
>
> On Wed, Aug 26, 2009 at 9:46 AM, Fake Name <fname84_at_gmail.com> wrote:
>
>> so you mean like this?
>>
>> class-map type inspect match-any inspecttraffic
>>  match protocol tcp
>>  match protocol udp
>>  match protocol icmp
>> !
>> policy-map type inspect inspect-private-to-internet
>>  class type inspect inspecttraffic
>>   inspect
>> policy-map type inspect inspect-private-to-dmz
>>  class type inspect inspecttraffic
>>   inspect
>> policy-map type inspect inspect-dmz-to-internet
>>  class type inspect inspecttraffic
>>   inspect
>>  class class-default
>>   drop
>> !
>> zone security private
>> zone security internet
>> zone security dmz
>> !
>> zone-pair security private-internet source private destination internet
>>  service-policy type inspect inspect-private-to-internet
>> zone-pair security private-dmz source private destination dmz
>>  service-policy type inspect inspect-private-to-dmz
>> zone-pair security dmz-internet source dmz destination internet
>>  service-policy type inspect inspect-dmz-to-internet
>>
>> On Wed, Aug 26, 2009 at 9:38 AM, Tony Schaffran (GS) <groupstudy_at_cconlinelabs.com> wrote:
>>
>>> You need to setup a separate policy for inbound traffic from the internet
>>> and then configure your zone-pair from internet to dmz and internet to
>>> inside as well if you want traffic to be allowed from the internet.
>>>
>>> Tony Schaffran
>>> Sr. Network Consultant
>>> CCIE #11071
>>> CCNP, CCNA, CCDA,
>>> NNCDS, NNCSS, CNE, MCSE
>>>
>>> cconlinelabs.com
>>> Your #1 choice for online Cisco rack rentals.
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Fake Name
>>> Sent: Tuesday, August 25, 2009 8:53 PM
>>> To: Cisco certification
>>> Subject: zone based firewall
>>>
>>> I have done the following configuration for the zone based firewall for 3
>>> interfaces. A private, dmz, and internet interface. I am seeking that the
>>> private interface can talk through the dmz and internet interface and
>>> traffic be inspected. The dmz interface can talk through the internet
>>> interface and traffic be inspected. If a host from the dmz interface needs
>>> to reach a host on the inside interface without any initiating traffic
>>> coming from the inside there must be an acl statement. If a host from the
>>> outside interface needs to reach a host on the inside interface or dmz
>>> interface without any initiating traffic coming from the inside there must
>>> be an acl statement.
>>>
>>> Can anyone spot my configuration mistake?
>>>
>>> class-map type inspect match-any inspecttraffic
>>>  match protocol tcp
>>>  match protocol udp
>>>  match protocol icmp
>>>  match protocol ssh
>>>  match protocol ftp
>>>  match protocol imap
>>>  match protocol http
>>>  match protocol https
>>>  match protocol dns
>>> !
>>> policy-map type inspect inspecttrafficpolicy
>>>  class type inspect inspecttraffic
>>>   inspect
>>> !
>>> zone security private
>>> zone security internet
>>> zone security dmz
>>> !
>>> zone-pair security private-internet source private destination internet
>>>  service-policy type inspect inspecttrafficpolicy
>>> !
>>> zone-pair security private-dmz source private destination dmz
>>>  service-policy type inspect inspecttrafficpolicy
>>> !
>>> zone-pair security dmz-internet source dmz destination internet
>>>  service-policy type inspect inspecttrafficpolicy
>>> !
>>> interface FastEthernet0/0
>>>  zone-member security internet
>>> !
>>> interface FastEthernet0/1
>>>  zone-member security private
>>> !
>>> int vlan 150
>>>  zone-member security dmz
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
Received on Wed Aug 26 2009 - 10:14:43 ART
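Tony's advice above (a separate inbound policy plus internet-to-dmz and internet-to-private zone-pairs) worked through on the poster's zone names as an added example; this is not the poster's or Tony's configuration, and the ACL names, policy names and addresses are constructed placeholders.

```cisco
! Added example (constructed): the inbound direction for zones
! private, dmz and internet. Addresses are documentation/RFC1918
! placeholders, not real hosts.
!
! 1. ACLs name the only internet-initiated flows that may enter.
ip access-list extended INET-TO-DMZ-WEB
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.10 eq 443
!
ip access-list extended INET-TO-PRIVATE-SSH
 permit tcp host 198.51.100.7 host 10.10.10.5 eq 22
!
! 2. match-all classes: a packet must hit the ACL AND be TCP.
class-map type inspect match-all INET-TO-DMZ-CLASS
 match access-group name INET-TO-DMZ-WEB
 match protocol tcp
!
class-map type inspect match-all INET-TO-PRIVATE-CLASS
 match access-group name INET-TO-PRIVATE-SSH
 match protocol tcp
!
! 3. Separate inbound policies. class-default already drops
!    implicitly; "drop log" makes the drops visible.
policy-map type inspect INET-TO-DMZ-POLICY
 class type inspect INET-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
!
policy-map type inspect INET-TO-PRIVATE-POLICY
 class type inspect INET-TO-PRIVATE-CLASS
  inspect
 class class-default
  drop log
!
! 4. The zone-pairs the original config lacks. Without a pair for
!    a direction, traffic initiated in that direction is dropped;
!    the existing private->internet and dmz->internet pairs only
!    admit return traffic for sessions the inside started.
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect INET-TO-DMZ-POLICY
zone-pair security internet-private source internet destination private
 service-policy type inspect INET-TO-PRIVATE-POLICY
```

Verify with the command Anthony suggests, show policy-map type inspect zone-pair, which lists each zone-pair with its policy, classes and session/drop counters; a direction that never appears there has no zone-pair and is being dropped by the default inter-zone policy.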