RE: [Junk released by Allow List] Re: zone based firewall

From: Tony Schaffran (GS) <groupstudy_at_cconlinelabs.com>
Date: Thu, 27 Aug 2009 06:48:36 -0700

Your zone config looks good.


I saw in your previous configs that you had some nat and other things going
on that may be interfering with your results.


You may want to try to simplify to see what is causing your issue.


Tony Schaffran

Sr. Network Consultant

CCIE #11071

CCNP, CCNA, CCDA,

NNCDS, NNCSS, CNE, MCSE


cconlinelabs.com

Your #1 choice for online Cisco rack rentals.


From: Fake Name [mailto:fname84_at_gmail.com]
Sent: Thursday, August 27, 2009 6:45 AM
To: Anthony Sequeira
Cc: groupstudy_at_cconlinelabs.com; Cisco certification
Subject: [Junk released by Allow List] Re: zone based firewall


Hm, that's really odd. With the current config it does not show the counters
going up from the private to internet zones when I do a constant ping to
4.2.2.2 from the inside. I am baffled why it does not catch the traffic, but
when I do a show zone security it shows the interfaces in the proper zones.
I have rewritten my zbf config to further break everything out and it is
still not working.


class-map type inspect match-any inspecttraffic-dmz2internet
 match protocol tcp
 match protocol udp
 match protocol icmp

class-map type inspect match-any inspecttraffic-private2internet
 match protocol tcp
 match protocol udp
 match protocol icmp

class-map type inspect match-any inspecttraffic-private2dmz
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect inspect-dmz-to-internet
 class type inspect inspecttraffic-dmz2internet
  inspect
 class class-default
  drop
policy-map type inspect inspect-private-to-internet
 class type inspect inspecttraffic-private2internet
  inspect
 class class-default
  drop
policy-map type inspect inspect-private-to-dmz
 class type inspect inspecttraffic-private2dmz
  inspect
 class class-default
  drop
!
zone security private
zone security internet
zone security dmz
zone-pair security private-internet source private destination internet
 service-policy type inspect inspect-private-to-internet
zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspect-private-to-dmz
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspect-dmz-to-internet

!
interface FastEthernet0/0
 zone-member security internet
!
interface FastEthernet0/1
 zone-member security private

int vlan 150
 zone-member security dmz

On Wed, Aug 26, 2009 at 10:14 AM, Anthony Sequeira <asequeira_at_ine.com> wrote:

show policy-map type inspect zone-pair

Warmest Regards,

Anthony J. Sequeira, CCIE #15626
http://www.INE.com

Test your Core Knowledge today!
Q: What authentication option may be used with EIGRP?
A: MD5
More Info:
http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1ceigrp.html#wp4759

On Aug 26, 2009, at 10:06 AM, Fake Name wrote:

Hmm, tried that and still does not work...

Are there any good show commands that can be used to figure out what's
happening? All I know is show zone security, and it shows all the interfaces
are in the proper zones.

On Wed, Aug 26, 2009 at 9:46 AM, Fake Name <fname84_at_gmail.com> wrote:

so you mean like this?

class-map type inspect match-any inspecttraffic
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect inspect-private-to-internet
 class type inspect inspecttraffic
  inspect
policy-map type inspect inspect-private-to-dmz
 class type inspect inspecttraffic
  inspect
policy-map type inspect inspect-dmz-to-internet
 class type inspect inspecttraffic
  inspect
 class class-default
  drop
!
zone security private
zone security internet
zone security dmz
zone-pair security private-internet source private destination internet
 service-policy type inspect inspect-private-to-internet
zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspect-private-to-dmz
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspect-dmz-to-internet

On Wed, Aug 26, 2009 at 9:38 AM, Tony Schaffran (GS) <groupstudy_at_cconlinelabs.com> wrote:

You need to set up a separate policy for inbound traffic from the internet
and then configure your zone-pair from internet to dmz and internet to
inside as well if you want traffic to be allowed from the internet.


-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Fake Name
Sent: Tuesday, August 25, 2009 8:53 PM
To: Cisco certification
Subject: zone based firewall

I have done the following configuration for the zone based firewall for 3
interfaces: a private, dmz, and internet interface. I am seeking that the
private interface can talk through the dmz and internet interfaces and
traffic be inspected. The dmz interface can talk through the internet
interface and traffic be inspected. If a host from the dmz interface needs
to reach a host on the inside interface without any initiating traffic
coming from the inside there must be an acl statement. If a host from the
outside interface needs to reach a host on the inside interface or dmz
interface without any initiating traffic coming from the inside there must
be an acl statement.

Can anyone spot my configuration mistake?

class-map type inspect match-any inspecttraffic
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ssh
 match protocol ftp
 match protocol imap
 match protocol http
 match protocol https
 match protocol dns

policy-map type inspect inspecttrafficpolicy
 class type inspect inspecttraffic
  inspect

zone security private
zone security internet
zone security dmz

zone-pair security private-internet source private destination internet
 service-policy type inspect inspecttrafficpolicy

zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspecttrafficpolicy

zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspecttrafficpolicy

!
interface FastEthernet0/0
 zone-member internet
!
interface FastEthernet0/1
 zone-member private

int vlan 150
 zone-member dmz
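As an added example (not from the thread or from Cisco), the Python below does the kind of sanity check the replies above walk through by hand: it parses a ZBF config and flags zone-pairs with no service-policy, zones with no member interface, and interface lines that say `zone-member <zone>` without the `security` keyword. The functions `parse_zbf` and `check_zbf` and the sample config are my own constructions.

```python
import re

# Constructed sample (not from the thread) with the three mistakes checked below.
SAMPLE = """policy-map type inspect inspecttrafficpolicy
zone security private
zone security internet
zone security dmz
zone-pair security private-internet source private destination internet
 service-policy type inspect inspecttrafficpolicy
zone-pair security dmz-internet source dmz destination internet
interface FastEthernet0/0
 zone-member internet
interface FastEthernet0/1
 zone-member security private"""

def parse_zbf(config):
    """Index policy-maps, zones, zone-pairs and interface zone membership."""
    zones, policies, pairs, ifaces = set(), set(), {}, {}
    ctx = None  # (kind, name) of the zone-pair or interface whose block is being read
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"policy-map type inspect (\S+)", line):
            policies.add(m[1]); ctx = None
        elif m := re.match(r"zone security (\S+)", line):
            zones.add(m[1]); ctx = None
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pairs[m[1]] = [m[2], m[3], None]; ctx = ("pair", m[1])
        elif m := re.match(r"interface (\S+)", line):
            ifaces[m[1]] = None; ctx = ("iface", m[1])
        elif ctx and ctx[0] == "pair" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            pairs[ctx[1]][2] = m[1]
        elif ctx and ctx[0] == "iface" and (m := re.match(r"zone-member( security)? (\S+)", line)):
            ifaces[ctx[1]] = (m[2], m[1] is not None)  # (zone, "security" keyword present)
    return zones, policies, pairs, ifaces

def check_zbf(config):
    """Return the consistency problems a reviewer would flag in a ZBF config."""
    zones, policies, pairs, ifaces = parse_zbf(config)
    out = []
    for name, (src, dst, pol) in pairs.items():
        out += [f"zone-pair {name}: zone {z} is not defined" for z in (src, dst) if z not in zones]
        if pol is None:
            out.append(f"zone-pair {name}: no service-policy, {src}->{dst} traffic is dropped")
        elif pol not in policies:
            out.append(f"zone-pair {name}: policy-map {pol} is not defined")
    for iface, member in ifaces.items():
        if member and not member[1]:
            out.append(f"{iface}: 'zone-member {member[0]}' is missing the security keyword")
    used = {m[0] for m in ifaces.values() if m}
    out += [f"zone {z}: no member interface, its zone-pairs see no traffic" for z in sorted(zones - used)]
    return out
```

Running `check_zbf` over a copied-out `show running-config` section is a quick way to confirm that every zone-pair carries a policy and that each zone the pairs reference actually has an interface in it before chasing counters with `show policy-map type inspect zone-pair`.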

Received on Thu Aug 27 2009 - 06:48:36 ART
