Gosh darn it ... I do not like that 'self'. I wish to get rid of self. ;-)
Ok, I will have to add another router to the mix ... bummer ... I am trying
to do as much with only two routers.
You rock Joe, many thanks for this man,
Andrew
On Thu, Oct 22, 2009 at 11:56 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
> The built in "zone self" allows everything to/from your router by default
> ------Original Message------
> From: ALL From_NJ
> Sender: nobody_at_groupstudy.com
> To: CCIE Groupstudy
> ReplyTo: ALL From_NJ
> Subject: How to test Zone Based FW
> Sent: Oct 22, 2009 11:47 PM
>
> Hey team,
>
> Am using my handy dandy router pair and configured zone based FW ... my
> first time really, I actually think CBAC is extremely easy ... oh well ...
> things change and I need to learn Zone based.
>
> I am pinging from the source interface, loop0, and to the remote router. I
> figured my config would block this, but nope ... the ping worked. Can you
> all please look this over and let me know what I am missing /
> misconfigured? Many TIA.
>
> Also, I read that the default action for the class-default is to drop
> everything. This also does not see to be the case. I am sure I have
> something misconfigured.
> !
> parameter-map type inspect CCIE
> !
> class-map type inspect match-all CCIE
>  match protocol http
> !
> class-map type inspect match-all dropicmp
>  match protocol icmp
> !
> policy-map type inspect CCIE
>  class type inspect CCIE
>   inspect
>  class type inspect dropicmp
>   drop
>  class class-default
> !
> zone security outside
> zone security inside
> zone-pair security no-way source inside destination outside
>  service-policy type inspect CCIE
> !
> interface Loopback0
>  ip address 10.2.2.2 255.255.255.0
>  zone-member security inside
> !
> interface FastEthernet0/0
>  ip address 12.12.12.2 255.255.255.0
>  ip verify unicast source reachable-via any
>  zone-member security outside
>
> I am doing a ping from the inside interface to a remote router.
>
> ping 12.12.12.1 source lo0
>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> Regards,
>
> Joe Astorino - CCIE #24347 R&S
> Technical Instructor - IPexpert, Inc.
> Cell: +1.586.212.6107
> Fax: +1.810.454.0130
> Mailto: jastorino_at_ipexpert.com
--
Andrew Lee Lissitz
all.from.nj_at_gmail.com

Blogs and organic groups at http://www.ccie.net

Received on Fri Oct 23 2009 - 00:00:04 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART
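As an added illustration of Joe's point, not part of the original thread: a ping sourced from Loopback0 is router-originated traffic, so it belongs to the built-in self zone rather than to the inside zone the loopback is a member of, and no inspect policy touches it until a zone-pair that names self exists. The configuration below reuses the outside zone and the dropicmp class-map from the posted config; the policy-map name self-to-outside and the zone-pair name self-out are hypothetical.

```cisco
! Added example, not from the thread. Zone "outside" and class-map
! "dropicmp" (match protocol icmp) come from the posted configuration;
! policy-map "self-to-outside" and zone-pair "self-out" are hypothetical names.
!
! Router-originated traffic lives in the built-in "self" zone. Until a zone-pair
! that names "self" exists, IOS permits all of it, which is why a ping sourced
! from Loopback0 never hit the inside->outside "no-way" policy.
!
policy-map type inspect self-to-outside
 class type inspect dropicmp
  drop log
 class class-default
  pass
!
zone-pair security self-out source self destination outside
 service-policy type inspect self-to-outside
!
! Verify: "ping 12.12.12.1 source lo0" from the router is now expected to fail,
! and "show policy-map type inspect zone-pair self-out" shows the drop counter.
```

This pair only governs the self-to-outside direction; traffic from outside toward the router stays implicitly permitted until an outside-to-self pair is configured, and anything the router must originate itself (routing updates, management sessions) needs its own pass or inspect class before class-default is ever changed from pass to drop.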