Zone based firewall - show commands and verification, couple of

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Fri, 23 Oct 2009 22:53:23 -0400

Hey team,

I actually had to use more than 2 routers ... bummer. Super 'J' (Joe
Astorino) mentioned that you can modify the local 'self' zone, but I decided
to add another router to the mix. Here is the scenario:

R1 - connected to a switch
R2 - connected to a switch
R3 - connected to a switch and pretending to be the outside world.

Without a firewall, I can ping anywhere. I am using static routes for
routing.

When I put up a firewall, I can now drop icmp test traffic based on the
policy-map I configured. I can also toggle this on and off based on my
configs, so this is working.

A couple of questions though team, if you do not mind. I do not like the
doc cd on zone based firewall ... imo, it is a bit hard to follow the way it
is laid out.

1) for the zone pair, when it has you match the source security zone with
the destination, is this the same thing as the 'inside' interface and the
'outside' interface? I think so, but just want to hear your perspective on
this as it seems that there are some options related to the number of zones
and how one would choose to configure it. I am looking for some pointers
and insight ...

2) the traffic not defined should be placed into the class class-default and
the default action is to drop. Not sure if this is correct ... although the
docs mention this is the case. There should be a default 'catch-all' rule
that says drop ...
    2a) - I am able to telnet to R2 from R3 ... even with the zone based
firewall configs ... "me don't likely dis".

3) It appears you can have multiple parameter-maps ... one for each class in
the policy-map. Any thoughts on this?

4) Any good show commands for this? I want to configure this, test it or
observe it to make sure all is well.

5) For now ... I like CBAC better ... although this is most likely related
to me still learning this 'zoning out thing'. I liked using the inspect
commands and access list. This was pretty simple for me to grasp. So much
to learn ...

Lastly, if I do not know this well enough, then I might have to pass on this
section since I do not want to configure something that potentially breaks
another section.

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
Blogs and organic groups at http://www.ccie.net
Received on Fri Oct 23 2009 - 22:53:23 ART
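An added example for the zone-pair, class-default, parameter-map and show-command points raised in the post above. It is not the poster's configuration; the zone, class, policy and interface names are assumptions, and the only topology assumed is one router with an inside-facing and an outside-facing interface. The zone-based firewall rules it relies on are the standard ones: traffic between two zones passes only if a zone-pair exists for that direction and its policy allows it, traffic between a zoned interface and an unzoned interface is dropped, and traffic to or from the router's own addresses belongs to the built-in self zone, which is permitted by default until a zone-pair involving self is configured. So a Telnet session that terminates on the firewall router itself is not touched by an INSIDE/OUTSIDE zone-pair.

```cisco
! --- Zones: one per trust level (assumed names) ---
zone security INSIDE
zone security OUTSIDE
!
! --- Parameter-maps: one can be referenced per "inspect" action, so
!     each class in the policy may carry its own timers and logging ---
parameter-map type inspect PMAP-ICMP
 alert on
 audit-trail on
 icmp idle-time 10
!
parameter-map type inspect PMAP-TELNET
 audit-trail on
 tcp idle-time 600
!
! --- Classes: what to inspect; classes are evaluated in policy order ---
class-map type inspect match-any CM-ICMP
 match protocol icmp
class-map type inspect match-any CM-TELNET
 match protocol telnet
!
! --- Policy: inspect the listed classes; class-default is the catch-all
!     and drops everything else (log records the drops) ---
policy-map type inspect PM-IN-OUT
 class type inspect CM-ICMP
  inspect PMAP-ICMP
 class type inspect CM-TELNET
  inspect PMAP-TELNET
 class class-default
  drop log
!
! --- Zone-pair: source/destination zones are the direction of the
!     initiating traffic. Only INSIDE -> OUTSIDE is defined, so new
!     OUTSIDE -> INSIDE sessions have no zone-pair and are dropped;
!     return traffic for inspected sessions is allowed by the state table ---
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! --- Interface membership (assumed interface names) ---
interface FastEthernet0/0
 description inside
 zone-member security INSIDE
interface FastEthernet0/1
 description outside
 zone-member security OUTSIDE
!
! --- Verification, from privileged EXEC ---
! show zone security                                  zones and their member interfaces
! show zone-pair security                             pairs, direction, attached policy
! show class-map type inspect                         match criteria of each class
! show parameter-map type inspect PMAP-ICMP           timers/logging of one parameter-map
! show policy-map type inspect zone-pair ZP-IN-OUT    per-class counters, including class-default drops
! show policy-map type inspect zone-pair ZP-IN-OUT sessions
!                                                     live inspected sessions (source, destination, protocol)
```

To check whether a given flow is being dropped by class-default rather than by a missing zone-pair or an unzoned interface, generate the traffic and watch the per-class counters in the zone-pair policy output; a drop that shows no counter movement on any class is usually a zone membership or zone-pair direction problem rather than a policy problem.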

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART