Hi Andrew,
The link below may explain what you are asking about regarding the class class-default in
the zone-based firewall:
http://blog.ioshints.info/2007/02/default-action-in-firewall-policy-maps.html
Also, I think you may like this presentation on the Cisco website.
Thanks
Regards
Anantha Subramanian Natarajan
On Fri, Oct 23, 2009 at 9:53 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> Hey team,
>
> I actually had to use more than 2 routers ... bummer. Super 'J' (Joe
> Astorino) mentioned that you can modify the local 'self' zone, but I
> decided to add another router to the mix. Here is the scenario:
>
> R1 - connected to a switch
> R2 - connected to a switch
> R3 - connected to a switch and pretending to be the outside world.
>
> Without a firewall, I can ping anywhere. I am using static routes for
> routing.
>
> When I put up a firewall, I can now drop icmp test traffic based on the
> policy-map I configured. I can also toggle this on and off based on my
> configs, so this is working.
>
> A couple of questions though team, if you do not mind. I do not like the
> doc CD on zone-based firewall ... IMO, it is a bit hard to follow the way
> it is laid out.
>
> 1) for the zone pair, when it has you match the source security zone with
> the destination, is this the same thing as the 'inside' interface and the
> 'outside ' interface? I think so, but just want to hear your perspective on
> this as it seems that there are some options related to the number of zones
> and how one would choose to configure it. I am looking for some pointers
> and insight ...
>
> 2) The traffic not defined should be placed into the class class-default
> and the default action is to drop. Not sure if this is correct ... although
> the docs mention this is the case. There should be a default 'catch-all' rule
> that says drop ...
> 2a) - I am able to telnet to R2 from R3 ... even with the zone based
> firewall configs ... "me don't likely dis".
>
> 3) It appears you can have multiple parameter-maps ... one for each class
> in the policy-map. Any thoughts on this?
>
> 4) Any good show commands for this? I want to configure this, test it or
> observe it to make sure all is well.
>
> 5) For now ... I like CBAC better ... although this is most likely related
> to me still learning this 'zoning out thing'. I liked using the inspect
> commands and access list. This was pretty simple for me to grasp. So much
> to learn ...
>
> Lastly, if I do not know this well enough, then I might have to pass on
> this section since I do not want to configure something that potentially breaks
> another section.
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
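For reference, here is a complete zone-based firewall configuration for the three-router lab Andrew describes, with R2 acting as the firewall between R1 (inside) and R3 (outside). This is an added example, not configuration posted by anyone in the thread; the interface names, addresses, and zone, class-map, policy-map and parameter-map names are assumptions. It shows one directional zone-pair, an explicit drop in class class-default, a parameter-map referenced per class, and the show commands used to verify the result.

```cisco
! Added example (not from the thread): R2 as the zone-based firewall.
! Interface names, addresses and object names are assumptions.
!
! Parameter-map: inspection timers and an audit trail, referenced per class.
parameter-map type inspect PMAP-DEFAULT
 audit-trail on
 tcp idle-time 300
!
! Security zones. Interfaces in different zones cannot exchange traffic
! until a zone-pair with a service-policy permits it.
zone security INSIDE
zone security OUTSIDE
!
interface FastEthernet0/0
 description to R1 (inside network)
 ip address 10.1.12.2 255.255.255.0
 zone-member security INSIDE
!
interface FastEthernet0/1
 description to R3 (pretend outside world)
 ip address 10.1.23.2 255.255.255.0
 zone-member security OUTSIDE
!
! Class-maps select traffic; anything they do not match falls into class-default.
class-map type inspect match-any CM-ICMP
 match protocol icmp
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
!
! Policy-map for the inside-to-outside direction. Each class may reference
! its own parameter-map; class-default drops (and logs) everything else.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-ICMP
  inspect PMAP-DEFAULT
 class type inspect CM-WEB
  inspect PMAP-DEFAULT
 class class-default
  drop log
!
! The zone-pair is directional: source zone is where traffic originates,
! destination zone is where it is headed. Return traffic for inspected
! sessions is allowed by the stateful session entry; because no
! OUTSIDE->INSIDE zone-pair exists, unsolicited traffic from R3 toward R1 is dropped.
zone-pair security ZP-IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! Verification commands (run from privileged exec):
! show zone security
! show zone-pair security
! show class-map type inspect
! show policy-map type inspect zone-pair ZP-IN-TO-OUT sessions
```

Two points this example makes visible: the zone-pair, not the interface, defines "inside" and "outside", since each zone-pair binds a source zone to a destination zone and applies one policy in that direction only; and class-default drops by default, so the explicit `drop log` only adds logging. Traffic addressed to R2's own interfaces (such as a telnet session from R3 to R2) is handled by the built-in self zone rather than by the INSIDE/OUTSIDE pair; traffic to and from the self zone is permitted unless a zone-pair that includes `self` is configured with a policy, which is why a zone-pair between two interface zones alone does not restrict management access to the router itself.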
Received on Sat Oct 24 2009 - 08:41:52 ART