Many thanks. The ppt you provide does a very good job at explaining
everything. I also like the config examples at the end.

Odd thing is that I can still telnet to the router from other 'outside'
routers and OSPF / BGP stays up ok. I have been able to block everything
from the outside to the inside though. That much is cool.

I figured that once I applied the security zones, this would be
sufficient to stop all 'outside' traffic; I would also expect all protocols
to go down until I added an access-list. Perhaps there is something I am missing.

Many thanks
Andrew
On Sat, Oct 24, 2009 at 9:41 AM, Anantha Subramanian Natarajan <anantha.natarajan_at_gravitant.com> wrote:
> Hi Andrew,
>
> The link below may explain what you are asking about the class class-default
> in the zone-based firewall:
>
>
> http://blog.ioshints.info/2007/02/default-action-in-firewall-policy-maps.html
>
> Also I think you may like this presentation on the cisco website
>
>
> http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
>
> Thanks
>
> Regards
> Anantha Subramanian Natarajan
>
> On Fri, Oct 23, 2009 at 9:53 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>
>> Hey team,
>>
>> I actually had to use more than 2 routers ... bummer. Super 'J' (Joe
>> Astorino) mentioned that you can modify the local 'self' zone, but I
>> decided to add another router to the mix. Here is the scenario:
>>
>> R1 - connected to a switch
>> R2 - connected to a switch
>> R3 - connected to a switch and pretending to be the outside world.
>>
>> Without a firewall, I can ping anywhere. I am using static routes for
>> routing.
>>
>> When I put up a firewall, I can now drop ICMP test traffic based on the
>> policy-map I configured. I can also toggle this on and off based on my
>> configs, so this is working.
>>
>> A couple of questions though team, if you do not mind. I do not like the
>> doc CD on zone-based firewall ... imo, it is a bit hard to follow the way
>> it is laid out.
>>
>> 1) For the zone pair, when it has you match the source security zone with
>> the destination, is this the same thing as the 'inside' interface and the
>> 'outside' interface? I think so, but just want to hear your perspective
>> on this, as it seems that there are some options related to the number of
>> zones and how one would choose to configure it. I am looking for some
>> pointers and insight ...
>>
>> 2) The traffic not defined should be placed into the class class-default,
>> and the default action is to drop. Not sure if this is correct ... although
>> the docs mention this is the case. There should be a default 'catch-all'
>> rule that says drop ...
>> 2a) I am able to telnet to R2 from R3 ... even with the zone-based
>> firewall configs ... "me don't likely dis".
>>
>> 3) It appears you can have multiple parameter-maps ... one for each class
>> in the policy-map. Any thoughts on this?
>>
>> 4) Any good show commands for this? I want to configure this, test it or
>> observe it to make sure all is well.
>>
>> 5) For now ... I like CBAC better ... although this is most likely related
>> to me still learning this 'zoning out thing'. I liked using the inspect
>> commands and access lists. This was pretty simple for me to grasp. So
>> much to learn ...
>>
>> Lastly, if I do not know this well enough, then I might have to pass on
>> this section, since I do not want to configure something that potentially
>> breaks another section.
>>
>> --
>> Andrew Lee Lissitz
>> all.from.nj_at_gmail.com
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
--
Andrew Lee Lissitz
all.from.nj_at_gmail.com

Received on Sat Oct 24 2009 - 20:29:20 ART
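Added example, not part of the thread or of any poster's configuration: a constructed IOS zone-based firewall fragment for the behaviour Andrew describes. Traffic addressed to the router itself (telnet, OSPF, BGP) belongs to the predefined self zone that the thread mentions, not to the inside/outside zone-pair, and it stays permitted by default until a zone-pair involving self is configured. The zone names inside and outside, the ACL, class-map, policy-map and zone-pair names are all assumptions.

```cisco
! Constructed example (not from the thread). Assumes zones named 'inside' and
! 'outside' already exist and interfaces are already assigned to them.
! Goal: keep OSPF and BGP to the router up, drop everything else (e.g. telnet)
! that arrives from the outside zone and is destined to the router itself.
!
ip access-list extended OUTSIDE-SELF-ACL
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map type inspect match-all OUTSIDE-SELF-CLASS
 match access-group name OUTSIDE-SELF-ACL
!
! 'pass' is stateless (no session is created), so the reverse direction
! needs its own zone-pair below; class-default drops and logs the rest.
policy-map type inspect OUTSIDE-SELF-POLICY
 class type inspect OUTSIDE-SELF-CLASS
  pass
 class class-default
  drop log
!
! Packets from the outside zone to the router itself.
zone-pair security OUTSIDE-TO-SELF source outside destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
!
! Router-originated OSPF/BGP toward the outside zone (same ACL is symmetric).
zone-pair security SELF-TO-OUTSIDE source self destination outside
 service-policy type inspect OUTSIDE-SELF-POLICY
!
! Verification (the 'show commands' asked for in the thread):
!   show zone-pair security
!   show policy-map type inspect zone-pair OUTSIDE-TO-SELF
```

Once the SELF-TO-OUTSIDE pair is in place, anything the router itself originates toward the outside zone that the ACL does not list (a ping or telnet started from the router, for example) is dropped by class-default as well, so extend the ACL for whatever the router legitimately needs to send.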
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART