Re: Zone based firewall - show commands and verification

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Sat, 24 Oct 2009 20:32:14 -0400

Never mind ... I have something misconfigured. I just noticed that I am
somehow allowing other traffic in ...

On Sat, Oct 24, 2009 at 8:29 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:

> Many thanks. The ppt you provided does a very good job of explaining
> everything. I also like the config examples at the end.
>
> Odd thing is that I can still telnet to the router from other 'outside'
> routers and OSPF / BGP stays up ok. I have been able to block everything
> from the outside to the inside though. That much is cool.
>
> I figured that once I applied the security zones, this would be
> sufficient to stop all 'outside' traffic. I would also expect all protocols
> to go down until I added an access-list. Perhaps something I am missing.
>
> Many thanks
>
> Andrew
>
>
>
> On Sat, Oct 24, 2009 at 9:41 AM, Anantha Subramanian Natarajan <
> anantha.natarajan_at_gravitant.com> wrote:
>
>> Hi Andrew,
>>
>> The link below may explain what you are asking about regarding class class-default
>> in the zone based firewall
>>
>>
>> http://blog.ioshints.info/2007/02/default-action-in-firewall-policy-maps.html
>>
>> Also I think you may like this presentation on the cisco website
>>
>>
>> http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
>>
>> Thanks
>>
>> Regards
>> Anantha Subramanian Natarajan
>>
>> On Fri, Oct 23, 2009 at 9:53 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>
>>> Hey team,
>>>
>>> I actually had to use more than 2 routers ... bummer. Super 'J' (Joe
>>> Astorino) mentioned that you can modify the local 'self' zone, but I
>>> decided to add another router to the mix. Here is the scenario:
>>>
>>> R1 - connected to a switch
>>> R2 - connected to a switch
>>> R3 - connected to a switch and pretending to be the outside world.
>>>
>>> Without a firewall, I can ping anywhere. I am using static routes for
>>> routing.
>>>
>>> When I put up a firewall, I can now drop icmp test traffic based on the
>>> policy-map I configured. I can also toggle this on and off based on my
>>> configs, so this is working.
>>>
>>> A couple of questions though team, if you do not mind. I do not like the
>>> doc cd on zone based firewall ... imo, it is a bit hard to follow the way
>>> it is laid out.
>>>
>>> 1) for the zone pair, when it has you match the source security zone with
>>> the destination, is this the same thing as the 'inside' interface and the
>>> 'outside' interface? I think so, but just want to hear your perspective
>>> on this as it seems that there are some options related to the number of
>>> zones and how one would choose to configure it. I am looking for some
>>> pointers and insight ...
>>>
>>> 2) the traffic not defined should be placed into the class class-default
>>> and the default action is to drop. Not sure if this is correct ...
>>> although the docs mention this is the case. There should be a default
>>> 'catch-all' rule that says drop ...
>>> 2a) - I am able to telnet to R2 from R3 ... even with the zone based
>>> firewall configs ... "me don't likely dis".
>>>
>>> 3) It appears you can have multiple parameter-maps ... one for each class
>>> in the policy-map. Any thoughts on this?
>>>
>>> 4) Any good show commands for this? I want to configure this, test it or
>>> observe it to make sure all is well.
>>>
>>> 5) For now ... I like CBAC better ... although this is most likely
>>> related to me still learning this 'zoning out thing'. I liked using the
>>> inspect commands and access list. This was pretty simple for me to grasp.
>>> So much to learn ...
>>>
>>> Lastly, if I do not know this well enough, then I might have to pass on
>>> this section since I do not want to configure something that potentially
>>> breaks another section.
>>>
>>> --
>>> Andrew Lee Lissitz
>>> all.from.nj_at_gmail.com
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
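As an added example, not taken from the thread or from Cisco's documentation, here is an IOS zone-based firewall configuration that illustrates the two points raised above: the inside-to-outside zone pair with an explicit class-default drop, and the predefined self zone, which permits everything until a zone pair involving self exists and is what lets telnet to the router and OSPF/BGP keep working. The interface names, the 192.0.2.10 management host, and the choice of SSH and OSPF as the only traffic allowed to and from the router itself are assumptions for the example.

```cisco
! Zones and the inside->outside pair, with class-default dropped explicitly
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any CM-IN-OUT
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
!
! Traffic addressed TO the router belongs to the predefined "self" zone,
! which is permitted by default until a zone-pair involving self exists.
! "pass" is stateless, so the reverse direction needs its own pair.
! (192.0.2.10 is an assumed management host; SSH and OSPF are assumptions.)
ip access-list extended ACL-OUT-TO-SELF
 permit tcp host 192.0.2.10 any eq 22
 permit ospf any any
ip access-list extended ACL-SELF-TO-OUT
 permit tcp any eq 22 host 192.0.2.10
 permit ospf any any
class-map type inspect match-all CM-OUT-SELF
 match access-group name ACL-OUT-TO-SELF
class-map type inspect match-all CM-SELF-OUT
 match access-group name ACL-SELF-TO-OUT
policy-map type inspect PM-OUT-SELF
 class type inspect CM-OUT-SELF
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-OUT
 class type inspect CM-SELF-OUT
  pass
 class class-default
  drop log
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-OUT
```

To verify, `show zone security`, `show zone-pair security` and `show policy-map type inspect zone-pair IN-OUT sessions` show zone membership, the policies applied to each pair and the active inspected sessions, while the `drop log` entries in the syslog show what class-default is discarding.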
Received on Sat Oct 24 2009 - 20:32:14 ART