Hey dude,
We have a blog up on zone-based firewall you may find interesting! I hope
it helps you out : )
On Sat, Oct 24, 2009 at 8:32 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> Never mind ... I have something misconfigured. I just noticed that I am
> somehow allowing other traffic in ...
>
>
> On Sat, Oct 24, 2009 at 8:29 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>
>> Many thanks. The ppt you provide does a very good job at explaining
>> everything. I also like the config examples at the end.
>>
>> Odd thing is that I can still telnet to the router from other 'outside'
>> routers and OSPF / BGP stays up ok. I have been able to block everything
>> from the outside to the inside though. That much is cool.
>>
>> I figured that once I applied the security zones, that this would be
>> sufficient to stop all 'outside' traffic. I would also expect all protocols
>> to go down until I added an access-list. Perhaps something I am missing.
>>
>> Many thanks
>>
>> Andrew
>>
>>
>>
>> On Sat, Oct 24, 2009 at 9:41 AM, Anantha Subramanian Natarajan <
>> anantha.natarajan_at_gravitant.com> wrote:
>>
>>> Hi Andrew,
>>>
>>> This below link may explain what you are asking about the class class-default
>>> in the zone based firewall:
>>>
>>>
>>> http://blog.ioshints.info/2007/02/default-action-in-firewall-policy-maps.html
>>>
>>> Also I think you may like this presentation on the cisco website
>>>
>>>
>>> http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
>>>
>>> Thanks
>>>
>>> Regards
>>> Anantha Subramanian Natarajan
>>>
>>> On Fri, Oct 23, 2009 at 9:53 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>>
>>>> Hey team,
>>>>
>>>> I actually had to use more than 2 routers ... bummer. Super 'J' (Joe
>>>> Astorino) mentioned that you can modify the local 'self' zone, but I decided
>>>> to add another router to the mix. Here is the scenario:
>>>>
>>>> R1 - connected to a switch
>>>> R2 - connected to a switch
>>>> R3 - connected to a switch and pretending to be the outside world.
>>>>
>>>> Without a firewall, I can ping anywhere. I am using static routes for
>>>> routing.
>>>>
>>>> When I put up a firewall, I can now drop icmp test traffic based on the
>>>> policy-map I configured. I can also toggle this on and off based on my
>>>> configs, so this is working.
>>>>
>>>> A couple of questions though team, if you do not mind. I do not like the
>>>> doc cd on zone based firewall ... imo, it is a bit hard to follow the way it
>>>> is laid out.
>>>>
>>>> 1) for the zone pair, when it has you match the source security zone with
>>>> the destination, is this the same thing as the 'inside' interface and the
>>>> 'outside' interface? I think so, but just want to hear your perspective on
>>>> this as it seems that there are some options related to the number of zones
>>>> and how one would choose to configure it. I am looking for some pointers
>>>> and insight ...
>>>>
>>>> 2) the traffic not defined should be placed into the class class-default and
>>>> the default action is to drop. Not sure if this is correct ... although the
>>>> docs mention this is the case. There should be a default 'catch-all' rule
>>>> that says drop ...
>>>> 2a) - I am able to telnet to R2 from R3 ... even with the zone based
>>>> firewall configs ... "me don't likely dis".
>>>>
>>>> 3) It appears you can have multiple parameter-maps ... one for each class in
>>>> the policy-map. Any thoughts on this?
>>>>
>>>> 3) Any good show commands for this? I want to configure this, test it or
>>>> observe it to make sure all is well.
>>>>
>>>> 4) For now ... I like CBAC better ... although this is most likely related
>>>> to me still learning this 'zoning out thing'. I liked using the inspect
>>>> commands and access list. This was pretty simple for me to grasp. So much
>>>> to learn ...
>>>>
>>>> Lastly, if I do not know this well enough, then I might have to pass on this
>>>> section since I do not want to configure something that potentially breaks
>>>> another section.
>>>>
>>>> --
>>>> Andrew Lee Lissitz
>>>> all.from.nj_at_gmail.com
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>
>>
>> --
>> Andrew Lee Lissitz
>> all.from.nj_at_gmail.com
>>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
--
Regards,
Joe Astorino
CCIE #24347 (R&S)
Sr. Technical Instructor - IPexpert
Mailto: jastorino_at_ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
Blogs and organic groups at http://www.ccie.net

Received on Sat Oct 24 2009 - 21:58:15 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART
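The configuration below is an added example and is not from any of the posters in this thread or from the linked documents. It ties the thread's questions together on a single router: the zone pair maps the source zone to the zone of the ingress interface and the destination zone to the zone of the egress interface (question 1), class-default in an inspect policy-map drops by default and can be made to log (question 2), and the reason telnet, OSPF and BGP from 'outside' kept working (question 2a) is that traffic to or from the router itself belongs to the built-in 'self' zone, which keeps its default of permitting everything until a zone pair with 'self' as source or destination is given a policy. Interface names, IP addresses, the management host address and all map names are placeholders chosen for the example.

```cisco
! Added example configuration, not from the thread. Interfaces, addresses and
! names are placeholders.
!
! User-defined zones. 'self' is built in and needs no definition.
zone security inside
zone security outside
!
! Transit traffic from inside to outside that should be stateful-inspected,
! so that replies are allowed back in without an outside->inside zone pair.
class-map type inspect match-any INSIDE-TO-OUTSIDE
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! Anything not matched above falls into class-default, whose default action is
! drop. 'drop log' keeps that behaviour and records each drop so the catch-all
! can be confirmed from the log rather than assumed.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Zone pair: source = zone of the ingress interface, destination = zone of the
! egress interface. No outside->inside pair is defined, so transit traffic in
! that direction is dropped entirely (what the thread observed as "blocked").
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface FastEthernet0/0
 description inside (placeholder)
 ip address 10.0.1.1 255.255.255.0
 zone-member security inside
!
interface FastEthernet0/1
 description outside (placeholder)
 ip address 192.0.2.1 255.255.255.0
 zone-member security outside
!
! The self zone: traffic terminating on or originating from the router itself
! (telnet to the router, OSPF, BGP) is not covered by the inside/outside pair.
! Without a pair involving 'self' it is passed by default. To restrict it, add
! an outside->self pair that passes only routing and management from a known
! host and drops the rest.
ip access-list extended TO-SELF-ALLOWED
 remark OSPF neighbours on the outside interface
 permit ospf any any
 remark BGP in either direction (peer may be active or passive)
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 remark Telnet only from the placeholder management host
 permit tcp host 192.0.2.100 any eq telnet
!
class-map type inspect match-all ROUTING-AND-MGMT
 match access-group name TO-SELF-ALLOWED
!
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect ROUTING-AND-MGMT
  pass
 class class-default
  drop log
!
zone-pair security OUT-SELF source outside destination self
 service-policy type inspect OUTSIDE-TO-SELF-POLICY
!
! Verification (question 3): zones, pairs, the policy bound to each pair, and
! the live inspect sessions created by the 'inspect' action.
! show zone security
! show zone-pair security
! show class-map type inspect
! show policy-map type inspect zone-pair
! show policy-map type inspect zone-pair sessions
```

Two design notes. The outside->self policy uses 'pass', which is stateless, so the router's own replies rely on the self->outside direction; since no self->outside zone pair is defined, that direction keeps the default of pass, which is the intended result here. Second, once the OUT-SELF pair is applied, any telnet session from an address outside TO-SELF-ALLOWED is dropped, including the session used to configure the router if it arrives on the outside interface, so apply it from the console or from a host the access list permits, and use 'show policy-map type inspect zone-pair' to confirm the class-default drop counters rather than relying on a successful ping.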