Re: Zone based firewall - show commands and verification,

From: Johnny B CCIE <jbccie_at_gmail.com>
Date: Sun, 25 Oct 2009 01:00:11 -0400

Have you ever wondered why a firewall has traditionally had very
limited capabilities? If you are on the firewall where are you allowed
to get to in terms of Outside, Inside, and DMZs? Now take the same
concept to the Router with Zone-Based Firewall Configuration.

That's my thoughts until someone can tell me different and prove it.
It is one of the reasons I have concerns with making a Firewall such
as a PIX or an ASA also do double duty as a VPN. Maybe someone will
show us a better way.

On Sun, Oct 25, 2009 at 12:29 AM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> Joe, you rock man. All the help you and others have given me has been
> great. I think I am decent with this now ...
>
> Thanks for the link.
>
> My challenge has been for a while now, how to restrict traffic to the
> router?
>
> Using zone based FW, you can stop traffic going through the router or
> through the zones you create ... pretty cool. Your example and most that I
> have seen include a similar config, and you do a nice job of making it clear
> and easy to understand. Thanks.
>
> But in using these configs, you do not list the built-in zone 'self'. So
> everything will still come and go to and from the router 'itself' as if
> there is no FW ... because there is not ... not yet.
>
> If you create another zone-pair and include the self zone, you can then get
> granular with what you want to limit to and from the router. You hinted at
> this before when you mentioned the self zone. Thanks.
>
> In fact, you can create quite a few zone-pairs, policy-maps, and class-maps
> ... quite a bit of flexibility.
>
> The reason I stayed with this, is that when you are installing a router at a
> customer, you are likely going to configure the firewall for access to the
> router as well. You can use access lists for direct router access, but
> these may circumvent your security depending on if these are set for in or
> outbound. A possible 'gotcha', although even with this said, I like ACLs.
>
>
> HTH and many thanks Joe, Anantha, and team!
>
> Andrew
>
>
>
>
> On Sat, Oct 24, 2009 at 9:58 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>
>> Hey dude,
>>
>> We have a blog up on zone-based firewall you may find interesting! I hope
>> it helps you out : )
>>
>>
>> http://blog.ipexpert.com/2009/09/20/ios-zone-based-firewall-overview-for-ccie-routing-and-switching-40-candidates/
>>
>>
>> On Sat, Oct 24, 2009 at 8:32 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>
>>> Never mind ... I have something misconfigured. I just noticed that I am
>>> somehow allowing other traffic in ...
>>>
>>>
>>> On Sat, Oct 24, 2009 at 8:29 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>>
>>>> Many thanks. The ppt you provide does a very good job at explaining
>>>> everything. I also like the config examples at the end.
>>>>
>>>> Odd thing is that I can still telnet to the router from other 'outside'
>>>> routers and OSPF / BGP stays up ok. I have been able to block everything
>>>> from the outside to the inside though. That much is cool.
>>>>
>>>> I figured that once I applied the security zones, that this would be
>>>> sufficient to stop all 'outside' traffic. I would also expect all protocols
>>>> to go down until I added an access-list. Perhaps something I am missing.
>>>>
>>>> Many thanks
>>>>
>>>> Andrew
>>>>
>>>>
>>>>
>>>> On Sat, Oct 24, 2009 at 9:41 AM, Anantha Subramanian Natarajan <
>>>> anantha.natarajan_at_gravitant.com> wrote:
>>>>
>>>>> Hi Andrew,
>>>>>
>>>>> This below link may explain what you are asking for the class
>>>>> class-default in the zone based firewall
>>>>>
>>>>>
>>>>> http://blog.ioshints.info/2007/02/default-action-in-firewall-policy-maps.html
>>>>>
>>>>> Also I think you may like this presentation on the cisco website
>>>>>
>>>>>
>>>>> http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
>>>>>
>>>>> Thanks
>>>>>
>>>>> Regards
>>>>> Anantha Subramanian Natarajan
>>>>>
>>>>> On Fri, Oct 23, 2009 at 9:53 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>>>>
>>>>>> Hey team,
>>>>>>
>>>>>> I actually had to use more than 2 routers ... bummer. Super 'J' (Joe
>>>>>> Astorino) mentioned that you can modify the local 'self' zone, but I
>>>>>> decided to add another router to the mix. Here is the scenario:
>>>>>>
>>>>>> R1 - connected to a switch
>>>>>> R2 - connected to a switch
>>>>>> R3 - connected to a switch and pretending to be the outside world.
>>>>>>
>>>>>> Without a firewall, I can ping anywhere. I am using static routes for
>>>>>> routing.
>>>>>>
>>>>>> When I put up a firewall, I can now drop icmp test traffic based on the
>>>>>> policy-map I configured. I can also toggle this on and off based on my
>>>>>> configs, so this is working.
>>>>>>
>>>>>> A couple of questions though team, if you do not mind. I do not like
>>>>>> the doc cd on zone based firewall ... imo, it is a bit hard to follow
>>>>>> the way it is laid out.
>>>>>>
>>>>>> 1) for the zone pair, when it has you match the source security zone
>>>>>> with the destination, is this the same thing as the 'inside' interface
>>>>>> and the 'outside' interface? I think so, but just want to hear your
>>>>>> perspective on this as it seems that there are some options related to
>>>>>> the number of zones and how one would choose to configure it. I am
>>>>>> looking for some pointers and insight ...
>>>>>>
>>>>>> 2) the traffic not defined should be placed into the class
>>>>>> class-default and the default action is to drop. Not sure if this is
>>>>>> correct ... although the docs mention this is the case. There should be
>>>>>> a default 'catch-all' rule that says drop ...
>>>>>> 2a) - I am able to telnet to R2 from R3 ... even with the zone based
>>>>>> firewall configs ... "me don't likely dis".
>>>>>>
>>>>>> 3) It appears you can have multiple parameter-maps ... one for each
>>>>>> class in the policy-map. Any thoughts on this?
>>>>>>
>>>>>> 3) Any good show commands for this? I want to configure this, test it
>>>>>> or observe it to make sure all is well.
>>>>>>
>>>>>> 4) For now ... I like CBAC better ... although this is most likely
>>>>>> related to me still learning this 'zoning out thing'. I liked using
>>>>>> the inspect commands and access list. This was pretty simple for me to
>>>>>> grasp. So much to learn ...
>>>>>>
>>>>>> Lastly, if I do not know this well enough, then I might have to pass on
>>>>>> this section since I do not want to configure something that
>>>>>> potentially breaks another section.
>>>>>> --
>>>>>> Andrew Lee Lissitz
>>>>>> all.from.nj_at_gmail.com
>>>>>>
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Andrew Lee Lissitz
>>>> all.from.nj_at_gmail.com
>>>>
>>>
>>>
>>>
>>> --
>>> Andrew Lee Lissitz
>>> all.from.nj_at_gmail.com
>>>
>>
>>
>>
>> --
>> Regards,
>>
>> Joe Astorino CCIE #24347 (R&S)
>> Sr. Technical Instructor - IPexpert
>> Mailto: jastorino_at_ipexpert.com
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
>> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
>> Provider) Certification Training with locations throughout the United
>> States, Europe and Australia. Be sure to check out our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
>

Blogs and organic groups at http://www.ccie.net
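The thread's open points are the built-in 'self' zone (the router is unpoliced until a zone-pair names it, and once one does, OSPF/BGP must be allowed explicitly) and which show commands verify the result. The IOS configuration below is an added example, not from any poster; the zone, ACL, class-map, policy-map and interface names are assumptions, and the usual INSIDE-to-OUTSIDE pair for through traffic is left out so only the 'self' pairs are shown.

```ios
! Added example, not from this thread. Names are assumptions.
zone security OUTSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
!
! Without a zone-pair that names 'self', traffic to and from the router
! itself is not policed at all. With one, only what the policy permits
! gets through, so the routing protocols need an explicit class.
ip access-list extended ACL-ROUTING-TO-SELF
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
class-map type inspect match-all CM-OUT-TO-SELF
 match access-group name ACL-ROUTING-TO-SELF
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-OUT-TO-SELF
  pass
 class class-default
  drop log
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
!
! 'pass' is stateless, so the router's own OSPF/BGP packets outbound
! need a pair in the other direction. The same ACL matches both
! directions of OSPF and BGP, so it is reused here.
class-map type inspect match-all CM-SELF-TO-OUT
 match access-group name ACL-ROUTING-TO-SELF
policy-map type inspect PM-SELF-TO-OUT
 class type inspect CM-SELF-TO-OUT
  pass
 class class-default
  drop log
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUT
!
! Verification from exec mode. A telnet attempt from an OUTSIDE router
! should now fail and be counted under class-default of OUT-TO-SELF,
! while the OSPF/BGP adjacencies stay up.
Router# show zone security
Router# show zone-pair security
Router# show policy-map type inspect zone-pair OUT-TO-SELF
Router# show policy-map type inspect zone-pair sessions
```

Management access (telnet/SSH) from the INSIDE zone to the router would need its own INSIDE-to-self pair in the same pattern; otherwise it is not affected, since no pair names INSIDE and self together.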
Received on Sun Oct 25 2009 - 01:00:11 ART

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART