Re: Zone based firewall - show commands and verification,

From: Anantha Subramanian Natarajan <anantha.natarajan_at_gravitant.com>
Date: Mon, 26 Oct 2009 08:58:51 -0500

Hi Ryan and All,

  Sorry for this off-topic question, and for taking this thread as an
opportunity for the same. Ryan, it seems from your response below that you
are pursuing or have finished the CCSP, and I am pursuing the CCSP in the near
future. Can you please share your experience and mention the materials you
used for the same?

Also, please mention any specific forums, like groupstudy, that you used for the CCSP.

Thanks

Regards
Anantha Subramanian Natarajan

On Sun, Oct 25, 2009 at 8:40 PM, Ryan West <rwest_at_zyedge.com> wrote:

> no sysopt connection permit-vpn? L2L tunnels by default allow the traffic
> to flow through unfiltered between interesting traffic ACLs. If you turn
> off sysopt you need to allow that traffic through the outside ACL. It's
> funny though, an instructor during a class for the CCSP told that I couldn't
> do that with the command listed above, shouldn't believe everything you
> hear.
>
> I'm not following what you mean by on the firewall, is the large security
> risk for you?
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Johnny B CCIE
> Sent: Sunday, October 25, 2009 1:00 AM
> To: Cisco certification
> Subject: Re: Zone based firewall - show commands and verification, couple
> of questions
>
> Have you ever wondered why a firewall has traditionally had very
> limited capabilities? If you are on the firewall, where are you allowed
> to get to in terms of Outside, Inside, and DMZs? Now take the same
> concept to the Router with Zone-Based Firewall Configuration.
>
> That's my thoughts until someone can tell me different and prove it.
> It is one of the reasons I have concerns with making a Firewall such
> as a PIX or an ASA also do double duty as a VPN. Maybe someone will
> show us a better way.
>
> On Sun, Oct 25, 2009 at 12:29 AM, ALL From_NJ <all.from.nj_at_gmail.com>
> wrote:
> > Joe, you rock man. All the help you and others have given me has been
> > great. I think I am decent with this now ...
> >
> > Thanks for the link.
> >
> > My challenge has been for a while now, how to restrict traffic to the
> > router?
> >
> > Using zone based FW, you can stop traffic going through the router or
> > through the zones you create ... pretty cool. Your example and most that
> > I have seen include a similar config, and you do a nice job of making it
> > clear and easy to understand. Thanks.
> >
> > But in using these configs, you do not list the built-in zone 'self'. So
> > everything will still come and go to and from the router 'itself' as if
> > there is no FW ... because there is not ... not yet.
> >
> > If you create another zone-pair and include the self zone, you can then
> > get granular with what you want to limit to and from the router. You
> > hinted at this before when you mentioned the self zone. Thanks.
> >
> > In fact, you can create quite a few zone-pairs, policy-maps, and
> > class-maps ... quite a bit of flexibility.
> >
> > The reason I stayed with this, is that when you are installing a router
> > at a customer, you are likely going to configure the firewall for access
> > to the router as well. You can use access lists for direct router access,
> > but these may circumvent your security depending on if these are set for
> > in or outbound. A possible 'gotcha', although even with this said, I like
> > ACLs.
> >
> >
> > HTH and many thanks Joe, Anantha, and team!
> >
> > Andrew
> >
> >
> >
> >
> > On Sat, Oct 24, 2009 at 9:58 PM, Joe Astorino <jastorino_at_ipexpert.com>
> > wrote:
> >
> >> Hey dude,
> >>
> >> We have a blog up on zone-based firewall you may find interesting! I
> >> hope it helps you out : )
> >>
> >> http://blog.ipexpert.com/2009/09/20/ios-zone-based-firewall-overview-for-ccie-routing-and-switching-40-candidates/
> >>
> >>
> >> On Sat, Oct 24, 2009 at 8:32 PM, ALL From_NJ <all.from.nj_at_gmail.com>
> >> wrote:
> >>
> >>> Never mind ... I have something misconfigured. I just noticed that I
> >>> am somehow allowing other traffic in ...
> >>>
> >>>
> >>> On Sat, Oct 24, 2009 at 8:29 PM, ALL From_NJ <all.from.nj_at_gmail.com>
> >>> wrote:
> >>>
> >>>> Many thanks. The ppt you provide does a very good job at explaining
> >>>> everything. I also like the config examples at the end.
> >>>>
> >>>> Odd thing is that I can still telnet to the router from other
> >>>> 'outside' routers and OSPF / BGP stays up ok. I have been able to
> >>>> block everything from the outside to the inside though. That much is
> >>>> cool.
> >>>>
> >>>> I figured that once I applied the security zones, that this would be
> >>>> sufficient to stop all 'outside' traffic. I would also expect all
> >>>> protocols to go down until I added an access-list. Perhaps something
> >>>> I am missing.
> >>>>
> >>>> Many thanks
> >>>>
> >>>> Andrew
> >>>>
> >>>>
> >>>>
> >>>> On Sat, Oct 24, 2009 at 9:41 AM, Anantha Subramanian Natarajan <
> >>>> anantha.natarajan_at_gravitant.com> wrote:
> >>>>
> >>>>> Hi Andrew,
> >>>>>
> >>>>> This below link may explain what you are asking about the class
> >>>>> class-default in the zone based firewall
> >>>>>
> >>>>> http://blog.ioshints.info/2007/02/default-action-in-firewall-policy-maps.html
> >>>>>
> >>>>> Also I think you may like this presentation on the Cisco website
> >>>>>
> >>>>> http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
> >>>>>
> >>>>> Thanks
> >>>>>
> >>>>> Regards
> >>>>> Anantha Subramanian Natarajan
> >>>>>
> >>>>> On Fri, Oct 23, 2009 at 9:53 PM, ALL From_NJ <all.from.nj_at_gmail.com>
> >>>>> wrote:
> >>>>>
> >>>>>> Hey team,
> >>>>>>
> >>>>>> I actually had to use more than 2 routers ... bummer. Super 'J'
> >>>>>> (Joe Astorino) mentioned that you can modify the local 'self' zone,
> >>>>>> but I decided to add another router to the mix. Here is the
> >>>>>> scenario:
> >>>>>>
> >>>>>> R1 - connected to a switch
> >>>>>> R2 - connected to a switch
> >>>>>> R3 - connected to a switch and pretending to be the outside world.
> >>>>>>
> >>>>>> Without a firewall, I can ping anywhere. I am using static routes
> >>>>>> for routing.
> >>>>>>
> >>>>>> When I put up a firewall, I can now drop icmp test traffic based on
> >>>>>> the policy-map I configured. I can also toggle this on and off based
> >>>>>> on my configs, so this is working.
> >>>>>>
> >>>>>> A couple of questions though team, if you do not mind. I do not
> >>>>>> like the doc cd on zone based firewall ... imo, it is a bit hard to
> >>>>>> follow the way it is laid out.
> >>>>>>
> >>>>>> 1) for the zone pair, when it has you match the source security zone
> >>>>>> with the destination, is this the same thing as the 'inside'
> >>>>>> interface and the 'outside' interface? I think so, but just want to
> >>>>>> hear your perspective on this as it seems that there are some
> >>>>>> options related to the number of zones and how one would choose to
> >>>>>> configure it. I am looking for some pointers and insight ...
> >>>>>>
> >>>>>> 2) the traffic not defined should be placed into the class
> >>>>>> class-default and the default action is to drop. Not sure if this is
> >>>>>> correct ... although the docs mention this is the case. There should
> >>>>>> be a default 'catch-all' rule that says drop ...
> >>>>>> 2a) - I am able to telnet to R2 from R3 ... even with the zone based
> >>>>>> firewall configs ... "me don't likely dis".
> >>>>>>
> >>>>>> 3) It appears you can have multiple parameter-maps ... one for each
> >>>>>> class in the policy-map. Any thoughts on this?
> >>>>>>
> >>>>>> 3) Any good show commands for this? I want to configure this, test
> >>>>>> it or observe it to make sure all is well.
> >>>>>>
> >>>>>> 4) For now ... I like CBAC better ... although this is most likely
> >>>>>> related to me still learning this 'zoning out thing'. I liked using
> >>>>>> the inspect commands and access list. This was pretty simple for me
> >>>>>> to grasp. So much to learn ...
> >>>>>>
> >>>>>> Lastly, if I do not know this well enough, then I might have to pass
> >>>>>> on this section since I do not want to configure something that
> >>>>>> potentially breaks another section.
> >>>>>>
> >>>>>> --
> >>>>>> Andrew Lee Lissitz
> >>>>>> all.from.nj_at_gmail.com
> >>>>>>
> >>>>>>
> >>>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________________________________
> >>>>>> Subscription information may be found at:
> >>>>>> http://www.groupstudy.com/list/CCIELab.html
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Andrew Lee Lissitz
> >>>> all.from.nj_at_gmail.com
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Andrew Lee Lissitz
> >>> all.from.nj_at_gmail.com
> >>>
> >>
> >>
> >>
> >> --
> >> Regards,
> >>
> >> Joe Astorino CCIE #24347 (R&S)
> >> Sr. Technical Instructor - IPexpert
> >> Mailto: jastorino_at_ipexpert.com
> >> Telephone: +1.810.326.1444
> >> Live Assistance, Please visit: www.ipexpert.com/chat
> >> eFax: +1.810.454.0130
> >>
> >> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
> >> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security
> >> & Service Provider) Certification Training with locations throughout the
> >> United States, Europe and Australia. Be sure to check out our online
> >> communities at www.ipexpert.com/communities and our public website at
> >> www.ipexpert.com
> >>
> >>
> >>
> >
> >
> > --
> > Andrew Lee Lissitz
> > all.from.nj_at_gmail.com
> >
>

Received on Mon Oct 26 2009 - 08:58:51 ART

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART
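The point Andrew works out in the thread (a zone-pair between INSIDE and OUTSIDE does nothing for traffic to the router itself, because the built-in 'self' zone is permitted by default until it appears in a zone-pair) is easiest to see as a configuration. The following is an added example written for this archive page; it is not from the thread, from IPexpert, or from Cisco documentation. It assumes a router in R2's position with FastEthernet0/0 toward R1 and FastEthernet0/1 toward R3, a BGP peer at the placeholder address 192.0.2.3, and the zone, class-map, policy-map and ACL names shown, all of which are invented here.

```cisco
! Constructed example for R2 (not from the thread). Interface names,
! policy names and the 192.0.2.3 peer address are placeholders.
zone security INSIDE
zone security OUTSIDE
!
interface FastEthernet0/0
 description to R1 (inside)
 zone-member security INSIDE
interface FastEthernet0/1
 description to R3 (outside)
 zone-member security OUTSIDE
!
! --- Transit policy only. This is the shape of the configs quoted in the
! thread: INSIDE->OUTSIDE is inspected and the return traffic rides the
! session, but nothing here touches the 'self' zone, so telnet from R3
! to R2 itself still works and routing protocols stay up untouched.
class-map type inspect match-any CM-IN-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop log
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! --- Self-zone policy: the missing zone-pairs. Only OSPF and BGP from the
! outside peer may reach the router itself; everything else (telnet
! included) falls into class-default, which drops and logs it.
ip access-list extended ACL-OSPF
 permit ospf any any
ip access-list extended ACL-BGP-PEER
 permit tcp host 192.0.2.3 any eq bgp
!
class-map type inspect match-all CM-OUT-SELF-OSPF
 match access-group name ACL-OSPF
class-map type inspect match-all CM-OUT-SELF-BGP
 match access-group name ACL-BGP-PEER
 match protocol tcp
!
policy-map type inspect PM-OUT-SELF
 class type inspect CM-OUT-SELF-OSPF
  pass
 class type inspect CM-OUT-SELF-BGP
  inspect
 class class-default
  drop log
zone-pair security ZP-OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
!
! 'pass' is stateless, so OSPF must be permitted in the self->OUTSIDE
! direction as well, and the router's own TCP/UDP/ICMP (pings, BGP it
! initiates) is inspected so replies are allowed back in.
class-map type inspect match-all CM-SELF-OUT-OSPF
 match access-group name ACL-OSPF
class-map type inspect match-any CM-SELF-OUT-INSPECT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-SELF-OUT
 class type inspect CM-SELF-OUT-OSPF
  pass
 class type inspect CM-SELF-OUT-INSPECT
  inspect
 class class-default
  drop log
zone-pair security ZP-SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-OUT
```

Two things to check after applying this. First, `show zone security` and `show zone-pair security` confirm which interfaces sit in which zone and that a zone-pair with `destination self` (and `source self`) now exists; if no zone-pair names `self`, router-destined traffic is still unfiltered regardless of how strict the transit policy is. Second, `show policy-map type inspect zone-pair ZP-OUT-SELF` shows per-class counters, so a telnet attempt from R3 that fails should be visible as class-default drops while the OSPF and BGP classes keep matching; `show policy-map type inspect zone-pair sessions` lists the inspected sessions. Note that inspection in the self zone is limited to a small set of protocols (TCP, UDP and ICMP among them), which is why OSPF, an IP protocol of its own, is handled with `pass` in both directions rather than `inspect`, and why a self->OUTSIDE class-default of `drop` needs an explicit class for traffic the router originates, or the router's own pings and outbound BGP sessions will be dropped too.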