RE: Zone based firewall - show commands and verification,

From: Ryan West <rwest_at_zyedge.com>
Date: Mon, 26 Oct 2009 10:04:39 -0400

Anantha,

I got mine four years ago, so the direction has changed a bit since then. The
CCSP then was very SAFE blueprint centric and that was the beast of the exams
you had to take at the time. When I took it, I used the training materials
from the class (knowledge net, I think), Cisco Press, and the SAFE blueprint
docs. I know those are pretty broad strokes, I'll see what I can dig up
though.

-ryan

From: Anantha Subramanian Natarajan [mailto:anantha.natarajan_at_gravitant.com]
Sent: Monday, October 26, 2009 9:59 AM
To: Ryan West
Cc: Johnny B CCIE; Cisco certification
Subject: Re: Zone based firewall - show commands and verification, couple of
questions

Hi Ryan and All,

  Sorry for this off-topic question, and also for taking this thread as an
opportunity for the same. Ryan, it seems as per your response below, you
are pursuing or have finished CCSP, and I am pursuing CCSP in the near future.
Can you please share your experience and mention the materials you used for
the same.

Also, any specific forums like groupstudy, if you used them for CCSP.

Thanks

Regards
Anantha Subramanian Natarajan
On Sun, Oct 25, 2009 at 8:40 PM, Ryan West <rwest_at_zyedge.com> wrote:
no sysopt connection permit-vpn? L2L tunnels by default allow the traffic to
flow through unfiltered between interesting-traffic ACLs. If you turn off
sysopt you need to allow that traffic through the outside ACL. It's funny
though, an instructor during a class for the CCSP told me that I couldn't do
that with the command listed above; shouldn't believe everything you hear.

I'm not following what you mean by 'on the firewall'. Is that the large
security risk for you?

-ryan
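Ryan's point above in configuration form. This is an added example, not configuration posted by anyone in this thread; the subnets, host addresses, ACL names and crypto map name are assumed for illustration.

```cisco
! ASA example (added here; names and addresses are assumed, not from the thread).
!
! Default behaviour: decrypted L2L traffic bypasses the outside interface ACL
! because 'sysopt connection permit-vpn' is on. The only filter is then the
! crypto map's interesting-traffic ACL, which selects what gets encrypted.
! Turn the bypass off so decrypted traffic is checked by the interface ACL:
no sysopt connection permit-vpn
!
! Interesting-traffic ACL for the tunnel (unchanged by the sysopt change).
! 10.1.0.0/16 = this site, 10.2.0.0/16 = remote site (assumed values).
access-list VPN-TO-REMOTE extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-REMOTE
!
! With sysopt off, the outside ACL now decides which decrypted flows are
! allowed in. Permit only what the remote site legitimately needs; the
! explicit deny-log line makes unexpected flows visible in syslog.
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 445
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.0.10 eq 3389
access-list OUTSIDE_IN extended permit icmp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! IKE (UDP 500/4500) and ESP terminate on the ASA itself. Interface ACLs
! filter through-the-box traffic only, so nothing above is needed for the
! tunnel itself to come up.
!
! Verification:
!   show running-config sysopt      confirm the 'no' form is present
!   show access-list OUTSIDE_IN     hitcnt on the permit lines grows as
!                                   remote-site traffic arrives; hitcnt on
!                                   the deny line shows what is now blocked
!   show crypto ipsec sa            #pkts decaps keeps increasing, proving the
!                                   tunnel is unaffected by the ACL change
```

The check that matters after the change is the deny line's hit count: if it climbs while the tunnel is up, the remote site is sending something the old bypass silently allowed.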

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Johnny B CCIE
Sent: Sunday, October 25, 2009 1:00 AM
To: Cisco certification
Subject: Re: Zone based firewall - show commands and verification, couple of
questions

Have you ever wondered why a firewall has traditionally had very
limited capabilities? If you are on the firewall where are you allowed
to get to in terms of Outside, Inside, and DMZs? Now take the same
concept to the Router with Zone-Based Firewall Configuration.

That's my thoughts until someone can tell me different and prove it.
It is one of the reasons I have concerns with making a Firewall such
as a PIX or an ASA also do double duty as a VPN. Maybe someone will
show us a better way.

On Sun, Oct 25, 2009 at 12:29 AM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> Joe, you rock man. All the help you and others have given me has been
> great. I think I am decent with this now ...
>
> Thanks for the link.
>
> My challenge for a while now has been how to restrict traffic to the
> router.
>
> Using zone-based FW, you can stop traffic going through the router or
> through the zones you create ... pretty cool. Your example and most that I
> have seen include a similar config, and you do a nice job of making it clear
> and easy to understand. Thanks.
>
> But in using these configs, you do not list the built-in zone 'self'. So
> everything will still come and go to and from the router 'itself' as if
> there is no FW ... because there is not ... not yet.
>
> If you create another zone-pair and include the self zone, you can then get
> granular with what you want to limit to and from the router. You hinted at
> this before when you mentioned the self zone. Thanks.
>
> In fact, you can create quite a few zone-pairs, policy-maps, and class-maps
> ... quite a bit of flexibility.
>
> The reason I stayed with this is that when you are installing a router at a
> customer, you are likely going to configure the firewall for access to the
> router as well. You can use access lists for direct router access, but
> these may circumvent your security depending on whether these are set for in
> or outbound. A possible 'gotcha', although even with this said, I like ACLs.
>
>
> HTH and many thanks Joe, Anantha, and team!
>
> Andrew
>
>
>
>
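A concrete version of the self-zone point Andrew makes above, which also covers the class-default behaviour and the show commands asked about in the original post further down. This is an added example, not configuration from any poster or from the linked blog posts; the interface names, the peer and management-host addresses and all zone, class-map, policy-map and ACL names are assumed.

```cisco
! IOS Zone-Based Firewall: added example; names and addresses are assumed.
!
! Two user-defined zones for through traffic. The router itself is the
! built-in 'self' zone and is never declared.
zone security INSIDE
zone security OUTSIDE
!
interface FastEthernet0/0
 description to R3 (outside world)
 zone-member security OUTSIDE
interface FastEthernet0/1
 description inside LAN
 zone-member security INSIDE
!
! ---- Through traffic ----
! INSIDE -> OUTSIDE is inspected. No OUTSIDE -> INSIDE zone-pair exists, so
! unsolicited traffic in that direction is dropped: between two different
! zones, no zone-pair means deny.
class-map type inspect match-any CM-IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! class-default already drops silently; 'drop log' just makes it visible.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop log
!
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! ---- Traffic to the router itself (OUTSIDE -> self) ----
! Until a zone-pair names 'self', everything to and from the router is
! permitted, which is why telnet from R3 and the OSPF/BGP adjacencies kept
! working with only the INSIDE/OUTSIDE policy in place. Once this zone-pair
! exists, anything not matched below lands in class-default and is dropped.
!
! 203.0.113.2 = BGP peer, 192.0.2.10 = management host (assumed values).
! Both BGP directions are listed because 'pass' is stateless.
ip access-list extended ACL-ROUTING
 permit ospf any any
 permit tcp host 203.0.113.2 any eq bgp
 permit tcp host 203.0.113.2 eq bgp any
!
ip access-list extended ACL-MGMT
 permit tcp host 192.0.2.10 any eq 22
!
class-map type inspect match-all CM-ROUTING
 match access-group name ACL-ROUTING
class-map type inspect match-all CM-MGMT
 match access-group name ACL-MGMT
 match protocol tcp
!
! Routing traffic is passed (stateless). SSH from the management host is
! inspected: generic TCP/UDP/ICMP inspection is supported for the self zone.
! Telnet from R3, and everything else, hits class-default and is dropped.
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-ROUTING
  pass
 class type inspect CM-MGMT
  inspect
 class class-default
  drop log
!
zone-pair security ZP-OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
!
! No self -> OUTSIDE zone-pair is defined, so router-originated traffic
! (OSPF hellos, BGP SYNs, replies to the passed routing traffic) is still
! permitted by default in that direction.
!
! Verification:
!   show zone security                   zones and their member interfaces
!   show zone-pair security              pairs and the policies attached
!   show policy-map type inspect zone-pair ZP-OUT-SELF
!                                        per-class match/drop counters; a
!                                        telnet attempt from R3 should bump
!                                        the class-default drop counter
!   show policy-map type inspect zone-pair sessions
!                                        live inspected sessions (the SSH
!                                        session from 192.0.2.10)
!   show ip ospf neighbor                routing must still be up after the
!   show ip bgp summary                  self-zone policy is applied
! 'drop log' emits %FW-6-DROP_PKT syslog lines for each dropped packet.
```

The test sequence that settles Andrew's question 2a is: apply only the INSIDE/OUTSIDE zone-pair, confirm telnet from R3 still works, then add ZP-OUT-SELF and watch the same telnet attempt show up as a class-default drop in the zone-pair counters while the OSPF and BGP neighbours stay up.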
> On Sat, Oct 24, 2009 at 9:58 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>
>> Hey dude,
>>
>> We have a blog up on zone-based firewall you may find interesting! I hope
>> it helps you out : )
>>
>>
>>
>> http://blog.ipexpert.com/2009/09/20/ios-zone-based-firewall-overview-for-ccie-routing-and-switching-40-candidates/
>>
>>
>> On Sat, Oct 24, 2009 at 8:32 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>
>>> Never mind ... I have something misconfigured. I just noticed that I am
>>> somehow allowing other traffic in ...
>>>
>>>
>>> On Sat, Oct 24, 2009 at 8:29 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>>
>>>> Many thanks. The ppt you provide does a very good job at explaining
>>>> everything. I also like the config examples at the end.
>>>>
>>>> Odd thing is that I can still telnet to the router from other 'outside'
>>>> routers and OSPF / BGP stays up OK. I have been able to block everything
>>>> from the outside to the inside though. That much is cool.
>>>>
>>>> I figured that once I applied the security zones, this would be
>>>> sufficient to stop all 'outside' traffic; I would also expect all protocols
>>>> to go down until I added an access-list. Perhaps something I am missing.
>>>>
>>>> Many thanks
>>>>
>>>> Andrew
>>>>
>>>>
>>>>
>>>> On Sat, Oct 24, 2009 at 9:41 AM, Anantha Subramanian Natarajan <anantha.natarajan_at_gravitant.com> wrote:
>>>>
>>>>> Hi Andrew,
>>>>>
>>>>> The link below may explain what you are asking about the class
>>>>> class-default in the zone-based firewall:
>>>>>
>>>>>
>>>>>
http://blog.ioshints.info/2007/02/default-action-in-firewall-policy-maps.html
>>>>>
>>>>> Also I think you may like this presentation on the cisco website
>>>>>
>>>>>
>>>>>
>>>>> http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
>>>>>
>>>>> Thanks
>>>>>
>>>>> Regards
>>>>> Anantha Subramanian Natarajan
>>>>>
>>>>> On Fri, Oct 23, 2009 at 9:53 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>>>>
>>>>>> Hey team,
>>>>>>
>>>>>> I actually had to use more than 2 routers ... bummer. Super 'J' (Joe
>>>>>> Astorino) mentioned that you can modify the local 'self' zone, but I decided
>>>>>> to add another router to the mix. Here is the scenario:
>>>>>>
>>>>>> R1 - connected to a switch
>>>>>> R2 - connected to a switch
>>>>>> R3 - connected to a switch and pretending to be the outside world.
>>>>>>
>>>>>> Without a firewall, I can ping anywhere. I am using static routes for
>>>>>> routing.
>>>>>>
>>>>>> When I put up a firewall, I can now drop ICMP test traffic based on the
>>>>>> policy-map I configured. I can also toggle this on and off based on my
>>>>>> configs, so this is working.
>>>>>>
>>>>>> A couple of questions though, team, if you do not mind. I do not like the
>>>>>> doc CD on zone-based firewall ... IMO, it is a bit hard to follow the way it
>>>>>> is laid out.
>>>>>>
>>>>>> 1) For the zone pair, when it has you match the source security zone with
>>>>>> the destination, is this the same thing as the 'inside' interface and the
>>>>>> 'outside' interface? I think so, but just want to hear your perspective on
>>>>>> this, as it seems that there are some options related to the number of zones
>>>>>> and how one would choose to configure it. I am looking for some pointers
>>>>>> and insight ...
>>>>>>
>>>>>> 2) The traffic not defined should be placed into the class class-default and
>>>>>> the default action is to drop. Not sure if this is correct ... although the
>>>>>> docs mention this is the case. There should be a default 'catch-all' rule
>>>>>> that says drop ...
>>>>>> 2a) I am able to telnet to R2 from R3 ... even with the zone-based
>>>>>> firewall configs ... "me don't likely dis".
>>>>>>
>>>>>> 3) It appears you can have multiple parameter-maps ... one for each class in
>>>>>> the policy-map. Any thoughts on this?
>>>>>>
>>>>>> 3) Any good show commands for this? I want to configure this, test it or
>>>>>> observe it to make sure all is well.
>>>>>>
>>>>>> 4) For now ... I like CBAC better ... although this is most likely related
>>>>>> to me still learning this 'zoning out thing'. I liked using the inspect
>>>>>> commands and access lists. This was pretty simple for me to grasp. So much
>>>>>> to learn ...
>>>>>>
>>>>>> Lastly, if I do not know this well enough, then I might have to pass on this
>>>>>> section since I do not want to configure something that potentially breaks
>>>>>> another section.
>>>>>>
>>>>>> --
>>>>>> Andrew Lee Lissitz
>>>>>> all.from.nj_at_gmail.com
>>>>>>
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>>
Received on Mon Oct 26 2009 - 10:04:39 ART