Ryan,
Awesome, thank you very much for sharing your experience.
Regards
Anantha Subramanian Natarajan
On Mon, Oct 26, 2009 at 9:04 AM, Ryan West <rwest_at_zyedge.com> wrote:
> Anantha,
>
>
>
> I got mine four years ago, so the direction has changed a bit since then.
> The CCSP then was very SAFE blueprint centric and that was the beast of the
> exams you had to take at the time. When I took it, I used the training
> materials from the class (knowledge net, I think), Cisco Press, and the SAFE
> blueprint docs. I know those are pretty broad strokes, I'll see what I can
> dig up though.
>
>
>
> -ryan
>
>
>
> *From:* Anantha Subramanian Natarajan [mailto:
> anantha.natarajan_at_gravitant.com]
> *Sent:* Monday, October 26, 2009 9:59 AM
> *To:* Ryan West
> *Cc:* Johnny B CCIE; Cisco certification
>
> *Subject:* Re: Zone based firewall - show commands and verification,
> couple of questions
>
>
>
> Hi Ryan and All,
>
>
>
> Sorry for this off topic question and also taking this thread as an
> opportunity for the same... Ryan, it seems as per your response below, you
> are pursuing or have finished CCSP and I am pursuing CCSP in the near
> future... can you please share your experience and mention
> the materials you used for the same.
>
>
>
> Also, any specific forums like groupstudy that you used for CCSP.
>
>
>
> Thanks
>
>
>
> Regards
>
> Anantha Subramanian Natarajan
>
> On Sun, Oct 25, 2009 at 8:40 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> no sysopt connection permit-vpn? L2L tunnels by default allow the traffic
> to flow through unfiltered between interesting traffic ACLs. If you turn
> off sysopt you need to allow that traffic through the outside ACL. It's
> funny though, an instructor during a class for the CCSP told me that I
> couldn't do that with the command listed above, shouldn't believe everything
> you hear.
>
> I'm not following what you mean by on the firewall, is the large security
> risk for you?
>
> -ryan
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Johnny B CCIE
> Sent: Sunday, October 25, 2009 1:00 AM
> To: Cisco certification
> Subject: Re: Zone based firewall - show commands and verification, couple
> of questions
>
> Have you ever wondered why a firewall has traditionally had very
> limited capabilities? If you are on the firewall where are you allowed
> to get to in terms of Outside, Inside, and DMZs? Now take the same
> concept to the Router with Zone-Based Firewall Configuration.
>
> Those are my thoughts until someone can tell me different and prove it.
> It is one of the reasons I have concerns with making a Firewall such
> as a PIX or an ASA also do double duty as a VPN. Maybe someone will
> show us a better way.
>
> On Sun, Oct 25, 2009 at 12:29 AM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> > Joe, you rock man. All the help you and others have given me has been
> > great. I think I am decent with this now ...
> >
> > Thanks for the link.
> >
> > My challenge has been for a while now, how to restrict traffic to the
> > router?
> >
> > Using zone based FW, you can stop traffic going through the router or
> > through the zones you create ... pretty cool. Your example and most that I
> > have seen include a similar config, and you do a nice job of making it
> > clear and easy to understand. Thanks.
> >
> > But in using these configs, you do not list the built-in zone 'self'. So
> > everything will still come and go to and from the router 'itself' as if
> > there is no FW ... because there is not ... not yet.
> >
> > If you create another zone-pair and include the self zone, you can then
> > get granular with what you want to limit to and from the router. You
> > hinted at this before when you mentioned the self zone. Thanks.
> >
> > In fact, you can create quite a few zone-pairs, policy-maps, and
> > class-maps ... quite a bit of flexibility.
> >
> > The reason I stayed with this, is that when you are installing a router
> > at a customer, you are likely going to configure the firewall for access
> > to the router as well. You can use access lists for direct router access,
> > but these may circumvent your security depending on if these are set for
> > in or outbound. A possible 'gotcha', although even with this said, I like
> > ACLs.
> >
> >
> > HTH and many thanks Joe, Anantha, and team!
> >
> > Andrew
> >
> >
> >
> >
> > On Sat, Oct 24, 2009 at 9:58 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
> >
> >> Hey dude,
> >>
> >> We have a blog up on zone-based firewall you may find interesting! I
> >> hope it helps you out : )
> >>
> >> http://blog.ipexpert.com/2009/09/20/ios-zone-based-firewall-overview-for-ccie-routing-and-switching-40-candidates/
> >>
> >>
> >> On Sat, Oct 24, 2009 at 8:32 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> >>
> >>> Never mind ... I have something misconfigured. I just noticed that I
> >>> am somehow allowing other traffic in ...
> >>>
> >>>
> >>> On Sat, Oct 24, 2009 at 8:29 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> >>>
> >>>> Many thanks. The ppt you provided does a very good job at explaining
> >>>> everything. I also like the config examples at the end.
> >>>>
> >>>> Odd thing is that I can still telnet to the router from other
> >>>> 'outside' routers and OSPF / BGP stays up ok. I have been able to block
> >>>> everything from the outside to the inside though. That much is cool.
> >>>>
> >>>> I figured that once I applied the security zones, that this would be
> >>>> sufficient to stop all 'outside' traffic. I would also expect all
> >>>> protocols to go down until I added an access-list. Perhaps something I
> >>>> am missing.
> >>>>
> >>>> Many thanks
> >>>>
> >>>> Andrew
> >>>>
> >>>>
> >>>>
> >>>> On Sat, Oct 24, 2009 at 9:41 AM, Anantha Subramanian Natarajan <anantha.natarajan_at_gravitant.com> wrote:
> >>>>
> >>>>> Hi Andrew,
> >>>>>
> >>>>> This below link may explain what you are asking for the class
> >>>>> class-default in the zone based firewall
> >>>>>
> >>>>> http://blog.ioshints.info/2007/02/default-action-in-firewall-policy-maps.html
> >>>>>
> >>>>> Also I think you may like this presentation on the cisco website
> >>>>>
> >>>>> http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
> >>>>>
> >>>>> Thanks
> >>>>>
> >>>>> Regards
> >>>>> Anantha Subramanian Natarajan
> >>>>>
> >>>>> On Fri, Oct 23, 2009 at 9:53 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> >>>>>
> >>>>>> Hey team,
> >>>>>>
> >>>>>> I actually had to use more than 2 routers ... bummer. Super 'J' (Joe
> >>>>>> Astorino) mentioned that you can modify the local 'self' zone, but I
> >>>>>> decided to add another router to the mix. Here is the scenario:
> >>>>>>
> >>>>>> R1 - connected to a switch
> >>>>>> R2 - connected to a switch
> >>>>>> R3 - connected to a switch and pretending to be the outside world.
> >>>>>>
> >>>>>> Without a firewall, I can ping anywhere. I am using static routes
> >>>>>> for routing.
> >>>>>>
> >>>>>> When I put up a firewall, I can now drop icmp test traffic based on
> >>>>>> the policy-map I configured. I can also toggle this on and off based
> >>>>>> on my configs, so this is working.
> >>>>>>
> >>>>>> A couple of questions though team, if you do not mind. I do not
> >>>>>> like the doc cd on zone based firewall ... imo, it is a bit hard to
> >>>>>> follow the way it is laid out.
> >>>>>>
> >>>>>> 1) for the zone pair, when it has you match the source security zone
> >>>>>> with the destination, is this the same thing as the 'inside' interface
> >>>>>> and the 'outside' interface? I think so, but just want to hear your
> >>>>>> perspective on this as it seems that there are some options related
> >>>>>> to the number of zones and how one would choose to configure it. I am
> >>>>>> looking for some pointers and insight ...
> >>>>>>
> >>>>>> 2) the traffic not defined should be placed into the class
> >>>>>> class-default and the default action is to drop. Not sure if this is
> >>>>>> correct ... although the docs mention this is the case. There should
> >>>>>> be a default 'catch-all' rule that says drop ...
> >>>>>> 2a) - I am able to telnet to R2 from R3 ... even with the zone
> >>>>>> based firewall configs ... "me don't likely dis".
> >>>>>>
> >>>>>> 3) It appears you can have multiple parameter-maps ... one for each
> >>>>>> class in the policy-map. Any thoughts on this?
> >>>>>>
> >>>>>> 3) Any good show commands for this? I want to configure this, test
> >>>>>> it or observe it to make sure all is well.
> >>>>>>
> >>>>>> 4) For now ... I like CBAC better ... although this is most likely
> >>>>>> related to me still learning this 'zoning out thing'. I liked using
> >>>>>> the inspect commands and access list. This was pretty simple for me
> >>>>>> to grasp. So much to learn ...
> >>>>>>
> >>>>>> Lastly, if I do not know this well enough, then I might have to pass
> >>>>>> on this section since I do not want to configure something that
> >>>>>> potentially breaks another section.
> >>>>>>
> >>>>>> --
> >>>>>> Andrew Lee Lissitz
> >>>>>> all.from.nj_at_gmail.com
> >>>>>>
> >>>>>>
> >>>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>>
> >>>>>> _______________________________________________________________________
> >>>>>> Subscription information may be found at:
> >>>>>> http://www.groupstudy.com/list/CCIELab.html
> >>>>>>
> >>>>>
> >>>>
> >>
> >>
> >>
> >> --
> >> Regards,
> >>
> >> Joe Astorino CCIE #24347 (R&S)
> >> Sr. Technical Instructor - IPexpert
> >> Mailto: jastorino_at_ipexpert.com
> >> Telephone: +1.810.326.1444
> >> Live Assistance, Please visit: www.ipexpert.com/chat
> >> eFax: +1.810.454.0130
> >>
> >> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
> >> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security
> >> & Service Provider) Certification Training with locations throughout the
> >> United States, Europe and Australia. Be sure to check out our online
> >> communities at www.ipexpert.com/communities and our public website at
> >> www.ipexpert.com
> >>
> >>
> >>
> >
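An added configuration example, not taken from any post in this thread, of what Andrew describes: a zone-pair that names the built-in self zone so traffic aimed at the router itself is policed, with class-default as the catch-all drop, plus the show commands asked about in question 3. Interface names, zone names and the choice of protocols the router accepts are assumptions for illustration.

```cisco
! Added example, not from the thread. The "self" zone is built in and is
! never declared; only the INSIDE and OUTSIDE zones are created here.
zone security INSIDE
zone security OUTSIDE
!
interface FastEthernet0/0
 description inside LAN (assumed interface)
 zone-member security INSIDE
interface FastEthernet0/1
 description toward R3, the "outside world" (assumed interface)
 zone-member security OUTSIDE
!
! What the router itself will accept from OUTSIDE: OSPF and ICMP only.
! Telnet is deliberately absent, so R3 can no longer reach the VTY lines.
ip access-list extended ACL-OSPF
 permit ospf any any
class-map type inspect match-all CM-OSPF
 match access-group name ACL-OSPF
class-map type inspect match-any CM-ICMP
 match protocol icmp
!
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-OSPF
! routing protocol: stateless "pass", it is not inspected
  pass
 class type inspect CM-ICMP
  pass
 class class-default
! the catch-all: anything else aimed at the router is dropped and logged
  drop log
!
! Zone-pairs are one-directional. Because "pass" keeps no session state, the
! router's own replies and OSPF hellos need a pair in the other direction too.
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect PM-OUT-TO-SELF
!
! Verification: zone membership, the pairs, and hit counters per class
show zone security
show zone-pair security
show policy-map type inspect zone-pair OUT-TO-SELF
show policy-map type inspect zone-pair OUT-TO-SELF sessions
```

Until a zone-pair that names self exists, traffic to and from the router itself is permitted regardless of the INSIDE/OUTSIDE policy, which is why the telnet from R3 still worked earlier in the thread; the class-default counters in the last show commands are where the dropped attempts become visible.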
Received on Mon Oct 26 2009 - 09:06:46 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART