I don't know if this has been mentioned before but I just found this
document and I have found it to be really useful.
On 2/14/2011 8:41 AM, Paul Cocker wrote:
> Ah! Thanks Tyson, weird that the context-sensitive help encourages
> impossible configs. I guess it's a reminder for me to re-read the doc CD
> etc.
>
> much appreciated.
> Paul
>
> On 14/02/2011 13:38, Tyson Scott wrote:
>> ZBF only supports TCP/UDP/ICMP protocols for inspection. You must
>> use the pass option for all other IP-based protocols.
>>
>> Regards,
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Radioactive Frog
>> Sent: Monday, February 14, 2011 3:45 AM
>> To: Paul Cocker
>> Cc: ccielab_at_groupstudy.com
>> Subject: Re: zone security - part 2
>>
>>>>>> Apparently the only thing that works is passing (i.e. not
>>>>>> inspecting) GRE traffic in both directions (and also having a pass
>>>>>> or inspect rule for the 1723/tcp traffic).
>>
>> That is normal, not sure what your issue is.
>> GRE + port 1723 need to be open for PPTP.
>>
>>
>> On Mon, Feb 14, 2011 at 8:20 AM, Paul Cocker<paul.cocker_at_gmx.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Just trying to understand why the following happens.
>>>
>>> Trying to get a PPTP Windows client to VPN through a zone-based
>>> firewall.
>>>
>>> I have an inspect for all traffic from that host; that doesn't work.
>>>
>>> Tried the inspect pptp option; that doesn't work.
>>>
>>> Apparently the only thing that works is passing (i.e. not inspecting)
>>> GRE traffic in both directions (and also having a pass or inspect rule
>>> for the 1723/tcp traffic).
>>>
>>> Any ideas? Or just a bad implementation by Cisco of their inspect pptp
>>> and inspect gre on the ZBF?
>>>
>>> Paul
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
-- Chris Proctor

Received on Tue Feb 15 2011 - 14:32:33 ART
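The ZBF configuration Tyson's answer implies (inspect the TCP 1723 control channel, pass GRE explicitly in both zone-pair directions), as an added example that is not from the original thread or from Cisco documentation; the zone names, interface names, ACL names and the server address 203.0.113.10 are assumptions.

```cisco
! Added example, not from the thread. Zone, interface and ACL names are assumed.
! Scoped to an assumed PPTP server 203.0.113.10 (documentation address) rather
! than "any", so the stateless GRE pass admits only the VPN peer's traffic.
ip access-list extended ACL-PPTP-CTRL
 permit tcp any host 203.0.113.10 eq 1723
ip access-list extended ACL-GRE-OUT
 permit gre any host 203.0.113.10
ip access-list extended ACL-GRE-IN
 permit gre host 203.0.113.10 any
!
class-map type inspect match-all CM-PPTP-CTRL
 match access-group name ACL-PPTP-CTRL
class-map type inspect match-all CM-GRE-OUT
 match access-group name ACL-GRE-OUT
class-map type inspect match-all CM-GRE-IN
 match access-group name ACL-GRE-IN
!
! Inside -> outside: TCP 1723 is stateful (inspect); GRE must be "pass"
! because ZBF inspects only TCP/UDP/ICMP.
policy-map type inspect PM-IN-OUT
 class type inspect CM-PPTP-CTRL
  inspect
 class type inspect CM-GRE-OUT
  pass
 class class-default
  drop log
!
! Outside -> inside: "pass" creates no session, so the returning GRE
! needs its own explicit pass; nothing else is opened.
policy-map type inspect PM-OUT-IN
 class type inspect CM-GRE-IN
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security ZP-OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

With this in place, `show policy-map type inspect zone-pair sessions` lists the TCP 1723 session but no GRE entry, which is expected: pass is stateless, so the reverse zone-pair's own pass is what admits the returning tunnel traffic.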
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART