Thanks for the tip, Tyson. I'll check that out.
As a side point, this ZBF thing really seems to have killed my router
(1801). 2 minutes of a BitTorrent download* and the thing just
stops communicating with the internet altogether. Can't ping, nada.
Reboot required. Very weird, and not very comforting given I just
recommended this to a customer.
*Naturally I'm downloading a Linux distro or something else that's legal.
On 15/02/2011 21:24, Tyson Scott wrote:
> Looks like a great document but what I stated below isn't in there either.
>
> Remember to use "ip inspect log drop-pkt" so you can see why protocols
> are being dropped, Paul.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Chris Proctor
> Sent: Tuesday, February 15, 2011 2:33 PM
> To: ccielab_at_groupstudy.com
> Subject: Re: zone security - part 2
>
> I don't know if this has been mentioned before but I just found this
> document and I have found it to be really useful.
>
> http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
>
> On 2/14/2011 8:41 AM, Paul Cocker wrote:
>> Ah! Thanks Tyson, weird that the context-sensitive help encourages
>> impossible configs. I guess it's a reminder for me to re-read the Doc CD
>> etc.
>>
>> much appreciated.
>> Paul
>>
>> On 14/02/2011 13:38, Tyson Scott wrote:
>>> ZBF only supports TCP/UDP/ICMP protocols for inspection. You must use the
>>> pass option for all other IP-based protocols.
>>>
>>> Regards,
>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> Radioactive Frog
>>> Sent: Monday, February 14, 2011 3:45 AM
>>> To: Paul Cocker
>>> Cc: ccielab_at_groupstudy.com
>>> Subject: Re: zone security - part 2
>>>
>>>> Apparently the only thing that works is passing (ie not inspecting) GRE
>>>> traffic in both directions (and also having a pass or inspect rule for the
>>>> 1723 TCP traffic).
>>>
>>> That is normal, not sure what your issue is.
>>> GRE and port 1723 need to be open for PPTP.
>>>
>>>
>>> On Mon, Feb 14, 2011 at 8:20 AM, Paul Cocker <paul.cocker_at_gmx.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Just trying to understand why the following happens.
>>>>
>>>> Trying to get a PPTP Windows client to VPN through a zone-based
>>>> firewall.
>>>>
>>>> I have an inspect for all traffic from that host; that doesn't work.
>>>>
>>>> Tried the inspect pptp option; that doesn't work.
>>>>
>>>> Apparently the only thing that works is passing (ie not inspecting) GRE
>>>> traffic in both directions (and also having a pass or inspect rule for the
>>>> 1723 TCP traffic).
>>>>
>>>> Any ideas? Or just a bad implementation by Cisco of their inspect pptp
>>>> and inspect gre on the ZBF?
>>>>
>>>> Paul
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
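An added example, not a config from anyone in this thread, of the ZBF policy the replies describe: inspect the TCP/1723 PPTP control channel, pass GRE in both directions because ZBF cannot inspect it, and log drops. The zone, ACL, class-map and policy-map names, the interfaces, and the VPN server address 203.0.113.10 are all assumed.

```cisco
! Added example, not the thread's own config: ZBF policy for a PPTP client inside
! reaching an assumed VPN server at 203.0.113.10. Zone, ACL, class-map and
! policy-map names and the interfaces are assumed.
!
! Log why the firewall drops a packet (the command Tyson recommends above).
ip inspect log drop-pkt
!
! GRE (IP protocol 47) cannot be inspected by ZBF, so it is matched by ACL and passed.
ip access-list extended ACL-GRE-PPTP
 permit gre any host 203.0.113.10
 permit gre host 203.0.113.10 any
!
class-map type inspect match-all CM-PPTP-CTRL
 match protocol pptp
class-map type inspect match-all CM-GRE
 match access-group name ACL-GRE-PPTP
!
! Inside -> outside: inspect the TCP/1723 control channel, pass GRE statelessly.
policy-map type inspect PM-IN-OUT
 class type inspect CM-PPTP-CTRL
  inspect
 class type inspect CM-GRE
  pass
 class class-default
  drop log
!
! Outside -> inside: pass is stateless, so GRE must be explicitly allowed back in too;
! the ACL limits this to the known VPN server rather than any GRE source.
policy-map type inspect PM-OUT-IN
 class type inspect CM-GRE
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
!
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
```

After bringing the tunnel up, `show policy-map type inspect zone-pair sessions` shows the inspected 1723 session and the pass counters for GRE, and the drop-pkt log lines show anything the class-default still rejects.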
Received on Tue Feb 15 2011 - 23:41:34 ART
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART