Re: Zone Based firewall comment

From: Chris Proctor <chris_at_cwproctor.net>
Date: Mon, 28 Feb 2011 08:38:04 -0500

I'm coming from an ASA/PIX command set mentality for firewalls. I
don't see for the life of me why I have to specify each and every
inspect and ACL pairing instead of the "global policy" setup like on the
ASA.

It really does feel like Dante's trip through hell. Everything is
nested and recursing through potentially thousands of lines of config.

I'd like to know how to do the following (example):

permit access-group inside
match protocol http
match protocol ssh
match protocol telnet
match protocol snmp
match protocol ftp
match protocol icmp
match protocol tcp
match protocol udp
inspect with best inspector for protocol

Can this be done without using more than one class?

Thanks!

On 2/28/2011 6:56 AM, imran ali wrote:
>
>
> On Mon, Feb 28, 2011 at 9:44 AM, Chris Proctor <chris_at_cwproctor.net> wrote:
>
> Well, after beating my head against this for a while I have come to
> three conclusions (call it venting if you will):
> 1.) Security zones are cool
> 2.) Inspect maps are overly complex pieces of crap
>
> Can't agree with you here. Did you study the Cisco doc first before jumping
> to any vendor book?
>
> 3.) Specialized inspect maps are even bigger pieces of crap
>
> Partially agree with you.
>
> I find myself hoping they won't get too carried away with this
> subject. Working out all of the possible regexes, etc., and nesting
> of relationships could easily take me 20 hours for a complex
> enough configuration. Can anyone tell me if I'm wasting my time
> going through the lower levels of hell here?
>
> --
> Chris Proctor
>
>
> --
> This message was scanned by ESVA and is believed to be clean.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Chris Proctor
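A worked IOS Zone-Based Firewall configuration for the case the message above describes (one class covering a list of protocols, with the router choosing the appropriate inspection for each). This is added here as an illustration and is not part of the original message or of Cisco's documentation; the interface names, zone names, class and policy names, the ACL name INSIDE-HOSTS and the 10.0.0.0/8 address range are assumptions made for the example.

```cisco
! Added example, not from the original post.  Interface, zone, class, policy
! and ACL names below are assumptions for illustration.
!
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN (assumed interface)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN (assumed interface)
 zone-member security OUTSIDE
!
! One match-any class: traffic matching ANY listed protocol belongs to it.
! Application protocols are listed ahead of the generic tcp/udp entries so
! that protocol-specific inspection (for example the FTP data channel) is
! applied instead of plain L4 session tracking.
class-map type inspect match-any PROTOS-ALLOWED
 match protocol http
 match protocol ssh
 match protocol telnet
 match protocol snmp
 match protocol ftp
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! Optional: restrict the class to particular sources, as an ASA access-group
! would.  ANDing an ACL with the protocol list requires nesting, so this
! variant needs a second (match-all) class; without the ACL, PROTOS-ALLOWED
! alone is the only class you need.
ip access-list extended INSIDE-HOSTS
 permit ip 10.0.0.0 0.255.255.255 any
!
class-map type inspect match-all INSIDE-HOSTS-PROTOS
 match access-group name INSIDE-HOSTS
 match class-map PROTOS-ALLOWED
!
! One policy with one inspect action.  "inspect" applies the stateful
! inspection that fits each matched protocol; there is no per-protocol
! policy line.  Everything else lands in class-default and is dropped and
! logged.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect INSIDE-HOSTS-PROTOS
  inspect
 class class-default
  drop log
!
! ZBF has no global policy; a policy is bound to one zone-pair and one
! direction.  Return traffic for inspected sessions is permitted by state,
! so no OUTSIDE->INSIDE zone-pair is needed for the replies.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
```

To use only one class, replace INSIDE-HOSTS-PROTOS in the policy-map with PROTOS-ALLOWED and drop the ACL and the match-all class. Two practitioner checks: keep the specific protocol entries (ftp, http, and so on) above the generic `match protocol tcp` / `match protocol udp` lines in a match-any class, otherwise traffic can be classified as generic TCP before the application inspector sees it; and confirm that sessions are actually being built with `show policy-map type inspect zone-pair IN-TO-OUT sessions`. If a second direction (say, OUTSIDE to a DMZ) is required, it gets its own zone-pair and service-policy, which is where the per-pair configuration the message complains about comes from.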
Received on Mon Feb 28 2011 - 08:38:04 ART

This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART