Hi Dave,

As per my observation, once you add the interface to the zone the transit
traffic will not flow through.
You can actually see this in the router by using debug ip packet detail. You
can see the packets dropped due to inspect.
Remember to use no ip cef to see the transit traffic. If the traffic is still
going, it must be an issue with the code. It's not necessary to create a zone pair.
For the self zone you can communicate with the router; you need to create a self zone
pair to deny the traffic.

Regards,
Imran

On Sat, Oct 24, 2009 at 9:57 PM,
<[email protected]>wrote:

>
> Today's Topics:
>
>   1. Re: LAb2A Zone Based Firewall (Jamie Brogdon)
>   2. Re: EZ VPN on IOS (Shawn Mesiatowsky)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 24 Oct 2009 12:06:12 -0400
> From: "Jamie Brogdon" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] LAb2A Zone Based Firewall
> To: "'Paul Stewart'" <[email protected]>,     "'Mack, David A \(Dave\)'"
>        <[email protected]>
> Cc: [email protected]
> Message-ID: <bb59abdf247a42048885d2983f8c2...@jbroglaptop2>
> Content-Type: text/plain; charset="us-ascii"
>
> Paul,
>
>
>
> What code are you running on your routers? We may want to match and see if
> the issue follows, since we have seen a couple anomalies on 12.4(15)T1.
>
>
>
> Thanks,
> Jamie Brogdon, CCIE #6541 (SP and R&S) / JNCIE-M #381
> Verizon Telecom, IP Networks
>
>
>
>  _____
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Paul
> Stewart
> Sent: Saturday, October 24, 2009 11:59 AM
> To: Mack, David A (Dave)
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] LAb2A Zone Based Firewall
>
>
>
> Interesting.  I would always make sure the "ip inspect log drop-pkt" is
> running.  It is your best friend with cbac or zfw.  That will usually
> tell you why things aren't passing.  With a cursory glance at your
> configuration, I'm not sure why counters weren't incrementing.  I would
> definitely add the command above.  Many times, it will give you clues as to
> why something is being dropped.  Post back and let us know what the issue
> was.
>
> On Sat, Oct 24, 2009 at 11:44 AM, Mack, David A (Dave) <[email protected]>
> wrote:
>
> Paul,
>
>    Thanks for the quick reply! So to get to this point, I originally did have
> zone pairs and service policies. In fact, they were the ones in the PG.
> However, I could not see the counters increment as traffic passed nor
> disallowed traffic drop. In the process of debugging I wanted to at least see
> the default behavior, and that is what got me to this point.
>
> This is what I started with:
>
> class-map type inspect match-all IN->OUT-ICMP-REPLY
>  match access-group name IN->OUT
> class-map type inspect match-any IN->OUT-PROTO
>  match protocol ssh
>  match protocol http
>  match protocol https
>  match protocol dns
>  match protocol smtp
>  match protocol bootps
> class-map type inspect match-all IN->OUT-ICMP
>  match access-group name ICMP
> class-map type inspect match-all OUT-IN
>  match access-group name FW-IN
> !
> !
> policy-map type inspect FW-OUT->IN
>  class type inspect OUT-IN
>  pass
>  class class-default
>  drop
> policy-map type inspect FW-IN->OUT
>  class type inspect IN->OUT-PROTO
>  inspect
>  class type inspect IN->OUT-ICMP
>  inspect
>  class type inspect IN->OUT-ICMP-REPLY
>  pass
>  class class-default
>  pass
> !
> zone security INSIDE
> zone security OUTSIDE
>
> zone-pair security IN->OUT source INSIDE destination OUTSIDE
>  service-policy type inspect FW-IN->OUT
> zone-pair security OUT->IN source OUTSIDE destination INSIDE
>  service-policy type inspect FW-OUT->IN
>
>
>
> ip access-list extended FW-IN
>  permit icmp any any echo
>  permit icmp any any unreachable
>  permit udp host 9.9.156.9 eq ntp host 7.7.7.7 eq ntp
>  permit tcp host 9.9.156.9 gt 1024 host 9.9.156.7 eq bgp
>  permit tcp host 9.9.156.9 eq bgp host 9.9.156.7 gt 1024
> ip access-list extended ICMP
>  permit icmp any any echo
> ip access-list extended IN->OUT
>  permit icmp any any echo-reply
>
>
>
> So at this point I am wondering if ZBFW is totally broken with the HW/SW I am
> running?
>
>
>
> Thanks!
> Dave
>
> ______________________________________________________________
> David A. Mack                              (703) 391-7787 (W)
> CCIE #6963 (SP and R&S) JNCIE-M #399 CISSP (703) 431-7617 (C)
> email:  [email protected]
> ______________________________________________________________
> "We are now the knights who say... Ping!"
>
>  _____
>
> From: Paul Stewart [mailto:[email protected]]
> Sent: Saturday, October 24, 2009 11:37 AM
> To: Mack, David A (Dave)
> Cc: [email protected]
> Subject: RE: LAb2A Zone Based Firewall
>
> Dave,
>
> I can certainly see your confusion.  However, I think that if you just bind
> the zones to the interface it will still permit traffic as you indicated.  I
> think you would have to create a zone-pair and quite possibly even add a
> service-policy before the default behavior changes to the implicit deny.
> Last night, I was working around with communications to the "self" zone and
> I found that to be the case.  HTH, and anyone please correct my thinking if
> I am incorrect.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 24 Oct 2009 10:26:32 -0600
> From: Shawn Mesiatowsky <[email protected]>
> Subject: Re: [OSL | CCIE_Security] EZ VPN on IOS
> To: Paul Stewart <[email protected]>
> Cc: "[email protected]"
>        <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> If you want that type of control you should use an ASA as a
> termination point for the VPN. You can specify to allow NEM in a group
> policy. As well, users should never have the pass key available to
> them. You should be creating a deployment installation file that
> already contains the config.
>
> Sent from my iPod
>
> On Oct 23, 2009, at 8:03 PM, Paul Stewart <[email protected]> wrote:
>
> > If I define a split tunnel acl on my router, the ASA only seems to
> > honor the "remote" side when it builds the SA.  The IOS inserts the
> > SA into the SADB.  Regardless of what you do, it seems to insert the
> > inside interface of the ASA.  So in theory I could set up an easy VPN
> > with intention on it being used in client mode, or on a pc.  A user
> > could pick up an ASA and configure it to connect in "network
> > extension mode".  In which case, I have unauthorized SA's being
> > added to my router unless I'm missing something (which I probably
> > am).  It just seems that you could restrict EZ VPN on the router to
> > client or nem.  It also seems that there would be some way to define
> > what are permitted remote networks from the perspective of the IOS
> > based EZ VPN Server.  Like I said, I am probably missing something.
> >
> > On Thu, Oct 22, 2009 at 11:30 PM, Tyson Scott <[email protected]>
> > wrote:
> > Your split tunnel list should be able to define what networks you
> > will allow in.
> >
> >
> >
> > Regards,
> >
> >
> >
> > Tyson Scott - CCIE #13513 R&S, Security, and SP
> >
> > Technical Instructor - IPexpert, Inc.
> >
> >
> > Telephone: +1.810.326.1444
> > Cell: +1.248.504.7309
> > Fax: +1.810.454.0130
> > Mailto:  [email protected]
> >
> >
> >
> > Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
> >
> >
> >
> > IPexpert - The Global Leader in Self-Study, Classroom-Based, Video
> > On Demand and Audio Certification Training Tools for the Cisco CCIE
> > R&S Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice
> > Lab and CCIE Storage Lab Certifications.
> >
> >
> >
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Paul
> > Stewart
> > Sent: Thursday, October 22, 2009 10:07 PM
> > To: [email protected]
> > Subject: [OSL | CCIE_Security] EZ VPN on IOS
> >
> >
> >
> > I have been messing around with EZ VPN and various configurations.
> > With the EZ VPN client in NEM, it inserts the SA's into my router as
> > expected.  My question is: is there a way on the router acting as an
> > EZ VPN Server to restrict what SA's can be inserted by an EZ VPN
> > client in network extension mode?  Just thinking there must be a way
> > to prevent NEM from the server, or restrict the SA's that can be
> > automatically created on the server by the client.  I think there is
> > a group-policy for this on the ASA (like nem disable), but I am
> > overlooking something similar on the router platform.  If anyone
> > knows how this is done, let me know.  If not, I'll post back when I
> > figure it out.
> >
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training,
> > please visit www.ipexpert.com
>
> End of CCIE_Security Digest, Vol 40, Issue 74
> *********************************************
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
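Added example, not from the thread and not Cisco code: a small Python model of the documented IOS ZBFW default rules the thread is arguing over (same zone passes; a zoned interface to an unzoned one drops; different zones drop until a zone-pair carries a policy; the self zone stays open until a self zone-pair is configured). The interface names and walkthrough steps are constructed; the zone and policy names follow Dave's config.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SELF = "self"  # the router's own zone, always present on IOS

@dataclass
class Zbfw:
    # interface -> zone; an interface absent here is not a zone member
    members: Dict[str, str] = field(default_factory=dict)
    # (source zone, destination zone) -> action of the attached policy
    # ("inspect", "pass" or "drop"), or None if no service-policy is attached
    zone_pairs: Dict[Tuple[str, str], Optional[str]] = field(default_factory=dict)

    def zone_of(self, ifname: str) -> Optional[str]:
        return self.members.get(ifname)

    def verdict(self, src: Optional[str], dst: Optional[str]) -> str:
        """Fate of a new flow from zone src to zone dst (None = unzoned)."""
        if src == dst:
            return "pass"            # same zone, or both unzoned: ZBFW stays out
        if (src, dst) in self.zone_pairs:
            action = self.zone_pairs[(src, dst)]
            return action or "drop"  # zone-pair without a policy drops
        if SELF in (src, dst):
            return "pass"            # self zone is open until a self zone-pair exists
        return "drop"                # different zones, or one side unzoned: implicit deny

def walkthrough() -> Dict[str, str]:
    """Replays the thread's situation step by step; values are the model's output."""
    fw = Zbfw(members={"Gi0/0": "INSIDE", "Gi0/1": "OUTSIDE"})  # constructed interfaces
    inside, outside = fw.zone_of("Gi0/0"), fw.zone_of("Gi0/1")
    out: Dict[str, str] = {}
    out["zones only"] = fw.verdict(inside, outside)          # drop
    out["unzoned to INSIDE"] = fw.verdict(None, inside)      # drop
    fw.zone_pairs[(inside, outside)] = None
    out["pair, no policy"] = fw.verdict(inside, outside)     # drop
    fw.zone_pairs[(inside, outside)] = "inspect"             # FW-IN->OUT attached
    out["pair with inspect"] = fw.verdict(inside, outside)   # inspect
    out["OUTSIDE to router"] = fw.verdict(outside, SELF)     # pass
    fw.zone_pairs[(outside, SELF)] = "drop"
    out["self pair drop"] = fw.verdict(outside, SELF)        # drop
    return out

if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:20s} -> {result}")
```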
