Because the redirect opens a new TCP session. A new TCP session means a new session is required through the firewall.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Sumit Mahla
Sent: Monday, May 10, 2010 2:47 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] WEBVPN traffic through the transparent firewall

I tried to configure the scenario. What I found was that if there is an ACL on the inside and outside interfaces of the transparent firewall, then on the inside interface we need both the HTTP and HTTPS ports to be open. The transparent firewall is not able to sense the HTTP redirection done by the WEBVPN ASA server, which is on the outside of the transparent firewall. Why does it not inspect the HTTP packet and automatically open an HTTPS hole in the ACL?

_____

From: [email protected]
To: [email protected]
Date: Tue, 11 May 2010 00:12:29 +0530
CC: [email protected]
Subject: [OSL | CCIE_Security] WEBVPN traffic through the transparent firewall

I mean to say: let's say there is a transparent firewall. On the inside is a client PC, and on the outside there is another ASA (routed mode) a couple of hops away; the second ASA is the WEBVPN server. When we initiate an HTTP request to ASA2, the HTTP redirect feature redirects the traffic to HTTPS. Now, the client on the transparent firewall ASA's inside interface initiated an HTTP request, so how would it maintain an HTTPS session state?

_____

From: [email protected]
To: [email protected]
Subject: RE: [OSL | CCIE_Security] DMVPN and ZONE Based
Date: Tue, 11 May 2010 00:06:15 +0530

OK. I was doing a MOCK lab. Does a transparent firewall maintain a session state table for HTTPS connections as well?

> Date: Mon, 10 May 2010 19:28:53 +0100
> Subject: Re: [OSL | CCIE_Security] DMVPN and ZONE Based
> From: [email protected]
> To: [email protected]
>
> Yes
>
> On 5/10/10, Sumit Mahla <[email protected]> wrote:
> >
> > Are you still online?
> >
> >> Date: Mon, 10 May 2010 19:01:43 +0100
> >> From: [email protected]
> >> To: [email protected]
> >> CC: [email protected]; [email protected]
> >> Subject: Re: [OSL | CCIE_Security] DMVPN and ZONE Based
> >>
> >> Hi Sumit,
> >> Have a look at this link:
> >> http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html
> >>
> >> HTH,
> >>
> >> On 5/5/10, Brandon Carroll <[email protected]> wrote:
> >> > The "self" zone is what gives you the capability of controlling traffic that is sent to the router, or the traffic the router generates. You can create a zone-pair that includes the "self" zone, and that will restrict traffic to or from the router itself. Otherwise the router is NOT restricted, and this applies to traffic that originates from the router as well as traffic that is sent to the router. In other words, the self zone is not treated like other zones. It is not required that you place the self zone in a zone pair. Once you do, you will then have to specify what traffic the router can and can't receive.
> >> >
> >> > Regards,
> >> >
> >> > Brandon Carroll - CCIE #23837
> >> > Senior Technical Instructor - IPexpert
> >> > Mailto: [email protected]
> >> > Telephone: +1.810.326.1444
> >> > Live Assistance, Please visit: www.ipexpert.com/chat
> >> > eFax: +1.810.454.0130
> >> >
> >> > On May 5, 2010, at 9:18 AM, Tyson Scott wrote:
> >> >
> >> >> Everything is a member of zone self. If traffic originates or terminates on the router, it is considered part of zone self.
> >> >>
> >> >> Regards,
> >> >>
> >> >> Tyson Scott - CCIE #13513 R&S, Security, and SP
> >> >> Technical Instructor - IPexpert, Inc.
> >> >>
> >> >> From: [email protected] [mailto:[email protected]] On Behalf Of Sumit Mahla
> >> >> Sent: Wednesday, May 05, 2010 12:07 PM
> >> >> To: [email protected]
> >> >> Cc: [email protected]
> >> >> Subject: Re: [OSL | CCIE_Security] DMVPN and ZONE Based
> >> >>
> >> >> As said by Brandon, interfaces which are part of a zone cannot communicate with interfaces that are not part of any zone.
> >> >>
> >> >> Let's take a scenario:
> >> >>
> >> >> Loop0 18.18.18.18/24 and Tunnel0 172.16.0.1/24 at R1 in DMVPN, with EIGRP 100 being used to advertise them,
> >> >>
> >> >> and
> >> >>
> >> >> Loop0 38.38.38.38/24 and Tunnel0 172.16.0.3/24 at R3 in DMVPN, with EIGRP 100 being used to advertise them.
> >> >>
> >> >> From R3 we can ping 18.18.18.18 source Loop0; it will ping.
> >> >>
> >> >> Now all the physical interfaces of router R3 are in one or the other zone. Then how come the traffic of the logical interfaces (loopback and tunnel) goes through the physical interface when the logical interfaces are not part of the zones?
> >> >>
> >> >> I know it works, but how?
> >> >>
> >> >> Please suggest.
> >> >>
> >> >> Date: Wed, 5 May 2010 21:13:09 +0530
> >> >> Subject: Re: [OSL | CCIE_Security] DMVPN and ZONE Based
> >> >> From: [email protected]
> >> >> To: [email protected]
> >> >> CC: [email protected]
> >> >>
> >> >> Sumit, I get your question now.
> >> >>
> >> >> Let's consider a router with interface G0/0. Any traffic coming to G0/0 from outside and going outside from G0/0 is self-zone traffic.
> >> >>
> >> >> Traffic from L0 or any other interface that comes/is routed through G0/0 and then moves out is not self-zone traffic. You need to put the interfaces in zones. If they are in two different zones, then you need a zone-pair. If they are in the same zone, no zone-pair is required.
> >> >>
> >> >> With regards
> >> >> Kings
> >> >>
> >> >> On Wed, May 5, 2010 at 8:49 PM, Kingsley Charles <[email protected]> wrote:
> >> >> Comments inline...
> >> >>
> >> >> On Wed, May 5, 2010 at 7:44 PM, Sumit Mahla <[email protected]> wrote:
> >> >> Kings,
> >> >>
> >> >> This is not my doubt. I will try to explain.
> >> >>
> >> >> Question 1:
> >> >>
> >> >> When we configure DMVPN on a router, we never configure the tunnel interface and the loopbacks which we have advertised in the routing protocol in any zone, so these would be termed self-zone traffic, meaning router-generated traffic. In that case, I read in the config guide that you need to create a zone pair for self zone to outside zone, but it works without doing this. I do not know why.
> >> >>
> >> >> Self-zone is nothing but the router. Any traffic from the router and to the router is considered self-zone traffic.
> >> >>
> >> >> An interface that is part of a zone can't communicate with interfaces that are not part of zones. If you need communication, then you should have all the interfaces in zones and apply policies.
> >> >>
> >> >> For the case of DMVPN or any VPN, you need to permit ESP and ISAKMP in the "out to self" zone pair. After decryption, they traverse across interfaces. There you need to add a zone pair for the interfaces and a policy for it.
> >> >>
> >> >> Question 2: This is more important to me.
> >> >>
> >> >> When we have a TEST PC in the Inside zone of the zone-based firewall and an Easy VPN server in the outside zone, then for IPsec traffic, do we need to pass the ESP and UDP 500 packets in both directions, or do we need to allow the entire IP protocol?
> >> >>
> >> >> What would be best in this situation?
> >> >>
> >> >> For the in-to-out zone-pair, you can put the pass action on class-default of the policy map. It will pass any traffic.
> >> >>
> >> >> or
> >> >>
> >> >> Add the following under the in-out zone-pair policy:
> >> >>
> >> >> access-list 123 permit esp any any
> >> >>
> >> >> class-map type inspect match-any esp
> >> >>  match access-group 123
> >> >>
> >> >> policy-map type inspect esp
> >> >>  class type inspect esp
> >> >>   pass
> >> >>
> >> >> Date: Wed, 5 May 2010 19:20:50 +0530
> >> >> Subject: Re: DMVPN and ZONE Based
> >> >> From: [email protected]
> >> >> To: [email protected]
> >> >> CC: [email protected]
> >> >>
> >> >> There is no restriction for traffic between interfaces that are in the same zone. If you define separate zones, then you need to add policies using a zone pair.
> >> >>
> >> >> (zone in) g0/1 ----- router ------ g0/0 (zone out)
> >> >>
> >> >> For Tunnel 0, let's create a GRE zone.
> >> >>
> >> >> access-list 123 permit gre any any
> >> >>
> >> >> class-map type inspect match-any gre
> >> >>  match access-group 123
> >> >>
> >> >> policy-map type inspect gre
> >> >>  class type inspect gre
> >> >>   pass
> >> >>
> >> >> zone-pair in - gre > policies to inspect traffic from inside
> >> >> zone-pair gre - in > class-default with pass action
> >> >> zone-pair gre - out > policy-map gre
> >> >> zone-pair out - gre > policy-map gre
> >> >>
> >> >> For your next question, ZFW inspects IP-based protocols like TCP, UDP, ICMP, etc. IPsec, GRE, multicast and broadcast packets can't be inspected by ZFW. For these, you need to add a separate class-map with the pass action in both directions, in-out and out-in.
> >> >>
> >> >> That's why we use IPsec over TCP when a firewall is in between: TCP will be inspected, and ISAKMP, which is over UDP 500, is also inspected.
> >> >>
> >> >> With regards
> >> >> Kings
> >> >>
> >> >> On Wed, May 5, 2010 at 6:28 PM, Sumit Mahla <[email protected]> wrote:
> >> >> And what if we want to allow IPsec VPN negotiation through a zone-based firewall?
> >> >>
> >> >> Do we need to pass the IP traffic, or ESP and UDP only?
> >> >>
> >> >> Kings, could you suggest?
> >> >>
> >> >> From: [email protected]
> >> >> To: [email protected]
> >> >> Subject: DMVPN and ZONE Based
> >> >> Date: Wed, 5 May 2010 17:55:55 +0530
> >> >>
> >> >> If implementing DMVPN on a router enabled for zone-based config, then do we require the loopbacks which are advertised in the routing protocol used in DMVPN to be configured in some zones?
> >> >>
> >> >> I mean, do the loopbacks and tunnel interface need to be members of any zone?
> >>
> >> --
> >> Best Regards,
> >>
> >> Tolulope.
>
> --
> Best Regards,
>
> Tolulope.
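Editor's added example, not a configuration posted by anyone in the thread: a complete IOS zone-based firewall configuration for the DMVPN spoke discussed above (R3 with an inside LAN, an outside link, Tunnel0 and Loop0). It puts together the points the thread makes separately: ISAKMP and ESP terminate on the router, so they are self-zone traffic and are passed, not inspected, in both directions between OUTSIDE and self; GRE and IPsec cannot be inspected, so they also get the pass action; Tunnel0 is placed in its own zone so that transit traffic from inside hosts can be inspected across it; and Loop0 is deliberately left out of every zone, because a loopback-sourced ping is router-originated (self) and the self zone stays unrestricted toward DMVPN as long as no self/DMVPN zone-pair exists. Interface numbers, zone names, ACL and policy names are assumptions.

```cisco
! --- Zones. Every transit interface joins a zone; Loop0 does not, because
! --- traffic sourced from a loopback is router-originated (self zone).
zone security INSIDE
zone security OUTSIDE
zone security DMVPN
!
interface GigabitEthernet0/1
 description LAN holding the TEST PC (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/0
 description Internet-facing link; ISAKMP/ESP from hub and spokes arrive here (assumed)
 zone-member security OUTSIDE
interface Tunnel0
 description mGRE tunnel carrying decrypted DMVPN traffic and EIGRP 100
 zone-member security DMVPN
!
! --- VPN control and data plane that terminates on the router itself.
! --- ISAKMP (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50) and the GRE
! --- seen after decryption cannot be inspected by ZFW, so they are passed.
ip access-list extended VPN-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any
!
class-map type inspect match-all VPN-TO-SELF
 match access-group name VPN-TO-SELF
!
policy-map type inspect VPN-SELF-POLICY
 class type inspect VPN-TO-SELF
  pass
 class class-default
  drop
!
! --- pass is one-directional, so the self zone needs a pair each way.
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect VPN-SELF-POLICY
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect VPN-SELF-POLICY
!
! --- Inside hosts crossing the tunnel are transit flows, not self traffic:
! --- INSIDE and DMVPN need a zone-pair, and TCP/UDP/ICMP can be inspected.
class-map type inspect match-any TRANSIT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect TRANSIT-POLICY
 class type inspect TRANSIT
  inspect
 class class-default
  drop
!
zone-pair security IN-DMVPN source INSIDE destination DMVPN
 service-policy type inspect TRANSIT-POLICY
zone-pair security DMVPN-IN source DMVPN destination INSIDE
 service-policy type inspect TRANSIT-POLICY
!
! --- No zone-pair joins self and DMVPN, so EIGRP hellos on Tunnel0 and
! --- "ping 18.18.18.18 source Loop0" (both router-originated) are allowed by
! --- the self zone's default permit. If a DMVPN<->self pair is ever added,
! --- EIGRP (IP protocol 88) and the GRE-carried NHRP must be passed in it.
```

Two caveats when adapting this. The class-default drop in VPN-SELF-POLICY also drops everything else the router itself sends to or receives from OUTSIDE (SSH, NTP, ICMP), so add classes for whatever management traffic the router needs. To confirm the behaviour, `show zone-pair security` lists the pairs, and `show policy-map type inspect zone-pair sessions` shows that the ping from Loop0 creates no session (it never traverses a configured pair), while a TCP connection from the TEST PC across the tunnel appears under IN-DMVPN.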
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
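Editor's added example, not a configuration posted in the thread: the ACLs a transparent-mode ASA needs for the WEBVPN case at the top of the thread. The client's first connection is TCP/80; the HTTP redirect travels inside that already-permitted connection, and the client then opens a second, independent TCP connection to port 443. A stateful firewall creates one connection entry per TCP session and does not read a redirect to pre-authorise a new one, so the inside ACL has to permit both ports explicitly. Reply packets for both sessions are matched by the existing connection entries and need no entry in the outside ACL. Interface names, the WEBVPN ASA address 203.0.113.10 (ASA2's outside address) and the inside subnet 192.168.1.0/24 are assumptions.

```cisco
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
! Inside -> WEBVPN ASA. The redirect to HTTPS starts a new TCP session, so
! port 443 needs its own line; permitting 80 alone breaks the login page.
access-list INSIDE-IN extended permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.10 eq www
access-list INSIDE-IN extended permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.10 eq https
access-list INSIDE-IN extended deny ip any any
access-group INSIDE-IN in interface inside
!
! Outside -> inside. Return traffic for both sessions matches the connection
! table, so nothing from the WEBVPN ASA has to be permitted here.
access-list OUTSIDE-IN extended deny ip any any
access-group OUTSIDE-IN in interface outside
```

After the browser follows the redirect, `show conn` on the transparent ASA lists two separate TCP connections from the client to 203.0.113.10, one to port 80 and one to port 443, which is the "new session required through the firewall" in the reply above. On ASA 8.4 and later, transparent-mode interfaces must additionally be placed in a bridge-group.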
