ZBF questions

mocah
Level 1

I have a few Cisco routers with Zone Based Firewall configured. Mostly I have followed Cisco documentation and some web examples. Some ZBF rules are not very clear to me:

The router has 3 zones (Private, Internet and self).

1. Preventing IP Spoofing.

If I do not allow any traffic from the Internet zone to Private (the self zone allows only SSH connections from the Internet), do I have to configure IP spoofing prevention for the direction Internet -> Private or Internet -> self zone?

2. Network traffic from Self zone To private and vice-versa. Is it wise to allow all traffic to and from self zone to private zone?

3. What does ZBF check if

"parameter-map type inspect krneki
 audit-trail on
 alert on"

is configured?

Thank you and kind regards, Marko

Accepted Solution

bwilmoth
Level 5

1) No, there is no need to configure IP spoofing protection if all traffic is denied between the zones; however, if any kind of traffic is permitted then the protection is recommended. In your case IP spoofing protection is not required between the Internet and Private zones, but is required between the Self and Internet zones since SSH is allowed.

2) The type of traffic allowed depends on the security policy or the role for which the zone has been set up. If all traffic is required to be permitted then it is better to have only a single zone instead of two separate zones.

3) Parameter-map type inspect is used to configure an inspect type parameter map for connection thresholds, timeouts, and other parameters pertaining to the inspect action. The option "alert on" turns on Cisco IOS stateful packet inspection alert messages, and the option "audit-trail on" turns audit trail messages on.
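As an added example (not from the original post, and not Cisco's documentation), here is a configuration that puts the three answers above into practice: the two configured zones plus the built-in self zone, an Internet -> self pair that admits only SSH from non-spoofed sources, a Private -> Internet pair, no Internet -> Private pair at all, and the krneki parameter map with audit trail and alerts enabled. Interface names, addresses, and the ACL, class-map, policy-map and zone-pair names are assumed.

```cisco
! Two configured zones; the self zone (the router itself) is built in
zone security Private
zone security Internet
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 zone-member security Private
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 zone-member security Internet
 ! strict uRPF: drop packets whose source would not be routed back out this interface
 ip verify unicast source reachable-via rx
!
! Packets arriving from the Internet must not claim an inside or reserved source address
ip access-list extended ANTI-SPOOF
 deny   ip 192.168.1.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
! Inspect parameters: audit-trail logs session open/close, alert logs inspection alerts
parameter-map type inspect krneki
 audit-trail on
 alert on
!
! Internet -> self: only SSH from a source the ANTI-SPOOF ACL permits; everything else is dropped and logged
class-map type inspect match-all CM-SSH-TO-SELF
 match access-group name ANTI-SPOOF
 match protocol ssh
policy-map type inspect PM-INTERNET-TO-SELF
 class type inspect CM-SSH-TO-SELF
  inspect krneki
 class class-default
  drop log
zone-pair security INTERNET-TO-SELF source Internet destination self
 service-policy type inspect PM-INTERNET-TO-SELF
!
! Private -> Internet is inspected; return traffic is admitted by session state, not by a reverse zone-pair
class-map type inspect match-any CM-LAN-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-PRIVATE-TO-INTERNET
 class type inspect CM-LAN-OUT
  inspect krneki
 class class-default
  drop
zone-pair security PRIVATE-TO-INTERNET source Private destination Internet
 service-policy type inspect PM-PRIVATE-TO-INTERNET
! No Internet -> Private zone-pair is defined, so that direction is dropped by default
```

With `audit-trail on` and `alert on` in effect, each SSH session that passes the Internet -> self pair produces a session start/stop audit message, and inspection anomalies produce alert messages, so `show logging` is the place to confirm the policy is doing what the answer describes.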
