I'm very new to the concept of a firewalls. I'm attempting to block specific traffic from the internet into my router and allow only certain traffic out. Each representing the traffic flow. Example of the zone's and zone pairs would be. I'm confused about the SELF zone and if it even comes into play here with the WAN zone.
Internet access comes into interface Gi0/0.
VLANS 1-6 host users who need unfiltered access out to the internet and unfiltered between each other.
VLAN 7 needs specific traffic restricted in from the WAN and other specific traffic filtered out to the WAN.
Some traffic from the LAN to the EDMZ needs to be filtered but any traffic from the EDMZ should get to the LAN.
Using the Zone's and Pairs above (or if any of them can be eliminated) how would I:
1) allow only http and https traffic in to the router from the WAN (WAN/ISP connection on interface Gi0/0). All other traffic should be dropped.
2) allow all traffic out to the WAN in a stateful fashion from the LAN on all VLANS (1,2,3,4,5,6). So my users have access to everything on the internet.
3) allow all traffic between all VLANS (1,2,3,4,5,6). Nothing is filtered.
4) restrict specific traffic into the EDMZ from the WAN.
5) restrict specific traffic from the WAN to the EDM
Just put them in the same zone, this is done last, because if you put things in zones before you make the policys everything will be blocked until you have made them.
4) 4 and 5 sounds exactly the same to me?
Now it depends on if you want to permit specific traffic to the EDMZ/DMZ(?) or if you want to den specific traffic? Sounds like you want to deny specific traffic, but that is not the best way so because then you have no control so I will demonstate the other way around.
class-map type inspect match-any SPECIFIC-TRAFFIC_CMAP ! Make sure to do a match-any if you want more than two protocol to be matched.
Multiple Cisco Security Technologies in a single book : ASA Firepower, WSA, Umbrella, ISE and VPN with 100 percent 100 practical scenarios with 70 Labs to cover important topics of the Cisco SCOR Exam. The best part is ISE with interesting scenarios wi...
Cisco Umbrella is a big DNS service that provides not only the DNS resolution but also if the hosted website is trust or malicious, the idea behind the Layer DNS Security is that the modern attacks uses the DNS in the first step either to redirect the use...
I shared with you this detailed document I created with 27 pages about Cisco ISE Integration With F5 BIG-IP Locar Traffic Manager LTM Load Balancer for Guest Acces.
The method used for Guest Access is the Self-Registration.
Healt Monitor using HTTP...
I created an IPSEC Site to site Tunnel between two ASA Firewalls in EVE-NG topology and i want to plot the IPSEC Site to Site VPN graph on PRTG ? The SNMP Walk command is not getting any output . As the firewall is making SNMP inbound connections with the...
The purpose of this document is to demonstrate how ISE can integrate with an eduroam external server which is a WI-Fi roaming service that provides international access to devices in education, research, and higher education. Students, teachers, and resea...