IOS zone-based policy firewall on remote access query

yong khang NG (Level 5)

Hi,

I would like to check something regarding the IOS zone-based policy firewall.

Say I have a remote-site router using a WAN connection to reach the HQ router. The business requirement is that the branch router needs to apply the IOS zone-based policy firewall.

Here's the network topology and information:

LAN.Inside -- [Branch router] --- Internet ---- [HQ Router]   (the network administrator from here would like to SSH2 to the Branch router)

- LAN.Inside network 10.171.123.0 / 24

- HQ Router network 10.171.23.0 / 30

My questions / concerns are:

1. I will configure the IOS zone-based firewall on the branch router remotely from the HQ router. This is the class-map template:

class-map type inspect BranchLAN
 match access-group 101

access-list 101 permit ip 10.171.123.0 0.0.0.255 any

Questions

A. Is it necessary for me to explicitly configure the access list in order to allow the remote SSH session from the HQ Router network?

B. Is any command needed on the interface configured as zone-member security outside (this is the branch router's internet-facing interface)?

Thanks

Noel

Accepted Solution

Julio Carvajal (VIP Alumni)

Hello Yong,

The configuration for a zone-based firewall is quite long, but I can assure you that as soon as you see it work you will be impressed.

Now let's start with the following:

Is it necessary for me to explicitly configure the access list in order to allow the remote SSH session from the HQ Router network?

A/ If you have configured a self zone, yes; if not, you should be able to access the outside interface from the outside world.

B. Is any command needed on the interface configured as zone-member security outside (this is the branch router's internet-facing interface)?

A/ interface GigabitEthernet0/0
 zone-member security outside

I think you should read the following before configuring this, as you might be unable to access the device again.

http://nat0.net/cisco-ios-zone-based-policy-firewall/

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html

CSC is a free support community; take your time to rate all the engineers' responses that help you resolve your problems.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
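As an added illustration of the point in the accepted answer (this is not configuration from the thread or from either poster): once a self zone is in play, traffic to the router's own addresses is governed by an outside-to-self zone-pair, so the HQ management SSH session has to be permitted there explicitly. The example below keeps the class-map, ACL 101 and the outside zone-member from the thread, and adds an outside-to-self policy that allows SSH only from the HQ /30. The zone names, policy names, the HQ-MGMT ACL and the inside interface GigabitEthernet0/1 are assumptions made for the example.

```cisco
! Added example, not from the original thread. Interface, zone, policy and
! ACL names other than those quoted in the thread are assumptions.
!
! Transit traffic from the branch LAN (ACL and class-map from the question)
access-list 101 permit ip 10.171.123.0 0.0.0.255 any
!
class-map type inspect match-all BranchLAN
 match access-group 101
!
! Management sources allowed to reach the router itself on SSH (TCP/22):
! only the HQ network 10.171.23.0/30 from the question. (Assumed ACL name.)
ip access-list extended HQ-MGMT
 permit tcp 10.171.23.0 0.0.0.3 any eq 22
!
class-map type inspect match-all HQ-SSH
 match access-group name HQ-MGMT
 match protocol tcp
!
! Branch LAN -> Internet: stateful inspection, everything else dropped
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect BranchLAN
  inspect
 class class-default
  drop
!
! Internet -> router itself (self zone): SSH from HQ only, everything else
! dropped. Inspecting TCP here lets the SSH return traffic out without a
! separate self -> outside policy.
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect HQ-SSH
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
!
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! This is the zone-pair that answers question A: without it, management
! access to the router is not restricted by the firewall; with it, only
! what HQ-SSH matches gets through to the router.
zone-pair security OUT-SELF source outside destination self
 service-policy type inspect OUTSIDE-TO-SELF
!
interface GigabitEthernet0/1
 description Branch LAN (assumed interface)
 zone-member security inside
!
! Question B: the only interface-level command is the zone membership
interface GigabitEthernet0/0
 description Internet-facing interface (from the answer)
 zone-member security outside
```

Because the configuration is pushed over the very SSH session the OUT-SELF zone-pair will police, apply the outside-to-self zone-pair last, verify with "show policy-map type inspect zone-pair OUT-SELF sessions" that the management session is being inspected rather than dropped, and keep a console or out-of-band path available until that is confirmed.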


2 Replies


Hi Julio,

Impressive answer. I think I get what you mean anyway.

thanks

Noel
