Zone based firewall on 800 series router

lcaruso
Level 6

Hi,

I have the following config on a 887VA. Will this stop all traffic hitting the outside interface?

I want to stop all unsolicited traffic, including icmp echo request, on the outside interface.

No ssl, no snmp, no telnet, no ssh, no icmp, no udp, no tcp, everything is blocked.

How do I accomplish that?

How do I set up logging so everything that is dropped on the outside interface is logged?

Thanks in advance.

class-map type inspect match-any in-out
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect in-out
 class type inspect in-out
  inspect
 class class-default
  drop
!
zone security internal
zone security external
!
zone-pair security inout source internal destination external
 service-policy type inspect in-out
!
interface Vlan3
 ip address 10.3.3.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security internal
!
interface BVI1
 mac-address a.b.c
 ip address x.y.z.z 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security external


5 Replies

Jennifer Halim
Cisco Employee

Yes, that is correct configuration.

As you only configure zone pair from internal to external, all traffic initiated from external to internal will be dropped.

cadet alain
VIP Alumni

Hi,

don't forget this will only take into account traffic going through the router.

If you also want to deny some traffic to the router you'll have to apply a service-policy to the zone-pair source outside destination self

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks. I kind of thought so when an engineer told me he could ping the outside interface.

This router sits outside a firewall. We simply want the router to do NAT and block all traffic to the device itself except for management traffic coming from the inside. So the configuration shown is not needed because the ASA already does traffic inspection.

Said differently, I've noticed on the ASA when inspection is turned on that it dramatically slows down speed tests, for example, from 15Mb/s to 10Mb/s when inspecting all protocols is turned on. So if I turn on inspection on the 887VA, that will further slow things down.

Required security policy

1. No traffic to device itself from outside

2. Management traffic to device itself from inside

3. Allow all outbound from inside and statefully allow return packets

4. Deny all inbound from outside not statefully allowed from inside

Should I use the zone based approach to accomplish that, or should I just be using access lists?

Hi,

1. No traffic to device itself from outside

with ZBF you must assign a policy to zone-pair outside to self with a drop action

or you can assign an ACL inbound on outside interface denying everything

you can also use access-class for vty lines and ACL for SNMP traffic permitting inside only, cf. 2

2. Management traffic to device itself from inside

with ZBF this is default: all traffic to router (zone self) is permitted

3. Allow all outbound from inside and statefully allow return packets

stateful means: reflexive ACLs or CBAC or ZBF, but I think ZBF is simpler

4. Deny all inbound from outside not statefully allowed from inside

this is default with ZBF if no policy with a pass or inspect is applied to the zone-pair

Regards.

Alain.

Don't forget to rate helpful posts.
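One way to put Alain's point 1 into configuration, as an added example that is not part of the thread and not taken from Cisco documentation: an external-to-self zone-pair that drops and logs everything, plus the self-to-external inspect pair that keeps the router's own outbound sessions (NTP, DNS, pings from the router) working. Zone names match the original post; the class-map, policy-map and zone-pair names are assumed.

```cisco
! Added example, not from the original post. Zone names "internal" and
! "external" are the poster's; self-out / out-self names are assumed.
!
! Sessions the router itself opens towards the outside must be inspected
! on self -> external, otherwise the external -> self drop policy below
! also discards their replies.
class-map type inspect match-any self-out
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect self-out
 class type inspect self-out
  inspect
 class class-default
  drop
!
! Unsolicited traffic from outside to the router's own addresses:
! no class matches, so class-default drops it; "log" records each drop
! via syslog, which answers the logging question in the original post.
policy-map type inspect out-self
 class class-default
  drop log
!
zone-pair security self-out source self destination external
 service-policy type inspect self-out
zone-pair security out-self source external destination self
 service-policy type inspect out-self
!
! No zone-pair is defined between "internal" and "self", so management
! traffic from the inside to the router stays permitted (ZBF default).
! Traffic passing through the router is governed by the existing
! internal -> external pair and is not affected by these two pairs.
```

After applying it, a ping to the outside interface from an external host should fail and produce a drop log message; verify the policy is bound with `show zone-pair security` and watch sessions with `show policy-map type inspect zone-pair`.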

Thanks for taking the time and effort for a detailed reply.
