07-07-2011 08:10 PM - edited 03-11-2019 01:56 PM
Hi,
I have the following config on a 887VA. Will this stop all traffic hitting the outside interface?
I want to stop all unsolicited traffic, including ICMP echo requests, on the outside interface.
No SSL, no SNMP, no Telnet, no SSH, no ICMP, no UDP, no TCP; everything is blocked.
How do I accomplish that?
How do I set up logging so everything that is dropped on the outside interface is logged?
Thanks in advance.
```cisco
! Class matching the traffic the inside is allowed to start towards the outside
class-map type inspect match-any in-out
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Statefully inspect the matched traffic; drop anything else
policy-map type inspect in-out
 class type inspect in-out
  inspect
 class class-default
  drop
!
! Zones and the single (inside -> outside) zone-pair
zone security internal
zone security external
zone-pair security inout source internal destination external
 service-policy type inspect in-out
!
interface Vlan3
 ip address 10.3.3.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security internal
!
interface BVI1
 mac-address a.b.c
 ip address x.y.z.z 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security external
```
07-07-2011 08:40 PM
Yes, that is correct configuration.
As you only configure zone pair from internal to external, all traffic initiated from external to internal will be dropped.
07-08-2011 06:05 AM
Hi,
don't forget this will only take into account traffic going through the router.
If you also want to deny some traffic to the router you'll have to apply a service-policy to the zone-pair source outside destination self
Regards.
Alain.
07-08-2011 06:44 AM
Thanks. I kind of thought so when an engineer told me he could ping the outside interface.
This router sits outside a firewall. We simply want the router to do NAT and block all traffic to the device itself except for management traffic coming from the inside. So the configuration shown is not needed because the ASA already does traffic inspection.
Said differently, I've noticed on the ASA when inspection is turned on that it dramatically slows down speed tests, for example, from 15Mb/s to 10Mb/s when inspecting all protocols is turned on. So if I turn on inspection on the 887VA, that will further slow things down.
Required security policy
1. No traffic to device itself from outside
2. Management traffic to device itself from inside
3. Allow all outbound from inside and statefully allow return packets
4. Deny all inbound from outside not statefully allowed from inside
Should I use the zone-based approach to accomplish that, or should I just be using access lists?
07-08-2011 10:39 AM
Hi,
1. No traffic to device itself from outside
With ZBF you must assign a policy to the zone-pair outside to self with a drop action,
or you can assign an ACL inbound on the outside interface denying everything.
You can also use access-class for the vty lines and an ACL for SNMP traffic permitting inside only (cf. 2).
2. Management traffic to device itself from inside
With ZBF this is the default: all traffic to the router (zone self) is permitted.
3. Allow all outbound from inside and statefully allow return packets
Stateful means: reflexive ACLs or CBAC or ZBF, but I think ZBF is simpler.
4. Deny all inbound from outside not statefully allowed from inside
This is the default with ZBF if no policy with a pass or inspect is applied to the zone-pair.
Regards.
Alain.
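Putting Alain's points 1 and 4 (and the earlier remark about the zone-pair to the self zone) into configuration, as an added example that is not from the thread or from Cisco's documentation: a zone-pair from `external` to the router's `self` zone with a drop-and-log policy, plus a `self`-to-`external` pair so that sessions the router itself starts (NTP, DNS, the engineer's own pings from the router) get their replies back. The zone names reuse the original post's `internal` and `external`; the class-map, policy-map, zone-pair and ACL names, and the management subnet taken from the Vlan3 address, are assumptions. Management from the inside needs no zone-pair because traffic to the self zone is permitted by default, which is Alain's point 2.

```cisco
! Added example (not from the thread). Zone names match the original post;
! the class-map, policy-map, zone-pair and ACL names below are assumed.
!
! Point 1: nothing from the outside may reach the router itself.
! "drop log" on class-default also answers the original question about
! logging what is dropped on the outside interface (one syslog line per drop).
policy-map type inspect EXT-TO-SELF
 class class-default
  drop log
!
zone-pair security ext-to-self source external destination self
 service-policy type inspect EXT-TO-SELF
!
! Sessions the router originates towards the outside (NTP, DNS, its own pings)
! are inspected so that only their return packets are allowed back in;
! without this pair the drop policy above would discard those replies.
class-map type inspect match-any ROUTER-ORIGINATED
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect SELF-TO-EXT
 class type inspect ROUTER-ORIGINATED
  inspect
 class class-default
  drop log
!
zone-pair security self-to-ext source self destination external
 service-policy type inspect SELF-TO-EXT
!
! Point 2 needs no configuration: with no internal->self zone-pair,
! management traffic from the inside to the router is permitted by default.
! Point 3 is the existing in-out policy; point 4 is the default deny for
! external->internal, which has no zone-pair at all.
!
! Defence in depth on the management plane, in addition to the zone policy
! (assumed management subnet 10.3.3.0/24, from the original Vlan3 address):
ip access-list standard MGMT-FROM-INSIDE
 permit 10.3.3.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-FROM-INSIDE in
 transport input ssh
!
! Verification after applying it:
!   show zone-pair security
!   show policy-map type inspect zone-pair ext-to-self
!   show logging | include FW
```

Alain's alternative of an inbound ACL on the outside interface is simpler to read, but interface ACLs are evaluated before the zone firewall, so a blanket deny there would also discard the inspected return traffic for the inside hosts; the self-zone policy only affects packets addressed to the router itself, which is exactly what point 1 asks for. The self-to-external pair is what keeps the router's own outbound sessions working once the external-to-self drop is in place, so test NTP, DNS and a ping from the router after applying it, and watch `show logging` for the `%FW` drop messages to confirm the outside interface is now silent to unsolicited probes.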
07-08-2011 01:31 PM
Thanks for taking the time and effort for a detailed reply.