Is the FW zone that includes all of the Router interfaces IP addresses (even for interfaces not attached to any specific zone).
You must think of the self-zone as the router itself so when we configure a policy including the Self-zone is related to:
-Traffic to the router
-Traffic from the router
So when someone asks the following
What Traffic Should I Consider When I Deal With The Self-Zone?
You should answer:
-Managment plane traffic (SSH,Telnet,etc)
-Control plane traffic(Routing Protocols)
Another common question is:
Why would you even consider to use the Self-Zone?
Well, if you want to protect your network from any kind of attack you configure a FW to prevent attacks from reaching your network but if you leave your router without the Self-Zone anyone could get into the router and change the configuration, open backdoors,etc.
In order to avoid this vulnerabilities using the Self-Zone is a MUST.
By default there is no policies for the Self-Zone so traffic from and to the router will be allowed
You do not have to manually create the Self-Zone. By default it's created, you just need to call it.
As soon as you configure one zone-pair that involves the Self-Zone traffic from any zone to the Self or from the Self to any zone will be filtered
Traffic from a host behind a router interface that does not belong to any ZBFW zone will be allowed to reach the Router IP addresses (Self-Zone)
We cannot Inspect a class-map that we matched via a layer 7 protocol/application (We can only inspect layer 4 class-map matches)
Before version 15.1 OSPF and EIGRP neighbor relationships were allowed without the need of a policy if using the self-zone but after 15.1 we now must PASS this protocols (RIP and BGP as depend of UDP and TCP respectively will always need a policy allowing the traffic if using the self-zone)
For IPSec VPN sessions we only need to PASS the control channel negotiations (Isakmp) so UDP 500 and UDP 4500 if NAT-T is required (As you can see ESP/AH is not required to configure in order to bring the tunnel up.
Hi, We recently installed a patch on both our ISE Wired and Wireless to fix some bugs. During reboot I noticed that Application Server on ISE Wired takes too long to be on running state compared to Wireless when issuing command "show applicatio...
HelloI have MacBook with Mac OS Catalina (10.15.1)When I try ti used AnyConnect 4.8 on my Mac, I enter vpn dress (vpn.s...com) and I have immediately an error message (before identify window) : "Posture assessment failed : unable to download CSD library. ...
Does Cisco ISE 2.6 supports Cisco Nexus 2k, Nexus 3K, Nexus 5K, Nexus 7K and Nexus 9K series of switches? The Compatibility matrix does not show them.
If supported, can you please guide me to the link/documentation please?
Hello, I am trying to setup some Cisco products for the first time and am having trouble and many questions due to my lack of knowledge.I was forwarded an email from the reseller that contains a link to obtain an e-delivery to a PAK file for the Cisc...