Is the FW zone that includes all of the Router interfaces IP addresses (even for interfaces not attached to any specific zone).
You must think of the self-zone as the router itself so when we configure a policy including the Self-zone is related to:
-Traffic to the router
-Traffic from the router
So when someone asks the following
What Traffic Should I Consider When I Deal With The Self-Zone?
You should answer:
-Managment plane traffic (SSH,Telnet,etc)
-Control plane traffic(Routing Protocols)
Another common question is:
Why would you even consider to use the Self-Zone?
Well, if you want to protect your network from any kind of attack you configure a FW to prevent attacks from reaching your network but if you leave your router without the Self-Zone anyone could get into the router and change the configuration, open backdoors,etc.
In order to avoid this vulnerabilities using the Self-Zone is a MUST.
By default there is no policies for the Self-Zone so traffic from and to the router will be allowed
You do not have to manually create the Self-Zone. By default it's created, you just need to call it.
As soon as you configure one zone-pair that involves the Self-Zone traffic from any zone to the Self or from the Self to any zone will be filtered
Traffic from a host behind a router interface that does not belong to any ZBFW zone will be allowed to reach the Router IP addresses (Self-Zone)
We cannot Inspect a class-map that we matched via a layer 7 protocol/application (We can only inspect layer 4 class-map matches)
Before version 15.1 OSPF and EIGRP neighbor relationships were allowed without the need of a policy if using the self-zone but after 15.1 we now must PASS this protocols (RIP and BGP as depend of UDP and TCP respectively will always need a policy allowing the traffic if using the self-zone)
For IPSec VPN sessions we only need to PASS the control channel negotiations (Isakmp) so UDP 500 and UDP 4500 if NAT-T is required (As you can see ESP/AH is not required to configure in order to bring the tunnel up.
Dear All,I need to upgrade ASA 5525-9.4 to 9.8FMC(virtual ) existing version is 5.4.1SFR existing version is 5.4.0 My first question is ,do I have to check the compatibility with ASA version for SRF? Or since ,SRF totally managed by...
Hi,I have 4 x pairs of 2130 with about 18-22 contexts max on them. One pair has consistently hit this bug and there seems to be no way to determine why/how? anyone have had this and what was the cause.
Hello,We have a ESA running 12.5.Our setup is:Incoming mail from Internet are scanned for Spam /AV etc... and with the use of a Message filter are routed (alt-mailhost) to another SMTP host for decrypting if needed.Then email are coming back to the ESA on...
Hello Cisco Community,we have a little problem in our company with sending netflow data from the Cisco Prime NAMs to Stealtwatch. There is any documentation for this topic, but we thought that it should be possible to use the NAMs as exporters for Stealth...