Cisco Support Community

IOS zone-based policy firewall on remote access query

Hi,

I would like to check something about the IOS zone-based policy firewall.

Say I have a remote-site router using a WAN connection to reach the HQ router. The business requirement is that the branch router needs to apply the IOS zone-based policy firewall.

Here's the network topology and information:

LAN.Inside --- [Branch router] --- Internet --- [HQ Router]   (the network administrator from here would like to SSH2 to the branch router)

- LAN.Inside network 10.171.123.0 / 24

- HQ Router network 10.171.23.0 / 30

My questions / concerns are:

1. I will configure the IOS zone-based firewall on the branch router remotely from the HQ router. This is the class-map template:

class-map type inspect BranchLAN
 match access-group 101
!
access-list 101 permit ip 10.171.123.0 0.0.0.255 any

Questions

A. Is it necessary for me to explicitly configure an access list in order to allow the remote SSH session from the HQ router network?

B. Is any command needed on the interface configured as zone-member security outside? (This is the branch router's Internet-facing interface.)

Thanks

Noel

1 ACCEPTED SOLUTION

Re: IOS zone-based policy firewall on remote access query

Hello Yong,

The configuration for a zone-based firewall is quite long, but I can assure you that as soon as you see it work you will be impressed.

Now let's start with the following:

Is it necessary for me to explicitly configure an access list in order to allow the remote SSH session from the HQ router network?

A/ If you have configured self zones, yes; if not, you should be able to access the outside interface from the outside world.

B. Is any command needed on the interface configured as zone-member security outside? (This is the branch router's Internet-facing interface.)

A/ interface GigabitEthernet0/0
 zone-member security outside

I think you should read the following before configuring this, as you might be unable to access the device again.

http://nat0.net/cisco-ios-zone-based-policy-firewall/

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html

CSC is a free support community; take your time to rate all the engineers' responses that help you resolve your problems.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
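The point in the accepted answer is the self zone: until a zone pair that involves "self" carries a policy, traffic to and from the router itself is permitted by default, and the moment such a policy is applied, anything it does not match (including the HQ administrator's SSH session) is dropped. The configuration below is an added example, not taken from Noel's or Julio's posts, that combines Noel's class-map template with an explicit outside-to-self policy admitting SSH only from the HQ network 10.171.23.0/30 given in the question. The interface names, the ACL and class-map names other than BranchLAN/101, and the use of "inspect" on the self-zone pair (older IOS releases only support "pass" there, which then needs a matching self-to-outside pair) are assumptions.

```cisco
! Added example: zone-based firewall on the branch router with a self-zone
! policy that admits SSH from the HQ management subnet only.
! Interface names and all names except BranchLAN / ACL 101 are assumptions.
!
! --- zones ---------------------------------------------------------------
zone security inside
zone security outside
!
! --- class-maps ----------------------------------------------------------
! LAN hosts allowed out (Noel's template; match-all is the IOS default)
access-list 101 permit ip 10.171.123.0 0.0.0.255 any
class-map type inspect match-all BranchLAN
 match access-group 101
!
! SSH aimed at the router itself, only from the HQ /30 (from the question)
ip access-list extended HQ-MGMT
 permit tcp 10.171.23.0 0.0.0.3 any eq 22
class-map type inspect match-all HQ-SSH-TO-SELF
 match access-group name HQ-MGMT
!
! --- policy-maps ---------------------------------------------------------
policy-map type inspect LAN-TO-INTERNET
 class type inspect BranchLAN
  inspect
 class class-default
  drop log
!
! Assumption: this IOS release supports "inspect" on self-zone pairs.
! On releases that do not, use "pass" here and add a self->outside pair.
! class-default drop also stops ICMP, routing protocols and VPN traffic
! addressed to the router from the outside; add classes for any you need.
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect HQ-SSH-TO-SELF
  inspect
 class class-default
  drop log
!
! --- zone pairs ----------------------------------------------------------
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect LAN-TO-INTERNET
!
! Applying the pair below is the moment remote access can be lost.
! Do it from the console, or schedule "reload in 10" first and cancel it
! with "reload cancel" once a fresh SSH session from HQ still works.
zone-pair security OUT-SELF source outside destination self
 service-policy type inspect OUTSIDE-TO-SELF
!
! --- interfaces ----------------------------------------------------------
interface GigabitEthernet0/1
 description LAN.Inside 10.171.123.0/24
 zone-member security inside
!
interface GigabitEthernet0/0
 description WAN to Internet (zone-member is the only ZBF command needed)
 zone-member security outside
!
! Independent of the firewall: restrict the VTY lines to SSH from HQ too
ip access-list standard VTY-MGMT
 permit 10.171.23.0 0.0.0.3
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
```

Answer A maps onto the OUTSIDE-TO-SELF policy: without the OUT-SELF zone pair, no access list is needed for the SSH session, because self-zone traffic is allowed by default; with it, HQ-MGMT is what keeps the session alive. Answer B maps onto the interface stanza: "zone-member security outside" is the only firewall command the Internet-facing interface needs, and an interface with no zone membership cannot exchange traffic with a zoned interface at all, so assign both interfaces before applying the pairs.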
2 REPLIES

IOS zone-based policy firewall on remote access query

Hi Julio,

Impressive answer. I think I get what you mean anyway.

Thanks

Noel
