Need Help with the default Zone Based Security Policy on my 881W
While I'm very familiar with access lists, I'm not familiar at all with Zone Based Security Policies. With that in mind, could somebody give me a verbal description of the default Zone Based Security Policy setup on my Cisco 881W router? I've tried to dissect it, but am totally lost. Here are the relevant config lines:
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXXXXXX
 ppp chap password 7 XXXXXXXXX
!
In addition to understanding how this is set up on my inside and outside interfaces, I want to add a rule that allows UDP 514 from specific Internet hosts (via Dialer0) to the inside of my network in Vlan1. So, any additional comments on that would also be helpful.
3) Once you determine the zone-pair, you would need to determine the policy for each zone pairing. From the above, the "service-policy" is the policy configuration that is assigned to that zone-pairing.
4) To configure policy, you would need to configure class-map to match the traffic that you would like to allow/inspect. For example: if you would like to allow http access from your internal zone towards the Internet, here is how you would configure it:
access-list 101 permit tcp any any eq 80
class-map type inspect match-any http-class
 match access-group 101
policy-map type inspect outbound-policy
 class type inspect http-class
  inspect
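Applying steps 3 and 4 to the UDP 514 request in the question, here is an added example (not part of the original post or answer) of an out-zone to in-zone policy built from the same pieces as the ccp-* configuration above. It assumes a placeholder collector at 192.168.1.10 on Vlan1 and two permitted senders at the documentation addresses 203.0.113.10 and 203.0.113.20; the zone, interface and NAT names are the ones already in the posted config. Note that the posted config has no zone-pair from out-zone to in-zone at all, which is why every unsolicited connection from the Internet toward Vlan1 is currently dropped: ZBF denies inter-zone traffic that has no zone-pair, and the only inbound policy present (ccp-permit, on out-zone to self) drops everything.

```cisco
! Added example, not from the original post. Placeholders: collector
! 192.168.1.10, permitted senders 203.0.113.10 and 203.0.113.20.

! 1) Static port forward so UDP 514 arriving on the negotiated Dialer0
!    address is translated to the inside collector.
ip nat inside source static udp 192.168.1.10 514 interface Dialer0 514

! 2) Named ACL naming exactly who may send and where.
!    Outside-to-inside traffic is NAT-translated before the zone-pair
!    policy sees it, so the destination is written as the inside address.
ip access-list extended ACL-SYSLOG-IN
 permit udp host 203.0.113.10 host 192.168.1.10 eq 514
 permit udp host 203.0.113.20 host 192.168.1.10 eq 514

! 3) Class-map: one access-group line, match-all.
class-map type inspect match-all CM-SYSLOG-IN
 match access-group name ACL-SYSLOG-IN

! 4) Policy-map: inspect the matched flows (creates a stateful session
!    so replies, if any, are allowed back out), drop and log the rest.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-SYSLOG-IN
  inspect
 class class-default
  drop log

! 5) New zone-pair in the out-zone -> in-zone direction, which the
!    default ccp configuration does not define.
zone-pair security ZP-OUT-IN source out-zone destination in-zone
 service-policy type inspect PM-OUT-TO-IN
```

Using `inspect` rather than `pass` means the firewall tracks the UDP flow as a session and you can confirm it is being matched with `show policy-map type inspect zone-pair ZP-OUT-IN sessions`; the class-default `drop log` also gives you a log line for every other inbound attempt toward Vlan1, which is useful when verifying that only the two listed senders get through.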