Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Zone-based IOS firewall question

I need to configure a IOS zone based firewall for internal security purposes, so the configuration professional wizard is not much help.   Reviewing the CLI instructions in SNRS course, they say that traffic a firewall interface (self zone) is default allowed unless explictly denied.     Does this apply to loopback and BGP?    I had setup a system  locally, unable to really test, put it into place and could not get anything to work properly.   I ended up removing the firewall config and getting it to work as a router.   I now need to get firewalling working but need to avoid a 250mile drive to fix things if it breaks.   It is using BGP for routing to a MPLS network, and that did not appear to work when I first tried it.

5 REPLIES

Zone-based IOS firewall question

Hello,

By default traffic from the router itself is not restricted, the thing is that as soon as you configure a zone-pair with the Self as one zone you will need to allow traffic based on the router itself as source and destination.

Next time you do it are you going to do it via CLI or CCP?

The thing is that with ccp the self-zone and each of its pairs will be configured by default.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Zone-based IOS firewall question

Right now, CLI.   I have not had good experiences with CCP, I loaded it again on my machine a few days ago and could not get it to load.    Found that I have to install with "Run as Admin" and launch each time as "run as admin"   Then discovery was a problem, get that fixed, click on Firewall  in Configuration and get "Internal error".   Since this is an internal system with a "outside" interface that is teh MPLS connection to the rest of the network and 3 internal interfaces with varying security requirements I was not sure the CCP wizard would be much help.

Zone-based IOS firewall question

Hello,

Yeap, I have heard a lot of problems with ZBFW configuration from CCP, but we are always here to help with that.

Well, if you have any question regarding the CLI configuration let me know.

Regards,

Julio

Do rate all the helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Zone-based IOS firewall question

Is the Self zone now a recommended configuration? The SNRS course I took a couple of years ago said to avoid it.

Also, I have to configure this remotely and the MPLS line is currently my only connection. Is there a simple way to turn on/off the zones so I can set a 15-20 min shutdown in case I mess something up? Or do I need to keep multiple commands out of the startup config?

Thanks for the help.

Re: Zone-based IOS firewall question

Hello,

Is the Self zone now a recommended configuration?   The SNRS course I took a couple of years ago said to avoid it?

A/ I would not say Do NOT use self-zone, because it makes more secure the Router as you are configuring witch kind of access will be allow to and from the router. But it will definetly take more time and a more configuration.

So all depends on how much security do you want to place into your router.

Is there a simple way to turn on/off the zones so I can set a 15-20 min shutdown in case I mess something up?

A/ You can configure all the inspection policies, you can create the security zones and you can even create the zone-pairs but you can leave for the end the most importask: to assign each interface to the security zone ( here is when things can get crazy) but I think the min shutdown will work if you have any issue ( I would use a 5 -10) as the network might  be down if its not properly configured.

If you want you can post the ZBFW configuration as soon as you have it created and then we can analize it for you based on your requirements.

Do rate all the helpful posts!!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
247
Views
0
Helpful
5
Replies
CreatePlease to create content