Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
bfl1
bfl1
Community Member
‎12-29-2003 12:04 PM
‎12-29-2003 12:04 PM

CTR - Security Zones

1. Threat Response

2. LAN Source = * Destination = Internal IP Subnet

3. DMZ Source -= * Destination = DMZ IP Subnet

4. Ignore Broadcast

5. Internet Source = * Destination = ! Internal IP Subnet

When I test hacks aimed at the DMZ, CTR downgrades and reports the zone as Internet. This IP range is defined in the DMZ and is listed before the Internet zone.

The only way it would not list DMZ addresses as "internet" was to list the Internet Zone ast !Internal-DMZ

If CTR reads security zones from top to bottom, why do I need to include the !DMZ IP Subnet in the Internet zone?

0 Helpful
Reply
3 REPLIES
nikhil_m
nikhil_m
Community Member
‎01-02-2004 06:07 AM
‎01-02-2004 06:07 AM

Re: CTR - Security Zones

It has its own functionality, I guess apart.

0 Helpful
Reply
crowland
crowland
Community Member
‎01-05-2004 07:18 AM
‎01-05-2004 07:18 AM

Re: CTR - Security Zones

It should work the way you have it setup so there may be a typo in the addresses you entered. I'm curious about the DMZ entry though. What is the exact syntax you're using?

0 Helpful
Reply
bfl1
bfl1
Community Member
‎01-05-2004 07:35 AM
‎01-05-2004 07:35 AM

Re: CTR - Security Zones

Lan - Destination IP = 10.10.10.1 - 10.10.10.255

DMZ - Desitnation IP = 10.10.11.1 - 10.10.11.255

Internet WAS - Destination IP !10.10.10.1 - 10.10.10.255

To make it work, I changed Internet to:

!10.10.10.1 - 10.10.11.255

0 Helpful
Reply
Latest Documents
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration
Created by Kureli Sankar on 04-19-2018 11:25 AM
0
0
0
0
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin... view more
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
All Documents
93
Views
0
Helpful
3
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
70
36
70
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
20
2
20
All Blogs