Cisco Support Community
Community Member

CTR - Security Zones

1. Threat Response

2. LAN Source = * Destination = Internal IP Subnet

3. DMZ Source = * Destination = DMZ IP Subnet

4. Ignore Broadcast

5. Internet Source = * Destination = ! Internal IP Subnet

When I test hacks aimed at the DMZ, CTR downgrades and reports the zone as Internet. This IP range is defined in the DMZ and is listed before the Internet zone.

The only way it would not list DMZ addresses as "internet" was to list the Internet Zone as !Internal-DMZ.

If CTR reads security zones from top to bottom, why do I need to include the !DMZ IP Subnet in the Internet zone?

3 REPLIES
Community Member

Re: CTR - Security Zones

It has its own functionality, I guess apart.

Community Member

Re: CTR - Security Zones

It should work the way you have it set up, so there may be a typo in the addresses you entered. I'm curious about the DMZ entry though. What is the exact syntax you're using?

Community Member

Re: CTR - Security Zones

Lan - Destination IP = 10.10.10.1 - 10.10.10.255

DMZ - Destination IP = 10.10.11.1 - 10.10.11.255

Internet WAS - Destination IP !10.10.10.1 - 10.10.10.255

To make it work, I changed Internet to:

!10.10.10.1 - 10.10.11.255
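The ranges posted above illustrate a general point about zone definitions: the original "Internet" rule (everything outside the LAN range) also matches every DMZ address, so the result depends entirely on how the product orders matches. The script below is an added example, not part of the thread and not CTR's own evaluation logic; it assumes a simple model where each zone is an inclusive IPv4 range, a leading "!" negates the range, and the classifier returns either the first or the last matching zone. It reproduces the symptom described (DMZ traffic reported as Internet under a last-match model) and adds a coverage check that flags addresses claimed by more than one zone, plus addresses no zone covers, so overlaps like this can be caught before they show up in reports.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneRule:
    """One destination-IP zone rule: an inclusive IPv4 range, optionally negated."""
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    negated: bool = False

    def matches(self, ip: ipaddress.IPv4Address) -> bool:
        inside = self.start <= ip <= self.end
        return (not inside) if self.negated else inside


def parse_rule(name: str, spec: str) -> ZoneRule:
    """Parse 'A - B' or '!A - B' (the syntax used in the thread) into a ZoneRule."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-"))
    if lo > hi:
        raise ValueError(f"{name}: range start {lo} is after range end {hi}")
    return ZoneRule(name, lo, hi, negated)


def matching_zones(rules, ip) -> list:
    """All zone names whose rule matches the address, in rule order."""
    addr = ipaddress.IPv4Address(ip)
    return [r.name for r in rules if r.matches(addr)]


def classify(rules, ip, first_match: bool = True):
    """Assumed evaluation model: first matching zone wins, or last if first_match=False."""
    hits = matching_zones(rules, ip)
    if not hits:
        return None
    return hits[0] if first_match else hits[-1]


def _probe_points(rules):
    """Addresses just inside and just outside every range boundary."""
    probes = set()
    for r in rules:
        for edge in (r.start, r.end):
            for delta in (-1, 0, 1):
                try:
                    probes.add(edge + delta)
                except ipaddress.AddressValueError:
                    pass  # stepping past 0.0.0.0 or 255.255.255.255
    return sorted(probes)


def ambiguous_probes(rules) -> dict:
    """Boundary addresses claimed by more than one zone (order-dependent results)."""
    return {str(p): hits for p in _probe_points(rules)
            if len(hits := matching_zones(rules, str(p))) > 1}


def unmatched_probes(rules) -> list:
    """Boundary addresses that no zone covers at all."""
    return [str(p) for p in _probe_points(rules) if not matching_zones(rules, str(p))]


# Zone definitions transcribed from the thread, in the order listed there.
ORIGINAL_ZONES = [
    parse_rule("LAN", "10.10.10.1 - 10.10.10.255"),
    parse_rule("DMZ", "10.10.11.1 - 10.10.11.255"),
    parse_rule("Internet", "!10.10.10.1 - 10.10.10.255"),
]
FIXED_ZONES = [
    parse_rule("LAN", "10.10.10.1 - 10.10.10.255"),
    parse_rule("DMZ", "10.10.11.1 - 10.10.11.255"),
    parse_rule("Internet", "!10.10.10.1 - 10.10.11.255"),
]

if __name__ == "__main__":
    dmz_host = "10.10.11.5"  # constructed sample address inside the DMZ range
    for label, zones in (("original", ORIGINAL_ZONES), ("fixed", FIXED_ZONES)):
        print(f"{label}: first-match={classify(zones, dmz_host)}, "
              f"last-match={classify(zones, dmz_host, first_match=False)}")
        print(f"  ambiguous: {ambiguous_probes(zones)}")
        print(f"  unmatched: {unmatched_probes(zones)}")
```

With the original definitions, a DMZ address is matched by both "DMZ" and "Internet", so a first-match evaluator reports DMZ while a last-match one reports Internet, which is the behaviour the poster saw. The corrected Internet rule makes the three zones disjoint, so the answer no longer depends on ordering. The coverage check also shows the cost of the fix: 10.10.11.0 now falls in no zone at all, which is worth knowing before relying on zone names in alerts.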
