02-26-2014 10:42 AM - edited 03-04-2019 10:27 PM
If so, what are your experiences? Reliable? I am only looking to protect 'To Self' and restrict 'From Self'.
SELF: BGP in, OSPF out
Any other traffic from Outside and Inside will be PASSED.
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
02-27-2014 08:55 AM
Hello, Bilal.
Not sure why you need ZBFW to protect only the "self" zone!
If I had such a task, I would rather use control plane protection (http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t4/htcpp.html).
02-27-2014 11:48 PM
Hello, thanks for the reply. What is the reason you would opt for CoPP over ZBFW? The reason I had thought of ZBFW is the very fact that everything not permitted from the outside to self by the administrator will be dropped; this way you are protecting and permitting only the things that should be permitted. Not saying the same can't be achieved with CoPP, though. I picked this idea/practice up from the Center for Internet Security.
Sent from Cisco Technical Support iPhone App
02-28-2014 01:17 AM
Hello Bilal
With ZBFW the "self" zone is created automatically when using the IOS FW, and by default hosts from any zone (outside, inside, etc.) can access the router that is configured as the FW.
The "self" zone can be used to control this access to or from the router.
Allow R2 to ping R1 but prohibit R1 from pinging R2.

Inside            Outside
R1 ----- R2 ----- R3

R2 configuration:

zone security inside
zone security outside
!
interface FastEthernet0/1
 description Link to R1 - WAN
 zone-member security outside
!
interface FastEthernet0/0
 description Link to R1 - LAN
 zone-member security inside
!
ip access-list extended ICMP
 permit icmp any any echo
!
class-map type inspect match-all self-inside_cm
 match access-group name ICMP
!
policy-map type inspect self-inside_pm
 class type inspect self-inside_cm
  inspect
!
zone-pair security self-inside source self destination inside
 service-policy type inspect self-inside_pm

Note: the self zone is referenced in lower case.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
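As an added example (not from Paul's post or anyone else in the thread), this is a complete self-zone policy for the requirement in the opening post: BGP in from the peer, OSPF out toward the inside, everything else to or from the router dropped, and inside/outside transit traffic passed. The addresses are assumed placeholders (eBGP peer 203.0.113.1, inside LAN 10.0.0.0/24, management host 10.0.0.50); the zone and interface names follow Paul's example above.

```cisco
! Assumed placeholders: eBGP peer 203.0.113.1, inside LAN 10.0.0.0/24,
! management host 10.0.0.50.
zone security inside
zone security outside
!
interface FastEthernet0/1
 description WAN
 zone-member security outside
interface FastEthernet0/0
 description LAN
 zone-member security inside
!
! Traffic terminating on, or originating from, the router itself
ip access-list extended OUT-TO-SELF-BGP
 permit tcp host 203.0.113.1 any eq bgp
ip access-list extended SELF-TO-OUT-BGP
 permit tcp any host 203.0.113.1 eq bgp
ip access-list extended ICMP-ECHO
 permit icmp any any echo
ip access-list extended OSPF
 permit ospf any any
ip access-list extended MGMT-SSH
 permit tcp host 10.0.0.50 any eq 22
!
class-map type inspect match-any OUT-SELF-INSPECT
 match access-group name OUT-TO-SELF-BGP
 match access-group name ICMP-ECHO
class-map type inspect match-any SELF-OUT-INSPECT
 match access-group name SELF-TO-OUT-BGP
 match access-group name ICMP-ECHO
class-map type inspect match-all OSPF
 match access-group name OSPF
class-map type inspect match-any IN-SELF-INSPECT
 match access-group name MGMT-SSH
 match access-group name ICMP-ECHO
!
! outside -> self: peer-initiated BGP and pings; everything else dropped
policy-map type inspect OUT-SELF
 class type inspect OUT-SELF-INSPECT
  inspect
 class class-default
  drop log
! self -> outside: router-initiated BGP and pings; everything else dropped
policy-map type inspect SELF-OUT
 class type inspect SELF-OUT-INSPECT
  inspect
 class class-default
  drop log
! inside -> self: OSPF cannot be inspected, so it is passed; SSH is inspected
policy-map type inspect IN-SELF
 class type inspect OSPF
  pass
 class type inspect IN-SELF-INSPECT
  inspect
 class class-default
  drop log
! self -> inside: OSPF hellos/updates out; pass is one-way, so needed here too
policy-map type inspect SELF-IN
 class type inspect OSPF
  pass
 class class-default
  drop log
! inside <-> outside transit is not filtered in this design
policy-map type inspect PASS-ALL
 class class-default
  pass
!
zone-pair security OUT-SELF source outside destination self
 service-policy type inspect OUT-SELF
zone-pair security SELF-OUT source self destination outside
 service-policy type inspect SELF-OUT
zone-pair security IN-SELF source inside destination self
 service-policy type inspect IN-SELF
zone-pair security SELF-IN source self destination inside
 service-policy type inspect SELF-IN
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect PASS-ALL
zone-pair security OUT-IN source outside destination inside
 service-policy type inspect PASS-ALL
```

Three caveats a practitioner will hit with the self zone: a zone-pair only restricts the direction it is defined for, so until the opposite pair exists that direction stays at the default permit (hence four self pairs above); `pass` is stateless and must be configured in both directions for OSPF, which is IP protocol 89 and cannot be inspected; and any router-originated service you forget (NTP, syslog, DNS, TACACS+) is silently dropped by `class-default` once the self-to-zone pair is in place, so check `show policy-map type inspect zone-pair sessions` and the drop logs before declaring the edge done.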
02-28-2014 01:21 AM
Hi, I know how to configure it and how it works. The discussion was around people's experience with it at the internet edge. It does exactly what I want it to do, which is protect itself.
02-28-2014 01:27 AM
Hello
I was responding to your quote, which was incorrect:
"Reason I had thought of ZBFW is the very fact that everything not permitted from the outside to self, by the administrator will be dropped, this way you are protecting and permitting the only things that should be permitted"
By default it is prohibited when sourced to/from the ZBFW itself.
res
Paul
02-28-2014 01:31 AM
Hi Paul, I know; what I meant by that is that if you permit from or to a zone, the rest will be dropped/denied in my configuration. I am not implying having no rules/policy.