Re: Anyone out there running ZBFW on internet edge router?

Bilal Nawaz · ‎02-26-2014

If so, what are your experiences? Reliable? Only looking to protect 'To Self' and restrict 'From Self'

SELF: BGP in, OSPF out

Any other traffic from Outside and Inside will be PASSED.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Vasilii Mikhailovskii · ‎02-27-2014

Hello, Bilal.

Not sure why do you need ZBFW to protect only "self" zone!

If I had such a task, I would better use control plane protection (

http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t4/htcpp.html

).

Bilal Nawaz · ‎02-27-2014

Hello, thanks for the reply, what is the reason you would opt for CoPP over ZBFW. Reason I had thought of ZBFW is the very fact that everything not permitted from the outside to self, by the administrator will be dropped, this way you are protecting and permitting the only things that should be permitted, not saying same can't be achieved with CoPP though. I picked this idea/practice from Center for Internet Security.

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

paul driver · ‎02-28-2014

Hello Bilal

With ZBFW the "self" zone is created automatically when using this such IOS FW and by default hosts from either zones( outside-inside etc..( can access the router that is configured as the FW)

The "self" zone can be used to control this access to or from the router using ZBFW self zone.

Alow R2 to ping R1 but prohibit R1 to ping R2

Inside Outside

R1-R2 - R3

R2

int fa0/1

Description Link to R1 - WAN

zone member outside

int fa0/0

Description Link to R1 - LAN

zone member inside

access-list extended ICMP

permit icmp any any echo

Class-map type inspect self-inside_cm

match access-group name ICMP

Policy-map type inspect self-inside_pm

class self-inside_cm

inspect

zone-pair security self-inside source self destination inside

service-policy type inspect self-inside_pm

Note: self zone is defined in lower case

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Bilal Nawaz · ‎02-28-2014

Hi, I know how to configure it and how it works. The discussion was around peoples experience with it at the internet edge. It does exactly what I want it to do which is protect itself.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

paul driver · ‎02-28-2014

Hello

I was responding to your quote which was incorrect

Reason I had thought of ZBFW is the very fact that everything not permitted from the outside to self, by the administrator will be dropped, this way you are protecting and permitting the only things that should be permitted

By default it is prohibited sourced to/from the ZBFW itself

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Bilal Nawaz · ‎02-28-2014

Hi Paul, I know, what I meant by that is if you permit, from or to a zone, rest will be dropped/denied in my configuration, not implying having no rules/policy.

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.