Anyone out there running ZBFW on internet edge router?

If so, what are your experiences? Reliable? Only looking to protect 'To Self' and restrict 'From Self'

SELF: BGP in, OSPF out

Any other traffic from Outside and Inside will be PASSED.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.       
6 REPLIES

Re: Anyone out there running ZBFW on internet edge router?

Hello, Bilal.

Not sure why you need ZBFW to protect only the "self" zone!

If I had such a task, I would rather use control plane protection (http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t4/htcpp.html).

Re: Anyone out there running ZBFW on internet edge router?

Hello, thanks for the reply. What is the reason you would opt for CoPP over ZBFW? The reason I had thought of ZBFW is the very fact that everything not permitted from the outside to self by the administrator will be dropped; this way you are protecting and permitting only the things that should be permitted, not saying the same can't be achieved with CoPP though. I picked this idea/practice up from the Center for Internet Security.

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Re: Anyone out there running ZBFW on internet edge router?

Hello Bilal

With ZBFW the "self" zone is created automatically when using the IOS FW, and by default hosts from either zone (outside, inside, etc.) can access the router that is configured as the FW.

The "self" zone can be used to control this access to or from the router using ZBFW self zone.

Allow R2 to ping R1 but prohibit R1 from pinging R2:

Inside          Outside

R1 - R2 - R3

R2

zone security inside
zone security outside
!
interface FastEthernet0/1
 description Link to R1 - WAN
 zone-member security outside
!
interface FastEthernet0/0
 description Link to R1 - LAN
 zone-member security inside
!
ip access-list extended ICMP
 permit icmp any any echo
!
class-map type inspect match-all self-inside_cm
 match access-group name ICMP
!
policy-map type inspect self-inside_pm
 class type inspect self-inside_cm
  inspect
!
zone-pair security self-inside source self destination inside
 service-policy type inspect self-inside_pm

Note: the self zone is defined in lower case.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.
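The design the original poster describes (BGP allowed in to the router from outside, OSPF allowed out from the router to inside, everything between outside and inside passed), written out in the self-zone syntax shown above. This is an added example, not configuration from the thread; the interface names and the addresses 192.0.2.1 (eBGP peer) and 192.0.2.2 (this router's WAN address) are placeholders.

```ios
! Added example (not from the thread): ZBFW for the poster's design --
! BGP in to the router from outside, OSPF out from the router to inside,
! all outside<->inside transit passed. 192.0.2.1 (eBGP peer) and
! 192.0.2.2 (this router's WAN address) are placeholders.
zone security outside
zone security inside
interface GigabitEthernet0/0
 zone-member security outside
interface GigabitEthernet0/1
 zone-member security inside
! outside -> self: only the named peer's BGP session. "pass" is stateless,
! so both the peer-initiated and router-initiated TCP directions are listed.
! Anything else from outside to the router is dropped once this exists.
ip access-list extended OUTSIDE-TO-SELF
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
class-map type inspect match-all OUTSIDE-TO-SELF-CM
 match access-group name OUTSIDE-TO-SELF
policy-map type inspect OUTSIDE-TO-SELF-PM
 class type inspect OUTSIDE-TO-SELF-CM
  pass
 class class-default
  drop log
zone-pair security OUT-SELF source outside destination self
 service-policy type inspect OUTSIDE-TO-SELF-PM
! self -> inside: the router may only send OSPF (IP protocol 89) to the LAN.
! Directions with no zone-pair (inside -> self, self -> outside) stay open
! by default, so the LAN's OSPF hellos still reach the router.
ip access-list extended SELF-TO-INSIDE
 permit ospf any any
class-map type inspect match-all SELF-TO-INSIDE-CM
 match access-group name SELF-TO-INSIDE
policy-map type inspect SELF-TO-INSIDE-PM
 class type inspect SELF-TO-INSIDE-CM
  pass
 class class-default
  drop log
zone-pair security SELF-IN source self destination inside
 service-policy type inspect SELF-TO-INSIDE-PM
! inside <-> outside: pass all transit traffic; pass is stateless, so a
! zone-pair is needed in each direction.
policy-map type inspect PASS-ALL-PM
 class class-default
  pass
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect PASS-ALL-PM
zone-pair security OUT-IN source outside destination inside
 service-policy type inspect PASS-ALL-PM
```

Verify the result with "show policy-map type inspect zone-pair" and watch the "drop log" counters before tightening the remaining open directions (inside -> self, self -> outside).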

Anyone out there running ZBFW on internet edge router?

Hi, I know how to configure it and how it works. The discussion was around people's experience with it at the internet edge. It does exactly what I want it to do, which is protect itself.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Re: Anyone out there running ZBFW on internet edge router?

Hello

I was responding to your quote, which was incorrect:

"Reason I had thought of ZBFW is the very fact that everything not permitted from the outside to self, by the administrator will be dropped, this way you are protecting and permitting the only things that should be permitted"

By default it is prohibited sourced to/from the ZBFW itself.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Re: Anyone out there running ZBFW on internet edge router?

Hi Paul, I know. What I meant by that is if you permit from or to a zone, the rest will be dropped/denied in my configuration; I am not implying having no rules/policy.

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.