Solved

zone firewall review

Posted on 2013-12-17
Medium Priority
736 Views
Last Modified: 2013-12-17
I want to add self-zone rules to my zone firewall. It needs to permit SIP traffic to specific subnets, permit ICMP in or out. Then inbound wan to self it needs to drop and log. Outbound self to wan it needs to pass. Should the zone firewall config below get me where I want to go?

ip access-list extended wan2self-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767
 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767
 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767
 permit icmp any any
!
class-map type inspect match-all wan2self-class
 match access-group name wan2self-acl
!
policy-map type inspect wan2self-policy
 class type inspect wan2self-class
 class class-default
  drop log
!
zone-pair security wan-self source wan destination self
 service-policy type inspect wan2self-policy
------

ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767
 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767
 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767
 permit icmp any any
!
class-map type inspect match-all self2wan-class
 match access-group name self2wan-acl
!
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
 class class-default
  pass
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy
Question by:amigan_99
5 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 39725236
Close.

For your self2wan you need to use inspection for return traffic to be permitted, otherwise it will just be dropped by the class-default action.

Create an ACL self2wan-acl with permit ip any any, match it under a class map then inspect in the policy map, then for good measure configure class-default to drop log for self2wan, just to keep in line with a standard.
 
LVL 1

Author Comment

by:amigan_99
ID: 39725247
Better?

ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767
 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767
 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767
 permit icmp any any
 permit ip any any
!
class-map type inspect match-all self2wan-class
 match access-group name self2wan-acl
!
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
 class class-default
  pass
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy
 
LVL 13

Expert Comment

by:Quori
ID: 39725254
ip access-list extended self2wan-acl
 permit icmp any any
 permit ip any any
!
class-map type inspect match-all self2wan-class
 match access-group name self2wan-acl
!
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
  inspect
 class class-default
  drop log
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy
 
LVL 13

Accepted Solution

by:Quori (earned 2000 total points)
ID: 39725257
And you'd need to inspect inbound as well, for return traffic - based on your other question, and the requirement to block all traffic destined to the router other than the explicitly permitted.
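Added example, not part of the thread: a small Python linter that applies the checks made above to a zone-based-firewall snippet. It flags a misspelled ACL keyword such as "permic", a class inside a policy-map type inspect that has no inspect/pass/drop action, and a zone-pair involving the self zone whose policy never uses inspect, so return traffic is not tracked statefully. The lint_zbf function and the sample config string are assumptions of this example, not Cisco IOS commands; the sample is a shortened copy of the self2wan policy as first posted.

```python
import re
ACTIONS = {"inspect", "pass", "drop", "drop log"}  # actions valid under a class of an inspect policy-map

def lint_zbf(config):
    """Return findings for an IOS zone-based-firewall snippet (assumed helper, not IOS code)."""
    findings, policies, pairs = [], {}, {}
    section = policy = cls = pair = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("ip access-list"):
            section = "acl"
        elif line.startswith("class-map"):
            section = None  # match statements are not checked
        elif (m := re.match(r"policy-map type inspect (\S+)$", line)):
            section, policy, cls = "policy", m.group(1), None
            policies[policy] = {}
        elif (m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line)):
            section, pair = "pair", (m.group(1), m.group(2))
        elif section == "acl" and not re.match(r"(permit|deny|remark)\b", line):
            findings.append(f"acl: unknown keyword in '{line}'")
        elif section == "policy" and (m := re.match(r"class (?:type inspect )?(\S+)$", line)):
            cls = m.group(1)
            policies[policy][cls] = None  # an action is expected on the next line
        elif section == "policy" and cls and line in ACTIONS:
            policies[policy][cls] = line
        elif section == "pair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            pairs[m.group(1)] = pair
    for name, classes in policies.items():
        for cls, action in classes.items():
            if action is None:
                findings.append(f"{name}: class {cls} has no inspect/pass/drop action")
        src, dst = pairs.get(name, ("?", "?"))
        if "self" in (src, dst) and "inspect" not in classes.values():
            findings.append(f"{name} ({src}->{dst}): no class inspects, so return traffic is not tracked")
    return findings

# Constructed sample: the self->wan policy as first posted (ACL typo, class without action, pass only).
POSTED = """ip access-list extended self2wan-acl
 permic icmp any any
class-map inspect self2wan-class
 match access-group name self2wan-acl
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
 class class-default
  pass
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy"""
```

lint_zbf(POSTED) returns three findings; run against Quori's corrected self2wan-policy (inspect on the class, drop log on class-default) it returns an empty list.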
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 39725410
Thanks much!
