amigan_99 asked
zone firewall review
I want to add self-zone rules to my zone firewall. It needs to permit SIP traffic to specific subnets and permit ICMP in or out. Then, inbound WAN to self, it needs to drop and log. Outbound self to WAN, it needs to pass. Should the zone firewall config below get me where I want to go?
! wan -> self: SIP signalling (5060), RTP media (16384-32767) and ICMP
! from the three subnets are matched; everything else is dropped and logged
ip access-list extended wan2self-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767
 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767
 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767
 permit icmp any any
!
class-map type inspect wan2self-class
 match access-group name wan2self-acl
!
policy-map type inspect wan2self-policy
 class type inspect wan2self-class
 ! no action (inspect/pass/drop) is configured under this class as posted
 class class-default
  drop log
!
zone-pair security wan-self source wan destination self
 service-policy type inspect wan2self-policy
------
! self -> wan: same SIP/RTP/ICMP match; everything else is passed
ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767
 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767
 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767
 permit icmp any any
!
class-map type inspect self2wan-class
 match access-group name self2wan-acl
!
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
 ! no action (inspect/pass/drop) is configured under this class as posted
 class class-default
  pass
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy
ASKER
Better?
! self -> wan, revised: the SIP/RTP/ICMP entries are followed by
! permit ip any any, so the ACL now matches all self-originated traffic
ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767
 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767
 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767
 permit icmp any any
 permit ip any any
!
class-map type inspect self2wan-class
 match access-group name self2wan-acl
!
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
 ! no action (inspect/pass/drop) is configured under this class as posted
 class class-default
  pass
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy
! self -> wan: all self-originated traffic is inspected so that the
! replies are allowed back in; anything else is dropped and logged
ip access-list extended self2wan-acl
 permit icmp any any
 permit ip any any
!
class-map type inspect self2wan-class
 match access-group name self2wan-acl
!
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
  inspect
 class class-default
  drop log
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy
ASKER CERTIFIED SOLUTION
ASKER
Thanks much!
For your self2wan you need to use inspection for the return traffic to be permitted; otherwise it will just be dropped by the class-default action.
Create an ACL self2wan-acl with permit ip any any, match it under a class map, then inspect in the policy map; then, for good measure, configure class-default to drop log for self2wan, just to keep in line with a standard.