Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

zone firewall review

Posted on 2013-12-17
5
Medium Priority
?
742 Views
Last Modified: 2013-12-17
I want to add self-zone rules to my zone firewall.  It needs to permit SIP traffic to specific subnets, permit ICMP in or out.  Then inbound wan to self it needs to drop and log.  Outbound self to wan it needs to pass.  Should the zone firewall config below get me where I want to go??

ip access-list extended wan2self-acl

 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permic icmp any any


class-map inspect wan2self-class
      match access-group name wan2self-acl

policy-map type inspect wan2self-policy
      class type inspect wan2self-class
            class class-default
            drop log


zone-pair security wan-self source wan destination self

 service-policy type inspect wan2self-policy
------

ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permic icmp any any

class-map inspec self2wan-class
      match access-group name self2wan-acl

policy-map type inspect self2wan-policy

 class type inspect self2wan-class

 class class-default

  pass

zone-pair security self-wan source self destination wan

 service-policy type inspect self2wan-policy
0
Comment
Question by:amigan_99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 39725236
Close.

For your self2wan you need to use inspection for return traffic to be permitted, otherwise it will just be dropped by the class-default action.

Create an ACL self2wan-acl with permit ip any any, match it under a class map then inspect in the policy map, then for good measure configure class-default to drop log for self2wan, just to keep in line with a standard.
0
 
LVL 1

Author Comment

by:amigan_99
ID: 39725247
Better?

ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permit icmp any any
 permit ip any any

class-map inspec self2wan-class
      match access-group name self2wan-acl

policy-map type inspect self2wan-policy

 class type inspect self2wan-class

 class class-default

  pass

zone-pair security self-wan source self destination wan

 service-policy type inspect self2wan-policy
0
 
LVL 13

Expert Comment

by:Quori
ID: 39725254
ip access-list extended self2wan-acl
 permit icmp any any
 permit ip any any
!
class-map inspec self2wan-class
      match access-group name self2wan-acl
!
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
  inspect
 class class-default
  drop log
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy
0
 
LVL 13

Accepted Solution

by:
Quori earned 2000 total points
ID: 39725257
And you'd need to inspect inbound as well, for return traffic - based on your other question, and the requirement to block all traffic destined to the router other than the explicitly permitted.
0
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 39725410
Thanks much!
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
How does someone stay on the right and legal side of the hacking world?
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question