Solved

zone firewall review

Posted on 2013-12-17
5
733 Views
Last Modified: 2013-12-17
I want to add self-zone rules to my zone firewall.  It needs to permit SIP traffic to specific subnets, permit ICMP in or out.  Then inbound wan to self it needs to drop and log.  Outbound self to wan it needs to pass.  Should the zone firewall config below get me where I want to go??

ip access-list extended wan2self-acl

 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permic icmp any any


class-map inspect wan2self-class
      match access-group name wan2self-acl

policy-map type inspect wan2self-policy
      class type inspect wan2self-class
            class class-default
            drop log


zone-pair security wan-self source wan destination self

 service-policy type inspect wan2self-policy
------

ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permic icmp any any

class-map inspec self2wan-class
      match access-group name self2wan-acl

policy-map type inspect self2wan-policy

 class type inspect self2wan-class

 class class-default

  pass

zone-pair security self-wan source self destination wan

 service-policy type inspect self2wan-policy
0
Comment
Question by:amigan_99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 39725236
Close.

For your self2wan you need to use inspection for return traffic to be permitted, otherwise it will just be dropped by the class-default action.

Create an ACL self2wan-acl with permit ip any any, match it under a class map then inspect in the policy map, then for good measure configure class-default to drop log for self2wan, just to keep in line with a standard.
0
 
LVL 1

Author Comment

by:amigan_99
ID: 39725247
Better?

ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permit icmp any any
 permit ip any any

class-map inspec self2wan-class
      match access-group name self2wan-acl

policy-map type inspect self2wan-policy

 class type inspect self2wan-class

 class class-default

  pass

zone-pair security self-wan source self destination wan

 service-policy type inspect self2wan-policy
0
 
LVL 13

Expert Comment

by:Quori
ID: 39725254
ip access-list extended self2wan-acl
 permit icmp any any
 permit ip any any
!
class-map inspec self2wan-class
      match access-group name self2wan-acl
!
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
  inspect
 class class-default
  drop log
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy
0
 
LVL 13

Accepted Solution

by:
Quori earned 500 total points
ID: 39725257
And you'd need to inspect inbound as well, for return traffic - based on your other question, and the requirement to block all traffic destined to the router other than the explicitly permitted.
0
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 39725410
Thanks much!
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question