zone firewall review

I want to add self-zone rules to my zone firewall.  It needs to permit SIP traffic to specific subnets, permit ICMP in or out.  Then inbound wan to self it needs to drop and log.  Outbound self to wan it needs to pass.  Should the zone firewall config below get me where I want to go??

ip access-list extended wan2self-acl

 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permic icmp any any


class-map inspect wan2self-class
      match access-group name wan2self-acl

policy-map type inspect wan2self-policy
      class type inspect wan2self-class
            class class-default
            drop log


zone-pair security wan-self source wan destination self

 service-policy type inspect wan2self-policy
------

ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permic icmp any any

class-map inspec self2wan-class
      match access-group name self2wan-acl

policy-map type inspect self2wan-policy

 class type inspect self2wan-class

 class class-default

  pass

zone-pair security self-wan source self destination wan

 service-policy type inspect self2wan-policy
LVL 1
amigan_99Network EngineerAsked:
Who is Participating?
 
QuoriConnect With a Mentor Commented:
And you'd need to inspect inbound as well, for return traffic - based on your other question, and the requirement to block all traffic destined to the router other than the explicitly permitted.
0
 
QuoriCommented:
Close.

For your self2wan you need to use inspection for return traffic to be permitted, otherwise it will just be dropped by the class-default action.

Create an ACL self2wan-acl with permit ip any any, match it under a class map then inspect in the policy map, then for good measure configure class-default to drop log for self2wan, just to keep in line with a standard.
0
 
amigan_99Network EngineerAuthor Commented:
Better?

ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permit icmp any any
 permit ip any any

class-map inspec self2wan-class
      match access-group name self2wan-acl

policy-map type inspect self2wan-policy

 class type inspect self2wan-class

 class class-default

  pass

zone-pair security self-wan source self destination wan

 service-policy type inspect self2wan-policy
0
 
QuoriCommented:
ip access-list extended self2wan-acl
 permit icmp any any
 permit ip any any
!
class-map inspec self2wan-class
      match access-group name self2wan-acl
!
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
  inspect
 class class-default
  drop log
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy
0
 
amigan_99Network EngineerAuthor Commented:
Thanks much!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.