[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

zone firewall review

Posted on 2013-12-17
5
Medium Priority
?
747 Views
Last Modified: 2013-12-17
I want to add self-zone rules to my zone firewall.  It needs to permit SIP traffic to specific subnets, permit ICMP in or out.  Then inbound wan to self it needs to drop and log.  Outbound self to wan it needs to pass.  Should the zone firewall config below get me where I want to go??

ip access-list extended wan2self-acl

 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permic icmp any any


class-map inspect wan2self-class
      match access-group name wan2self-acl

policy-map type inspect wan2self-policy
      class type inspect wan2self-class
            class class-default
            drop log


zone-pair security wan-self source wan destination self

 service-policy type inspect wan2self-policy
------

ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permic icmp any any

class-map inspec self2wan-class
      match access-group name self2wan-acl

policy-map type inspect self2wan-policy

 class type inspect self2wan-class

 class class-default

  pass

zone-pair security self-wan source self destination wan

 service-policy type inspect self2wan-policy
0
Comment
Question by:amigan_99
  • 3
  • 2
5 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 39725236
Close.

For your self2wan you need to use inspection for return traffic to be permitted, otherwise it will just be dropped by the class-default action.

Create an ACL self2wan-acl with permit ip any any, match it under a class map then inspect in the policy map, then for good measure configure class-default to drop log for self2wan, just to keep in line with a standard.
0
 
LVL 1

Author Comment

by:amigan_99
ID: 39725247
Better?

ip access-list extended self2wan-acl
 permit udp 10.244.153.0 0.0.0.255 any eq 5060
 permit udp 10.244.153.0 0.0.0.255 any range 16384 32767

 permit udp 10.111.102.0 0.0.0.255 any eq 5060
 permit udp 10.111.102.0 0.0.0.255 any range 16384 32767

 permit udp 10.124.42.0 0.0.0.255 any eq 5060
 permit udp 10.124.42.0 0.0.0.255 any range 16384 32767

 permit icmp any any
 permit ip any any

class-map inspec self2wan-class
      match access-group name self2wan-acl

policy-map type inspect self2wan-policy

 class type inspect self2wan-class

 class class-default

  pass

zone-pair security self-wan source self destination wan

 service-policy type inspect self2wan-policy
0
 
LVL 13

Expert Comment

by:Quori
ID: 39725254
ip access-list extended self2wan-acl
 permit icmp any any
 permit ip any any
!
class-map inspec self2wan-class
      match access-group name self2wan-acl
!
policy-map type inspect self2wan-policy
 class type inspect self2wan-class
  inspect
 class class-default
  drop log
!
zone-pair security self-wan source self destination wan
 service-policy type inspect self2wan-policy
0
 
LVL 13

Accepted Solution

by:
Quori earned 2000 total points
ID: 39725257
And you'd need to inspect inbound as well, for return traffic - based on your other question, and the requirement to block all traffic destined to the router other than the explicitly permitted.
0
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 39725410
Thanks much!
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we’ll look at how to deploy ProxySQL.
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question