ACL or Zone Based FW
notgoing2fail
Member Posts: 1,138
Just wondering who here just uses regular ACLs in their production networks, or do you actually use Zone-based Firewall as intended by Cisco...
Comments
blackninja Member Posts: 385
You don't have a dedicated firewall in your poll.
Nearly every production network would use ACLs, but just not as a firewall.
Currently studying:
CCIE R&S - using INE workbooks & videos
Currently reading:
Everything. Twice
-
notgoing2fail Member Posts: 1,138
blackninja wrote: »You don't have a dedicated firewall in your poll.
Nearly every production network would use ACLs, but just not as a firewall.
My bad, let me add that...
HMM.... I can't edit my poll?
-
cjthedj45 Member Posts: 331
notgoing2fail wrote: »Just wondering who here just uses regular ACLs in their production networks, or do you actually use Zone-based Firewall as intended by Cisco...
If there was the option to use a ZBF or just straight access lists, then surely the ZBF would be a better option, as it has more features than just permit or deny. The ZBF will also inspect traffic and block any traffic with malicious code, for example. I'm no expert, but given the choice I think I would go with the ZBF. However, I have never used a ZBF in a production environment, so I'm not sure how good they are "real world". My knowledge is just from what I have studied in the CCNA Security. I would be interested to hear if people do prefer access lists over a ZBF and why.
-
notgoing2fail Member Posts: 1,138
cjthedj45 wrote: »If there was the option to use a ZBF or just straight access lists, then surely the ZBF would be a better option, as it has more features than just permit or deny. The ZBF will also inspect traffic and block any traffic with malicious code, for example. I'm no expert, but given the choice I think I would go with the ZBF. However, I have never used a ZBF in a production environment, so I'm not sure how good they are "real world". My knowledge is just from what I have studied in the CCNA Security. I would be interested to hear if people do prefer access lists over a ZBF and why.
Agreed, I'd like to hear as many "real world" examples from people as possible.
I also would like to know if people actually use SDM or just stick with the CLI...
-
ilcram19-2 Banned Posts: 436
You don't really want to use the SDM for this, since it requires you to keep track of class maps and policy maps, and with the naming that SDM uses it gets confusing.
Here is another example config allowing traffic from one VLAN to a DMZ zone:

  ! HTTP to the DMZ web server. The access-group name here has to be the
  ! ACL that is actually defined below (vlan2-DMZ-http-ACL).
  class-map type inspect match-all vlan2-DMZ-http-class
   match access-group name vlan2-DMZ-http-ACL
  ! match-any: a packet matching ANY one line belongs to the class, so the
  ! listed protocols are admitted even from sources that vlan2-DMZ-ACL
  ! does not permit.
  class-map type inspect match-any vlan2-to-DMZ-class
   match protocol kerberos
   match protocol msrpc
   match protocol ntp
   match protocol ldap
   match access-group name vlan2-DMZ-ACL
   match protocol dns
   match protocol icmp
  policy-map type inspect vlan2-to-DMZ-policy
   class type inspect vlan2-DMZ-http-class
    ! no inspecting, just passing traffic (pass keeps no state, so the
    ! return direction needs its own zone-pair policy)
    pass log
   class type inspect vlan2-to-DMZ-class
    ! ZFW is the name of a "parameter-map type inspect" (timeouts etc.),
    ! not shown here
    inspect ZFW
   class class-default
    drop log
  ! "zone security VLAN2", "zone security DMZ" and the interface
  ! zone-member assignments are not shown
  zone-pair security vlan2-to-DMZ source VLAN2 destination DMZ
   service-policy type inspect vlan2-to-DMZ-policy

  Extended IP access list vlan2-DMZ-http-ACL
      10 permit tcp 10.200.34.128 0.0.0.127 host 10.33.45.2 eq www (43709224 matches)
  Extended IP access list vlan2-DMZ-ACL
      10 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.5 (116893 matches)
      20 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.23
      30 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.80
      40 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.81
      50 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.126 (24429 matches)
      60 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.119 (5315 matches)
      70 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 445 (65586 matches)
      80 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 135
      90 permit udp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 389 (30785 matches)
      100 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 389
      110 permit udp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 3268
      120 permit udp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq ntp
      130 permit udp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq domain (577528 matches)
      140 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq domain (28 matches)
      150 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 53211
      160 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 53212
      170 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 88
      180 permit udp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 88 (25465 matches)
-
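As an added example (not code from this thread or from Cisco), the Python below models the class-map, policy-map and zone-pair logic of the config posted above so a policy can be checked offline before it goes onto a router: ACL lines with IOS wildcard masks and the implicit deny, match-all versus match-any classes, first-match order in the policy-map, and the inter-zone default of drop when no zone-pair exists. The config data is transcribed from the post, with the HTTP class pointing at the ACL that is actually defined; the PROTOCOL_PORTS table and all function and variable names are assumptions of this example, and the port table is only a stand-in for the IOS application classifier behind "match protocol". It also includes a check for names that are referenced but never defined, which is the kind of typo the posted class-map had (DMZ-vlan2-http-ACL versus vlan2-DMZ-http-ACL).

```python
"""Model of the IOS zone-based firewall policy from the post above. Added example,
not the thread's or Cisco's code; PROTOCOL_PORTS is an assumed simplification."""
import ipaddress
from collections import namedtuple

# Assumed L4 ports behind the 'match protocol' names used in the post; the real
# IOS classifier inspects the application, this table only maps ports.
PROTOCOL_PORTS = {
    "kerberos": {("tcp", 88), ("udp", 88)},
    "msrpc": {("tcp", 135)},
    "ntp": {("udp", 123)},
    "ldap": {("tcp", 389)},
    "dns": {("tcp", 53), ("udp", 53)},
    "icmp": {("icmp", None)},
}

# A flow: addresses, IP protocol ("tcp"/"udp"/"icmp") and destination port.
Flow = namedtuple("Flow", "src dst proto dport", defaults=(None,))
# One ACL line with IOS wildcard masks (0 bits must match); dport None = any.
AclEntry = namedtuple("AclEntry", "proto src src_wc dst dst_wc dport action",
                      defaults=(None, "permit"))
# class-map type inspect: 'match-all' ANDs its lines, 'match-any' ORs them.
ClassMap = namedtuple("ClassMap", "mode protocols acls", defaults=((), ()))

def _wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(entries, flow):
    """First matching line wins; every ACL ends with an implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if not (_wildcard_match(flow.src, e.src, e.src_wc)
                and _wildcard_match(flow.dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action == "permit"
    return False

def class_matches(cm, flow, acls):
    checks = [(flow.proto, flow.dport) in PROTOCOL_PORTS[p] for p in cm.protocols]
    checks += [acl_permits(acls[name], flow) for name in cm.acls]
    return all(checks) if cm.mode == "match-all" else any(checks)

def evaluate(src_zone, dst_zone, flow, zone_pairs, policies, classes, acls):
    """Return the action the policy applies to the flow: pass, inspect or drop."""
    if src_zone == dst_zone:
        return "pass"            # traffic inside one zone is not policed
    policy = zone_pairs.get((src_zone, dst_zone))
    if policy is None:
        return "drop"            # no zone-pair: the inter-zone default is drop
    for class_name, action in policies[policy]:
        if class_name == "class-default" or class_matches(classes[class_name], flow, acls):
            return action        # first matching class in the policy-map wins
    return "drop"

def dangling_references(classes, acls, policies, zone_pairs):
    """Names referenced but never defined (the posted HTTP class had one such ACL)."""
    missing = {n for cm in classes.values() for n in cm.acls if n not in acls}
    missing |= {c for p in policies.values() for c, _ in p
                if c != "class-default" and c not in classes}
    missing |= {p for p in zone_pairs.values() if p not in policies}
    return sorted(missing)

# --- config transcribed from the post (HTTP class pointing at the defined ACL) ---
V2, V2WC, DMZ, DMZWC = "10.200.34.128", "0.0.0.127", "10.33.45.0", "0.0.0.127"
POSTED_ACLS = {
    "vlan2-DMZ-http-ACL": [AclEntry("tcp", V2, V2WC, "10.33.45.2", "0.0.0.0", 80)],
    "vlan2-DMZ-ACL":
        [AclEntry("ip", V2, V2WC, h, "0.0.0.0") for h in
         ("10.33.45.5", "10.33.45.23", "10.33.45.80", "10.33.45.81",
          "10.33.45.126", "10.33.45.119")] +
        [AclEntry(pr, V2, V2WC, DMZ, DMZWC, port) for pr, port in
         (("tcp", 445), ("tcp", 135), ("udp", 389), ("tcp", 389), ("udp", 3268),
          ("udp", 123), ("udp", 53), ("tcp", 53), ("tcp", 53211), ("tcp", 53212),
          ("tcp", 88), ("udp", 88))],
}
POSTED_CLASSES = {
    "vlan2-DMZ-http-class": ClassMap("match-all", acls=("vlan2-DMZ-http-ACL",)),
    "vlan2-to-DMZ-class": ClassMap("match-any",
                                   ("kerberos", "msrpc", "ntp", "ldap", "dns", "icmp"),
                                   ("vlan2-DMZ-ACL",)),
}
POSTED_POLICIES = {"vlan2-to-DMZ-policy": [("vlan2-DMZ-http-class", "pass"),
                                           ("vlan2-to-DMZ-class", "inspect"),
                                           ("class-default", "drop")]}
POSTED_ZONE_PAIRS = {("VLAN2", "DMZ"): "vlan2-to-DMZ-policy"}

def decide(src_zone, dst_zone, flow):
    """Evaluate one flow against the transcribed policy."""
    return evaluate(src_zone, dst_zone, flow, POSTED_ZONE_PAIRS,
                    POSTED_POLICIES, POSTED_CLASSES, POSTED_ACLS)

if __name__ == "__main__":
    f = Flow("10.200.34.5", "10.33.45.5", "tcp", 88)
    print(f, "->", decide("VLAN2", "DMZ", f))
```

The stand-alone run evaluates Kerberos from 10.200.34.5, an address outside the 10.200.34.128/25 range that vlan2-DMZ-ACL permits, and still returns "inspect": the match-any class admits any Kerberos flow on the strength of "match protocol kerberos" alone. If the ACL is meant to bound every listed protocol, put the protocol lines in their own class-map and reference it together with the ACL from a match-all class, rather than listing the ACL alongside the protocols in a match-any class. Running dangling_references over a copy of POSTED_CLASSES that references the mistyped DMZ-vlan2-http-ACL name lists it as undefined.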
notgoing2fail Member Posts: 1,138
ilcram19-2 wrote: »You don't really want to use the SDM for this, since it requires you to keep track of class maps and policy maps, and with the naming that SDM uses it gets confusing.
Here is another example config allowing traffic from one VLAN to a DMZ zone:
[the example configuration from ilcram19-2's post above, quoted in full]
Is this your sole FW for your network or do you also have an ASA/PIX? -
ilcram19-2 Banned Posts: 436
I've been using ISRs for all my remote locations, mainly for the flexibility of the routing-over-VPN options available. I'm now training for the Advanced ASA and they are very impressive devices, but they work a lot differently than routers when it comes to zones. For now I'm sticking with the ISR since they can do IPS, content filtering, zone-based firewall, DMVPN, and VTIs. I do like the ASA modular policy framework and all the good packet inspection features.