Note: Cisco IOS Software always uses the IP address of the interface "nearest" the destination host as the source of router-generated traffic such as syslog, TFTP, Telnet, and other control-plane services, and subjects this traffic to the self-zone firewall policy. However, if a service defines a specific interface as its source interface, using commands that include but are not limited to logging source-interface [type number], ip tftp source-interface [type number], and ip telnet source-interface [type number], the traffic is subjected to the zone-to-zone firewall policy between the source interface's zone and the security zone of the destination host. If a service is configured to use an interface that is assigned to a specific security zone, self-zone policy does not apply to that service's traffic.
Note: Some services (particularly routers' voice-over-IP services) use ephemeral or non-configurable interfaces that cannot be assigned to security zones. These services might not function properly if their traffic cannot be associated with a configured security zone. If the service is configured to use one of the configurable physical or virtual interfaces on the device, the traffic should be handled by the security zone policy relevant to that interface.
Self-Zone Policy Limitations
Self-zone policy has limited functionality as compared to the policies available for transit-traffic zone-pairs:
- As was the case with classical stateful inspection, router-generated traffic is limited to TCP, UDP, ICMP, and complex-protocol inspection for H.323.
- Application inspection is not available for self-zone policies.
- Session and rate limiting cannot be configured on self-zone policies.
Unfortunately, the self-zone policy does not offer the capability to inspect TFTP transfers. Thus, the firewall must pass all traffic to and from the TFTP server if TFTP must pass through the firewall.

class-map type inspect match-any self-service-cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol h323
!
class-map type inspect match-all to-self-cmap
 match class-map self-service-cmap
 match access-group 120
!
class-map type inspect match-all from-self-cmap
 match class-map self-service-cmap
!
class-map type inspect match-all tftp-in-cmap
 match access-group 121
!
class-map type inspect match-all tftp-out-cmap
 match access-group 122
!
policy-map type inspect to-self-pmap
 class type inspect to-self-cmap
  inspect
 class type inspect tftp-in-cmap
  pass
!
policy-map type inspect from-self-pmap
 class type inspect from-self-cmap
  inspect
 class type inspect tftp-out-cmap
  pass
!
zone security private
zone security internet
zone-pair security priv-self source private destination self
 service-policy type inspect to-self-pmap
zone-pair security net-self source internet destination self
 service-policy type inspect to-self-pmap
zone-pair security self-priv source self destination private
 service-policy type inspect from-self-pmap
zone-pair security self-net source self destination internet
 service-policy type inspect from-self-pmap
!
interface FastEthernet 0/0
 ip address 172.16.100.10
 zone-member security internet
!
interface FastEthernet 0/1
 ip address 172.17.100.10
 zone-member security private
!
access-list 120 permit icmp 172.17.100.0 0.0.0.255 any
access-list 120 permit icmp any host 172.17.100.10 echo
access-list 120 deny icmp any any
access-list 120 permit tcp 172.17.100.0 0.0.0.255 host 172.17.100.10 eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 22
access-list 120 permit udp any host 172.17.100.10 eq snmp
access-list 121 permit udp host 172.17.100.17 host 172.17.100.10
access-list 122 permit udp host 172.17.100.10 host 172.17.100.17
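A quick way to sanity-check what the configuration above actually does to a given packet is to model it before touching a router. The script below is an added example, not Cisco code and not part of the original page: it parses the page's three extended ACLs (copied here as a constructed string), applies first-match evaluation with the implicit deny at the end, and then walks the classes of to-self-pmap and from-self-pmap in the order the page lists them (inspect, pass, then class-default drop). The self-service-cmap is simplified to "proto is tcp, udp or icmp" (H.323 rides on TCP), the Packet type and the sample packets are this example's own assumptions, and the 10.0.0.1 "internet" source is constructed.

```python
"""Model the page's self-zone policy: ACL first-match plus class order.

Everything here is a simplification for reasoning about the config, not an
IOS implementation. ACL_TEXT is a constructed copy of the page's ACL lines.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACL_TEXT = """
access-list 120 permit icmp 172.17.100.0 0.0.0.255 any
access-list 120 permit icmp any host 172.17.100.10 echo
access-list 120 deny icmp any any
access-list 120 permit tcp 172.17.100.0 0.0.0.255 host 172.17.100.10 eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 22
access-list 120 permit udp any host 172.17.100.10 eq snmp
access-list 121 permit udp host 172.17.100.17 host 172.17.100.10
access-list 122 permit udp host 172.17.100.10 host 172.17.100.17
"""

# IOS keyword-to-number mappings needed by the lines above (assumed subset).
PORT_NAMES = {"www": 80, "snmp": 161, "tftp": 69, "telnet": 23}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
INSPECTABLE = {"tcp", "udp", "icmp"}   # self-service-cmap; h323 is TCP anyway


@dataclass(frozen=True)
class Packet:                      # hypothetical packet summary for the model
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None    # TCP/UDP destination port
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[int]


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is an inverted netmask; ipaddress accepts host masks.
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acls(text: str) -> Dict[str, List[AclEntry]]:
    """Parse numbered extended ACL lines into per-ACL ordered entry lists."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = icmp_type = None
        if proto in ("tcp", "udp") and i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        elif proto == "icmp" and i < len(t):
            icmp_type = ICMP_TYPES[t[i]]
        acls.setdefault(number, []).append(
            AclEntry(action, proto, src, dst, dport, icmp_type))
    return acls


def _matches(e: AclEntry, p: Packet) -> bool:
    if e.proto != p.proto:
        return False
    if (ipaddress.ip_address(p.src) not in e.src
            or ipaddress.ip_address(p.dst) not in e.dst):
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return e.icmp_type is None or e.icmp_type == p.icmp_type


def acl_permits(acls: Dict[str, List[AclEntry]], number: str, p: Packet) -> bool:
    """First matching entry decides; no match falls to the implicit deny."""
    for e in acls.get(number, []):
        if _matches(e, p):
            return e.action == "permit"
    return False


def to_self_action(acls, p: Packet) -> str:
    """priv-self / net-self: classes in the order to-self-pmap lists them."""
    if p.proto in INSPECTABLE and acl_permits(acls, "120", p):
        return "inspect"   # to-self-cmap
    if acl_permits(acls, "121", p):
        return "pass"      # tftp-in-cmap
    return "drop"          # class-default once a policy is attached


def from_self_action(acls, p: Packet) -> str:
    """self-priv / self-net: from-self-cmap first, then tftp-out-cmap."""
    if p.proto in INSPECTABLE:
        return "inspect"   # from-self-cmap has no ACL, so any UDP lands here
    if acl_permits(acls, "122", p):
        return "pass"      # tftp-out-cmap
    return "drop"


ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    samples = [  # constructed packets; 10.0.0.1 stands in for an internet host
        ("to-self", Packet("tcp", "172.17.100.5", "172.17.100.10", dport=80)),
        ("to-self", Packet("udp", "172.17.100.17", "172.17.100.10", dport=69)),
        ("to-self", Packet("icmp", "10.0.0.1", "172.17.100.10", icmp_type=8)),
        ("to-self", Packet("icmp", "10.0.0.1", "172.17.100.10", icmp_type=0)),
        ("to-self", Packet("tcp", "10.0.0.1", "172.17.100.10", dport=23)),
        ("from-self", Packet("udp", "172.17.100.10", "172.17.100.17", dport=69)),
    ]
    for direction, pkt in samples:
        fn = to_self_action if direction == "to-self" else from_self_action
        print(f"{direction:9} {pkt.proto:4} {pkt.src}->{pkt.dst} -> {fn(ACLS, pkt)}")
```

Two results are worth a second look. Inbound TFTP from 172.17.100.17 to the router fails ACL 120 (only SNMP is permitted over UDP) and falls through to tftp-in-cmap, so it is passed rather than inspected, which is exactly the intent the paragraph describes. In the from-self direction, however, the model evaluates from-self-cmap first and that class matches every UDP packet, so router-originated TFTP to 172.17.100.17 is inspected and tftp-out-cmap is never reached; on a real device, confirm which class a flow lands in with show policy-map type inspect zone-pair before relying on the pass.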