Comments on: Cisco IOS Zone Based Policy Firewall http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/ A Cisco Security-guy exploring the world Mon, 03 May 2010 22:24:07 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Jimmy Larsson http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/comment-page-1/#comment-88 Jimmy Larsson Sat, 06 Feb 2010 13:46:21 +0000 http://blogg.kvistofta.nu/?p=680#comment-88 Hi Dazzler!<br><br>Thanks for notifying me about the typo, it´s corrected now!<br><br>Next step is to also do deep packet inspection in the same config. Like "also, inside users should be able to http to internet, except to sites with the string "piratebay" in the url. Or something. ;) Hi Dazzler!

Thanks for notifying me about the typo, it´s corrected now!

Next step is to also do deep packet inspection in the same config. Like “also, inside users should be able to http to internet, except to sites with the string “piratebay” in the url. Or something. ;)

]]> By: Jimmy Larsson http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/comment-page-1/#comment-86 Jimmy Larsson Fri, 05 Feb 2010 22:29:22 +0000 http://blogg.kvistofta.nu/?p=680#comment-86 Thanks for the input. I have corrected it now.<br><br>I was thinking about doing a third thing; a level7-inspection of something. Like "Also, inside host should be able to http to urls except all .com-addresses". Hmm. Sounds like an idea for next blog post. Thanks for the input. I have corrected it now.

I was thinking about doing a third thing; a level7-inspection of something. Like “Also, inside host should be able to http to urls except all .com-addresses”. Hmm. Sounds like an idea for next blog post.

]]> By: Dazzler http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/comment-page-1/#comment-85 Dazzler Fri, 05 Feb 2010 17:24:14 +0000 http://blogg.kvistofta.nu/?p=680#comment-85 Cool example. I too had a hard job with this, especially trying to get it to work staeless as well as stateful..... <br><br>One small typo, below the IP address should read 10.13.13.13.<br><br>Task 2. Also allow specific pings outbound<br>The next task for me is to enable ping from inside hosts to the outside. To make it a bit trickier I decide to make an exception for the internal host 10.11.11.11 who should not be able to ping.<br><br>Great work! :-) Cool example. I too had a hard job with this, especially trying to get it to work staeless as well as stateful…..

One small typo, below the IP address should read 10.13.13.13.

Task 2. Also allow specific pings outbound
The next task for me is to enable ping from inside hosts to the outside. To make it a bit trickier I decide to make an exception for the internal host 10.11.11.11 who should not be able to ping.

Great work! :-)

]]>