tangoseal
Member
Posts:
185
Joined:
Tue Apr 29, 2008 7:22 pm

Creating a guest network on Cisco Router, not ASA question?

Sat May 05, 2012 11:23 pm

Alrighty, a little misdirected here. Been reading docs for a little while and experimenting around; maybe someone can point me in the right direction.

How do you create a guest network in IOS Zone Firewall? For some reason Cisco, while using the term DMZ, applies it differently on their routers than on their ASAs. I know how to do this on ASAs all day long; however, on the router it is a little different story.

I would appreciate a little direction, even if you reference Cisco documentation on how this is to be done. I am sure this is basic, and laughably so... I can't seem to understand how to do this on a router with Zone Firewall. Thanks in advance.

Edit***1: For some reason I think I might need to create a zone just for guest... still studying up, and yet your pointers are still going to be helpful. Thanks!
Edit***2: And again I am dumbfounded how it always never fails that when I am searching around the internets I never find poop, then I post here, and within 3 minutes I find this....
http://packetlife.net/blog/2012/jan/30/ ... -firewall/
Edit***3: And bingo. I got it and now it all makes sense. I used that tutorial, coupled with my knowledge of ASA OS and with Cisco documentation, and found how to do this. It was so easy I should slap my mama and call myself silly.

However, I still want to ask you security experts if this is a problem. From my LAB GUEST PC (my laptop), connected through my VLAN'd and trunked 2960G switch, I can't ping any other (in-zone, aka inside network) hosts. However, I can ping all of my router's subinterfaces, i.e. Gig 0/0 and Gig 0/1.1, 0/1.9, etc. Is there some way I can block pinging from the guest LAN to my "on a stick" routed subinterfaces? I do not want guests to know that there are other "discoverable" networks they might be able to attempt access at. I do have the firewall zones set up, security policies, etc. working like a charm.

Thanks in advance.
Awesomesauce!!!!

DanC
Ultimate Member
Posts:
843
Joined:
Mon Oct 06, 2008 8:01 am
Certs:
CCNA, CCNA-W, CCNP

Creating a guest network on Cisco Router, not ASA question?

Mon May 07, 2012 3:37 am

Post your configuration


tangoseal

Re: Creating a guest network on Cisco Router, not ASA questi

Mon May 07, 2012 9:57 am

I will post the config as soon as I get a chance. I really just want to make sure that being able to ping the routed subinterfaces on the inside routed port is not going to be a huge security risk.

auglan
Junior Member
Posts:
89
Joined:
Fri Jun 25, 2010 7:55 am
Certs:
CCNP

Re: Creating a guest network on Cisco Router, not ASA questi

Mon May 07, 2012 2:02 pm

Your router's interfaces are part of the "self" zone with ZBFW. By default any traffic going to the self zone or coming from the self zone is allowed. If you're worried about users being able to ping your interfaces, just create a new zone pair and deny ICMP traffic to the self zone from that subnet.

tangoseal

Re: Creating a guest network on Cisco Router, not ASA questi

Mon May 07, 2012 2:29 pm

auglan wrote: Your router's interfaces are part of the "self" zone with ZBFW. By default any traffic going to the self zone or coming from the self zone is allowed. If you're worried about users being able to ping your interfaces, just create a new zone pair and deny ICMP traffic to the self zone from that subnet.


Thanks. I will do that. I am still learning to use Zone Firewall over the ASA. I am really loving Zone Firewall. It is so easy to use as I am learning my way around it, and it's actually very, very secure from what little penetration testing I have been throwing at it. Go figure, haha, a simple ACL to deny ICMP will do the trick.

auglan

Re: Creating a guest network on Cisco Router, not ASA questi

Mon May 07, 2012 2:48 pm

Yeah, with ZBPFW we are not tied to ACLs like with CBAC or reflexive ACLs. All flows between interfaces are controlled by the zone pairs, which gives you a lot more control. Very similar to the ASA security levels.

If you're using this router as an edge device (internet facing), just remember that anything going to the "self zone" or coming from the "self zone" is allowed, so you may want to lock down the self zone from the outside as well.
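Added example (not from any poster in this thread, and not from the packetlife tutorial): an IOS ZBFW configuration that does what auglan's two replies describe, one zone pair from the guest zone to `self` that drops ICMP, and one from the outside zone to `self` that only passes what an edge router needs. The zone names `GUEST` and `OUTSIDE`, the guest subnet 192.168.9.0/24 on Gig0/1.9, and the management host 203.0.113.10 are assumptions; substitute your own. It assumes the zones are already created and assigned to interfaces, as in the original post, and that the router is the DHCP server (and possibly DNS forwarder) for the guest VLAN.

```cisco
! ---- Guest -> self: block pings, keep DHCP/DNS to the router working ----
! Assumed guest subnet: 192.168.9.0/24 (interface Gig0/1.9, zone GUEST)
ip access-list extended ACL-GUEST-TO-SELF-ICMP
 permit icmp 192.168.9.0 0.0.0.255 any
!
! DHCP requests come from 0.0.0.0:68 to 255.255.255.255:67, hence "any".
! DNS line is only needed if the router resolves names for guests.
ip access-list extended ACL-GUEST-TO-SELF-SERVICES
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.9.0 0.0.0.255 any eq domain
!
class-map type inspect match-all CM-GUEST-ICMP
 match access-group name ACL-GUEST-TO-SELF-ICMP
class-map type inspect match-any CM-GUEST-SELF-SERVICES
 match access-group name ACL-GUEST-TO-SELF-SERVICES
!
! Once a zone-pair to self exists, anything not matched falls into
! class-default, whose default action is drop. That also stops guests
! from reaching SSH/HTTP on any router interface, not only ICMP.
policy-map type inspect PM-GUEST-TO-SELF
 class type inspect CM-GUEST-ICMP
  drop log
 class type inspect CM-GUEST-SELF-SERVICES
  pass
 class class-default
  drop log
!
zone-pair security ZP-GUEST-SELF source GUEST destination self
 service-policy type inspect PM-GUEST-TO-SELF
!
! ---- Outside -> self: edge lockdown, allow-list only ----
! Assumed: site-to-site/remote-access IPsec terminates on this router.
ip access-list extended ACL-OUTSIDE-TO-SELF-VPN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
! Assumed management host (TEST-NET-3 address used as a placeholder).
ip access-list extended ACL-OUTSIDE-TO-SELF-MGMT
 permit tcp host 203.0.113.10 any eq 22
!
class-map type inspect match-any CM-OUTSIDE-SELF-VPN
 match access-group name ACL-OUTSIDE-TO-SELF-VPN
class-map type inspect match-any CM-OUTSIDE-SELF-MGMT
 match access-group name ACL-OUTSIDE-TO-SELF-MGMT
!
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-OUTSIDE-SELF-VPN
  pass
 class type inspect CM-OUTSIDE-SELF-MGMT
  pass
 class class-default
  drop log
!
zone-pair security ZP-OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
```

Two points to check after applying it. First, `pass` is stateless: the router's replies (DHCP offers, DNS answers, SSH and IKE responses) get out only because no `self -> GUEST` or `self -> OUTSIDE` zone pair is defined, so that direction keeps its default-allow behaviour; if you later add a pair in that direction, pass the reverse flows there too. Second, transit traffic (guest to the internet) never touches `self`, so it is still governed by your existing `GUEST -> OUTSIDE` pair. Verify with `show zone-pair security` and `show policy-map type inspect zone-pair ZP-GUEST-SELF`, then ping a subinterface from the guest laptop and confirm the drop counter increments.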
