Sunday, November 10, 2019

Cisco ZBF Config Question

I have a Cisco 891F configured with ZBF from CBAC. Right now, the router is wide open on SSH/443 or anything my public address is listening on, which is not what I intended. My intention was to only allow ICMP in. Is there somewhere else I need to apply restrictions? I feel like I'm missing something glaring.

Parakoopa891F#show run
ip ssh version 2
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 description Allowed_Protocols_From_INSIDE_to_OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol udp
 match protocol tcp
 match protocol icmp
class-map type inspect match-any OUTSIDE-TO-INSIDE-CLASS
 description Allowed_Protocols_From_OUTSIDE_to_INSIDE
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet8
 description Outside
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Vlan1
 description Internal
 ip address 10.69.69.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
ip nat inside source list ACLNATOVERLOAD interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
!
ip access-list extended ACLNATOVERLOAD
 permit ip 10.69.69.0 0.0.0.255 any
!
end

Any insight would be greatly appreciated!
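An added example, not part of the original post, covering the piece this configuration leaves out: in ZBF, traffic addressed to the router itself (SSH, HTTPS or ping aimed at the GigabitEthernet8 address) belongs to the built-in self zone, and any direction with no zone-pair involving self is permitted by default, so the OUT-TO-IN pair above never sees those connections. The class, policy, zone-pair and ACL names below are assumptions; the example passes only ICMP (and the DHCP replies the Gi8 lease depends on) from OUTSIDE to self, and inspects sessions the router itself opens so their replies are allowed back.

```cisco
! Added example (not from the original post): police traffic to and from
! the router itself via the built-in "self" zone. All names are assumptions.
!
! DHCP offer/ack for the Gi8 lease arrive from OUTSIDE before any session
! exists, so they are passed explicitly rather than relying on inspection.
ip access-list extended ACL-DHCP-CLIENT
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-any OUTSIDE-TO-SELF-CLASS
 description Only_ICMP_may_reach_the_router_from_OUTSIDE
 match protocol icmp
class-map type inspect match-all OUTSIDE-TO-SELF-DHCP-CLASS
 match access-group name ACL-DHCP-CLIENT
class-map type inspect match-any SELF-TO-OUTSIDE-CLASS
 description Sessions_the_router_opens_itself_DNS_NTP_DHCP_renewals
 match protocol tcp
 match protocol udp
class-map type inspect match-any SELF-TO-OUTSIDE-ICMP-CLASS
 match protocol icmp
!
! Inbound to the router: ICMP and DHCP replies only, everything else
! (SSH, 443 and anything else listening on the public address) is dropped
! and logged. "pass" for ICMP mirrors the OUT-TO-IN policy already in use.
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect OUTSIDE-TO-SELF-CLASS
  pass
 class type inspect OUTSIDE-TO-SELF-DHCP-CLASS
  pass
 class class-default
  drop log
! Outbound from the router: inspect TCP/UDP so return traffic for lookups
! and lease renewals is admitted by the session, not by the inbound policy.
policy-map type inspect SELF-TO-OUTSIDE-POLICY
 class type inspect SELF-TO-OUTSIDE-CLASS
  inspect
 class type inspect SELF-TO-OUTSIDE-ICMP-CLASS
  pass
 class class-default
  drop log
!
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE-POLICY
```

After applying, "show zone-pair security" should list four pairs, and "show policy-map type inspect zone-pair OUT-TO-SELF" shows the class-default drop counters climbing for the connection attempts that were previously reaching SSH/443.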


