
traceroute, difference between Linux and Windows August 18, 2010

Posted by ZoeL in Cisco, Desktop PC, Notes.

What is the difference between “traceroute” on Windows and Linux?

I never met one until recently, when our DNS server failed. During the troubleshooting session we tried to trace the path. I had already opened the ICMP message types (host-unreachable and time-exceeded) on our firewall, but strangely we were not able to trace from Linux machines. We got a different result when we tried it from Windows machines: traceroute ran fine.

I Googled it and found the explanation:

Windows uses ICMP, whilst Linux uses random high UDP port numbers.

I tested it on our firewall, opened all the high UDP port numbers, and voilà… now our Linux servers were able to “traceroute” across the firewall.
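As an added example (not the post's own configuration, and the post never names the firewall), here is what the fix looks like as a pair of Cisco IOS extended ACLs. It relies on two details I am certain of beyond the post: Windows tracert sends ICMP echo requests, while Linux/BSD traceroute sends UDP probes to destination ports starting at 33434 and incrementing by one per probe, so the default 30 hops × 3 probes stay inside 33434-33523. The ACL names and the 33434-33534 range width are assumptions; tighten the source/destination wildcards to your own address space.

```cisco
! Added example, not from the post. ACL names and the port range width are assumed.
! Probes leaving through the firewall (apply inbound on the inside interface)
ip access-list extended TRACEROUTE-OUT
 remark Windows tracert: ICMP echo request, one per TTL
 permit icmp any any echo
 remark Linux/BSD traceroute: UDP probes, default base port 33434, incrementing
 permit udp any any range 33434 33534
!
! Replies coming back through the firewall (apply inbound on the outside interface)
ip access-list extended TRACEROUTE-IN
 remark every intermediate hop answers both OSes with ICMP time-exceeded
 permit icmp any any time-exceeded
 remark the final hop answers a Linux UDP probe with ICMP port-unreachable
 permit icmp any any port-unreachable
 remark the final hop answers Windows tracert with an echo-reply
 permit icmp any any echo-reply
 remark the unreachable type the post had already opened
 permit icmp any any host-unreachable
```

The check that isolates this problem on the Linux side is `traceroute -I <host>`, which switches the probes to ICMP echo: if that traces and the default UDP mode does not, the firewall is filtering the UDP probe ports rather than the ICMP replies. Note that port-unreachable is the reply the post was missing as well; without it the Linux trace shows the path but never prints the final hop.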

.end of notes.

Zone-Based Firewall August 6, 2010

Posted by ZoeL in Cisco, Security.

A Cisco router can act as a zone-based firewall. The concept is not very far from a real PIX or ASA box. These are the 3 important things to remember if we want to set up ZBFW on Cisco routers.

  1. Zones
    Just like on an ASA or PIX, we must define which interface is the Outside (untrusted) zone and which is the Inside (trusted) zone. You can also set up other zones, let's say a DMZ.
  2. Inspect type for class-maps and policy-maps
    There is one special type of class-map and policy-map for ZBFW, and this type is called INSPECT. It must be used each time we create a class-map or policy-map; otherwise, we won't be able to set up the zone-pair.
  3. Zone-pair
    This command binds zones with a policy-map and defines the direction of packet flow between zones, for example from outside to inside, inside to outside, or from DMZ to outside, etc.

And here is a simple scenario:

Create 2 zones on R1, outside and inside. Internet users must not be able to telnet or ping the inside router (R2). R2 is not allowed to telnet into the internet area. Let any other packet flow.
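As an added example (not the post's configuration), here is the scenario above written out with the three pieces from the list: zones, inspect-type class-maps and policy-maps, and zone-pairs. The zone, class-map, policy-map and zone-pair names and the interface numbers are assumptions; the deny class sits first in each policy-map because classes are evaluated in order.

```cisco
! Added example, not from the post. Names and interface numbers are assumed.
zone security inside
zone security outside
!
! What the internet is NOT allowed to start toward the inside (R2): telnet and ping
class-map type inspect match-any CM-OUT-IN-DENY
 match protocol telnet
 match protocol icmp
!
! What R2 is NOT allowed to start toward the internet: telnet
class-map type inspect match-any CM-IN-OUT-DENY
 match protocol telnet
!
! Everything else, inspected statefully so return traffic is let back in
class-map type inspect match-any CM-ANY
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-OUT-IN
 class type inspect CM-OUT-IN-DENY
  drop log
 class type inspect CM-ANY
  inspect
 class class-default
  drop
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT-DENY
  drop log
 class type inspect CM-ANY
  inspect
 class class-default
  drop
!
! Zone-pairs bind a direction of flow to a policy-map
zone-pair security OUT-IN source outside destination inside
 service-policy type inspect PM-OUT-IN
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect PM-IN-OUT
!
interface FastEthernet0/0
 description to internet (assumed)
 zone-member security outside
interface FastEthernet0/1
 description to R2 (assumed)
 zone-member security inside
```

Because the IN-OUT pair inspects ICMP, a ping started by R2 still gets its replies back even though the OUT-IN pair drops ICMP started from the internet. Two caveats a practitioner should check: `show policy-map type inspect zone-pair sessions` confirms which class each flow actually matched, and traffic to or from R1 itself belongs to the implicit self zone, which these two pairs do not restrict; telnet to R1's own addresses needs a separate zone-pair with `self` or a line ACL.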

(more…)
