• The procedure for describing a subnet and the procedure for describing a range to be firewalled are very similar, and this leads to a common mistake:
- This policy describes a subnet (it has a subnet prefix for the 10.1.1.0 network):
    policy 10 out address 10.1.1.0 24 any any
- This policy describes a range (it has a start and end address):
    policy 11 out address 20.1.1.1 20.1.1.200 any any
- This policy describes a range (it has a start and end address) but is almost certainly
  not what was intended:
    policy 12 out address 30.1.1.0 255.255.255.0 any any
Policy 12 describes the range of addresses starting from 30.1.1.0 and continuing up
through (almost) all the available IP address range to 255.255.255.0. Policy 12 does
*not* describe the subnet 30.1.1.0/24.
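The following Python check is an added example, not code from the Avaya document: it applies the interpretation stated above (a numeric second field is a prefix length, a dotted-quad second field is a range end) to the three sample policies and flags a range end that looks like a netmask. The regular expression and the SAMPLE_POLICIES list are assumptions for the example, not the router's actual parser.

```python
import ipaddress
import re

# Constructed sample input: the three policies discussed in the text.
SAMPLE_POLICIES = [
    "policy 10 out address 10.1.1.0 24 any any",
    "policy 11 out address 20.1.1.1 20.1.1.200 any any",
    "policy 12 out address 30.1.1.0 255.255.255.0 any any",
]

# Assumed shape of an address policy line: id, direction, first and second address field.
POLICY_RE = re.compile(
    r"^policy\s+(?P<id>\d+)\s+(?P<dir>in|out)\s+address\s+"
    r"(?P<first>\S+)\s+(?P<second>\S+)"
)

def interpret_address(line):
    """Return (policy_id, kind, first_addr, last_addr, warning) for one policy line.

    kind is "subnet" when the second field is a prefix length, "range" when it is
    an address. warning is a string when the range end looks like a netmask.
    """
    m = POLICY_RE.match(line.strip())
    if not m:
        raise ValueError("not an address policy: %r" % line)
    pid, first, second = int(m.group("id")), m.group("first"), m.group("second")
    if second.isdigit():
        net = ipaddress.ip_network("%s/%s" % (first, second), strict=False)
        return pid, "subnet", str(net.network_address), str(net.broadcast_address), None
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(second)
    if end < start:
        raise ValueError("policy %d: range end precedes start" % pid)
    warning = None
    try:
        # A second field that parses as a valid netmask was probably meant as one.
        ipaddress.ip_network("0.0.0.0/%s" % second)
        warning = ("policy %d: %s looks like a netmask but is parsed as a range end; "
                   "the policy covers %d addresses" % (pid, second, int(end) - int(start) + 1))
    except ValueError:
        pass  # an ordinary range end, nothing to flag
    return pid, "range", str(start), str(end), warning

def audit(lines):
    """Return the warnings for every policy line that is probably mis-specified."""
    return [interpret_address(l)[4] for l in lines if interpret_address(l)[4]]

if __name__ == "__main__":
    for w in audit(SAMPLE_POLICIES):
        print(w)
```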
• Firewall policies intended to protect end hosts behind the firewall must be expressed in
a trusted zone. Policies in the untrusted zone, internet, only protect the firewall internet
interface itself.
Firewall troubleshooting commands
debug firewall alg
debug firewall attack
debug firewall connections
debug firewall ip-reassembly
Troubleshooting security
200 Troubleshooting August 2013
Comments? infodev@avaya.com