This is my configuration:

zone security x
zone security y

class-map type inspect ICMP
 match protocol icmp

policy-map type inspect POLICY
 class type inspect ICMP
  pass
 class class-default
  pass

zone-pair security Y-X source y destination x
 service-policy type inspect POLICY

The interface (facing R5) is in zone x.

> Date: Wed, 3 Oct 2012 15:48:10 +0000
> Subject: Re: ZONE-BASED-FIREWALL
> From: ccie99999_at_gmail.com
> To: mohd-mousa_at_hotmail.com
> CC: ccielab_at_groupstudy.com
> 
> Hi!,
> 
> so you did something like:
> 
> class-map type inspect CM_ICMP
>  match protocol ICMP
> 
> policy-map type inspect PM_ICMP
>  class CM_ICMP
>   inspect
> 
> zone security X
> zone security Y
> 
> interface facing to R5
>  zone-member security X
> 
> interface facing R1
>  zone-member sec Y
> 
> zone-pair security FROM_Y_TO_X source Y destination X
>  service-policy type inspect PM_ICMP
> 
> is this your configuration?
> 
> if not can you send in yours?
> 
> 
> 
> 
> On Wed, Oct 3, 2012 at 2:54 PM, Mohammad Mousa <mohd-mousa_at_hotmail.com> wrote:
> 
> > Hi Guys, I have a question about ZBF. As far as I know, the ZBF is
> > taking the concept from the CBAC by permitting all the traffic that is
> > initiated from inside to the outside and permitting the return traffic. I
> > defined the policy-map to pass the ICMP and class-default as well.
> >  R1------R2----R5  (Router2) has four interfaces, one of them is in Zone
> > X (interface facing R5) and the others in zone Y. When I pinged from
> > R1-R5, I saw the output of the ICMP debugging and the packets reached R5,
> > but the traffic didn't come back to R1. When I put the zone-pair in both
> > directions, it worked fine! Please advise me, correct me if I'm wrong! Thank
> > you all.
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> 
> 
> -- 
> @ccie99999
> 
Received on Wed Oct 03 2012 - 15:50:25 ART
This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART
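
Added example, not part of the original thread: a small Python check run over the configuration posted above. In Cisco ZBF the pass action keeps no session state, so replies need their own zone-pair in the reverse direction, while inspect tracks the session and admits the return traffic; the function names and the embedded sample are constructed for this illustration.

```python
import re

# Constructed sample: the configuration posted in the thread, one command per line.
POSTED_CONFIG = """\
zone security x
zone security y
class-map type inspect ICMP
 match protocol icmp
policy-map type inspect POLICY
 class type inspect ICMP
  pass
 class class-default
  pass
zone-pair security Y-X source y destination x
 service-policy type inspect POLICY
"""

def parse_zbf(config):
    """Return ({policy: {class: action}}, {(src_zone, dst_zone): policy})."""
    policies, pairs = {}, {}
    policy = cls = pair = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends the previous block
            policy = cls = pair = None
        if m := re.match(r"policy-map type inspect (\S+)$", line):
            policy = m.group(1)
            policies[policy] = {}
        elif (m := re.match(r"class (?:type inspect )?(\S+)$", line)) and policy:
            cls = m.group(1)
        elif line.split(" ")[0] in ("pass", "inspect", "drop") and policy and cls:
            policies[policy][cls] = line.split(" ")[0]
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            pair = (m.group(1), m.group(2))
        elif (m := re.match(r"service-policy type inspect (\S+)$", line)) and pair:
            pairs[pair] = m.group(1)
    return policies, pairs

def one_way_pass(config):
    """List (src, dst, class) where 'pass' is used and no dst->src zone-pair exists."""
    policies, pairs = parse_zbf(config)
    findings = []
    for (src, dst), pol in pairs.items():
        if (dst, src) in pairs:  # simplification: any reverse pair counts as covered
            continue
        for cls, action in policies.get(pol, {}).items():
            if action == "pass":
                findings.append((src, dst, cls))
    return findings
```

Each finding names a class whose traffic is forwarded from the source zone but whose replies have no policy to return through.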