Paul,
Thanks for the quick reply! So to get to this point I originally did
have zone pairs and service policies. In fact, they were the ones in
the PG. However, I could not see the counters increment as traffic passed,
nor disallowed traffic drop. In the process of debugging I wanted to at
least see the default behavior, and that is what got me to this point.
This is what I started with:
! Classes: each "match-all" class here carries a single ACL match; the
! "match-any" class matches any of the listed application protocols.
class-map type inspect match-all IN->OUT-ICMP-REPLY
 match access-group name IN->OUT
class-map type inspect match-any IN->OUT-PROTO
 match protocol ssh
 match protocol http
 match protocol https
 match protocol dns
 match protocol smtp
 match protocol bootps
class-map type inspect match-all IN->OUT-ICMP
 match access-group name ICMP
class-map type inspect match-all OUT-IN
 match access-group name FW-IN
!
! OUTSIDE -> INSIDE: "pass" is stateless, so anything passed here needs a
! matching "pass" for its return traffic on the IN->OUT zone-pair.
policy-map type inspect FW-OUT->IN
 class type inspect OUT-IN
  pass
 class class-default
  drop
!
! INSIDE -> OUTSIDE: "inspect" is stateful, so return traffic for these
! classes is admitted from the session table without an OUT->IN rule.
! Note that class-default is "pass" (stateless), so any other outbound
! flow is passed but its replies are evaluated by FW-OUT->IN and dropped
! unless FW-IN permits them.
policy-map type inspect FW-IN->OUT
 class type inspect IN->OUT-PROTO
  inspect
 class type inspect IN->OUT-ICMP
  inspect
 class type inspect IN->OUT-ICMP-REPLY
  pass
 class class-default
  pass
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN->OUT source INSIDE destination OUTSIDE
 service-policy type inspect FW-IN->OUT
zone-pair security OUT->IN source OUTSIDE destination INSIDE
 service-policy type inspect FW-OUT->IN
!
! ACLs referenced by the classes above.
ip access-list extended FW-IN
 permit icmp any any echo
 permit icmp any any unreachable
 permit udp host 9.9.156.9 eq ntp host 7.7.7.7 eq ntp
 permit tcp host 9.9.156.9 gt 1024 host 9.9.156.7 eq bgp
 permit tcp host 9.9.156.9 eq bgp host 9.9.156.7 gt 1024
ip access-list extended ICMP
 permit icmp any any echo
ip access-list extended IN->OUT
 permit icmp any any echo-reply
So at this point I am wondering if ZBFW is totally broken with the HW/SW I
am running?
Thanks!
Dave
______________________________________________________________
David A. Mack (703) 391-7787 (W)
CCIE #6963 (SP and R&S) JNCIE-M #399 CISSP (703) 431-7617 (C)
email: [email protected]
______________________________________________________________
"We are now the knights who say... Ping!"
________________________________
From: Paul Stewart [mailto:[email protected]]
Sent: Saturday, October 24, 2009 11:37 AM
To: Mack, David A (Dave)
Cc: [email protected]
Subject: RE: Lab2A Zone Based Firewall
Dave,
I can certainly see your confusion. However, I think that if
you just bind the zones to the interface it will still permit traffic as
you indicated. I think you would have to create a zone-pair and quite
possibly even add a service-policy before the default behavior changes
to the implicit deny. Last night, I was working around with
communications to the "self" zone and I found that to be the case. HTH,
and anyone please correct my thinking if I am incorrect.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
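Editor's note, as an added example that is not part of either message above: a minimal ZBFW configuration showing the point the thread turns on. Per Cisco's ZBFW documentation, once an interface is a member of a zone, traffic between that zone and any other zone is dropped until a zone-pair with an inspect service-policy permits it; traffic between interfaces in the same zone, and traffic to or from the router itself (the self zone), is allowed by default. One practical consequence for the counters question: NTP or BGP sessions terminating on the router's own addresses belong to the self zone and never traverse the INSIDE/OUTSIDE zone-pairs, so those pairs' counters will not move for that traffic. The interface names, addresses, and class/policy names below are assumptions, not taken from the lab.

```cisco
! Added example (not the original poster's config). Interface names and
! addresses are assumed; adjust them to the lab topology.
!
! 1. Zones and membership. With only this applied, INSIDE<->OUTSIDE
!    traffic is dropped (no zone-pair exists yet); traffic to and from
!    the router itself (self zone) is still permitted.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description inside LAN (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description outside link (assumed)
 zone-member security OUTSIDE
!
! 2. Outbound policy: use "inspect" (stateful) rather than "pass" so the
!    session table admits return traffic. Nothing else leaves, and the
!    drop is logged so the class-default counter is easy to confirm.
class-map type inspect match-any IN-OUT-ALLOWED
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect FW-IN-OUT
 class type inspect IN-OUT-ALLOWED
  inspect
 class class-default
  drop log
!
! 3. Inbound policy: only the unsolicited traffic you truly need, also
!    inspected so that replies (e.g. echo-reply) are tracked statefully
!    instead of needing a second stateless "pass" on the reverse pair.
ip access-list extended FW-IN
 permit icmp any any echo
 permit icmp any any unreachable
class-map type inspect match-all OUT-IN-ALLOWED
 match access-group name FW-IN
policy-map type inspect FW-OUT-IN
 class type inspect OUT-IN-ALLOWED
  inspect
 class class-default
  drop log
!
! 4. Zone-pairs: binding the service-policy here is what replaces the
!    default inter-zone drop with the policy's decisions.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect FW-IN-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect FW-OUT-IN
!
! Verification from exec mode (counters should move per class once
! traffic crosses the zone-pair, not when it terminates on the router):
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair IN-OUT
!   show policy-map type inspect zone-pair sessions
```

To confirm that traffic is actually hitting a zone-pair, generate a flow from an inside host (not from the router's own CLI, which originates in the self zone) and watch the per-class packet counters in `show policy-map type inspect zone-pair IN-OUT`; a session entry in `show policy-map type inspect zone-pair sessions` confirms that `inspect`, rather than `pass`, is tracking the flow.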