Paul,
Ok, so I restored the config I had saved prior to the erase and reload.
I also added the ip inspect log drop-pkt. Traffic is flowing through R8
just fine but there are no counters incrementing or sessions:
SEC-R8# sh policy-map type inspect zone-pair
Zone-pair: IN->OUT
Service-policy inspect : FW-IN->OUT
Class-map: IN->OUT-PROTO (match-any)
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol bootps
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: IN->OUT-ICMP (match-all)
Match: access-group name ICMP
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: IN->OUT-ICMP-REPLY (match-all)
Match: access-group name IN->OUT
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Pass
0 packets, 0 bytes
Zone-pair: OUT->IN
Service-policy inspect : FW-OUT->IN
Class-map: OUT-IN (match-all)
Match: access-group name FW-IN
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
SEC-R8#
The logs don't show anything:
SEC-R8# sh log
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level emergencies, 56 messages logged, xml
disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 9 messages logged, xml disabled,
filtering disabled
Logging Exception size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 69 message lines logged
Logging to 9.2.1.101 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
5 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Log Buffer (10000 bytes):
*Oct 24 15:08:29.615: %SYS-6-CLOCKUPDATE: System clock has been updated
from 15:08:29 UTC Sat Oct 24 2009 to 10:08:29 EST Sat Oct 24 2009,
configured from console by console.
*Oct 24 15:08:29.643: %SYS-6-CLOCKUPDATE: System clock has been updated
from 10:08:29 EST Sat Oct 24 2009 to 11:08:29 EDT Sat Oct 24 2009,
configured from console by console.
*Oct 24 15:08:32.835: %LINK-3-UPDOWN: Interface Serial1/0:0, changed
state to up
*Oct 24 15:08:33.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial1/0:0, changed state to up
*Oct 24 15:08:37.479: %SYS-5-CONFIG_I: Configured from console by
console
*Oct 24 15:08:38.479: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host
9.2.1.101 port 514 started - CLI initiated
Oct 24 16:01:25.063: %SYS-5-CONFIG_I: Configured from console by console
Oct 24 16:02:38.544: %SYS-5-CONFIG_I: Configured from console by console
Oct 24 16:06:51.457: %SYS-5-CONFIG_I: Configured from console by console
SEC-R8#
So here is the full config:
SEC-R8#sh run
Building configuration...
Current configuration : 3930 bytes
!
! Last configuration change at 12:06:51 EDT Sat Oct 24 2009
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SEC-R8
!
boot-start-marker
boot system disk0:c7200-adventerprisek9-mz.124-15.T1.bin
boot-end-marker
!
logging buffered 10000
logging console emergencies
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
!
!
!
no ip domain lookup
ip inspect log drop-pkt
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
controller T1 1/0
framing esf
clock source internal
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24
!
controller T1 1/1
framing esf
linecode b8zs
!
controller T1 1/2
framing esf
linecode b8zs
!
controller T1 1/3
framing esf
linecode b8zs
!
controller T1 1/4
framing esf
linecode b8zs
!
controller T1 1/5
framing esf
linecode b8zs
!
controller T1 1/6
framing esf
linecode b8zs
!
controller T1 1/7
framing esf
linecode b8zs
!
ip tcp synwait-time 7
!
class-map type inspect match-all IN->OUT-ICMP-REPLY
match access-group name IN->OUT
class-map type inspect match-any IN->OUT-PROTO
match protocol ssh
match protocol http
match protocol https
match protocol dns
match protocol smtp
match protocol bootps
class-map type inspect match-all IN->OUT-ICMP
match access-group name ICMP
class-map type inspect match-all OUT-IN
match access-group name FW-IN
!
!
policy-map type inspect FW-OUT->IN
class type inspect OUT-IN
pass
class class-default
drop
policy-map type inspect FW-IN->OUT
class type inspect IN->OUT-PROTO
inspect
class type inspect IN->OUT-ICMP
inspect
class type inspect IN->OUT-ICMP-REPLY
pass
class class-default
pass
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN->OUT source INSIDE destination OUTSIDE
service-policy type inspect FW-IN->OUT
zone-pair security OUT->IN source OUTSIDE destination INSIDE
service-policy type inspect FW-OUT->IN
bridge irb
!
!
!
!
interface FastEthernet0/0
ip address 192.168.144.158 255.255.255.0
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0:0
no ip address
!
interface FastEthernet2/0
no ip address
zone-member security OUTSIDE
duplex full
speed 100
bridge-group 1
!
interface FastEthernet2/1
no ip address
zone-member security INSIDE
duplex full
speed 100
bridge-group 1
!
interface BVI1
ip address 9.9.156.8 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.144.1
ip route 0.0.0.0 0.0.0.0 9.9.156.9
ip route 192.168.4.0 255.255.255.0 192.168.144.1
ip route 192.168.5.0 255.255.255.0 192.168.144.1
no ip http server
no ip http secure-server
!
ip bgp-community new-format
!
!
ip access-list extended FW-IN
permit icmp any any echo
permit icmp any any unreachable
permit udp host 9.9.156.9 eq ntp host 7.7.7.7 eq ntp
permit tcp host 9.9.156.9 gt 1024 host 9.9.156.7 eq bgp
permit tcp host 9.9.156.9 eq bgp host 9.9.156.7 gt 1024
ip access-list extended ICMP
permit icmp any any echo
ip access-list extended IN->OUT
permit icmp any any echo-reply
!
logging alarm informational
logging 9.2.1.101
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
gatekeeper
shutdown
!
alias configure a access-list
alias exec c conf t
alias exec i sh ip route
alias exec ib sh ip int brief
alias exec b sh ip bgp
alias exec bs sh ip bgp summ
alias exec clb clear ip bgp *
alias exec oi sh ip ospf int
alias exec on sh ip ospf neigh
alias exec s sh run
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
no login
!
ntp authentication-key 1 md5 020F145E13160A3358 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179178
ntp server 9.9.156.9 key 1
!
webvpn cef
!
end
SEC-R8#
And the sh ver:
SEC-R8#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version
12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 13:29 by prod_rel_team
ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2)
BOOTLDR: Cisco IOS Software, 7200 Software (C7200-KBOOT-M), Version
12.3(7)T, RELEASE SOFTWARE (fc1)
SEC-R8 uptime is 3 hours, 36 minutes
System returned to ROM by reload at 08:59:14 EDT Sat Oct 24 2009
System restarted at 09:01:22 EDT Sat Oct 24 2009
System image file is "disk0:c7200-adventerprisek9-mz.124-15.T1.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be
found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 7206VXR (NPE400) processor (revision B) with 491520K/32768K bytes
of memory.
Processor board ID 16066293
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
6 slot VXR midplane, Version 2.0
Last reset from power-on
PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth
points.
Current configuration on bus mb0_mb1 has a total of 400 bandwidth
points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 400 bandwidth points
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
4 FastEthernet interfaces
1 Serial interface
8 Channelized T1/PRI ports
125K bytes of NVRAM.
500377K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
SEC-R8#
Thanks!
Dave
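The `show policy-map type inspect zone-pair` output above is the place to confirm whether a zone-based policy is seeing traffic at all. As an added example (not from the original post or from Cisco), this Python script parses that output layout, sums the per-"Match:" counters for each class, and reports classes and whole zone-pairs that have never matched a packet or created a session; the sample text is a constructed excerpt in the same format as the router output.

```python
# Added example (not from the mailing-list post): parse the output of
# 'show policy-map type inspect zone-pair' and flag idle classes and zone-pairs.
import re

SAMPLE = """\
Zone-pair: IN->OUT
Class-map: IN->OUT-PROTO (match-any)
Match: protocol http
12 packets, 840 bytes
Inspect
Session creations since subsystem startup or last reset 3
Zone-pair: OUT->IN
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
"""

ZP = re.compile(r"^Zone-pair:\s+(\S+)")
CM = re.compile(r"^Class-map:\s+(\S+)\s+\((match-\w+)\)")
PKT = re.compile(r"^(\d+) packets, (\d+) bytes")
SESS = re.compile(r"^Session creations since subsystem startup or last reset (\d+)")
ACTION = re.compile(r"^(Inspect|Pass|Drop)\b")

def parse_zone_pairs(text):
    """Return {zone_pair: {class_map: {"packets", "sessions", "action"}}}."""
    result, zp, cls = {}, {}, {}  # zp/cls start as throwaway dicts for stray lines
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ZP.match(line):
            zp = result.setdefault(m.group(1), {})
        elif m := CM.match(line):
            cls = zp.setdefault(m.group(1), {"packets": 0, "sessions": 0, "action": None})
        elif m := PKT.match(line):
            cls["packets"] += int(m.group(1))  # per-"Match:" counters summed per class
        elif m := SESS.match(line):
            cls["sessions"] = int(m.group(1))
        elif m := ACTION.match(line):
            cls["action"] = m.group(1).lower()
    return result

def idle_classes(stats):
    """Classes that never fired: zero packets and zero sessions."""
    return sorted(f"{zp}/{c}" for zp, cs in stats.items()
                  for c, s in cs.items() if not (s["packets"] or s["sessions"]))

def idle_zone_pairs(stats):
    """Zone-pairs where every class is idle: the post's symptom (policy attached, never hit)."""
    return sorted(zp for zp, cs in stats.items()
                  if all(not (s["packets"] or s["sessions"]) for s in cs.values()))
```

Run it against a saved copy of the real output: every zone-pair listed by `idle_zone_pairs` is one whose service-policy the router is not consulting for the traffic you expect, which is exactly the state shown in the post.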
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com