It is working here with no problems. I am using Dynamips (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T5.
Here is my config:
Router#show run
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
ip inspect log drop-pkt
!
class-map type inspect match-any test
match protocol telnet
match protocol http
!
!
policy-map type inspect test
class type inspect test
inspect
class class-default
!
zone security inside
zone security outside
zone-pair security inout source inside destination outside
service-policy type inspect test
bridge irb
!
!
!
!
interface FastEthernet0/0
no ip address
zone-member security inside
bridge-group 1
!
interface FastEthernet0/1
no ip address
zone-member security outside
bridge-group 1
!
interface BVI1
ip address 20.20.20.1 255.255.255.0
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Router#show policy-map type inspect zone-pair
Zone-pair: inout
Service-policy inspect : test
Class-map: test (match-any)
Match: protocol telnet
3 packets, 72 bytes
30 second rate 0 bps
Match: protocol http
1 packets, 24 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:112]
Session creations since subsystem startup or last reset 4
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 00:00:02
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 2
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
Regards,
Mohammed Gazzaz
Date: Sat, 24 Oct 2009 13:17:18 -0400
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] LAb2A Zone Based Firewall
I don't see any issues with the config, but it shouldn't behave like that. I
will try to lab that up when I get some time on my equipment. This question is
to both Dave and Brian. Are either or both of you running this on Dynamips? I
guess I am curious if it could be a minor glitch with how that works.
On Sat, Oct 24, 2009 at 12:40 PM, Mack, David A (Dave) <[email protected]> wrote:
Paul,
Ok, so I restored the config I had saved prior to the erase and reload. I also added the ip inspect log drop-pkt.
Traffic is flowing through R8 just fine but there are no counters incrementing or sessions:
SEC-R8# sh policy-map type inspect zone-pair
Zone-pair: IN->OUT
Service-policy inspect : FW-IN->OUT
Class-map: IN->OUT-PROTO (match-any)
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol bootps
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: IN->OUT-ICMP (match-all)
Match: access-group name ICMP
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: IN->OUT-ICMP-REPLY (match-all)
Match: access-group name IN->OUT
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Pass
0 packets, 0 bytes
Zone-pair: OUT->IN
Service-policy inspect : FW-OUT->IN
Class-map: OUT-IN (match-all)
Match: access-group name FW-IN
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
SEC-R8#
The logs don't show anything:
SEC-R8# sh log
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level emergencies, 56 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 9 messages logged, xml disabled,
filtering disabled
Logging Exception size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 69 message lines logged
Logging to 9.2.1.101 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
5 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Log Buffer (10000 bytes):
*Oct 24 15:08:29.615: %SYS-6-CLOCKUPDATE: System clock has been updated from 15:08:29 UTC Sat Oct 24 2009 to 10:08:29 EST Sat Oct 24 2009, configured from console by console.
*Oct 24 15:08:29.643: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:08:29 EST Sat Oct 24 2009 to 11:08:29 EDT Sat Oct 24 2009, configured from console by console.
*Oct 24 15:08:32.835: %LINK-3-UPDOWN: Interface Serial1/0:0, changed state to up
*Oct 24 15:08:33.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0:0, changed state to up
*Oct 24 15:08:37.479: %SYS-5-CONFIG_I: Configured from console by console
*Oct 24 15:08:38.479: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 9.2.1.101 port 514 started - CLI initiated
Oct 24 16:01:25.063: %SYS-5-CONFIG_I: Configured from console by console
Oct 24 16:02:38.544: %SYS-5-CONFIG_I: Configured from console by console
Oct 24 16:06:51.457: %SYS-5-CONFIG_I: Configured from console by console
SEC-R8#
So here is the full config:
SEC-R8#sh run
Building configuration...
Current configuration : 3930 bytes
!
! Last configuration change at 12:06:51 EDT Sat Oct 24 2009
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SEC-R8
!
boot-start-marker
boot system disk0:c7200-adventerprisek9-mz.124-15.T1.bin
boot-end-marker
!
logging buffered 10000
logging console emergencies
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
!
!
!
no ip domain lookup
ip inspect log drop-pkt
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
controller T1 1/0
framing esf
clock source internal
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24
!
controller T1 1/1
framing esf
linecode b8zs
!
controller T1 1/2
framing esf
linecode b8zs
!
controller T1 1/3
framing esf
linecode b8zs
!
controller T1 1/4
framing esf
linecode b8zs
!
controller T1 1/5
framing esf
linecode b8zs
!
controller T1 1/6
framing esf
linecode b8zs
!
controller T1 1/7
framing esf
linecode b8zs
!
ip tcp synwait-time 7
!
class-map type inspect match-all IN->OUT-ICMP-REPLY
match access-group name IN->OUT
class-map type inspect match-any IN->OUT-PROTO
match protocol ssh
match protocol http
match protocol https
match protocol dns
match protocol smtp
match protocol bootps
class-map type inspect match-all IN->OUT-ICMP
match access-group name ICMP
class-map type inspect match-all OUT-IN
match access-group name FW-IN
!
!
policy-map type inspect FW-OUT->IN
class type inspect OUT-IN
pass
class class-default
drop
policy-map type inspect FW-IN->OUT
class type inspect IN->OUT-PROTO
inspect
class type inspect IN->OUT-ICMP
inspect
class type inspect IN->OUT-ICMP-REPLY
pass
class class-default
pass
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN->OUT source INSIDE destination OUTSIDE
service-policy type inspect FW-IN->OUT
zone-pair security OUT->IN source OUTSIDE destination INSIDE
service-policy type inspect FW-OUT->IN
bridge irb
!
!
!
!
interface FastEthernet0/0
ip address 192.168.144.158 255.255.255.0
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0:0
no ip address
!
interface FastEthernet2/0
no ip address
zone-member security OUTSIDE
duplex full
speed 100
bridge-group 1
!
interface FastEthernet2/1
no ip address
zone-member security INSIDE
duplex full
speed 100
bridge-group 1
!
interface BVI1
ip address 9.9.156.8 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.144.1
ip route 0.0.0.0 0.0.0.0 9.9.156.9
ip route 192.168.4.0 255.255.255.0 192.168.144.1
ip route 192.168.5.0 255.255.255.0 192.168.144.1
no ip http server
no ip http secure-server
!
ip bgp-community new-format
!
!
ip access-list extended FW-IN
permit icmp any any echo
permit icmp any any unreachable
permit udp host 9.9.156.9 eq ntp host 7.7.7.7 eq ntp
permit tcp host 9.9.156.9 gt 1024 host 9.9.156.7 eq bgp
permit tcp host 9.9.156.9 eq bgp host 9.9.156.7 gt 1024
ip access-list extended ICMP
permit icmp any any echo
ip access-list extended IN->OUT
permit icmp any any echo-reply
!
logging alarm informational
logging 9.2.1.101
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
gatekeeper
shutdown
!
alias configure a access-list
alias exec c conf t
alias exec i sh ip route
alias exec ib sh ip int brief
alias exec b sh ip bgp
alias exec bs sh ip bgp summ
alias exec clb clear ip bgp *
alias exec oi sh ip ospf int
alias exec on sh ip ospf neigh
alias exec s sh run
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
no login
!
ntp authentication-key 1 md5 020F145E13160A3358 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179178
ntp server 9.9.156.9 key 1
!
webvpn cef
!
end
SEC-R8#
And the sh ver:
SEC-R8#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 13:29 by prod_rel_team
ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2)
BOOTLDR: Cisco IOS Software, 7200 Software (C7200-KBOOT-M), Version 12.3(7)T, RELEASE SOFTWARE (fc1)
SEC-R8 uptime is 3 hours, 36 minutes
System returned to ROM by reload at 08:59:14 EDT Sat Oct 24 2009
System restarted at 09:01:22 EDT Sat Oct 24 2009
System image file is "disk0:c7200-adventerprisek9-mz.124-15.T1.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 7206VXR (NPE400) processor (revision B) with 491520K/32768K bytes of memory.
Processor board ID 16066293
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
6 slot VXR midplane, Version 2.0
Last reset from power-on
PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 400 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 400 bandwidth points
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
4 FastEthernet interfaces
1 Serial interface
8 Channelized T1/PRI ports
125K bytes of NVRAM.
500377K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
SEC-R8#
Thanks!
Dave
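A small checker for "show policy-map type inspect zone-pair" output, added here as an example and not written by anyone in this thread. It parses the per-class counters and flags the two conditions the thread turns on: an inspect class that has never created a session (Dave's symptom) and a policy whose class-default is "pass" rather than "drop" (FW-IN->OUT fails open if inspection is not matching). The two inputs are constructed abbreviations of the working and non-working outputs above.

```python
import re
# Constructed samples modelled on the two outputs in this thread (abbreviated).
WORKING = """Zone-pair: inout
  Class-map: test (match-any)
   Match: protocol telnet
    3 packets, 72 bytes
   Inspect
    Session creations since subsystem startup or last reset 4
  Class-map: class-default (match-any)
   Drop (default action)
    0 packets, 0 bytes"""

BROKEN = """Zone-pair: IN->OUT
  Class-map: IN->OUT-PROTO (match-any)
   Match: protocol ssh
    0 packets, 0 bytes
   Inspect
    Session creations since subsystem startup or last reset 0
  Class-map: class-default (match-any)
   Pass
    0 packets, 0 bytes"""

def parse(text):
    """Map zone-pair -> class-map -> {action, packets, sessions}."""
    out, zp, cls = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"Zone-pair: (\S+)", s):
            zp = out.setdefault(m.group(1), {})
        elif m := re.match(r"Class-map: (\S+)", s):
            cls = zp.setdefault(m.group(1), {"action": None, "packets": 0, "sessions": 0})
        elif cls is None:
            continue                                          # header lines before any class
        elif s.split(" ")[0] in ("Inspect", "Pass", "Drop"):  # the class action line
            cls["action"] = s.split(" ")[0]
        elif m := re.match(r"(\d+) packets,", s):             # per-match hit counters
            cls["packets"] += int(m.group(1))
        elif m := re.search(r"last reset (\d+)$", s):         # inspect session count
            cls["sessions"] = int(m.group(1))
    return out

def findings(text):
    """Flag fail-open defaults and inspect classes that have never built a session."""
    issues = []
    for zp, classes in parse(text).items():
        for name, c in classes.items():
            if c["action"] == "Inspect" and c["sessions"] == 0:
                issues.append(f"{zp}: {name} inspects but has created no sessions")
            if name == "class-default" and c["action"] == "Pass":
                issues.append(f"{zp}: class-default passes unmatched traffic (fail-open)")
    return issues
```

Run it against a pasted "show policy-map type inspect zone-pair" capture; an empty list from findings() means every inspect class has built sessions and no zone-pair falls through to pass.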