Hi Jimmy, ZBF is always a sticky topic.

Here is my rundown: the ICMP is going to be stateful, so you know it needs to be inspected. Try the following:

ip access-list extended acl-INSIDE-TO-OUTSIDE-no-inspect
 ! ICMP types are matched by name; "eq" is only valid for TCP/UDP ports
 permit icmp any any echo
!
class-map type inspect class-INSIDE-TO-OUTSIDE-no-inspect
 ! a named ACL is referenced with the "name" keyword
 match access-group name acl-INSIDE-TO-OUTSIDE-no-inspect
!
policy-map type inspect policy-INSIDE-TO-OUTSIDE
 class type inspect class-INSIDE-TO-OUTSIDE
  inspect
!

Next the ICMP - it actually does need to be inspected to allow for the reply.

 class type inspect class-INSIDE-TO-OUTSIDE-no-inspect
  inspect
 class class-default
  drop

You don't do any interface ACLs, rather they are handled by the class-maps, in other words you nest them in the policy-map. Here is a basic post I did on the ZBF. There is another one coming but I'm a bit behind. Hopefully this gives you a push in the right direction.

Also - take a look at the DSG for Lab 2a. Task 2.11 has ICMP allowed in the ZBF configuration. Perhaps that will help a bit.

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com.

On Wed, Feb 3, 2010 at 12:54 PM, Jimmy Larsson <[email protected]> wrote:
>
> Hi
>
> I am trying some zone based firewall configurations and am getting confused. My
> background is that I am very familiar with Pix/ASA and not very familiar at
> all with the firewall features of IOS. Therefore I always compare these,
> which gets me confused.
>
> Now I've done a simple 2-zone firewall out of my 3-legged router. My goal
> is this:
> * Allow all outbound telnet stateful
> * Allow all icmp-echos initiated from inside (and of course the
> corresponding echo replies)
> * Deny everything else between the zones.
>
> I have configured the two zones and a policy-map that inspects and allows
> my outbound telnet. It looks like this:
>
> class-map type inspect match-any class-INSIDE-TO-OUTSIDE
>  match protocol telnet
> !
> !
> policy-map type inspect policy-INSIDE-TO-OUTSIDE
>  class type inspect class-INSIDE-TO-OUTSIDE
>   inspect
>  class class-default
>   drop
> !
> zone security OUTSIDE
> zone security INSIDE
> zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
>  service-policy type inspect policy-INSIDE-TO-OUTSIDE
>
> interface FastEthernet0
>  description Outside
>  zone-member security OUTSIDE
> !
> interface FastEthernet1
>  description Inside
>  zone-member security INSIDE
> !
> interface Vlan13
>  zone-member security INSIDE
> !
>
> So, now I can telnet from outside to telnet. But what about the ICMPs? My
> idea was to create a class-map referring to an ACL that defines non-stateful
> outbound traffic that should be allowed. Something like this:
>
> ip access-list extended acl-INSIDE-TO-OUTSIDE-no-inspect
>  permit icmp any any echo
>
> class-map class-INSIDE-TO-OUTSIDE-no-inspect
>  match access-group name acl-INSIDE-TO-OUTSIDE-no-inspect
>
> But when trying to apply this to my policy-map (my goal was to do
> a "pass" action on this) I get this error:
> r1(config-pmap)#class class-INSIDE-TO-OUTSIDE-no-inspect
> % class class-INSIDE-TO-OUTSIDE-no-inspect of type default is not allowed
> in policy-map policy-INSIDE-TO-OUTSIDE of type inspect
>
> In what way am I thinking wrong here?
>
> Also, in my scenario, how should my interface ACLs look when doing
> this zone thing? Since traffic between zones is blocked by default and
> traffic inside a zone is permitted, I guess that I shouldn't have any
> interface ACLs since all transit traffic security is taken care of by the
> zone configuration. Right? Can there be any situation where interface ACLs
> are needed when doing ZBFW?
>
> Thanks in advance!
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
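Putting Brandon's two fragments together with Jimmy's zones and interfaces, here is the complete INSIDE-to-OUTSIDE policy as an added, constructed example (not configuration from either message). It keeps Jimmy's zone and interface names, uses a new ACL/class-map name (acl-INSIDE-TO-OUTSIDE-icmp) for the ICMP class, and ends with the show commands used to confirm that a ping from INSIDE creates an inspect session.

```cisco
! Constructed example: ICMP echo from INSIDE is inspected (not passed), so the
! echo reply is matched to a session and allowed back without any interface ACL.
ip access-list extended acl-INSIDE-TO-OUTSIDE-icmp
 remark ICMP types are matched by name; "eq" only applies to TCP/UDP ports
 permit icmp any any echo
!
class-map type inspect match-any class-INSIDE-TO-OUTSIDE
 match protocol telnet
!
! A class referenced from a "policy-map type inspect" must itself be "type inspect";
! a plain class-map is what produces the "of type default is not allowed" error.
class-map type inspect match-all class-INSIDE-TO-OUTSIDE-icmp
 match access-group name acl-INSIDE-TO-OUTSIDE-icmp
!
policy-map type inspect policy-INSIDE-TO-OUTSIDE
 class type inspect class-INSIDE-TO-OUTSIDE
  inspect
 class type inspect class-INSIDE-TO-OUTSIDE-icmp
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
! Only one zone-pair exists: with no OUTSIDE->INSIDE pair, unsolicited traffic
! from OUTSIDE is dropped by default and only replies to inspected sessions return.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect policy-INSIDE-TO-OUTSIDE
!
interface FastEthernet0
 description Outside
 zone-member security OUTSIDE
!
interface FastEthernet1
 description Inside
 zone-member security INSIDE
!
interface Vlan13
 zone-member security INSIDE
!
! Verification (exec mode): ping from an INSIDE host, then check that a session
! exists for the ICMP class and that the class-default drop counter is not climbing.
! show zone-pair security
! show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions
```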
