Hi Jimmy

Your logic was right, but the type of class-map that you have used is not the correct type. You are using the class type of default, which is used for QoS:

class-map class-INSIDE-TO-OUTSIDE-no-inspect
 match access-group name acl-INSIDE-TO-OUTSIDE-no-inspect

The right syntax is as follows:

class-map *type inspect* class-INSIDE-TO-OUTSIDE-no-inspect
 match access-group name acl-INSIDE-TO-OUTSIDE-no-inspect

With ZBF, if you use "inspect" as the action, then the traffic will be inspected and the response will be allowed back. You don't need to allow the response back in the opposite zone pair. If you use the "pass" action, then you need to create a zone pair in the reverse direction and allow the response back.

For your case, the following should be done:

ip access-list extended acl-OUTSIDE-TO-INSIDE-no-inspect
 permit icmp any any echo-reply
ip access-list extended acl-INSIDE-TO-OUTSIDE-no-inspect
 permit icmp any any echo
!
class-map type inspect class-OUTSIDE-TO-INSIDE-no-inspect
 match access-group name acl-OUTSIDE-TO-INSIDE-no-inspect
class-map type inspect class-INSIDE-TO-OUTSIDE-no-inspect
 match access-group name acl-INSIDE-TO-OUTSIDE-no-inspect
class-map type inspect match-any class-INSIDE-TO-OUTSIDE
 match protocol telnet
!
policy-map type inspect policy-OUTSIDE-TO-INSIDE
 class type inspect class-OUTSIDE-TO-INSIDE-no-inspect
  pass
 class class-default
  drop
policy-map type inspect policy-INSIDE-TO-OUTSIDE
 class type inspect class-INSIDE-TO-OUTSIDE
  inspect
 class type inspect class-INSIDE-TO-OUTSIDE-no-inspect
  pass
 class class-default
  drop
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect policy-INSIDE-TO-OUTSIDE
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect policy-OUTSIDE-TO-INSIDE

ZBF can't inspect non-IP traffic like GRE, ESP, AH, etc. The pass action is meant for these kinds of traffic that can't be inspected.

With regards
Kings

On Thu, Feb 4, 2010 at 2:24 AM, Jimmy Larsson <[email protected]> wrote:
>
> Hi
>
> I am trying some zone based firewall configurations and am getting confused. My
> background is that I am very familiar with Pix/ASA and not very familiar at
> all with the Firewall-features of IOS. Therefore I always compare these,
> which gets me confused.
>
> Now I've done a simple 2-zone firewall out of my 3-legged router. My goal
> is this:
> * Allow all outbound telnet stateful
> * Allow all icmp-echos initiated from inside (and of course the
> corresponding echo replies)
> * Deny everything else between the zones.
>
> I have configured the two zones and a policy-map that inspects and allows
> my outbound telnet. It looks like this:
>
> class-map type inspect match-any class-INSIDE-TO-OUTSIDE
>  match protocol telnet
> !
> policy-map type inspect policy-INSIDE-TO-OUTSIDE
>  class type inspect class-INSIDE-TO-OUTSIDE
>   inspect
>  class class-default
>   drop
> !
> zone security OUTSIDE
> zone security INSIDE
> zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
>  service-policy type inspect policy-INSIDE-TO-OUTSIDE
>
> interface FastEthernet0
>  description Outside
>  zone-member security OUTSIDE
> !
> interface FastEthernet1
>  description Inside
>  zone-member security INSIDE
> !
> interface Vlan13
>  zone-member security INSIDE
> !
>
> So, now I can telnet from outside to telnet. But what about the icmp:s? My
> idea was to create a class-map referring to an acl that defines non-stateful
> outbound-traffic that should be allowed. Something like this:
>
> ip access-list extended acl-INSIDE-TO-OUTSIDE-no-inspect
>  permit icmp any any echo
>
> class-map class-INSIDE-TO-OUTSIDE-no-inspect
>  match access-group name acl-INSIDE-TO-OUTSIDE-no-inspect
>
> But when trying to apply this to my policy-map (my goal was to do the
> "pass" action on this) I get this error:
>
> r1(config-pmap)#class class-INSIDE-TO-OUTSIDE-no-inspect
> % class class-INSIDE-TO-OUTSIDE-no-inspect of type default is not allowed
> in policy-map policy-INSIDE-TO-OUTSIDE of type inspect
>
> In what way am I thinking wrong here?
>
> Also, in my scenario, how should my interface acl:s look when doing
> this zone-thing? Since traffic between zones is blocked by default and
> traffic inside a zone is permitted, I guess that I shouldn't have any
> interface acl:s since all transit traffic security is taken care of by the
> zone-configuration. Right? Can there be any situation where interface acl:s
> are needed when doing ZBFW?
>
> Thanks in advance!
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
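The two mistakes the thread turns on (a QoS-style "type default" class-map referenced from a "policy-map type inspect", and a "pass" class whose replies have no zone-pair back) are both visible in the running-config text before IOS ever complains. Below is an added example, not code from the thread, from IPexpert or from Cisco, of a small Python lint that parses the relevant ZBF statements and reports both conditions. It assumes the config is in the usual running-config layout (indented sub-lines, "!" separators); the two configs it checks are constructed from the thread's design, with the named-ACL "match access-group name" form, and the regexes cover only the class-map, policy-map and zone-pair lines used here.

```python
"""Added ZBF lint (not code from the thread or from Cisco): flags a 'type default'
class-map used in a 'policy-map type inspect', and a 'pass' class with no reverse
zone-pair to carry the replies back. Both sample configs below are constructed."""
import re

CLASS_MAP = re.compile(r"^class-map(?: type (\S+))?(?: match-(?:any|all))? (\S+)$")
POLICY_MAP = re.compile(r"^policy-map type inspect (\S+)$")
CLASS_REF = re.compile(r"^class(?: type \S+)? (\S+)$")
ZONE_PAIR = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
SERVICE_POLICY = re.compile(r"^service-policy type inspect (\S+)$")
ACTIONS = {"inspect", "pass", "drop"}

def parse_zbf(config):
    """Return (class-map types, policy-map class lists, zone-pairs) from config text."""
    class_types, policies, zone_pairs = {}, {}, {}
    section, entry = None, None  # section is ("policy", name) or ("zone-pair", name)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if (m := CLASS_MAP.match(line)):
            class_types[m.group(2)] = m.group(1) or "default"  # no 'type' = QoS class-map
            section = None
        elif (m := POLICY_MAP.match(line)):
            policies[m.group(1)] = []
            section, entry = ("policy", m.group(1)), None
        elif (m := ZONE_PAIR.match(line)):
            zone_pairs[m.group(1)] = {"src": m.group(2), "dst": m.group(3), "policy": None}
            section = ("zone-pair", m.group(1))
        elif section and section[0] == "policy":
            if (m := CLASS_REF.match(line)):
                entry = {"name": m.group(1), "action": None}
                policies[section[1]].append(entry)
            elif entry is not None and line.split()[0] in ACTIONS:
                entry["action"] = line.split()[0]
        elif section and section[0] == "zone-pair":
            if (m := SERVICE_POLICY.match(line)):
                zone_pairs[section[1]]["policy"] = m.group(1)
    return class_types, policies, zone_pairs

def lint_zbf(config):
    """Return a list of findings; an empty list means both checks pass."""
    class_types, policies, zone_pairs = parse_zbf(config)
    findings = []
    for pname, classes in policies.items():
        for c in classes:
            if c["name"] == "class-default":
                continue
            ctype = class_types.get(c["name"])
            if ctype != "inspect":  # exactly what IOS rejects at config time
                findings.append(f"policy-map {pname}: class {c['name']} is type "
                                f"{ctype or 'undefined'}, not 'type inspect'")
    by_direction = {(zp["src"], zp["dst"]): zp for zp in zone_pairs.values()}
    for zname, zp in zone_pairs.items():
        for c in policies.get(zp["policy"], []):
            if c["action"] != "pass":
                continue  # 'inspect' tracks state, so its replies come back on their own
            back = by_direction.get((zp["dst"], zp["src"]))
            if back is None or back["policy"] is None:
                findings.append(f"zone-pair {zname}: class {c['name']} is 'pass' (stateless) "
                                f"but no zone-pair {zp['dst']}->{zp['src']} allows replies back")
    return findings

# Constructed: the original attempt, QoS-style class-map and a single zone-pair.
BROKEN_CONFIG = """
class-map class-INSIDE-TO-OUTSIDE-no-inspect
 match access-group name acl-INSIDE-TO-OUTSIDE-no-inspect
policy-map type inspect policy-INSIDE-TO-OUTSIDE
 class class-INSIDE-TO-OUTSIDE-no-inspect
  pass
 class class-default
  drop
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect policy-INSIDE-TO-OUTSIDE
"""

# Constructed: the corrected design, 'type inspect' classes and a zone-pair each way.
FIXED_CONFIG = """
class-map type inspect class-INSIDE-TO-OUTSIDE-no-inspect
 match access-group name acl-INSIDE-TO-OUTSIDE-no-inspect
class-map type inspect class-OUTSIDE-TO-INSIDE-no-inspect
 match access-group name acl-OUTSIDE-TO-INSIDE-no-inspect
class-map type inspect match-any class-INSIDE-TO-OUTSIDE
 match protocol telnet
policy-map type inspect policy-INSIDE-TO-OUTSIDE
 class type inspect class-INSIDE-TO-OUTSIDE
  inspect
 class type inspect class-INSIDE-TO-OUTSIDE-no-inspect
  pass
 class class-default
  drop
policy-map type inspect policy-OUTSIDE-TO-INSIDE
 class type inspect class-OUTSIDE-TO-INSIDE-no-inspect
  pass
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect policy-INSIDE-TO-OUTSIDE
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect policy-OUTSIDE-TO-INSIDE
"""

if __name__ == "__main__":
    print(lint_zbf(BROKEN_CONFIG), lint_zbf(FIXED_CONFIG))
```

Run against the broken config it reports two findings (the type mismatch and the stateless "pass" with no return zone-pair); against the fixed config it reports none. The telnet class is deliberately left as "inspect" in the fixed config to show that an inspected class needs no reverse zone-pair, which is the distinction the reply draws.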
