The PAM is configured incorrectly. The list ACL should have the outside network, not the inside network. Either remove the list or configure the subnet between R2/R3 in the ACL.
With regards
Kings

On Thu, May 31, 2012 at 4:00 AM, Eugene Pefti <[email protected]> wrote:

> Guys,
> I need a fresh eye on the problem (if it is a problem) I ran into.
> Testing ZFW with non-standard ports, i.e. Telnet 3020 running on the
> router.
>
> Host ---(10.0.0.0/24)----- R3 -------- R2
> Rotary 20 is configured on VTY lines of R2
>
> R1 has the following ZFW and PAM settings:
>
> R3#sh ip port-map telnet
> Default mapping: telnet tcp port 23 system defined
> Host specific: telnet tcp port 3020 in list 1 user defined
>
> access-list 1 permit 10.0.0.0 0.0.0.255 log //log is added to see matches
>
> class-map type inspect match-all TELNET-CM
> match protocol telnet
>
> policy-map type inspect A->C-PM
> class type inspect ICMP-CM
> pass log
> class type inspect TELNET-CM
> inspect
>
> Respective interfaces are assigned to zones and zone-pairs are created.
> I don't show it for brevity as it doesn't relate to the problem.
> When I try to telnet to R2 over port 3020 from the Host I fail, i.e. ZFW
> doesn't match it and drops it by class-default.
> But when I change the access-list 1 to be:
>
> access-list 1 permit any
>
> The situation changes and I can telnet to port 3020. Why is that? Is
> the standard ACL not supposed to be working on the source address? The IP
> address of the Host is 10.0.0.100.
>
> Eugene
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
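The fix Kings describes, written out as an added illustration that is not part of the thread: a host-specific PAM entry is matched against the server (destination) address of the connection, not the client source, so the ACL referenced by `list` must cover R2, not the 10.0.0.0/24 host subnet. The R2/R3 transit subnet is not given in the thread; 192.168.23.0/24 with R2 at 192.168.23.2 is an assumed placeholder.

```cisco
! --- As posted: the host-specific mapping is keyed on ACL 1, which
! --- permits the client subnet. Because PAM host-specific entries are
! --- matched on the destination (server) address, a Telnet from
! --- 10.0.0.100 to R2 port 3020 is never classified as "telnet" and
! --- falls through to class-default in the zone-pair policy.
access-list 1 permit 10.0.0.0 0.0.0.255 log
ip port-map telnet port tcp 3020 list 1

! --- Corrected: the ACL names the server side. Placeholder addresses:
! --- assume R2's interface toward R3 is 192.168.23.2 on 192.168.23.0/24.
no access-list 1
access-list 1 permit 192.168.23.0 0.0.0.255
ip port-map telnet port tcp 3020 list 1

! --- Alternative with the same effect for this lab: drop the list so the
! --- mapping applies to every destination (what "permit any" achieved).
! ip port-map telnet port tcp 3020

! --- Verify the mapping, then confirm the session is inspected rather
! --- than dropped by class-default.
show ip port-map telnet
show policy-map type inspect zone-pair sessions
```

This is also why `access-list 1 permit any` made the session work: the destination 192.168.23.2 (or whatever R2's real address is) then matches the host-specific entry. Keeping the ACL scoped to the actual server subnet is preferable to `permit any`, since it limits the non-standard port mapping to the one host that legitimately listens on TCP/3020.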
