Whew... Another tricky thing to watch out for. Thanks, Kings. It's a stereotype to think about the standard ACL as a classification of the traffic matching the source address.
Eugene

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, May 30, 2012 11:17 PM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Help with PAM and ZFW

The PAM is configured incorrectly. The list ACL should have the outside network, not the inside network. Either remove the list or configure the subnet between R2/R3 in the ACL.

With regards
Kings

On Thu, May 31, 2012 at 4:00 AM, Eugene Pefti <[email protected]> wrote:

Guys,

I need a fresh eye on the problem (if it is a problem) I ran into.
Testing ZFW with non-standard ports, i.e. Telnet 3020 running on the router.

Host ---(10.0.0.0/24)----- R3 -------- R2

Rotary 20 is configured on VTY lines of R2.
R1 has the following ZFW and PAM settings:

R3#sh ip port-map telnet
Default mapping:  telnet  tcp port 23    system defined
Host specific:    telnet  tcp port 3020  in list 1  user defined

! log is added to see matches
access-list 1 permit 10.0.0.0 0.0.0.255 log

class-map type inspect match-all TELNET-CM
 match protocol telnet

policy-map type inspect A->C-PM
 class type inspect ICMP-CM
  pass
  log
 class type inspect TELNET-CM
  inspect

Respective interfaces are assigned to zones and zone-pairs are created. I don't show it for brevity as it doesn't relate to the problem.

When I try to telnet to R2 over port 3020 from the Host I fail, i.e. ZFW doesn't match it and drops it by class-default. But when I change access-list 1 to be:

access-list 1 permit any

the situation changes and I can telnet to port 3020. Why is that? Is the standard ACL not supposed to be working on the source address? The IP address of the Host is 10.0.0.100.

Eugene
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
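A worked model of the behaviour Kings describes, added here as an illustration and not taken from the thread or from any Cisco code: in host-specific PAM the `list` ACL is evaluated against the server (destination) address of the connection, so an ACL that only matches the client subnet never fires, TCP/3020 is never classified as telnet, and ZFW drops it in class-default. The script mimics that lookup with the thread's addresses. R2's address on the R2/R3 link (10.23.0.2 in 10.23.0.0/24) is an assumption, since the thread only says "the subnet between R2/R3", and the names parse_standard_acl, acl_permits, pam_application, zfw_verdict and DEFAULT_PORT_MAP are mine, not IOS features.

```python
from ipaddress import ip_address, ip_network

# Constructed topology, mirroring the thread: Host --(10.0.0.0/24)-- R3 (ZFW + PAM) -- R2.
HOST = "10.0.0.100"                    # given in the thread
R2 = "10.23.0.2"                       # ASSUMED address of R2 on the R2/R3 link
R2_R3_SUBNET = "10.23.0.0 0.0.0.255"   # ASSUMED, in IOS address/wildcard form

# The IOS knobs being modelled, in the corrected form Kings suggests:
#   ip port-map telnet port 3020 list 1
#   access-list 1 permit 10.23.0.0 0.0.0.255   ! server side of the connection, not the client side


def parse_standard_acl(lines):
    """Parse IOS standard ACL lines ('access-list N permit|deny A [W] [log]') into
    (action, network) tuples. Wildcard bits set to 1 are 'don't care' bits."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, target = tok[2], tok[3]
        if target == "any":
            entries.append((action, ip_network("0.0.0.0/0")))
            continue
        wildcard = tok[4] if len(tok) > 4 and tok[4] != "log" else "0.0.0.0"
        wc = int(ip_address(wildcard))
        prefix = 32 - wc.bit_length()
        if (1 << (32 - prefix)) - 1 != wc:
            raise ValueError(f"non-contiguous wildcard: {wildcard}")
        entries.append((action, ip_network(f"{target}/{prefix}", strict=False)))
    return entries


def acl_permits(acl, addr):
    """Standard ACL evaluation: first matching entry wins, implicit deny at the end."""
    a = ip_address(addr)
    for action, net in acl:
        if a in net:
            return action == "permit"
    return False


# A subset of the system-defined PAM table; host-specific entries take precedence over it.
DEFAULT_PORT_MAP = {("tcp", 23): "telnet", ("tcp", 80): "http", ("tcp", 22): "ssh"}


def pam_application(dst_ip, proto, dport, host_specific):
    """Return the application PAM assigns to a flow *towards* dst_ip:dport.
    host_specific: list of (app, proto, port, acl). The ACL is checked against the
    destination (server) address of the connection; the client address plays no part."""
    for app, h_proto, h_port, acl in host_specific:
        if h_proto == proto and h_port == dport and acl_permits(acl, dst_ip):
            return app
    return DEFAULT_PORT_MAP.get((proto, dport))


def zfw_verdict(src_ip, dst_ip, proto, dport, host_specific, inspected=("telnet",)):
    """Model the thread's policy-map: 'match protocol telnet' is inspected, anything else
    falls to class-default and is dropped. src_ip is deliberately unused: PAM never sees it."""
    app = pam_application(dst_ip, proto, dport, host_specific)
    return "inspect" if app in inspected else "drop"


def telnet_3020(acl_lines):
    """The thread's scenario: Host -> R2:3020 with 'ip port-map telnet port 3020 list 1'
    and the given 'access-list 1 ...' lines."""
    host_specific = [("telnet", "tcp", 3020, parse_standard_acl(acl_lines))]
    return zfw_verdict(HOST, R2, "tcp", 3020, host_specific)


# The three ACL variants discussed in the thread.
ACL_INSIDE = ["access-list 1 permit 10.0.0.0 0.0.0.255 log"]   # original: matches the client net
ACL_ANY = ["access-list 1 permit any"]                         # workaround that made it work
ACL_OUTSIDE = [f"access-list 1 permit {R2_R3_SUBNET}"]         # Kings' suggestion (subnet assumed)

if __name__ == "__main__":
    for name, acl in (("inside", ACL_INSIDE), ("any", ACL_ANY), ("outside", ACL_OUTSIDE)):
        print(f"{name:8s} ACL -> {telnet_3020(acl)}")
    # Same client, a different server on 3020: not covered by the outside ACL, so still dropped.
    other = [("telnet", "tcp", 3020, parse_standard_acl(ACL_OUTSIDE))]
    print("other dst ->", zfw_verdict(HOST, "10.99.0.1", "tcp", 3020, other))
```

Run as is, the inside ACL gives drop and the `permit any` ACL gives inspect, which is the pair of results Eugene reported; the ACL naming the R2/R3 subnet also gives inspect and is the one to keep, because `permit any` turns every TCP/3020 connection crossing the zone-pair into "telnet" whatever its destination, whereas the narrower ACL leaves port 3020 unclassified (and therefore dropped) for any other server.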
