Whew...
Another tricky thing to watch out for. Thanks, Kings.
It's a stereotype to think about the standard ACL as a classification of the 
traffic matching the source address.

Eugene

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, May 30, 2012 11:17 PM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Help with PAM and ZFW

The PAM is configured incorrectly. The list ACL should have the outside network, 
not the inside network. Either remove the list or configure the subnet between 
R2/R3 in the ACL.


With regards
Kings

On Thu, May 31, 2012 at 4:00 AM, Eugene Pefti 
<[email protected]> wrote:
Guys,
I need a fresh eye on the problem (if it is a problem) I ran into.
Testing ZFW with non-standard ports, i.e. Telnet 3020 running on the router.

Host ---(10.0.0.0/24)----- R3 -------- R2
Rotary 20 is configured on VTY lines of R2

R1 has the following ZFW and PAM settings:

R3#sh ip port-map telnet
Default mapping:  telnet    tcp port 23      system defined
Host specific:    telnet    tcp port 3020    in list 1    user defined

access-list 1 permit 10.0.0.0 0.0.0.255 log   ! log is added to see matches

class-map type inspect match-all TELNET-CM
 match protocol telnet

policy-map type inspect A->C-PM
 class type inspect ICMP-CM
  pass log
 class type inspect TELNET-CM
  inspect

Respective interfaces are assigned to zones and zone-pairs are created. I don't 
show it for brevity as it doesn't relate to the problem.
When I try to telnet to R2 over port 3020 from the Host I fail, i.e. ZFW 
doesn't match it and drops it by class-default.
But when I change access-list 1 to:

access-list 1 permit any

The situation changes and I can telnet to port 3020. Why is that ? Is the 
standard ACL not supposed to be working on the source address ? The IP address 
of the Host is 10.0.0.100.

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
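The fix Kings describes, written out as an added example (this is not configuration posted in the thread). The point it illustrates: the `list` ACL on a host-specific `ip port-map` entry identifies the host or subnet that offers the service on the non-standard port (the server side, R2 in this topology), not the client that initiates the connection, so an ACL permitting the inside LAN never matches and TCP/3020 falls through to class-default. The R2/R3 link address 192.168.23.0/24 and ACL number 2 are assumptions; the rotary, zone and zone-pair configuration from the original post are not repeated.

```cisco
! Added example, not from the thread. Addresses are hypothetical.
! Assumed topology: Host (10.0.0.0/24) -- R3 -- (192.168.23.0/24) -- R2
! R2 listens for Telnet on TCP 3020 (rotary 20); R3 runs ZFW and PAM.

! --- Non-working mapping (what the original post has) ---
! ACL 1 lists the client LAN. PAM compares the list against the
! server address, so a session to R2:3020 never matches and is not
! classified as telnet.
access-list 1 permit 10.0.0.0 0.0.0.255 log
ip port-map telnet port tcp 3020 list 1

! --- Corrected mapping ---
! ACL 2 lists the server side: the R2/R3 subnet (assumed 192.168.23.0/24).
no ip port-map telnet port tcp 3020 list 1
access-list 2 permit 192.168.23.0 0.0.0.255
ip port-map telnet port tcp 3020 list 2

! The inspect policy itself is unchanged: 'match protocol telnet' now
! also covers TCP/3020 when the destination is a host in ACL 2.
class-map type inspect match-all TELNET-CM
 match protocol telnet
policy-map type inspect A->C-PM
 class type inspect TELNET-CM
  inspect

! Verification after the change:
!   show ip port-map telnet
!   show policy-map type inspect zone-pair sessions
```

`show ip port-map telnet` should list the host-specific entry as `tcp port 3020 in list 2`; the sessions output should then show the 3020 connection under TELNET-CM rather than being dropped by class-default. Dropping the `list` keyword altogether, as Kings also suggests, makes the mapping global, which works but applies TCP/3020 inspection as Telnet to every destination.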
