(no subject)

From: Nart, Selim <Selim.Nart_at_vignette.com>
Date: Thu, 14 May 2009 21:08:13 -0500

unsubscribe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sadiq Yakasai
Sent: Thursday, May 14, 2009 5:43 PM
To: Cisco certification; Cisco certification
Subject: Re: Zone Based FW on IOS

Apologies for the false alarm, guys!! My transparent FW upstream was
silently discarding my bloody traffic!!!

I think it's time for me to get some sleep now!

Night!

Sadiq

On Thu, May 14, 2009 at 10:18 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com>wrote:

> Does anyone here know why I can ping from the INSIDE zone to the
> OUTSIDE....but I just cannot telnet (even at port 80)???
>
> When I further added a zone-pair for the OUTSIDE to INSIDE security zones,
> all goes through the firewall... this is really a strange one...
>
> Unless there is something basic here about this Zone Based FW I haven't
> understood yet...
>
> Thanks guys!
>
>
> class-map type inspect match-any ICMP
> match protocol icmp
> match protocol tcp
> match protocol http
> match protocol telnet
>
> class-map type inspect match-any TCP
> match protocol tcp
> match protocol udp
> match protocol icmp
> match protocol telnet
> match protocol http
> !
> !
> policy-map type inspect TCP_UDP_ICMP
> class type inspect TCP
> inspect
> class class-default
> drop
> policy-map type inspect ICMP_FROM_OUT
> class type inspect ICMP
> inspect
> class class-default
> drop
> !
> zone security INSIDE
> zone security OUTSIDE
> zone security zx
> zone security zy
> zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
> service-policy type inspect ICMP_FROM_OUT
> zone-pair security zx-zy source zx destination zy
> service-policy type inspect-internal px-py
> zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
> service-policy type inspect ICMP_FROM_OUT
> !
> !
> !
> !
> interface FastEthernet0/0
> ip address 191.1.123.3 255.255.255.0
> zone-member security INSIDE
> !
> interface FastEthernet0/1
> ip address 204.12.1.3 255.255.255.0
> zone-member security OUTSIDE
>
> interface Serial1/0.34 point-to-point
> ip address 191.1.34.3 255.255.255.0
> zone-member security INSIDE
> !
> interface Serial1/3
> ip address 191.1.23.3 255.255.255.0
> zone-member security INSIDE
> ip ospf authentication
> ip ospf authentication-key CISCO
>
>
> --
> CCIE #19963
>

--
CCIE #19963
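The thread above ends with the cause found upstream, but the question it raised (why would a flow need a second zone-pair in the reverse direction?) is worth pinning down. The following is an added example, not configuration from either message: a minimal IOS Zone-Based Firewall for the INSIDE-to-OUTSIDE direction, with the show commands used to confirm that a session is actually being built. Zone names and interface names are taken from the post; the class-map and policy-map names, the protocol list and the `drop log` action are assumptions for illustration.

```cisco
! Added example (not the original poster's configuration): inspect sessions
! initiated from INSIDE toward OUTSIDE and verify that they are being built.
! Class-map/policy-map names and the protocol list are assumed.
!
! Match the L7 protocols you intend to allow. 'match protocol tcp' on its own
! would also pass telnet and http, but without application-layer inspection.
class-map type inspect match-any INSIDE-TO-OUTSIDE-ALLOWED
 match protocol icmp
 match protocol telnet
 match protocol http
 match protocol dns
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-ALLOWED
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
! A zone-pair is unidirectional, but 'inspect' is stateful: replies to a
! session opened INSIDE->OUTSIDE are admitted on the return path without an
! OUTSIDE->INSIDE pair. If adding a reverse pair is what makes a flow work,
! the forward session is not completing and something else in the path
! (in the thread above, an upstream transparent firewall) is dropping packets.
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface FastEthernet0/0
 zone-member security INSIDE
!
interface FastEthernet0/1
 zone-member security OUTSIDE
!
! Verification (exec mode): does the telnet/http session show up, and is it
! half-open (SYN sent, no reply) or established?
!   show zone-pair security
!   show policy-map type inspect zone-pair INSIDE-OUTSIDE sessions
!   show policy-map type inspect zone-pair INSIDE-OUTSIDE
!
! A session the router lists as established while the client still gets no
! answer points at the next hop, not at the ZBF policy.
```

Two caveats when reading the output. Traffic sourced by or destined to the router itself (the OSPF adjacency on Serial1/3, a ping issued from the router's own exec prompt) passes through the self zone, which is permitted by default, so a successful router-sourced ping says nothing about the INSIDE-OUTSIDE pair; test from a host behind an INSIDE interface. And a session counted as half-open in the `sessions` output means the SYN left the router and nothing came back, which is exactly the signature of a silent drop further along the path.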
Blogs and organic groups at http://www.ccie.net
Received on Thu May 14 2009 - 21:08:13 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART