hm, that's really odd. With the current config it does not show the counters
going up from the private to internet zones when I do a constant ping to
4.2.2.2 from the inside. I am baffled why it does not catch the traffic, but
when I do a show zone security it shows the interfaces in the proper zones.
I have rewritten my zbf config to further break everything out and it is still
not working.
class-map type inspect match-any inspecttraffic-dmz2internet
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any inspecttraffic-private2internet
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any inspecttraffic-private2dmz
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect inspect-dmz-to-internet
 class type inspect inspecttraffic-dmz2internet
  inspect
 class class-default
  drop
policy-map type inspect inspect-private-to-internet
 class type inspect inspecttraffic-private2internet
  inspect
 class class-default
  drop
policy-map type inspect inspect-private-to-dmz
 class type inspect inspecttraffic-private2dmz
  inspect
 class class-default
  drop
!
zone security private
zone security internet
zone security dmz
zone-pair security private-internet source private destination internet
 service-policy type inspect inspect-private-to-internet
zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspect-private-to-dmz
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspect-dmz-to-internet
!
interface FastEthernet0/0
 zone-member security internet
!
interface FastEthernet0/1
 zone-member security private
int vlan 150
 zone-member security dmz
On Wed, Aug 26, 2009 at 10:14 AM, Anthony Sequeira <asequeira_at_ine.com> wrote:
> show policy-map type inspect zone-pair
>
> Warmest Regards,
>
> Anthony J. Sequeira, CCIE #15626
> http://www.INE.com <http://www.ine.com/>
>
> Test your Core Knowledge today!
> Q: What authentication option may be used with EIGRP?
> A: MD5
> More Info:
> http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1ceigrp.html#wp4759
>
>
>
> On Aug 26, 2009, at 10:06 AM, Fake Name wrote:
>
>> hmm tried that and still does not work...
>>
>> is there any good show commands that can be used to figure out what's
>> happening...all I know is show zone security and it shows all the
>> interfaces
>> are in proper zones.
>>
>> On Wed, Aug 26, 2009 at 9:46 AM, Fake Name <fname84_at_gmail.com> wrote:
>>
>> so you mean like this?
>>>
>>> class-map type inspect match-any inspecttraffic
>>>  match protocol tcp
>>>  match protocol udp
>>>  match protocol icmp
>>> !
>>> !
>>> policy-map type inspect inspect-private-to-internet
>>>  class type inspect inspecttraffic
>>>   inspect
>>> policy-map type inspect inspect-private-to-dmz
>>>  class type inspect inspecttraffic
>>>   inspect
>>> policy-map type inspect inspect-dmz-to-internet
>>>  class type inspect inspecttraffic
>>>   inspect
>>>  class class-default
>>>   drop
>>> zone security private
>>> zone security internet
>>> zone security dmz
>>> zone-pair security private-internet source private destination internet
>>>  service-policy type inspect inspect-private-to-internet
>>> zone-pair security private-dmz source private destination dmz
>>>  service-policy type inspect inspect-private-to-dmz
>>> zone-pair security dmz-internet source dmz destination internet
>>>  service-policy type inspect inspect-dmz-to-internet
>>>
>>> On Wed, Aug 26, 2009 at 9:38 AM, Tony Schaffran (GS) <
>>> groupstudy_at_cconlinelabs.com> wrote:
>>>
>>>> You need to set up a separate policy for inbound traffic from the internet
>>>> and then configure your zone-pair from internet to dmz and internet to
>>>> inside as well if you want traffic to be allowed from the internet.
>>>>
>>>> Tony Schaffran
>>>> Sr. Network Consultant
>>>> CCIE #11071
>>>> CCNP, CCNA, CCDA,
>>>> NNCDS, NNCSS, CNE, MCSE
>>>>
>>>> cconlinelabs.com
>>>> Your #1 choice for online Cisco rack rentals.
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Fake Name
>>>> Sent: Tuesday, August 25, 2009 8:53 PM
>>>> To: Cisco certification
>>>> Subject: zone based firewall
>>>>
>>>> I have done the following configuration for the zone based firewall for 3
>>>> interfaces. A private, dmz, and internet interface. I am seeking that the
>>>> private interface can talk through the dmz and internet interface and
>>>> traffic be inspected. The dmz interface can talk through the internet
>>>> interface and traffic be inspected. If a host from the dmz interface needs
>>>> to reach a host on the inside interface without any initiating traffic
>>>> coming from the inside there must be an acl statement. If a host from the
>>>> outside interface needs to reach a host on the inside interface or dmz
>>>> interface without any initiating traffic coming from the inside there must
>>>> be an acl statement.
>>>>
>>>> Can anyone spot my configuration mistake?
>>>>
>>>>
>>>>
>>>>
>>>> class-map type inspect match-any inspecttraffic
>>>>  match protocol tcp
>>>>  match protocol udp
>>>>  match protocol icmp
>>>>  match protocol ssh
>>>>  match protocol ftp
>>>>  match protocol imap
>>>>  match protocol http
>>>>  match protocol https
>>>>  match protocol dns
>>>>
>>>> policy-map type inspect inspecttrafficpolicy
>>>>  class type inspect inspecttraffic
>>>>   inspect
>>>>
>>>> zone security private
>>>> zone security internet
>>>> zone security dmz
>>>>
>>>> zone-pair security private-internet source private destination internet
>>>>  service-policy type inspect inspecttrafficpolicy
>>>>
>>>> zone-pair security private-dmz source private destination dmz
>>>>  service-policy type inspect inspecttrafficpolicy
>>>>
>>>> zone-pair security dmz-internet source dmz destination internet
>>>>  service-policy type inspect inspecttrafficpolicy
>>>>
>>>> !
>>>> interface FastEthernet0/0
>>>>  zone-member internet
>>>> !
>>>> interface FastEthernet0/1
>>>>  zone-member private
>>>>
>>>> int vlan 150
>>>>  zone-member dmz
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>
Blogs and organic groups at http://www.ccie.net
Received on Thu Aug 27 2009 - 09:44:42 ART
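As an added example, not from the thread or from Cisco: a small Python audit of the original poster's config (copied here as a constructed sample, trimmed) that checks the points raised in the replies. A zone-pair only covers the direction it is defined in, so every zone direction without a pair drops sessions initiated that way (only return traffic of inspected sessions passes); the audit also flags `zone-member` lines missing the `security` keyword and dangling zone or policy-map references. The function name and finding strings are my own.

```python
import itertools
# Constructed sample: the original poster's ZBF config from the thread, trimmed.
SAMPLE_CONFIG = """
class-map type inspect match-any inspecttraffic
 match protocol tcp
policy-map type inspect inspecttrafficpolicy
 class type inspect inspecttraffic
  inspect
zone security private
zone security internet
zone security dmz
zone-pair security private-internet source private destination internet
 service-policy type inspect inspecttrafficpolicy
zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspecttrafficpolicy
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspecttrafficpolicy
interface FastEthernet0/0
 zone-member internet
interface FastEthernet0/1
 zone-member private
int vlan 150
 zone-member dmz
"""
def audit_zbf(text):
    """Findings: bad zone-member syntax, dangling references, zone directions with no pair."""
    pmaps, zones, pairs, members, out = {}, set(), {}, {}, []
    cur = ("", "")  # (kind, name) of the policy-map / zone-pair / interface being parsed
    for w in (line.split() for line in text.splitlines()):
        if not w or w[0] == "!":
            continue
        if w[0] == "policy-map": cur = ("policy", w[-1]); pmaps[w[-1]] = []
        elif w[0] == "class" and w[1] == "type": pmaps[cur[1]].append(w[-1])
        elif w[0] == "zone": zones.add(w[-1])
        elif w[0] == "zone-pair": cur = ("pair", w[2]); pairs[w[2]] = [w[4], w[6], None]
        elif w[0] == "service-policy" and cur[0] == "pair": pairs[cur[1]][2] = w[-1]
        elif w[0].startswith("int"): cur = ("iface", " ".join(w[1:]))
        elif w[0] == "zone-member":
            if w[1] != "security":  # IOS syntax is 'zone-member security <zone>'
                out.append(f"{cur[1]}: 'zone-member' is missing the 'security' keyword")
            members[cur[1]] = w[-1]
    out += [f"{i}: zone {z} not defined" for i, z in members.items() if z not in zones]
    for n, (s, d, p) in pairs.items():
        out += [f"zone-pair {n}: zone {z} not defined" for z in (s, d) if z not in zones]
        if p not in pmaps: out.append(f"zone-pair {n}: policy-map {p} not defined")
    covered = {(s, d) for s, d, _ in pairs.values()}  # only the configured direction
    out += [f"no zone-pair {s} -> {d}: sessions initiated that way are dropped"
            for s, d in itertools.permutations(sorted(zones), 2) if (s, d) not in covered]
    return out
```

Run against the sample it reports the three `zone-member` lines and the three uncovered directions (internet to private, internet to dmz, dmz to private), which is exactly where an unsolicited inbound session is dropped until a zone-pair with its own policy is added.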