How to test Zone Based FW

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Thu, 22 Oct 2009 23:47:25 -0400

Hey team,

I am using my handy dandy router pair and configured zone-based FW ... my
first time really. I actually think CBAC is extremely easy ... oh well ...
things change and I need to learn zone-based.

I am pinging from the source interface, loop0, to the remote router. I
figured my config would block this, but nope ... the ping worked. Can you
all please look this over and let me know what I am missing /
misconfigured? Many TIA.

Also, I read that the default action for the class-default is to drop
everything. This also does not seem to be the case. I am sure I have
something misconfigured.

!
parameter-map type inspect CCIE
!
class-map type inspect match-all CCIE
 match protocol http
!
class-map type inspect match-all dropicmp
 match protocol icmp
!
policy-map type inspect CCIE
 class type inspect CCIE
  inspect
 class type inspect dropicmp
  drop
 class class-default
!
zone security outside
zone security inside
zone-pair security no-way source inside destination outside
 service-policy type inspect CCIE
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
 zone-member security inside
!
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 ip verify unicast source reachable-via any
 zone-member security outside

I am doing a ping from the inside interface to a remote router.

 ping 12.12.12.1 source lo0

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
Blogs and organic groups at http://www.ccie.net
Received on Thu Oct 22 2009 - 23:47:25 ART
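
The question above hinges on which zone the ping actually belongs to. A `ping ... source lo0` is generated by the router itself, so the firewall classifies it as traffic from the implicit "self" zone, not from the "inside" zone that Loopback0 is a member of, and self-zone traffic is permitted by default until a zone pair involving "self" is configured. The Python below is an added toy model of that zone-pair lookup (it is not IOS code and not the poster's configuration); it assumes an extra inside-zone interface FastEthernet0/1 and a constructed host 192.168.1.10 behind it, neither of which is in the original post, to show what a transit ping from a real inside host would do under the same policy.

```python
"""Toy model of how Cisco IOS Zone-Based Firewall picks a zone pair.

Added illustration, not IOS code and not the poster's config.  It models
only the rules relevant to the question: same-zone traffic passes, traffic
between two zones is governed by the zone pair (class-default drops), and
traffic to or from the router's own "self" zone passes unless a zone pair
involving "self" has been configured.
"""
from dataclasses import dataclass
from typing import Optional

SELF = "self"   # implicit zone for traffic the router originates or terminates


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str            # "icmp", "http", "telnet", ...
    ingress: Optional[str]   # None when the router itself sent the packet
    egress: Optional[str]    # None when the packet is addressed to the router


class ZoneBasedFirewall:
    def __init__(self):
        self.zone_of = {}      # interface name -> zone name (absent = no zone)
        self.zone_pairs = {}   # (src_zone, dst_zone) -> ordered [(protocol, action)]

    def zone_member(self, interface, zone):
        self.zone_of[interface] = zone

    def zone_pair(self, src_zone, dst_zone, policy):
        """policy is an ordered list of (protocol, action), like the classes of an
        inspect policy-map; a protocol matching no class falls into class-default,
        whose action is drop."""
        self.zone_pairs[(src_zone, dst_zone)] = list(policy)

    def _zone(self, interface):
        return SELF if interface is None else self.zone_of.get(interface)

    def verdict(self, flow):
        src, dst = self._zone(flow.ingress), self._zone(flow.egress)
        if src == dst:          # same zone (or both interfaces unzoned): no policy applies
            return "pass"
        policy = self.zone_pairs.get((src, dst))
        if policy is None:
            # No zone pair: self-zone traffic passes by default; traffic between two
            # other zones, or between a zoned and an unzoned interface, is dropped.
            return "pass" if SELF in (src, dst) else "drop"
        for protocol, action in policy:   # first matching class wins
            if protocol == flow.protocol:
                return "pass" if action in ("inspect", "pass") else "drop"
        return "drop"                      # class-default


def build_poster_router():
    """The zones and zone pair from the post, plus an assumed inside LAN interface."""
    fw = ZoneBasedFirewall()
    fw.zone_member("Loopback0", "inside")
    fw.zone_member("FastEthernet0/0", "outside")
    fw.zone_member("FastEthernet0/1", "inside")   # assumption: not in the original post
    fw.zone_pair("inside", "outside", [("http", "inspect"), ("icmp", "drop")])
    return fw


def ping_from_lo0(fw):
    """`ping 12.12.12.1 source lo0`: router-originated, so there is no ingress interface."""
    return fw.verdict(Flow("10.2.2.2", "12.12.12.1", "icmp",
                           ingress=None, egress="FastEthernet0/0"))


def from_inside_host(fw, protocol):
    """Constructed host 192.168.1.10 on the assumed inside LAN, transiting the router."""
    return fw.verdict(Flow("192.168.1.10", "12.12.12.1", protocol,
                           ingress="FastEthernet0/1", egress="FastEthernet0/0"))


def with_self_policy(fw):
    """Add a self->outside zone pair that drops ICMP; only then is the router's own ping governed."""
    fw.zone_pair(SELF, "outside", [("icmp", "drop")])
    return fw


if __name__ == "__main__":
    fw = build_poster_router()
    print("ping from lo0 (self -> outside, no self zone pair):", ping_from_lo0(fw))
    print("inside host icmp:", from_inside_host(fw, "icmp"))
    print("inside host http:", from_inside_host(fw, "http"))
    print("inside host telnet (class-default):", from_inside_host(fw, "telnet"))
    print("ping from lo0 after self -> outside pair:", ping_from_lo0(with_self_policy(fw)))
```

Two practical consequences follow from the model: a loopback cannot be used to test an inside-to-outside zone pair, because anything sourced from it is self-zone traffic (its zone membership is irrelevant for that), so the test needs a host or a neighbouring router on an interface that is actually in the inside zone; and class-default does drop, which the telnet case shows, but only for traffic that passes through the zone pair in the first place.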