The built in "zone self" allows everything to/from your router by default
------Original Message------
From: ALL From_NJ
Sender: nobody_at_groupstudy.com
To: CCIE Groupstudy
ReplyTo: ALL From_NJ
Subject: How to test Zone Based FW
Sent: Oct 22, 2009 11:47 PM
Hey team,
Am using my handy dandy router pair and configured zone based FW ... my
first time really, I actually think CBAC is extremely easy ... oh well ...
things change and I need to learn Zone based.
I am pinging from the source interface, loop0, and to the remote router. I
figured my config would block this, but nope ... the ping worked. Can you
all please look this over and let me know what I am missing /
misconfigured? Many TIA.
Also, I read that the default action for the class-default is to drop
everything. This also does not seem to be the case. I am sure I have
something misconfigured.
!
parameter-map type inspect CCIE
!
class-map type inspect match-all CCIE
 match protocol http
!
class-map type inspect match-all dropicmp
 match protocol icmp
!
policy-map type inspect CCIE
 class type inspect CCIE
  inspect
 class type inspect dropicmp
  drop
 class class-default
!
zone security outside
zone security inside
zone-pair security no-way source inside destination outside
 service-policy type inspect CCIE
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
 zone-member security inside
!
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 ip verify unicast source reachable-via any
 zone-member security outside
I am doing a ping from the inside interface to a remote router.
ping 12.12.12.1 source lo0
-- Andrew Lee Lissitz all.from.nj_at_gmail.com
Blogs and organic groups at http://www.ccie.net
Received on Fri Oct 23 2009 - 03:56:21 ART
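Added example, not part of the original post or the poster's config: a ping sourced from Loopback0 is router-originated traffic, so it belongs to the built-in "self" zone and never crosses the inside-to-outside zone-pair; it is only policed once a zone-pair from self exists. The zone "outside" is the one from the post, while the class-map and policy-map names ROUTER-ICMP and SELF-TO-OUTSIDE are made up here.

```cisco
! Match ICMP the router itself generates (match-any is enough for one protocol).
class-map type inspect match-any ROUTER-ICMP
 match protocol icmp
!
! Drop and log router-sourced ICMP; pass everything else the router originates
! (routing protocol updates, management sessions) so the box stays reachable.
policy-map type inspect SELF-TO-OUTSIDE
 class type inspect ROUTER-ICMP
  drop log
 class class-default
  pass
!
! The self zone is predefined; only the zone-pair toward outside is new here.
zone-pair security self-to-outside source self destination outside
 service-policy type inspect SELF-TO-OUTSIDE
!
! Verify counters after repeating the test:  ping 12.12.12.1 source lo0
! show policy-map type inspect zone-pair self-to-outside
```

To exercise the original no-way zone-pair instead, the traffic has to transit the router from a device behind an inside-zone interface; nothing sourced from the router's own Loopback0 will ever hit it.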