Nope, this was not needed. Just left over from an earlier lab. Since I had
a route to the devices that were being pinged to and from, all worked and
the uRPF check was good.
Thanks!
On Fri, Oct 23, 2009 at 1:00 AM, Johnny B CCIE <jbccie_at_gmail.com> wrote:
> Do you need this for this example?
>
> ip verify unicast source reachable-via any
>
> On Thu, Oct 22, 2009 at 11:47 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> > Hey team,
> >
> > Am using my handy dandy router pair and configured zone based FW ... my
> > first time really, I actually think CBAC is extremely easy ... oh well ...
> > things change and I need to learn Zone based.
> >
> > I am pinging from the source interface, loop0, and to the remote router. I
> > figured my config would block this, but nope ... the ping worked. Can you
> > all please look this over and let me know what I am missing /
> > misconfigured? Many TIA.
> >
> > Also, I read that the default action for the class-default is to drop
> > everything. This also does not seem to be the case. I am sure I have
> > something misconfigured.
> > !
> > parameter-map type inspect CCIE
> > !
> > class-map type inspect match-all CCIE
> >  match protocol http
> > !
> > class-map type inspect match-all dropicmp
> >  match protocol icmp
> > !
> > policy-map type inspect CCIE
> >  class type inspect CCIE
> >   inspect
> >  class type inspect dropicmp
> >   drop
> >  class class-default
> > !
> > zone security outside
> > zone security inside
> > zone-pair security no-way source inside destination outside
> >  service-policy type inspect CCIE
> > !
> > interface Loopback0
> >  ip address 10.2.2.2 255.255.255.0
> >  zone-member security inside
> > !
> > interface FastEthernet0/0
> >  ip address 12.12.12.2 255.255.255.0
> >  ip verify unicast source reachable-via any
> >  zone-member security outside
> >
> > I am doing a ping from the inside interface to a remote router.
> >
> > ping 12.12.12.1 source lo0
> >
> >
> > --
> > Andrew Lee Lissitz
> > all.from.nj_at_gmail.com
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
--
Andrew Lee Lissitz
all.from.nj_at_gmail.com

Received on Fri Oct 23 2009 - 07:35:04 ART
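
An added example, not part of the original thread and not either poster's configuration: in the Cisco IOS zone-based firewall, packets the router itself originates belong to the built-in `self` zone even when they are sourced from an interface that is a zone member, so the `inside`-to-`outside` zone-pair quoted above is never consulted for `ping 12.12.12.1 source lo0`. The sketch below shows a zone-pair that does cover that traffic; the names `SELF-ICMP`, `SELF-OUT` and `self-to-outside` are hypothetical, and the `pass` on `class-default` is an assumed design choice.

```cisco
! Added example. Hypothetical names: SELF-ICMP, SELF-OUT, self-to-outside.
!
! Router-generated traffic (such as "ping ... source lo0") has source zone
! "self", regardless of which interface address is used as the source.
! With no zone-pair that involves "self", that traffic is permitted.
!
class-map type inspect match-all SELF-ICMP
 match protocol icmp
!
policy-map type inspect SELF-OUT
 ! Drop ICMP that the router itself sends toward the outside zone.
 class type inspect SELF-ICMP
  drop
 ! Assumption: keep other router-originated traffic (routing protocols,
 ! management sessions) flowing. Without an explicit action, class-default
 ! in an inspect policy-map drops everything else.
 class class-default
  pass
!
zone security outside
!
! The "self" zone is built in and is not declared with "zone security".
zone-pair security self-to-outside source self destination outside
 service-policy type inspect SELF-OUT
!
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 zone-member security outside
```

`show policy-map type inspect zone-pair self-to-outside` displays the per-class counters, which is a quick way to confirm that the drop class is the one matching the ping.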
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART