Re: zbf from Narbik Kocharians on 2012-01-02 (Ccielab archives 01/2012)

From: Narbik Kocharians <narbikk_at_gmail.com>
Date: Mon, 2 Jan 2012 15:29:20 -0800

The "Pass" command inspects the traffic statelessly, which means that it
does not keep a state table, therefore, the return traffic will NOT be
allowed unless it is configured to be allowed.
The "Inspect" command inspects the traffic statefully, which mean that the
router keeps a state table and it is based on this table that it allows the
return traffic.

On Mon, Jan 2, 2012 at 2:31 PM, marc abel <marcabel_at_gmail.com> wrote:

> Inspect allows the return traffic.
>
> On Mon, Jan 2, 2012 at 4:00 PM, Aaron <aaron1_at_gvtc.com> wrote:
>
> > The following seems to allow me to ping from inside to outside.. What if
> I
> > replace the "inspect" action under the policy-map with the "pass" action?
> > What is the difference?
> >
> >
> >
> > Aaron
> >
> >
> >
> >
> >
> > zone security inside
> >
> >
> >
> > zone security outside
> >
> >
> >
> > interface FastEthernet0/0
> >
> > zone-member security inside
> >
> >
> >
> > interface Serial2/0:0
> >
> > zone-member security outside
> >
> >
> >
> > class-map typ inspe inside-to-outside
> >
> > match protocol icmp
> >
> >
> >
> > policy-map type inspect inside-to-outside
> >
> > class type inspect inside-to-outside
> >
> > inspect
> >
> >
> >
> > zone-p sec inside-to-outside sou inside des outside
> >
> > service-policy type inspect inside-to-outside
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
*Narbik Kocharians
*CCSI#30832, CCIE# 12410 (R&S, SP, Security)
*www.MicronicsTraining.com* <http://www.micronicstraining.com/>
Sr. Technical Instructor
YES! We take Cisco Learning Credits!
Training & Remote Racks available
Blogs and organic groups at http://www.ccie.net

Received on Mon Jan 02 2012 - 15:29:20 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART