Hi,
Pass will NOT inspect. It only passes traffic in one direction
(statelessly).
To see sessions use command 'sh policy-map type inspect zone-pair sessions'
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough - Albert Einstein

2012/1/3 Aaron <aaron1_at_gvtc.com>

> Thanks. Sounds like "pass" action is like a permit statement in an acl
> that's applied to an interface as an access-group to allow (statelessly) a
> certain port/prot/ip to flow through always.
>
> Also, how do you see/view these state tables that you mention that zbf
> inspect spawns? How do you view those? What are the show commands to see
> those in zbf?
>
> Aaron
>
> From: Narbik Kocharians [mailto:narbikk_at_gmail.com]
> Sent: Monday, January 02, 2012 5:29 PM
> To: marc abel
> Cc: Aaron; ccielab_at_groupstudy.com
> Subject: Re: zbf
>
> The "Pass" command inspects the traffic statelessly, which means that it
> does not keep a state table, therefore, the return traffic will NOT be
> allowed unless it is configured to be allowed.
>
> The "Inspect" command inspects the traffic statefully, which means that the
> router keeps a state table and it is based on this table that it allows the
> return traffic.
>
> On Mon, Jan 2, 2012 at 2:31 PM, marc abel <marcabel_at_gmail.com> wrote:
>
> > Inspect allows the return traffic.
> >
> > On Mon, Jan 2, 2012 at 4:00 PM, Aaron <aaron1_at_gvtc.com> wrote:
> >
> > > The following seems to allow me to ping from inside to outside.. What if I
> > > replace the "inspect" action under the policy-map with the "pass" action?
> > > What is the difference?
> > >
> > > Aaron
> > >
> > > zone security inside
> > >
> > > zone security outside
> > >
> > > interface FastEthernet0/0
> > >  zone-member security inside
> > >
> > > interface Serial2/0:0
> > >  zone-member security outside
> > >
> > > class-map typ inspe inside-to-outside
> > >  match protocol icmp
> > >
> > > policy-map type inspect inside-to-outside
> > >  class type inspect inside-to-outside
> > >   inspect
> > >
> > > zone-p sec inside-to-outside sou inside des outside
> > >  service-policy type inspect inside-to-outside
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Narbik Kocharians
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining.com
> Sr. Technical Instructor
>
> YES! We take Cisco Learning Credits!
> Training & Remote Racks available

Received on Tue Jan 03 2012 - 20:36:56 ART
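As an added illustration (not part of the thread above), here is Aaron's configuration with `inspect` replaced by `pass`, showing why the ping then stops working: `pass` keeps no session table, so the echo replies coming back from the outside zone are dropped unless a second zone-pair explicitly passes them. The reverse-direction class-map, policy-map and zone-pair names are assumptions.

```cisco
! --- Variant A: stateful, as in the original thread.
! The session table created by 'inspect' allows the echo replies back in.
class-map type inspect inside-to-outside
 match protocol icmp
policy-map type inspect inside-to-outside
 class type inspect inside-to-outside
  inspect
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside
! While a ping runs, the session is visible with:
!   show policy-map type inspect zone-pair sessions

! --- Variant B: 'pass' instead of 'inspect' (stateless, one direction only).
policy-map type inspect inside-to-outside-pass
 class type inspect inside-to-outside
  pass
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside-pass
! With only this, echo requests leave but echo replies are dropped:
! there is no session entry, and outside->inside has no zone-pair,
! so inter-zone traffic falls to the default deny.
! To make the ping work with 'pass', the return path must be opened
! explicitly (names below are assumed, not from the thread):
class-map type inspect outside-to-inside
 match protocol icmp
policy-map type inspect outside-to-inside-pass
 class type inspect outside-to-inside
  pass
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect outside-to-inside-pass
! Trade-off: this admits any ICMP from outside, not only replies to
! inside-originated echoes, which is why 'inspect' is the safer choice.
! 'show policy-map type inspect zone-pair sessions' shows nothing for
! pass traffic, because no session is ever created.
```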