RE: zbf

From: Aaron <aaron1_at_gvtc.com>
Date: Tue, 3 Jan 2012 14:21:31 -0600

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 66DA0960 (204.12.1.254:8)=>(54.1.1.254:0) icmp SIS_OPEN
          Created 00:00:05, Last heard 00:00:04
          ECHO request
          Bytes sent (initiator:responder) [360:360]

Awesome, thanks Piotr


From: Piotr Matusiak [mailto:pitt2k_at_gmail.com]
Sent: Tuesday, January 03, 2012 1:37 PM
To: Aaron
Cc: Narbik Kocharians; marc abel; Jay McMickle; ccielab_at_groupstudy.com
Subject: Re: zbf

Hi,

Pass will NOT inspect. It only passes traffic in one direction
(statelessly).

To see sessions, use the command 'sh policy-map type inspect zone-pair sessions'.

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
"If you can't explain it simply, you don't understand it well enough" -
Albert Einstein
2012/1/3 Aaron <aaron1_at_gvtc.com>
Thanks. Sounds like the "pass" action is like a permit statement in an ACL
that's applied to an interface as an access-group to allow (statelessly) a
certain port/protocol/IP to flow through always.
Also, how do you see/view these state tables that you mention that zbf
inspect spawns? How do you view those? What are the show commands to see
those in zbf?
Aaron
From: Narbik Kocharians [mailto:narbikk_at_gmail.com]
Sent: Monday, January 02, 2012 5:29 PM
To: marc abel
Cc: Aaron; ccielab_at_groupstudy.com
Subject: Re: zbf
The "Pass" command inspects the traffic statelessly, which means that it
does not keep a state table; therefore, the return traffic will NOT be
allowed unless it is configured to be allowed.
The "Inspect" command inspects the traffic statefully, which means that the
router keeps a state table, and it is based on this table that it allows the
return traffic.
On Mon, Jan 2, 2012 at 2:31 PM, marc abel <marcabel_at_gmail.com> wrote:
Inspect allows the return traffic.
On Mon, Jan 2, 2012 at 4:00 PM, Aaron <aaron1_at_gvtc.com> wrote:
> The following seems to allow me to ping from inside to outside. What if I
> replace the "inspect" action under the policy-map with the "pass" action?
> What is the difference?
>
> Aaron
>
> zone security inside
> zone security outside
> !
> interface FastEthernet0/0
>  zone-member security inside
> !
> interface Serial2/0:0
>  zone-member security outside
> !
> class-map type inspect inside-to-outside
>  match protocol icmp
> !
> policy-map type inspect inside-to-outside
>  class type inspect inside-to-outside
>   inspect
> !
> zone-pair security inside-to-outside source inside destination outside
>  service-policy type inspect inside-to-outside
>
>
> Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/> 
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/> 
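To make the thread's inspect-versus-pass distinction concrete, here is an added example configuration (not posted by anyone in the thread) that builds Aaron's ICMP policy first with "inspect" and then with "pass"; with "pass" the echo replies only come back if a second, equally stateless zone-pair permits ICMP from outside to inside, which also admits ICMP that outside hosts initiate. Zone and interface names are taken from Aaron's config; the class, policy and zone-pair names in capitals are assumed.

```cisco
! Added example, not from the thread. Zones and interfaces as in Aaron's config.
zone security inside
zone security outside
interface FastEthernet0/0
 zone-member security inside
interface Serial2/0:0
 zone-member security outside
!
class-map type inspect match-any ICMP-CLASS
 match protocol icmp
!
! --- Variant 1: inspect (stateful) ---
! One zone-pair is enough: the router records the echo request as a session
! and lets only the matching echo reply back in. Unsolicited ICMP arriving
! from outside has no session and is dropped.
policy-map type inspect INSPECT-OUT
 class type inspect ICMP-CLASS
  inspect
 class class-default
  drop
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect INSPECT-OUT
!
! Check the state table after a ping from inside (Piotr's command):
!   show policy-map type inspect zone-pair sessions
!
! --- Variant 2: pass (stateless), an alternative to variant 1 ---
! pass keeps no state, so with only the inside-to-outside zone-pair the
! echo replies are dropped. Re-entering the zone-pair below replaces the
! service-policy from variant 1. The outside-to-inside zone-pair makes the
! replies flow, but it is just as stateless: it also lets outside hosts
! send their own ICMP (e.g. echo requests) to the inside zone.
policy-map type inspect PASS-OUT
 class type inspect ICMP-CLASS
  pass
 class class-default
  drop
policy-map type inspect PASS-IN
 class type inspect ICMP-CLASS
  pass
 class class-default
  drop
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect PASS-OUT
zone-pair security OUTSIDE-TO-INSIDE source outside destination inside
 service-policy type inspect PASS-IN
```

With variant 2 the sessions command shows nothing for the ICMP traffic, because no session is created; that absence is the visible difference between the two actions.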
Received on Tue Jan 03 2012 - 14:21:31 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART