Hi,
Really confusing.
From http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html:
"However, it is not necessary to configure a zone-pair and a service policy
solely for return traffic. Return traffic is allowed, by default, if a
service policy permits the traffic in the forward direction. In the above
example, it is not mandatory that you configure a zone-pair source Z2
destination Z1 solely for allowing return traffic from Z2 to Z1. The
service policy on the Z1-Z2 zone-pair takes care of it."
R1-------------(IN)-R2--(OUT)-------------------R3
R2 is configured with zone-based firewall. Do we need to apply the zone-pair
policy from OUT to IN, since it is returning traffic and the zone-pair IN_OUT
should take care of it? But if it isn't applied, it doesn't work when R1
pings R3 or telnets to R3. So, can someone shed some light on what Cisco meant
by the above? Thanks.
R2:

zone security IN
zone security OUT
zone-pair security IN_OUT source IN destination OUT
 service-policy type inspect IN_OUT
zone-pair security OUT_IN source OUT destination IN
 service-policy type inspect OUT_IN
!
class-map type inspect match-all IN_OUT
 match protocol icmp
!
policy-map type inspect IN_OUT
 class type inspect IN_OUT
  pass
 class class-default
  pass
!
policy-map type inspect OUT_IN
 class class-default
  pass
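Added example (not the poster's configuration and not taken from the Cisco page quoted above): the same two-zone layout with the `inspect` action in place of `pass`. The sentence quoted from Cisco describes the `inspect` action, which creates a session entry for each connection permitted from IN to OUT and uses that entry to let the matching return packets back in. The `pass` action forwards packets statelessly in one direction only and creates no session, so nothing on the OUT side is ever matched to the forward flow. The interface names, the `description` text and the use of a single zone-pair are assumptions made for this illustration.

```cisco
! Added example configuration for R2; interface names are assumed.
! Stateful inspection of ICMP and telnet initiated from zone IN.
class-map type inspect match-any IN_OUT
 match protocol icmp
 match protocol telnet
!
! "inspect" builds a session entry for each permitted flow, so the
! reply packets arriving on the OUT interface are allowed back without
! any OUT-to-IN zone-pair. Everything else from IN to OUT is dropped.
policy-map type inspect IN_OUT
 class type inspect IN_OUT
  inspect
 class class-default
  drop
!
zone security IN
zone security OUT
!
! Only the forward direction needs a zone-pair. With no OUT_IN zone-pair,
! traffic that originates on the OUT side toward IN is dropped by default.
zone-pair security IN_OUT source IN destination OUT
 service-policy type inspect IN_OUT
!
interface GigabitEthernet0/0
 description toward R1 (assumed interface name)
 zone-member security IN
!
interface GigabitEthernet0/1
 description toward R3 (assumed interface name)
 zone-member security OUT
```

After R1 pings or telnets to R3, `show policy-map type inspect zone-pair IN_OUT sessions` on R2 lists the session entries the `inspect` action created; with the original `pass` configuration that command shows no sessions, which is why the return traffic needs its own OUT_IN zone-pair there.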
Received on Sat Jun 16 2012 - 23:16:13 ART