Thanks. Got it. So, pass will not take advantage of the stateful feature.
Vincent Tay
On 17 Jun, 2012, at 12:49 AM, marc edwards <renorider_at_gmail.com> wrote:
> The above configuration doesn't use inspect to take advantage of the
stateful feature of the ZBFW. Inspect will allow the access rules to
dynamically rewrite based on where they originate. This is the benefit of
using policy compared to ACLs. I will use your above example to help drive
this home.
>
> You could achieve similar reach from inside to outside if you were to remove
the OUT_IN policy and rewrite the IN_OUT to:
>
> !
> !
> policy-map type inspect IN_OUT
> class type inspect IN_OUT
> inspect
> class class-default
> inspect
> !
>
> This has a few benefits. The outside interface going OUT_IN will now (by
default) drop traffic UNLESS the traffic originated from a SYN passing
through IN_OUT. At that point, the traffic matches the policy to inspect and
the stateful feature will rewrite all traffic for the stream.
>
> HTH
>
> Marc
> On Sat, Jun 16, 2012 at 8:16 AM, Vincent Tay <vtay.75_at_gmail.com> wrote:
> Hi,
>
> Really confusing.
>
> From
> http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html
>
> However, it is not necessary to configure a zone-pair and a service policy
> solely for return traffic. Return traffic is allowed, by default, if a
> service policy permits the traffic in the forward direction. In the above
> example, it is not mandatory that you configure a zone-pair source Z2
> destination Z1 solely for allowing return traffic from Z2 to Z1. The
> service policy on the Z1-Z2 zone-pair takes care of it.
>
> R1-------------(IN)-R2--(OUT)-------------------R3
>
> R2 is configured with zone-based firewall. Do we need to apply the zone-pair
> policy from OUT to IN, since it is returning traffic and the zone-pair IN_OUT
> should take care of it? But if it isn't applied, it doesn't work when R1
> pings R3 or telnets to R3. So, can someone shed some light on what Cisco meant
> by the above? Thanks.
>
> R2
> zone security IN
> zone security OUT
>
> zone-pair security IN_OUT source IN destination OUT
> service-policy type inspect IN_OUT
> *zone-pair security OUT_IN source OUT destination IN *
> *service-policy type inspect OUT_IN*
>
> class-map type inspect match-all IN_OUT
> match protocol icmp
> !
> !
> policy-map type inspect IN_OUT
> class type inspect IN_OUT
> pass
> class class-default
> pass
> !
> policy-map type inspect OUT_IN
> class class-default
> pass
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Jun 17 2012 - 09:12:37 ART
This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:52 ART
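As an added example, not part of the thread and not Cisco's own sample, here is the complete R2 configuration the discussion arrives at: the IN_OUT policy uses inspect instead of pass, so the firewall keeps a session entry for each flow that R1 starts toward R3 and lets the return traffic back in without any OUT_IN zone-pair. The interface names and descriptions are assumed for illustration; the zone, class-map and policy-map names are the ones from the original post.

```cisco
! Added example (not from the thread): R2 zone-based firewall using "inspect".
! Interface names GigabitEthernet0/0 and 0/1 are assumed for illustration.
zone security IN
zone security OUT
!
! Match the two protocols the original question tests (ping and telnet).
class-map type inspect match-any IN_OUT
 match protocol icmp
 match protocol telnet
!
! "inspect" creates a stateful session entry for each matching flow;
! "pass" forwards the packet but records nothing, so replies are not
! recognised as return traffic.
policy-map type inspect IN_OUT
 class type inspect IN_OUT
  inspect
 class class-default
  drop
!
! Only the IN -> OUT zone-pair is needed. Return traffic for inspected
! sessions is permitted automatically; with no OUT_IN zone-pair, any
! traffic that originates on the OUT side is dropped by default.
zone-pair security IN_OUT source IN destination OUT
 service-policy type inspect IN_OUT
!
interface GigabitEthernet0/0
 description Link to R1 (assumed interface name)
 zone-member security IN
!
interface GigabitEthernet0/1
 description Link to R3 (assumed interface name)
 zone-member security OUT
```

After R1 pings or telnets to R3, `show policy-map type inspect zone-pair IN_OUT sessions` on R2 lists the active session entries; with the original pass action the same command shows none, which is why the extra OUT_IN zone-pair was the only way to get replies through. Traffic to or from R2 itself belongs to the self zone and is not governed by this zone-pair.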