Re: ZONE-BASED-FIREWALL

From: Viet-Hung TON <vton_at_integra.fr>
Date: Wed, 03 Oct 2012 17:03:16 +0200

Do you assign zone X as better than zone Y in terms of security level?

If yes, I consider that, because ICMP is not a stateful service, you
should try to test another one (HTTP, for example; you should activate the
HTTP server on R5 for testing), or maybe activate inspection for ICMP
traffic.

Viet

On 10/03/2012 04:54 PM, Mohammad Mousa wrote:
> Hi Guys, I have a question about ZBF. As far as I know, the ZBF takes the
> concept from CBAC by permitting all the traffic that is initiated from
> inside to the outside and permitting the return traffic. I defined the
> policy-map to pass the ICMP and class-default as well.
>
> R1------R2----R5 (Router2) has four interfaces, one of them in Zone X
> (interface facing R5) and the others in zone Y. When I pinged from R1 to
> R5, I saw the output of the ICMP debugging and the packets reached R5, but
> the traffic didn't come back to R1. When I put the zone-pair in both
> directions, it worked fine! Please advise me, correct me if I'm wrong!
> Thank you all.
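The behaviour discussed in this thread, shown as an added IOS ZBF configuration that is not from either poster: "pass" forwards packets one way without creating session state, so the echo-reply is dropped unless a second zone-pair exists, while "inspect" tracks the session and admits the return traffic with a single zone-pair. Zone names follow the question; the interface names, descriptions and policy names are assumptions.

```cisco
! Constructed example, not taken from the thread. Interface names and
! policy-map names are assumptions; zones X and Y are from the question.
class-map type inspect match-any CM-ICMP
 match protocol icmp
!
! Original (failing) policy: "pass" forwards Y->X packets but keeps no
! session entry, so the X->Y echo-reply needs its own zone-pair.
policy-map type inspect PM-PASS-ONLY
 class type inspect CM-ICMP
  pass
 class class-default
  drop
!
! Corrected policy: "inspect" creates a stateful session entry and the
! return traffic is admitted automatically; one zone-pair is enough.
policy-map type inspect PM-INSPECT
 class type inspect CM-ICMP
  inspect
 class class-default
  drop log
!
zone security Y
zone security X
!
! Only the initiating direction is paired; X->Y return traffic is matched
! against the session table, not against a missing zone-pair.
zone-pair security Y-TO-X source Y destination X
 service-policy type inspect PM-INSPECT
!
interface GigabitEthernet0/0
 description facing R1 (zone Y)
 zone-member security Y
!
interface GigabitEthernet0/1
 description facing R5 (zone X)
 zone-member security X
```

After a ping from R1 to R5, `show policy-map type inspect zone-pair Y-TO-X sessions` should list the ICMP session; with PM-PASS-ONLY applied instead, no session is created and the echo-reply is dropped at R2.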

Blogs and organic groups at http://www.ccie.net
Received on Wed Oct 03 2012 - 17:03:16 ART

This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART