Not very familiar with the ZBF on the SR520. Can anyone please provide me with a config enabling the SR520 to send ping replies?
Zone-based firewall configuration can be confusing, especially if one is used to older CBAC-type FW configuration.
Your best resource for this problem is the Zone-Based Policy Firewall Design and Application Guide. Appendix B has a sample config that would allow ping replies.
There are four basic steps in setting up the firewall.
1) Define the zones
2) Define the class maps that identify traffic between zones
3) Create a policy map that defines the action to take on the class map
4) Configure the zone pair and apply the policy
In Appendix B, you'll see the class map specifying what traffic to inspect. The names of the class-map and policy-map could be anything.
class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp
The policy map here indicates what action to take, and in this case, the only action is to 'inspect'. If it was 'drop', the connection would be denied.
policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect
Hopefully that helps!
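The four steps from the reply above, put together as one configuration. This is an added example, not part of the original post or of Cisco's guide; the zone names, the zone-pair name and the interface names are assumptions and must be adapted to the actual device.

```cisco
! Step 1: define the zones (zone names are assumptions)
zone security clients
zone security servers
!
! Step 2: class map that identifies the traffic between the zones
class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Step 3: policy map that sets the action for the class map.
! 'inspect' tracks the session, so the echo reply to an inspected
! echo request is allowed back without a policy for the reverse direction.
policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect
 ! Traffic matching no class is dropped; stated explicitly here
 class class-default
  drop
!
! Step 4: configure the zone pair and apply the policy
! (zone-pair name is an assumption)
zone-pair security clients-servers source clients destination servers
 service-policy type inspect clients-servers-policy
!
! Assign interfaces to zones (interface names are assumptions)
interface Vlan1
 zone-member security clients
!
interface FastEthernet4
 zone-member security servers
```

The zone pair is unidirectional: only sessions initiated from the source zone are inspected, and traffic initiated from the destination zone stays blocked unless a second zone pair is configured for that direction.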