SR520, ping reply

Answered Question
Feb 27th, 2009

Hi,

Not very familiar with the ZBF on the SR520; can anyone please provide me with a config enabling the SR520 to send ping replies?

Regards

Eivind

Correct Answer by addis, Wed, 03/04/2009 - 09:18

Zone-based firewall configuration can be confusing, especially if one is used to older CBAC-type FW configuration.

Your best resource for this problem is the

Zone-Based Policy Firewall Design and Application Guide

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note...

Appendix B has a sample config that would allow ping replies.

There are four basic steps in setting up the firewall.

1) Define the zones

2) Define the class maps that identify traffic between zones

3) Create a policy map that defines the action to take on the class map

4) Configure the zone pair and apply the policy

In Appendix B, you'll see the class map specifying what traffic to inspect. The names of the class-map and policy-map could be anything.

class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp

The policy map here indicates what action to take, and in this case, the only action is to 'inspect'.
If it were 'drop', the connection would be denied.

policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect

Hopefully that helps!

Addis
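A complete configuration that puts the four steps together, added here as an illustration; it is not part of addis's answer or of the Cisco guide. The interface names (Vlan1 for the LAN, FastEthernet4 for the WAN on an SR520), the zone names and the zone-pair names are assumptions. It covers the two cases a ping on this box can involve: a LAN host pinging something beyond the WAN (traffic through the router), and a LAN host pinging the SR520 itself (the built-in "self" zone). The through-router case needs inspect rather than pass: pass is stateless and applies only in the zone pair's direction, so the echo reply coming back from out-zone to in-zone has no matching policy and is dropped, whereas inspect keeps session state and lets the reply through.

```ios
! Added example, not the original post's config. Interface names, zone
! names and zone-pair names are assumptions for an SR520.
!
! 1) Define the zones ("self" already exists and is not declared)
zone security in-zone
zone security out-zone
!
! 2) Class maps identifying the traffic
! Through-router traffic from the LAN: any of tcp, udp, icmp (match-any)
class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Traffic allowed to reach the router's own addresses from the LAN
class-map type inspect match-any lan-to-router-class
 match protocol icmp
 match protocol ssh
!
! 3) Policy maps: the action per class. class-default catches everything
! the named classes do not match and drops it (logged).
policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect
 class class-default
  drop log
!
policy-map type inspect lan-to-router-policy
 class type inspect lan-to-router-class
  inspect
 class class-default
  drop log
!
! 4) Zone pairs, each with its policy applied
! LAN -> WAN: inspect creates state so the echo reply (WAN -> LAN) is allowed
zone-pair security in-to-out source in-zone destination out-zone
 service-policy type inspect clients-servers-policy
!
! LAN -> router itself: only icmp and ssh get in, everything else is dropped
zone-pair security in-to-self source in-zone destination self
 service-policy type inspect lan-to-router-policy
!
! Put the interfaces in their zones; an interface in no zone cannot talk
! to an interface that is in a zone.
interface Vlan1
 zone-member security in-zone
!
interface FastEthernet4
 zone-member security out-zone
```

Two points worth knowing before copying this. Traffic to or from the router's own addresses is permitted by default as long as no zone pair involving self exists, so the in-to-self pair is only needed if you want to restrict what reaches the router; once it is there, anything the class map does not list is dropped. If your IOS release rejects inspect in a self-zone policy, use pass on in-to-self and add a mirror pair (source self destination in-zone) that also passes icmp, because pass is one-directional. To verify, run `show zone-pair security` and, while a ping from the LAN is in progress, `show policy-map type inspect zone-pair sessions`; an ICMP session should be listed under in-to-out.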



Eivind Jonassen Thu, 03/05/2009 - 13:02

Thanks,

What I've tried earlier was to "pass" the traffic instead of "inspect" it. Inspect was the right thing; it's now working the way I want. Thanks a lot for your help.

Regards

Eivind

angel0711 Mon, 05/21/2012 - 06:09

Hello,

I got the same issue. I have a site-to-site VPN between an SR520 and an RV042, and would like to allow complete traffic between these two offices, or almost complete traffic, because behind the SR520 I have an IP PBX directly connected, and on the other site (RV042) I have several remote IP extensions.

I've tried an extended access-list between my LAN on the SR520 and the remote RV042 LAN, with no results.

How can I make this work?

Thank you very much best regards!!!