Solved: SR520, ping reply

Eivind Jonassen · ‎02-27-2009

Hi,

Not very familiar with the ZBF on the SR520, can anyone please provide me with a config enabling the SR520 to send ping reply´s.

Regards

Eivind

addis · ‎03-04-2009

Zone-based firewall configuration can be confusing, especially if one is used to older CBAC-type FW configuration.

Your best resource for this problem is the

Zone-Based Policy Firewall Design and Application Guide

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#app-b

Appendix B has a sample config that would allow ping replies.

There are four basic steps in setting up the firewall.

1) Define the zones

2) Define the class maps that identify traffic between zones

3) Create a policy map that defines the action to take on the class map

4) Configure the zone pair and apply the policy

In Appendix B, you'll see the class map specifiying what traffic to inspect. The names of the class-map and policy-map could be anything.

class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp

The policy map here indicates what action to take, and in this case, the only action is to 'inspect'.
If it was 'drop', the connection would be denied.

policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect

Hopefully that helps!

Addis

View solution in original post

addis · ‎03-04-2009

Zone-based firewall configuration can be confusing, especially if one is used to older CBAC-type FW configuration.

Your best resource for this problem is the

Zone-Based Policy Firewall Design and Application Guide

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#app-b

Appendix B has a sample config that would allow ping replies.

There are four basic steps in setting up the firewall.

1) Define the zones

2) Define the class maps that identify traffic between zones

3) Create a policy map that defines the action to take on the class map

4) Configure the zone pair and apply the policy

In Appendix B, you'll see the class map specifiying what traffic to inspect. The names of the class-map and policy-map could be anything.

class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp

The policy map here indicates what action to take, and in this case, the only action is to 'inspect'.
If it was 'drop', the connection would be denied.

policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect

Hopefully that helps!

Addis

Eivind Jonassen · ‎03-05-2009

Thanks,

What I´ve tried earlier was to "pass" the traffic instead of "inspect" it. Inspect was the right thing, it´s now working the way I want. Thanks alot for your help.

Regards

Eivind

angel0711 · ‎05-21-2012

Hello,

I got the same issue, i have a vpn site to site between sr520 and rv04,and would like to allow complete trafic between these two offices, or almost complete trafic, because behing sr520 a got a IPPBX directly connected, and on the other site RV042 I got several remote IP extentions.

I´ve tryed with an extended access-list between my lan on sr520 and remotes rv042 lan, with no results

How can I make this work?

Thank you very much best regards!!!