02-27-2009 12:00 PM
Hi,
Not very familiar with the ZBF on the SR520, can anyone please provide me with a config enabling the SR520 to send ping replies.
Regards
Eivind
03-04-2009 09:18 AM
Zone-based firewall configuration can be confusing, especially if one is used to older CBAC-type FW configuration.
Your best resource for this problem is the
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#app-b
Appendix B has a sample config that would allow ping replies.
There are four basic steps in setting up the firewall.
1) Define the zones
2) Define the class maps that identify traffic between zones
3) Create a policy map that defines the action to take on the class map
4) Configure the zone pair and apply the policy
In Appendix B, you'll see the class map specifying what traffic to inspect. The names of the class-map and policy-map could be anything.
class-map type inspect match-any L4-inspect-class
match protocol tcp
match protocol udp
match protocol icmp
The policy map here indicates what action to take, and in this case, the only action is to 'inspect'.
If it was 'drop', the connection would be denied.
policy-map type inspect clients-servers-policy
class type inspect L4-inspect-class
inspect
Hopefully that helps!
Addis
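The four steps above, carried through to a complete zone-based firewall configuration as an added example (not from the original post or from the Cisco tech note). The zone names, the interface roles (Vlan1 as the LAN, FastEthernet4 as the WAN) and the zone-pair name are assumptions; the class-map and policy-map are the ones from the answer.

```cisco
! Added example; interface and zone names are assumed, not from the thread.
! Step 1: define the zones
zone security inside
zone security outside
!
! Step 2: class map identifying the traffic to be tracked between zones
class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Step 3: policy map. 'inspect' creates a stateful session entry, so the
! ICMP echo reply is matched to the outgoing echo and allowed back in.
! 'pass' only forwards packets statelessly, so the reply from the outside
! zone has no session to match and is dropped by default.
policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect
 class class-default
  drop
!
! Step 4: zone pair from inside to outside with the policy applied.
! No outside-to-inside zone pair is defined, so unsolicited inbound
! traffic to the LAN stays blocked.
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect clients-servers-policy
!
! Place the interfaces in their zones (assumed SR520 interface names)
interface Vlan1
 zone-member security inside
interface FastEthernet4
 zone-member security outside
```

After a ping from the LAN, `show policy-map type inspect zone-pair sessions` should list the ICMP session while it is open, which confirms the reply is being matched by inspection rather than by a static rule.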
03-05-2009 01:02 PM
Thanks,
What I've tried earlier was to "pass" the traffic instead of "inspect" it. Inspect was the right thing, it's now working the way I want. Thanks a lot for your help.
Regards
Eivind
05-21-2012 06:09 AM
Hello,
I got the same issue, I have a VPN site to site between SR520 and RV042, and would like to allow complete traffic between these two offices, or almost complete traffic, because behind the SR520 I got an IP PBX directly connected, and on the other site RV042 I got several remote IP extensions.
I've tried with an extended access-list between my LAN on the SR520 and the remote RV042 LAN, with no results.
How can I make this work?
Thank you very much best regards!!!