Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
498
Views
0
Helpful
0
Replies

Default policy allows to ping between zones in Cisco firewall

iamdrdani
Level 1
Level 1

‎09-22-2021 01:18 AM

I have a very simple setting in Packet Tracer to test what I learned from zone-based firewalls.

WAN <==>[Fa0/0] c2811 [Fa0/1]<==> LAN

I am using c2811 router, which is the only one in Packet Tracer 6.0.1 (the only version I have access to), because it is the only router I could find the zone-member command to assign an interface to a zone. Routers c2901 and c2911 don't have this command, or I couldn't find it (is it somewhere different from the interface menu?).

So my configuration is very simple:

zone security LAN
zone security WAN
zone-pair security LAN2WAN source LAN destination WAN
zone-pair security WAN2LAN source WAN destination LAN
!
interface FastEthernet0/0
  ip address 192.168.1.1 255.255.255.0
  zone-member security WAN
  duplex auto
  speed auto
!
interface FastEthernet0/1
  ip address 192.168.2.1 255.255.255.0
  zone-member security LAN
  duplex auto
  speed auto
!

From what I read in several sites (including Cisco's) after creating the zones, assigning interfaces to them and creating the zone pairs, all inter zone traffic should be block. However, I can ping from one PC in LAN to another PC in WAN.

What am I missing? Thanks in advance! Calvindude France

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents