12-07-2012 08:34 AM
Hi Everyone,
I have been completely stuck for 2 weeks now, so I decided to seek help from the experts.
On my study lab, I configured a Cisco 2811 router with 3 interfaces as follows:
1. Fa0/0 Inside
2. Fa0/1 Outside
3. Fa0/0/0 DMZ
And I configured advanced firewall on the router, now my interfaces are divided into zone-based firewall.
On the Inside (Private LAN) I have got a host named Exchange IP address 192.168.30.5 and on my DMZ I have got a host named Edge IP address 172.16.30.3.
Now, my question is this how can I configure my router so that the host Exchange (from inside) can ping host Edge (On DMZ).
Please find attached my router config.
Best regards,
BEN
12-07-2012 10:11 AM
Hi Ben,
Welcome to the network management forum. You would generally get more attention to a firewall question in the firewalling forum; but I'll have a try at it.
Your zone pair:
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
applies. The service-policy called out there would have to permit icmp. It doesn't:
policy-map type inspect sdm-permit-dmzservice
 class type inspect sdm-dmz-traffic
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class type inspect sdm-nat--1
  inspect
 class class-default
  pass
The easiest method would probably be to add a permit for icmp to the sdm-dmz-traffic class map. It is currently:
class-map type inspect match-all sdm-dmz-traffic
 match access-group name dmz-traffic
 match class-map sdm-dmz-protocols
which refers to:
class-map type inspect match-any sdm-dmz-protocols
 match protocol smtp
So add:
 match protocol icmp
to that final class-map above.