Hello All
i'm hoping you can assist me, i'm trying to convert from the old ip inspect firewall rules to zone based policy's
I have worked out most of the setting however I can't seem to get outside icmp blocking to occur
I want clients inside the network to be able to ping, just not the big bad internet pinging my wan interface.
I have tried acl's on the in bound interface but then clients inside the network can't ping
I tried adding class to match icmp and block it however that didn't work
here is my zone-based policy config thus far
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all OUTSIDE-ICMP-POLICY
match protocol icmp
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
inspect
class type inspect OUTSIDE-ICMP-POLICY
drop
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
ip access-list extended INSIDE-TO-OUTSIDE
10 permit ip any any
ip access-list extended OUTSIDE-TO-INSIDE
10 remark Allow Inbound Connections
10 remark VPN Connection
10 permit gre any any
20 permit udp any any eq non500-isakmp
30 permit udp any any eq isakmp
40 permit esp any any
50 permit ahp any any
60 permit tcp any any eq 10000
70 remark Internode SIP UDP 5060
70 permit udp host <removed> any eq 5060
90 remark DNS Access TCP (53)
90 permit tcp any any eq domain
100 remark DNS Access TCP (53)
100 permit udp any any eq domain
170 remark HTTPS (443) Access TCP
170 permit tcp any any eq 443
180 remark HTTPS (443) Access UDP
180 permit udp any any eq 443
190 remark NTP (123)
190 permit udp any any eq ntp
220 remark ESET ESMC Management Agent (2222) TCP
220 permit tcp any any eq 2222
260 remark Deny ICMP
260 deny icmp any any
270 deny ip 10.0.0.0 0.0.0.255 any
280 deny ip 172.16.0.0 0.15.255.255 any
290 deny ip 192.168.0.0 0.0.255.255 any
300 deny ip 127.0.0.0 0.255.255.255 any
310 deny ip host 255.255.255.255 any
320 deny ip host 0.0.0.0 any
330 deny ip any any
interface GigabitEthernet0/0/2
description GLECSW01_Gi1/0/1
ip address 10.0.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
zone-member security INSIDE
media-type rj45
negotiation auto
no mop enabled
ip virtual-reassembly
ip virtual-reassembly-out
interface Dialer0
description --- FTTP PPPoE ---
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <removed>
ppp chap password 7 <removed>
ppp ipcp dns request accept
ppp ipcp route default
ip virtual-reassembly max-reassemblies 256
