02-27-2009 12:00 PM
Hi,
Not very familiar with the ZBF on the SR520, can anyone please provide me with a config enabling the SR520 to send ping replies.
Regards
Eivind
03-04-2009 09:18 AM
Zone-based firewall configuration can be confusing, especially if one is used to older CBAC-type FW configuration.
Your best resource for this problem is the
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#app-b
Appendix B has a sample config that would allow ping replies.
There are four basic steps in setting up the firewall.
1) Define the zones
2) Define the class maps that identify traffic between zones
3) Create a policy map that defines the action to take on the class map
4) Configure the zone pair and apply the policy
In Appendix B, you'll see the class map specifying what traffic to inspect. The names of the class-map and policy-map could be anything.
class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp
The policy map here indicates what action to take, and in this case, the only action is to 'inspect'.
If it was 'drop', the connection would be denied.
policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect
Hopefully that helps!
Addis
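The four steps above carried through to a complete zone-based firewall fragment, as an added example that is not from Addis's post or from the Cisco tech note; the zone names, zone-pair name and interface names (Vlan1 as the LAN, FastEthernet4 as the WAN) are assumptions for an SR520, while the class-map and policy-map are the ones quoted above.

```cisco
! Step 1: define the zones (zone names are assumptions)
zone security inside
zone security outside
!
! Step 2: class map identifying the traffic to be inspected (from the post)
class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Step 3: policy map; 'inspect' builds a stateful session entry for the
! outgoing echo request so the returning echo reply is permitted back in.
! Anything not matched falls to class-default and is dropped.
policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect
 class class-default
  drop
!
! Step 4: zone pair in the direction the traffic is initiated (inside -> outside)
! and apply the policy. No outside -> inside zone pair is needed for replies.
zone-pair security in-to-out source inside destination outside
 service-policy type inspect clients-servers-policy
!
! Put each interface into its zone (interface names are assumptions)
interface Vlan1
 zone-member security inside
interface FastEthernet4
 zone-member security outside
!
! Check: while a ping is running from the LAN, the ICMP session should appear in
!   show policy-map type inspect zone-pair in-to-out sessions
```

With 'pass' in place of 'inspect' no session entry is created, so the echo reply arriving outside -> inside has no zone pair allowing it and is dropped, which is what Eivind saw before switching to 'inspect'.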
03-05-2009 01:02 PM
Thanks,
What I've tried earlier was to "pass" the traffic instead of "inspect" it. Inspect was the right thing, it's now working the way I want. Thanks a lot for your help.
Regards
Eivind
05-21-2012 06:09 AM
Hello,
I got the same issue, I have a VPN site-to-site between SR520 and RV042, and would like to allow complete traffic between these two offices, or almost complete traffic, because behind the SR520 I got an IP PBX directly connected, and on the other site (RV042) I got several remote IP extensions.
I've tried with an extended access-list between my LAN on the SR520 and the remote RV042 LAN, with no results.
How can I make this work?
Thank you very much best regards!!!