1841 Zone-based Policy - but I don't see my next step

mauric
Level 1

Hello everyone,
Hello Cisco pro people!

I am trying to set up my 1841 router for my 3 clients here in the house (trust zone, zone LAN). In the meantime I have read a lot of papers, but now I don't see my next step.


 - If I connect the "ZONE Policy Security Internet" to Fa0/0, I can't ping anything outside in my untrust zone.

 - If I disconnect the "ZONE Policy Security Internet" from Fa0/0, I can ping everything in the untrust zone from the CLI.

I want to build a little "FW" with my 1841 that I need to secure the untrust side, so I thought the Zone Based Firewall was a good choice. Logically my zone policy must be running into some big mistake; that's my point now, but I don't see it. Please, what is my mistake?

Is it possible to give me some help here?

I made a little drawing of what I think the structured LAN topology (untrust/trust) looks like and attached the run file from my router.

Thanks for any message that I can get!

Best regards

Mauri


Hello,

at first glance, I think you forgot to add 'inspect' to your policy map:

policy-map type inspect LAN2INTERNET
 class type inspect LAN2INTERNET
  --> inspect
 class class-default
  drop


Hello gpauwen,

Thanks for your quick feedback. After reading your help and modifying this, I also see a mistake with the zone-pair security "service-policy".

policy-map type inspect LAN2INTERNET
 class type inspect LAN2INTERNET
  --> inspect

Thanks a lot for your help.
I am also adding this to the zone-pair:
zone-pair security LAN2INTERNET source LAN destination INTERNET
 --> service-policy type inspect LAN2INTERNET

But now my interface Fa0/0 doesn't get any IP from the ISP:

Router# release dhcp fa0/0
Router# renew dhcp fa0/0
Not in Bound state.

Router# sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES DHCP   up                    up
FastEthernet0/1        192.168.1.254   YES NVRAM  up                    up

If I delete the "zone-member security INTERNET" from Fa0/0, I get the IP from the ISP.
I think I have some other trouble with my zones or the policy settings.

I have now added the new run file to this post.

Thanks for any possible help!

Best regards
Mauri

Hello,

try and add the following:

class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all SSH
 match access-group 100
class-map type inspect match-any LAN2INTERNET
 match protocol icmp
 match protocol http
 match protocol https
 match protocol bootpc
 match protocol bootps

Hello everyone,

Now Fa0/0 has the IP from the ISP.

And on Fa0/1 the clients in "LAN" get the assigned IP range.

But tracert from a client to the internet isn't possible.

Ping from the Cisco console works.

Ping from a client doesn't work.


Router#sh zone-pair security
Zone-pair name LAN2INTERNET
    Source-Zone LAN  Destination-Zone INTERNET
    service-policy not configured
Zone-pair name INTERNET2SELF
    Source-Zone INTERNET  Destination-Zone self
    service-policy not configured
Zone-pair name LAN2SELF
    Source-Zone LAN  Destination-Zone self
    service-policy not configured

Router#sh policy-map type inspect
  Policy Map type inspect INTERNET2SELF
    Class ICMP
      Inspect
    Class class-default

  Policy Map type inspect LAN2INTERNET
    Class LAN2INTERNET
      Inspect
    Class class-default

  Policy Map type inspect LAN2SELF
    Class SSH
      Inspect
    Class class-default

Thanks to all for any possible help!

Regards


The problem is that your zone pair INTERNET2SELF has 'self' as the destination. 'Self' is the router and nothing else. Change it to:

Zone-pair name INTERNET2SELF
    Source-Zone INTERNET  Destination-Zone LAN

and check if traceroute and ping from the clients work after that configuration change.

Hello gpauwen,

After changing the settings, the client PCs aren't able to ping 8.8.8.8.

From the router CLI it is possible to ping and tracert to the internet.

Thanks for your Help and best regards

Mauri

Hello,

you don't have any service policies configured for your zone pairs. This is what the zone pairs should look like:

zone-pair security LAN2INTERNET source LAN destination INTERNET
 service-policy type inspect LAN2INTERNET
zone-pair security INTERNET2SELF source INTERNET destination LAN
 service-policy type inspect INTERNET2SELF
zone-pair security LAN2SELF source LAN destination SELF
 service-policy type inspect LAN2SELF

I am desperate, I had already registered these zones and service policies...
OK, now they are registered again, but it is still not working.

Ping and tracert from the 1841 CLI work.
Ping and tracert from the client PCs don't work.

Router#sh zone-pair security
Zone-pair name LAN2INTERNET
    Source-Zone LAN  Destination-Zone INTERNET
    service-policy LAN2INTERNET
Zone-pair name INTERNET2SELF
    Source-Zone INTERNET  Destination-Zone LAN
    service-policy INTERNET2SELF
Zone-pair name LAN2SELF
    Source-Zone LAN  Destination-Zone self
    service-policy LAN2SELF

I write "self" with capital letters, but it appears in small letters.
Please, I want to get this router running correctly.

Regards
Mauri

Hello,

keep in mind that a zone must be configured before interfaces can be assigned to the zone.

I would start from scratch:

1. remove all security zone configuration from the interfaces

2. make sure the security zone configuration and security policy assignments are in place

3. reassign the security zones to the interfaces
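The following is an added example, not the poster's running-config and not a configuration from any reply in this thread. It builds a complete zone-based firewall for the 1841 in the order the last reply recommends (zones first, then class-maps, policy-maps and zone-pairs, interfaces last), and it carries the three fixes raised in the thread: every class has an action, every zone-pair has a service-policy, and zones exist before an interface is made a member. The zone, class and policy names and the interfaces come from the thread. The contents of ACL 100, the DNS match, the NAT overload, the DHCP pass rules towards the self zone (needed because a policy on an INTERNET-to-self pair stops the router from receiving its DHCP lease from the ISP) and IOS support for inspect on self-zone pairs are assumptions.

```cisco
! Step 1: zones must exist before anything references them.
zone security LAN
zone security INTERNET
!
! Assumed ACL 100: SSH from the LAN to the router itself.
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22
!
! Step 2a: class-maps. match-any, so a packet matching any one protocol is classified.
class-map type inspect match-any LAN2INTERNET
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all SSH
 match access-group 100
! Assumed: the router is a DHCP client on Fa0/0; once a zone-pair involving
! the self zone carries a policy, DHCP to and from self must be allowed explicitly.
class-map type inspect match-any DHCP
 match protocol bootpc
 match protocol bootps
!
! Step 2b: policy-maps. A class without an action is dropped, so every class
! states inspect, pass or drop. "drop log" makes denied traffic visible.
policy-map type inspect LAN2INTERNET
 class type inspect LAN2INTERNET
  inspect
 class class-default
  drop log
policy-map type inspect INTERNET2SELF
 class type inspect ICMP
  inspect
 class type inspect DHCP
  pass
 class class-default
  drop log
policy-map type inspect SELF2INTERNET
 class type inspect ICMP
  inspect
 class type inspect DHCP
  pass
 class class-default
  drop log
policy-map type inspect LAN2SELF
 class type inspect SSH
  inspect
 class class-default
  drop log
!
! Step 2c: zone-pairs, each with its service-policy. Without it,
! "show zone-pair security" reports "service-policy not configured".
! No INTERNET-to-LAN pair is needed: stateful inspection on LAN2INTERNET
! admits the return traffic of sessions the clients opened.
zone-pair security LAN2INTERNET source LAN destination INTERNET
 service-policy type inspect LAN2INTERNET
zone-pair security INTERNET2SELF source INTERNET destination self
 service-policy type inspect INTERNET2SELF
zone-pair security SELF2INTERNET source self destination INTERNET
 service-policy type inspect SELF2INTERNET
zone-pair security LAN2SELF source LAN destination self
 service-policy type inspect LAN2SELF
!
! Assumed: the ISP hands out one dynamic address, so the LAN is translated
! behind Fa0/0 (PAT). Without this the clients' pings leave with private sources.
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! Step 3: assign the interfaces to their zones last.
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 zone-member security INTERNET
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 zone-member security LAN
```

After applying it, "show zone-pair security" should list a service-policy on all four pairs, "show ip interface brief" should show Fa0/0 with a DHCP-assigned address, and "show policy-map type inspect zone-pair sessions" shows the inspected sessions a client ping or browse creates. The SELF2INTERNET policy deliberately drops anything the router originates other than ICMP and DHCP; any other router-originated traffic (NTP, DNS lookups from the CLI, syslog) needs its own class there.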