Solved: Config Zone-based policy firewall

tungnf1 · ‎09-13-2023

Hi im new to networking and struggle with some of my assesment,

So i follow instruction but still could not

ping

the server at all, i have try ACL but same result. My cofig

Current configuration : 2172 bytes
!
! Last configuration change at 23:44:08 UTC Wed Sep 13 2023
! NVRAM config last updated at 23:38:21 UTC Wed Sep 13 2023
! NVRAM config last updated at 23:38:21 UTC Wed Sep 13 2023
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rx
!
boot-start-marker
boot-end-marker
!
!
enable secret X.X.X
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip dhcp pool LAB
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
!
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FGL163212NZ
license boot module c1900 technology-package securityk9
!
!
username admin privilege 15 secret X.X.X
!
redundancy
!
!
!
!
!
class-map type inspect match-any ToINTERNET_MAP
match protocol http
match protocol ssh
match protocol telnet
!
!
policy-map type inspect ToINTERNET_POLICY
class type inspect ToINTERNET_MAP
inspect
class class-default
drop
!
zone security INSIDE
zone security INTERNET
zone-pair security INOUT source INSIDE destination INTERNET
service-policy type inspect ToINTERNET_POLICY
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.254.5 255.255.255.0
zone-member security INTERNET
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.5.1 255.255.255.0
zone-member security INSIDE
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
password X.X.X
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password X.X.X
login
transport input all
!
scheduler allocate 20000 1000
end

Much appreciated

M02@rt37 · ‎09-14-2023

hello @tungnf1,

Add protocol icmp:

class-map type inspect match-any ToINTERNET_MAP
match protocol http
match protocol ssh
match protocol telnet
match protocol icmp

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

MHM Cisco World · ‎09-14-2023

Can You Confirm this issue is solved?

View solution in original post

M02@rt37 · ‎09-14-2023

hello @tungnf1,

Add protocol icmp:

class-map type inspect match-any ToINTERNET_MAP
match protocol http
match protocol ssh
match protocol telnet
match protocol icmp

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

tungnf1 · ‎09-14-2023

awesome, it works now thank you !!!

M02@rt37 · ‎09-14-2023

You're very welcome @tungnf1

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

MHM Cisco World · ‎09-14-2023

Can You Confirm this issue is solved?

tungnf1 · ‎09-14-2023

Yep , the solution works perfect