lsoinatel00416
Beginner

Zone-Based Policy Firewall - RT1101

Hello, could you help me with the Zone-Based Policy Firewall function on Cisco RT1101?
 
When I enable "zone-member security INSIDE" on the Gi0/0/0 interface I can't reach host 10.229.226.75 (RT_1101_PE SUZANO). But when I do the same configuration using Fa0/0/3 it works normally (RT_1101_MANIFOLD). Is there any particularity between layer 2 and layer 3 interfaces? When I remove the "zone-member security INSIDE" parameter from Gi0/0/0, I can ping the host 10.229.226.75.
Are there any wrong settings on (RT_1101_PE_SUZANO.txt attached)?
 
!
class-map type inspect match-any CMAP_CLP
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect PMAP_CLP
 class type inspect CMAP_CLP
  inspect
 class class-default
  drop log
!
zone security INSIDE
 description CLP network
zone security OUTSIDE
 description VSAT network
zone-pair security SCADA_to_CLP source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_CLP
!
! ****NOT WORKING**** If I remove zone-member... it works!
interface GigabitEthernet0/0/0
 description ROTA TRANSITO RT-TP
 ip address 10.251.64.46 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip access-group CLP_ACCESS in
 no cdp enable
 zone-member security INSIDE
!
interface FastEthernet0/0/1
 description VSAT1-principal
 switchport access vlan 5
 switchport mode access
 zone-member security OUTSIDE
!
interface FastEthernet0/0/2
 description VSAT2-backup
 switchport access vlan 10
 switchport mode access
 zone-member security OUTSIDE
!
Regards,
Leonardo Oliveira
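The post above has no reply, so the following is an added worked example, not text from the poster or from Cisco: a small Python audit that parses the zone-based firewall parts of an IOS configuration and reports the standard consistency findings a reviewer checks first. Which interfaces are in which zone, whether every Layer 3 interface has a zone (IOS drops traffic between a zoned interface and an interface in no zone), and whether a zone-pair exists for each direction in which sessions are initiated (with no zone-pair, interzone traffic is dropped by default). It also flags zone membership configured on a Layer 2 switchport; the rule it applies, that ZBF zones belong on Layer 3 interfaces and therefore on the VLAN SVI rather than on the access port, is an assumption to verify on the RT1101 platform, which is why it is reported for review rather than stated as the cause of the problem. The first sample is a trimmed (not verbatim) copy of the posted configuration; the second is a constructed variant with the zone on `interface Vlan5` and a hypothetical address from 192.0.2.0/24, included only to show what a clean run looks like.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample (trimmed, not verbatim): the zone, zone-pair and interface
# lines that matter from the configuration posted above.
POSTED_CONFIG = """\
zone security INSIDE
 description CLP network
zone security OUTSIDE
 description VSAT network
zone-pair security SCADA_to_CLP source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_CLP
!
interface GigabitEthernet0/0/0
 ip address 10.251.64.46 255.255.255.252
 ip nat inside
 zone-member security INSIDE
!
interface FastEthernet0/0/1
 switchport access vlan 5
 switchport mode access
 zone-member security OUTSIDE
!
interface FastEthernet0/0/2
 switchport access vlan 10
 switchport mode access
 zone-member security OUTSIDE
!
"""

# Constructed variant (hypothetical SVI address): zone membership moved from the
# switchport to the VLAN SVI, plus a zone-pair for the INSIDE -> OUTSIDE direction.
SVI_VARIANT = """\
zone security INSIDE
zone security OUTSIDE
zone-pair security SCADA_to_CLP source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_CLP
zone-pair security CLP_to_SCADA source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_CLP
!
interface GigabitEthernet0/0/0
 ip address 10.251.64.46 255.255.255.252
 zone-member security INSIDE
!
interface FastEthernet0/0/1
 switchport access vlan 5
!
interface Vlan5
 ip address 192.0.2.1 255.255.255.0
 zone-member security OUTSIDE
!
"""


def parse_zbf(config: str) -> dict:
    """Collect zones, zone-pairs and per-interface zone membership from IOS text."""
    zones: Set[str] = set()
    pairs: List[dict] = []
    interfaces: Dict[str, dict] = {}
    section = None  # ("pair", index) or ("intf", name) while inside an indented block
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            section = None  # "!" terminates a block in running-config output
            continue
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m.group(1))
            section = None
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            pairs.append({"name": m.group(1), "source": m.group(2),
                          "destination": m.group(3), "policy": None})
            section = ("pair", len(pairs) - 1)
        elif m := re.match(r"interface (\S+)$", line):
            interfaces[m.group(1)] = {"zone": None, "switchport": False, "l3": False}
            section = ("intf", m.group(1))
        elif section and line.startswith(" "):
            body = line.strip()
            if section[0] == "pair":
                if m := re.match(r"service-policy type inspect (\S+)$", body):
                    pairs[section[1]]["policy"] = m.group(1)
            else:
                intf = interfaces[section[1]]
                if m := re.match(r"zone-member security (\S+)$", body):
                    intf["zone"] = m.group(1)
                elif body.startswith("switchport"):
                    intf["switchport"] = True
                elif body.startswith("ip address "):
                    intf["l3"] = True
        else:
            section = None  # any other top-level line ends the current block
    return {"zones": zones, "pairs": pairs, "interfaces": interfaces}


def audit_zbf(parsed: dict) -> List[Tuple[str, str]]:
    """Return (subject, issue-code) findings for the ZBF consistency rules above."""
    findings: List[Tuple[str, str]] = []
    zones, pairs, interfaces = parsed["zones"], parsed["pairs"], parsed["interfaces"]
    for name, intf in interfaces.items():
        if intf["zone"] and intf["zone"] not in zones:
            findings.append((name, "undefined-zone"))
        if intf["zone"] and intf["switchport"]:
            # Assumption, reported for review: zones apply to Layer 3 interfaces,
            # so on a switchport the membership belongs on the VLAN SVI.
            findings.append((name, "zone-member-on-switchport"))
        if intf["l3"] and intf["zone"] is None:
            # IOS drops traffic between a zone member and an interface in no zone.
            findings.append((name, "l3-interface-without-zone"))
    covered = {(p["source"], p["destination"]) for p in pairs}
    for src in sorted(zones):
        for dst in sorted(zones):
            if src != dst and (src, dst) not in covered:
                # No zone-pair: sessions initiated from src toward dst are dropped.
                findings.append((f"{src}->{dst}", "no-zone-pair"))
    findings += [(p["name"], "zone-pair-without-policy") for p in pairs if p["policy"] is None]
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("svi-variant", SVI_VARIANT)):
        print(label, audit_zbf(parse_zbf(cfg)) or "no findings")
```

The script models only traffic forwarded between interfaces; traffic to or from the router itself belongs to the self zone, which IOS permits by default unless a zone-pair involving `self` is configured, so a ping sourced from the router is not covered by these checks. Run it against the full `show running-config` text rather than the trimmed sample to see every interface, including any that carry an address but no zone.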