Hello, could you help me with the Zone-Based Policy Firewall function on Cisco RT1101?
When I enable "zone-member security INSIDE" on Gi0/0/0 interface I can't reach host 10.229.226.75 (RT_1101_PE SUZANO). But when I do the same configuration using Fa0/0/3 it works normally (RT_1101_MANIFOLD). Is there any particularity between layer 2 and layer 3 interfaces? When I remove the "zone-member security INSIDE" parameter from Gi0/0/0, I can ping the host 10.229.226.75.
Are there any wrong settings in the configuration (RT_1101_PE_SUZANO.txt attached)?
!
class-map type inspect match-any CMAP_CLP
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect PMAP_CLP
 class type inspect CMAP_CLP
  inspect
 class class-default
  drop log
!
zone security INSIDE
 description CLP network
zone security OUTSIDE
 description VSAT network
zone-pair security SCADA_to_CLP source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_CLP
!
! **** NOT WORKING **** If I remove zone-member... it works!
interface GigabitEthernet0/0/0
 description ROTA TRANSITO RT-TP
 ip address 10.251.64.46 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip access-group CLP_ACCESS in
 no cdp enable
 zone-member security INSIDE
!
interface FastEthernet0/0/1
 description VSAT1-principal
 switchport access vlan 5
 switchport mode access
 zone-member security OUTSIDE
!
interface FastEthernet0/0/2
 description VSAT2-backup
 switchport access vlan 10
 switchport mode access
 zone-member security OUTSIDE
!
Regards,
Leonardo Oliveira
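Added example (not part of the post above and not Cisco code): a small Python model of the Zone-Based Policy Firewall forwarding rules, run against the zones, zone members and the single OUTSIDE-to-INSIDE zone-pair from the posted configuration. It shows which flows the posted design admits by default: inspected sessions and their return traffic, intra-zone traffic, and router-originated (self zone) traffic pass, while a session initiated from INSIDE toward OUTSIDE, a protocol that falls to class-default, or traffic between a zone member and a non-member interface is dropped. The host addresses and the interface "Gi0/0/1" are constructed for illustration; the self-zone handling is the default behaviour with no self zone-pair configured.

```python
# Added example (not from the post): a small model of how Cisco IOS Zone-Based
# Policy Firewall (ZBFW) decides whether a packet may cross between interfaces.
# Interface and zone names are the ones from the posted configuration; the
# host IP addresses and the interface "Gi0/0/1" are constructed for illustration.
from dataclasses import dataclass, field

SELF = "self"  # traffic to/from the router itself belongs to the built-in "self" zone


@dataclass
class Policy:
    """One 'policy-map type inspect': ordered (protocols, action) classes plus class-default."""
    classes: list                 # e.g. [({"icmp", "tcp", "udp"}, "inspect")]
    default_action: str = "drop"  # action of 'class class-default'

    def action_for(self, protocol):
        for protocols, action in self.classes:
            if protocol in protocols:
                return action
        return self.default_action


@dataclass
class ZBFW:
    interface_zone: dict   # interface -> zone; interfaces absent here are not zone members
    zone_pairs: dict       # (source zone, destination zone) -> Policy
    sessions: set = field(default_factory=set)  # flows admitted by an 'inspect' action

    def zone_of(self, interface):
        return SELF if interface == SELF else self.interface_zone.get(interface)

    def decide(self, ingress, egress, protocol, src, dst):
        """Return the verdict for a packet entering 'ingress' and leaving via 'egress'."""
        # Return traffic of a session that 'inspect' created is admitted regardless of zone-pairs.
        if (egress, ingress, protocol, dst, src) in self.sessions:
            return "pass (inspected session)"
        src_zone, dst_zone = self.zone_of(ingress), self.zone_of(egress)
        if src_zone is None and dst_zone is None:
            return "pass (neither interface in a zone)"
        if src_zone is None or dst_zone is None:
            # A zone member may not exchange traffic with a non-member interface.
            return "drop (zone member to non-member)"
        if src_zone == dst_zone:
            return "pass (intra-zone)"
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            # Router-originated or router-destined traffic is allowed unless a
            # zone-pair involving 'self' exists; any other unpaired direction is dropped.
            if SELF in (src_zone, dst_zone):
                return "pass (self zone default)"
            return "drop (no zone-pair for this direction)"
        action = policy.action_for(protocol)
        if action == "inspect":
            self.sessions.add((ingress, egress, protocol, src, dst))
        return action


def posted_firewall():
    """Zones, members and the single zone-pair as in the posted configuration."""
    return ZBFW(
        interface_zone={"Gi0/0/0": "INSIDE", "Fa0/0/1": "OUTSIDE", "Fa0/0/2": "OUTSIDE"},
        zone_pairs={("OUTSIDE", "INSIDE"): Policy([({"icmp", "tcp", "udp"}, "inspect")], "drop")},
    )


def trace_flows():
    """Walk a few representative flows through the posted zone design (constructed addresses)."""
    fw = posted_firewall()
    results = {}
    # SCADA side (OUTSIDE) pings a CLP host (INSIDE): matches CMAP_CLP, so 'inspect'.
    results["outside_to_inside_icmp"] = fw.decide("Fa0/0/1", "Gi0/0/0", "icmp", "192.0.2.10", "198.51.100.20")
    # The echo-reply travels the opposite way and is admitted by the session entry.
    results["inside_reply"] = fw.decide("Gi0/0/0", "Fa0/0/1", "icmp", "198.51.100.20", "192.0.2.10")
    # A session initiated from INSIDE has no INSIDE->OUTSIDE zone-pair to match.
    results["inside_to_outside_new"] = fw.decide("Gi0/0/0", "Fa0/0/1", "tcp", "198.51.100.20", "192.0.2.99")
    # A protocol outside CMAP_CLP falls into class-default ('drop log').
    results["outside_to_inside_gre"] = fw.decide("Fa0/0/1", "Gi0/0/0", "gre", "192.0.2.10", "198.51.100.20")
    # Ping from the router CLI itself toward INSIDE: self zone, no self zone-pair configured.
    results["router_to_inside"] = fw.decide(SELF, "Gi0/0/0", "icmp", "10.251.64.46", "198.51.100.20")
    # Hypothetical interface Gi0/0/1 with no zone-member statement: isolated from INSIDE.
    results["inside_to_nonmember"] = fw.decide("Gi0/0/0", "Gi0/0/1", "tcp", "198.51.100.20", "203.0.113.5")
    # Both VSAT ports are in OUTSIDE: same zone, no policy consulted.
    results["outside_to_outside"] = fw.decide("Fa0/0/1", "Fa0/0/2", "udp", "192.0.2.10", "192.0.2.11")
    return results


if __name__ == "__main__":
    for flow, verdict in trace_flows().items():
        print(f"{flow:24s} {verdict}")
```

Running the block prints one verdict per flow; the point to take from it is that ZBFW zone-pairs are directional, so a design with only an OUTSIDE-to-INSIDE pair admits sessions started from the OUTSIDE side and their replies, but nothing new that originates on the INSIDE interface.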