I am performing a POC config for a project I am working on. I have configured a ZBF and it works as intended with one exception, traffic in from the Internet is not inheritly blocked, I think, to the self zone. In the below config I am allowing ICMP out from LAN and allowing telnet out from the DMZ. Similarly I am allowing telnet in to simulate traffic being inspected/passed to a server in the DMZ.   What I was surprised to see what I could still ping the outside interface 1.1.1.1. I presumed, maybe incorrectly, ZBF would inheritly blocked traffic such as ping to the outside interface because it wasn't specified as an exception. How can I block ping to my outside interface 1.1.1.1 without creating an ACL to allow only icmp echo-reply? If I go the route of allowing just icmp echo-reply I will end up having to specifiy everything else I want to pass which defeats the simplicty of ZBF.   My config works as intended. The only thing I want to do is block, or filter icmp allowing only echo-reply, so that my outside interface isn't pingable. I want to do so in the simplest manner possible so I can only worry about adding inspect statements to my ZBF and allowing exceptions for inbound rules per ACL  FIREWALL-EXCEPTIONS-ACL.   class-map type inspect match-any FIREWALL-EXCEPTIONS match access-group name FIREWALL-EXCEPTIONS-ACL class-map type inspect match-any DMZ-ALLOWED-PROTOCOLS match protocol telnet class-map type inspect match-any LAN-ALLOWED-PROTOCOLS match protocol icmp ! policy-map type inspect FIREWALL-EXCEPTIONS-POLICY class type inspect FIREWALL-EXCEPTIONS inspect class class-default drop policy-map type inspect LAN-TO-INTERNET-POLICY class type inspect LAN-ALLOWED-PROTOCOLS inspect class class-default policy-map type inspect DMZ-TO-INTERNET-POLICY class type inspect DMZ-ALLOWED-PROTOCOLS inspect class class-default ! zone security INTERNET zone security LAN zone security DMZ zone-pair security ZP-LAN-TO-INTERNET source LAN destination INTERNET service-policy type inspect LAN-TO-INTERNET-POLICY zone-pair security ZP-DMZ-TO-INTERNET source DMZ destination INTERNET service-policy type inspect DMZ-TO-INTERNET-POLICY zone-pair security ZP-INTERNET-TO-DMZ source INTERNET destination DMZ service-policy type inspect FIREWALL-EXCEPTIONS-POLICY ! interface FastEthernet0/0 ip address 1.1.1.1 255.255.255.248 ip nat outside zone-member security INTERNET ! interface FastEthernet0/1 ip address 10.1.0.1 255.255.255.0 ip nat inside zone-member security DMZ ! interface FastEthernet1/0 ip address 10.1.10.1 255.255.255.0 zone-member security LAN ! ip nat inside source list 1 interface FastEthernet0/0 overload ip nat inside source static tcp 10.1.0.3 23 1.1.1.1 2323 extendable ! ip access-list extended FIREWALL-EXCEPTIONS-ACL permit tcp any host 10.1.0.2 eq telnet permit tcp any host 10.1.0.3 eq telnet ! access-list 1 permit 10.1.10.0 0.0.0.255 access-list 1 permit 10.1.0.0 0.0.0.255 access-list 1 deny any ... View more

I am using a bgp config similar to the below. Works perfect for specifying one route to be preferable for specific source/destination traffic. However, if the preferred route route detects a link failover it will failover, but it will not fail back automatically. I've tried "clear ip bgp * soft in", "clear ip bgp * soft out", but only "clear ip bgp *" did the trick. How can I ensure a route with a higher preference is used without intervention if the link is restore? router bgp 65001  neighbor 10.50.0.1 remote-as 65005  neighbor 10.100.0.1 remote-as 65003  neighbor 10.100.0.1 route-map PBR_Voice_prefer_MPLS in  neighbor 10.250.0.1 remote-as 65002 ! access-list 10 permit 10.25.0.0 0.0.255.255 access-list 10 permit 10.15.0.0 0.0.255.255 ! route-map PBR_Voice_prefer_MPLS permit 10  match ip address 10  set local-preference 200   ... View more

Below is the config I wrote up. Basically, I have an admin user previously defined with priv level 15, and a new user as defined below. I want the new user to be able to VPN in using the IPsec tunnel, but I do not want the admin to VPN in. How would I enable the user to be tied to a IPsec group like the one I defined, and if you're not a member of the a group you can't login. Normally I would do this through RADIUS, but the site in which I am deploying this VPN does not have a server running RADIUS right now. That may change. aaa authentication login VPNauthentication1 local aaa authorization network VPNauthorization1 local access-list 101 permit ip 192.168.1.0 0.0.0.255 any access-list 100 permit udp any any eq non500-isakmp access-list 100 permit udp any any eq isakmp access-list 100 permit esp any any access-list 100 permit ahp any any access-list 100 deny ip any any access-list 100 deny tcp any any access-list 100 deny udp any any ip local pool VPNPOOL1 192.168.50.100 192.168.50.200 crypto isakmp profile IKEprofile1 isakmp authorization list VPNauthorization1 client authentication list VPNauthentication1 match identity group VPNusers client configuration address respond exit crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des mode tunnel exit crypto ipsec profile IPsecProfile1 set security-association idle-time 900 set transform-set ESP-3DES-SHA set isakmp-profile IKEprofile1 exit interface Virtual-Template1 type tunnel exit default interface Virtual-Template1 interface Virtual-Template1 type tunnel no shutdown ip unnumbered GigabitEthernet0/0 tunnel protection ipsec profile IPsecProfile1 tunnel mode ipsec ipv4 exit crypto isakmp profile IKEprofile1 virtual-template 1 exit crypto isakmp policy 1 authentication pre-share encr 3des hash sha group 2 lifetime 86400 exit crypto isakmp client configuration group VPNusers key 0 ******************** pool VPNPOOL1 acl 101 include-local-lan pfs max-users 1 netmask 255.255.255.0 exit username VPNUSER privilege 0 secret 0 ******************** ... View more