Zone Based Firewall Configuration Example

Hi Ali and Matt,

About the many inspect commands…the thing is that the class-map that is used for inspection is a different one than the regular class-map. The same thing applies to the policy-map. For example, take a look at this code:

policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect

The “policy-map type inspect” part only refers to the policy-map called LAN-TO-WAN and specifies that it’s an “inspect type” policy-map. The same thing applies to the class-map we use here.

The only command that does inspection, is the “inspect” command.

About where to use inspect. Let’s look at two different options:

policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect

If you configure it like above, then ICMP traffic is allowed to go from LAN to WAN…AND the return traffic is permitted.

If you use pass instead of inspect, you’ll have to do something like this:

policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  pass
policy-map type inspect WAN-TO-LAN
 class type inspect ICMP
  pass

Creating a LAN-TO-SELF zone-pair is useful when you want to restrict traffic from LAN to SELF. You could add one and only permit something like SSH with a source IP.

Your WAN-TO-SELF policy-map looks good Matt. You can always add more class-maps to it for traffic that you do want to permit (SSH perhaps). Dropping everything by default from the outside is a good idea.

Rene
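As an added example that is not part of Rene's reply, here is a complete configuration that puts the three points together: "type inspect" class-maps and policy-maps, "inspect" on LAN-TO-WAN so the return traffic is opened automatically, and a LAN-TO-SELF zone-pair that only permits SSH from one source IP. Interface names, IP addresses and the admin host 192.168.1.10 are assumptions.

```cisco
! Added example, not from Rene's reply: a complete zone-based firewall
! configuration tying together the points above. Interface names,
! IP addresses and the admin host 192.168.1.10 are assumptions.
!
zone security LAN
zone security WAN
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 zone-member security LAN
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 zone-member security WAN
!
! "type inspect" class-maps, distinct from regular (QoS) class-maps
class-map type inspect match-any ICMP
 match protocol icmp
!
! SSH to the router itself, only from one admin host (constructed address)
ip access-list extended ADMIN-SSH
 permit tcp host 192.168.1.10 any eq 22
class-map type inspect match-all SSH-TO-ROUTER
 match access-group name ADMIN-SSH
!
! LAN -> WAN: "inspect" is the stateful action; the reply traffic is
! permitted automatically, so no WAN-TO-LAN zone-pair is needed for it
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
!
! LAN -> self: allow only SSH from the admin host, drop everything else
policy-map type inspect LAN-TO-SELF
 class type inspect SSH-TO-ROUTER
  pass
 class class-default
  drop
!
! Zone-pairs are one-directional; "pass" above works because no
! self -> LAN zone-pair is defined, so that direction keeps the
! self zone's default of permitting traffic
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN
zone-pair security LAN-TO-SELF source LAN destination self
 service-policy type inspect LAN-TO-SELF
```

Verify the result with "show policy-map type inspect zone-pair sessions" while pinging from the LAN: the ICMP session should appear under LAN-TO-WAN, and SSH from any host other than 192.168.1.10 should be counted as dropped under LAN-TO-SELF.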