Zone Based Firewall Configuration Example

(Nyi Nyi L) #61

according to Zone Self rule.

R2(config)#policy-map type inspect WAN-TO-SELF
R2(config)#zone-pair security WAN-TO-SELF source WAN destination self
R2(config-sec-zone-pair)#service-policy type inspect WAN-TO-SELF

Will all the data send back from ISP to LAN be dropped because of R2 Zone Self rule?

(Rene Molenaar) #62

Hi @naingnnlwin,

The self zone is only for packets that are destined for the router itself, not for packets that are flowing through the router (like from WAN to LAN).

If you want to permit return traffic that originated from the LAN to the Internet, then you’ll need to use a inspect rule in your LAN-TO-WAN zone-pair.

(Nyi Nyi L) #63

Hi Rene,

thank for your explain.

Nyi Nyi.

(Jeremy M) #64

When I apply the WAN_TO_SELF service policy as shown in this lesson, as expected R3 cannot ping R2, but R2 also cannot ping R3. Is this expected? Since there is nothing applied in the self > WAN direction I expected that R2 would still be able to ping R3.

Thanks for the great lesson!

(Lazaros Agapides) #65

Hello Jeremy

Remember that a ping has communication occurring in both directions. When you ping from R2 to R3, you are sending an echo request. This echo request reaches R3, which replies with an echo reply. This reply does indeed go from WAN to Self, so it is caught by the service policy you applied.

I hope this has been helpful!