Zone Based Firewall Transparent Mode

kent2612 · December 24, 2018, 8:50am

Hi Rene,

Please help, I lab it up and it is not working. As shown in the show command below there is no icmp packet seen.

R2#show policy-map type inspect zone-pair

policy exists on zp LAN-TO-WAN
 Zone-pair: LAN-TO-WAN

  Service-policy inspect : LAN-TO-WAN

    Class-map: ICMP (match-all)
      Match: protocol icmp

   Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes


R2#show run
Building configuration...

Current configuration : 1388 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
ip tcp synwait-time 5
!
class-map type inspect match-all ICMP
 match protocol icmp
!
!
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN
bridge crb
!
!
!
!
interface FastEthernet0/0
 no ip address
 zone-member security LAN
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 zone-member security WAN
 duplex auto
 speed auto
 bridge-group 1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end