This topic is to discuss the following lesson:
Thank you for this nice article.
Mr. Rene, I want to say something and I hope you understand me, because my English is not very strong.
I love your way and your books; they were so clear and helpful.
I was wondering if you are working on new books?
If not, as one of the people who love your work, I (kindly) suggest you make either
new “how to master” CCNA/CCNP Security books or “how to master” CCIE R&S, and I recommend the first one.
I am sure there are people who agree with me, and I am sure they trust in your work.
So sorry that I talk too much.
Helpful to us. You carry us to key points. Thanks, Mr. Rene Molenaar.
Please help, I labbed it up and it is not working. As shown in the show command below, there is no ICMP packet seen.
R2#show policy-map type inspect zone-pair
 policy exists on zp LAN-TO-WAN
 Zone-pair: LAN-TO-WAN
  Service-policy inspect : LAN-TO-WAN
    Class-map: ICMP (match-all)
      Match: protocol icmp
      Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0
    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

R2#show run
Building configuration...

Current configuration : 1388 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
ip tcp synwait-time 5
!
class-map type inspect match-all ICMP
 match protocol icmp
!
!
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN
bridge crb
!
!
!
!
interface FastEthernet0/0
 no ip address
 zone-member security LAN
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 zone-member security WAN
 duplex auto
 speed auto
 bridge-group 1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end
The config looks ok. Without ZBF, can you ping between R1 and R3?
What did you use to test this? On Cisco VIRL, it doesn’t work for me. On real hardware it does.