Zone Based Firewall Transparent Mode

This topic is to discuss the following lesson:

Nice one… :slight_smile:

hello mr.rene
thank you for this nice article
mr.rene i want to say something and wish you understand me because my english not strong too much
i love your way and your books it was so clear and helpful
i was wondering if you working on new books?
if not,so as one of people who loves your work i (kindly) suggest you make either
new “how to master” ccna/ccnp security books or “how to master” ccie r&s and recommend first one
i am sure there is people agree with me and i sure they trust in your work
so sorry that i talk too much
best wishes

Helpful to us.You carry us to key points.Thanks Mr.Rene Molenaar.

Best Regards,
Herbert.

Hi Rene,

Please help, I lab it up and it is not working. As shown in the show command below there is no icmp packet seen.

R2#show policy-map type inspect zone-pair

policy exists on zp LAN-TO-WAN
 Zone-pair: LAN-TO-WAN

  Service-policy inspect : LAN-TO-WAN

    Class-map: ICMP (match-all)
      Match: protocol icmp

   Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes


R2#show run
Building configuration...

Current configuration : 1388 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
ip tcp synwait-time 5
!
class-map type inspect match-all ICMP
 match protocol icmp
!
!
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN
bridge crb
!
!
!
!
interface FastEthernet0/0
 no ip address
 zone-member security LAN
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 zone-member security WAN
 duplex auto
 speed auto
 bridge-group 1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

Hi Kenneth,

The config looks ok. Without ZBF, can you ping between R1 and R3?

What did you use to test this? On Cisco VIRL, it doesn’t work for me. On real hardware it does.

Rene