geezer wrote: » Tried to add ICMP, but it is to do with the default in-out access-list (invalid-src) that drops the subnets' traffic from the in to the out zone. Configured it to PASS, but it still didn't work. Had to change the address in the access list to get pings to work from the in to the out zone. If I want to permit ICMP from the in to the out zone but deny everything else, what would I have to do? Head a bit fried after late working, and ZBF of course! Cheers.
geezer wrote: » Did try 'Inspect' to no avail. The firewall was dropping all source addresses via an access-list that denies loopback, broadcast, inside and spoofed addresses (from the outside interface) from leaving the in-to-out zone. Not on GNS at the min; got to get some studying notes sorted - IPS, then the Encryption 'suite' of chapters - oh the joy!!! Will try and take a look when I have made more progress with studies. Just glad that VPN is a little easier to understand/perceive. Cheers.
geezer wrote: » A lot of pieces to ZBF I suppose, which can be as clear as mud, esp. when using SDM and its naming! Haven't tried CLI-only config, but where the SDM creates in/out to the self-zone, is it needed for CLI too or just overkill? The 'inspect' not allowing ping packets in the ACL action was confusing, as I would expect it to be allowed, but what else is needed for the 'inspect' action to allow traffic, as it is acting just like 'drop'? Cheers.
geezer wrote: » Hi, Trying again to lab up a ZBF in GNS3 with VPCS. I have a 7200 router with a local cloud (my PC's loopback address) connected to i/f f0/0, VPC1 on f0/1, VPC2 on f1/0 and VPC3 on f1/1. I can ping all interfaces from all interfaces after startup, but as soon as I configure f0/0 (as trusted) and f1/0 (untrusted) I can no longer ping between those two interfaces. The CBAC interfaces can still ping each other (f0/1 and f1/1), but I have tried adding ICMP in the SDM with no joy. The theory looks great, but this is one thing that isn't easy to get working. I see that the CBT Nuggets video (although brief-ish) talks about configuring via the Additional Tasks pane; is there any difference between that and 'Edit Firewall' in the Firewall tab? If anyone can guide me on how to SDM the firewall for ping, even that would give me more hope about taking the exam. And I thought VPN was tricky!
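An added example, not taken from the thread or from SDM output, of the plain IOS CLI for what geezer asks in the first post: stateful-inspect ICMP from the inside zone to the outside zone and drop everything else. Zone, class-map and policy-map names are assumed; the interface roles follow the GNS3 lab described above (f0/0 trusted, f1/0 untrusted). The SDM-generated anti-spoofing class is left out on purpose so the ordering point stands out.

```cisco
! Added example (not geezer's or SDM's config). All names are assumed.
! Topology assumed from the post: f0/0 = trusted (INSIDE), f1/0 = untrusted (OUTSIDE).

zone security INSIDE
zone security OUTSIDE

! The only traffic class we want to let out: ICMP.
class-map type inspect match-any CM-ICMP-ONLY
 match protocol icmp

! Policy: stateful inspection for ICMP, explicit logged drop for all else.
! Classes are evaluated top-down and the first match wins. A deny class
! placed above this one (for example an access-group class built from an
! anti-spoofing ACL such as SDM's "invalid-src") will swallow the ICMP too
! whenever its ACL happens to match the inside source address, which is
! exactly the "inspect behaves like drop" symptom.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-ICMP-ONLY
  inspect
 class class-default
  drop log

! One direction is enough: "inspect" records a session, so the echo-replies
! coming back from OUTSIDE are matched to it without an OUTSIDE->INSIDE pair.
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE

interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet1/0
 zone-member security OUTSIDE

! Verification from enable mode:
!   show zone-pair security
!   show policy-map type inspect zone-pair ZP-IN-OUT          (per-class hit counters)
!   show policy-map type inspect zone-pair ZP-IN-OUT sessions (open ICMP sessions)
```

Two points this config illustrates for the questions in the thread. First, "pass" is stateless: a pass action on the INSIDE-to-OUTSIDE pair lets the echo-request out but does nothing for the echo-reply, which would need its own pass rule on a reverse zone-pair, whereas "inspect" handles the return traffic itself. Second, traffic to and from the router's own addresses (the self zone) is permitted by default until a zone-pair that involves self is created, so the self-zone pairs SDM generates are not required to get the lab working. If the per-class counters show the drop class counting while the ICMP class stays at zero, the ordering or the ACL in the class above is the thing to check.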
TesseracT wrote: » What's the point of using CBAC and ZBF at the same time? I've seen it in the wild before as well... Isn't all CBAC does inspect traffic - exactly the same as the 'inspect' policy rule in ZBF?
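For comparison with the ZBF form, an added example (not from the thread) of the classic CBAC way to express the same "ICMP out, nothing unsolicited in" rule with ip inspect. Inspect-rule and ACL names are assumed; the interfaces are the two that geezer left under CBAC (f0/1 inside, f1/1 outside).

```cisco
! Added example, not from the thread. Names are assumed.
! Assumed from geezer's lab: f0/1 = inside, f1/1 = outside.

! CBAC inspection rule: track outbound ICMP sessions only.
ip inspect name CBAC-OUT icmp

! Deny all unsolicited traffic arriving on the outside interface. CBAC opens
! temporary entries ahead of this ACL for the return traffic of the sessions
! it inspected on the way out, so echo-replies still get back in.
ip access-list extended ACL-FROM-OUTSIDE
 deny   ip any any log

interface FastEthernet0/1
 ip inspect CBAC-OUT in
interface FastEthernet1/1
 ip access-group ACL-FROM-OUTSIDE in

! Verification:
!   show ip inspect sessions
!   show ip inspect config
```

The inspection itself is the same stateful mechanism in both models; what differs is where policy is attached (per interface and direction in CBAC, per zone-pair in ZBF) and how the "everything else" default is expressed (an interface ACL in CBAC, the class-default action in ZBF). The two can coexist on one router only on different interfaces: IOS will not accept ip inspect on an interface that is already a zone-member, which matches the split geezer describes between his CBAC and ZBF interfaces.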