networking-forum.com
 Post subject: ACL
PostPosted: Thu Aug 23, 2012 7:03 am 
New Member
Joined: Thu Aug 23, 2012 6:58 am
Posts: 41
A query regarding ACLs. For example, if I have 2 networks (netA and netB), I have configured it to block access from netA to netB, but then netB also cannot access netA.

Is it possible that only one side will be blocked (netA to netB)?


 Post subject: Re: ACL
PostPosted: Thu Aug 23, 2012 7:10 am 
CCIE #38070
Joined: Wed Jun 18, 2008 7:49 am
Posts: 12424
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
You need a flow-based firewall to do that. An ACL is stateless and so can't do this.

_________________
www.mellowd.co.uk/ccie/


 Post subject: Re: ACL
PostPosted: Thu Aug 23, 2012 7:34 am 
New Member
Joined: Thu Aug 23, 2012 6:58 am
Posts: 41
@mellowd

Thanks for the reply and info. Is that the same with the zone-based firewall?


 Post subject: Re: ACL
PostPosted: Thu Aug 23, 2012 7:46 am 
CCIE #38070
Joined: Wed Jun 18, 2008 7:49 am
Posts: 12424
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
Zone-based is stateful, so it will work.

_________________
www.mellowd.co.uk/ccie/


 Post subject: Re: ACL
PostPosted: Thu Aug 23, 2012 8:06 am 
New Member
Joined: Thu Aug 23, 2012 6:58 am
Posts: 41
Thanks, I'll check and try it later.


 Post subject: Re: ACL
PostPosted: Tue Sep 04, 2012 11:09 am 
New Member
Joined: Thu Aug 23, 2012 6:58 am
Posts: 41
I tried this simple configuration for a zone-based FW:

class-map type inspect match-any ZONE_TRAFFIC
 match protocol icmp
!
policy-map type inspect ZONE1_TO_ZONE2
 class type inspect ZONE_TRAFFIC
  pass
!
zone security ZONE1
zone security ZONE2
zone-pair security ZONE1_2 source ZONE1 destination ZONE2
 service-policy type inspect ZONE1_TO_ZONE2
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 zone-member security ZONE1
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 zone-member security ZONE2

A PC from zone1 can ping the PC on zone2.

But when I tried pinging from the zone2 PC to the zone1 PC it shows the 1st and 2nd successful, then it failed on the 3rd and 4th.

Is this normal? Then I tried another ping and all 4 were dropped.


PC>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:

Reply from 192.168.10.2: bytes=32 time=19ms TTL=127
Reply from 192.168.10.2: bytes=32 time=13ms TTL=127
Request timed out.
Request timed out.

I don't know if I missed something in my config.


 Post subject: Re: ACL
PostPosted: Wed Sep 05, 2012 7:30 am 
New Member
Joined: Fri Jul 13, 2012 10:03 am
Posts: 18
Certs: CCNA, CCNA-Security
Zone-based firewalls require policies in both directions to allow traffic to flow between them. Your zone-pair states Z1 is the source and Z2 is the dest and you are inspecting traffic. This means that when you initiate traffic from Z1 to Z2 it will allow return traffic because it is stateful. You will need to have another zone-pair with Z2 as the source and Z1 as the dest and allow that traffic also. If you make it match the same traffic as the other zone-pair, traffic will flow fine.

With zone-based firewalls there are three things you can do with traffic:
Drop = deny
Pass = permit, but this is only one way traffic
Inspect = permit and creates a stateful session that will allow return traffic


 Post subject: Re: ACL
PostPosted: Wed Sep 05, 2012 8:29 am 
New Member
Joined: Thu Aug 23, 2012 6:58 am
Posts: 41
@qbakies

My goal is only to allow Z1 to send ICMP packets to Z2 and to deny Z2 sending ICMP packets to Z1.

When I tried to send a ping from Z1 to Z2 it works fine, all 4 packets succeed, but when I tried to send ping packets from Z2 to Z1, two ping packets succeed and the other two failed. I expect all 4 ping packets to be dropped since by default different zones cannot access each other.


 Post subject: Re: ACL
PostPosted: Wed Sep 05, 2012 9:38 am 
New Member
Joined: Fri Jul 13, 2012 10:03 am
Posts: 18
Certs: CCNA, CCNA-Security
brendaboy wrote:
my goal is only to allow z1 to send icmp packet to z2 and then to deny z2 to send icmp packet z1.

Then you are good to go with this setup.

brendaboy wrote:
when i tried to send a ping from z1 to z2 it works fine all 4 packets success, but when i tried to send ping packet from z2 to z1 two ping packets success and the other two failed.. i expect all 4 ping packets will be dropped since by default different zone cannot access..

Yes, all four pings should fail. It is odd that two succeeded and then two failed, but you stated above that you tried again and all four failed. Are you still getting some that succeed?


 Post subject: Re: ACL
PostPosted: Wed Sep 05, 2012 9:58 am 
New Member
Joined: Thu Aug 23, 2012 6:58 am
Posts: 41
Whenever I send a ping from Z1 to Z2, and then send a ping from Z2 to Z1, that will occur again: 2 ping packets succeed, then the other 2 are dropped.


 Post subject: Re: ACL
PostPosted: Wed Sep 05, 2012 12:23 pm 
New Member
Joined: Fri Jul 13, 2012 10:03 am
Posts: 18
Certs: CCNA, CCNA-Security
When sending any traffic from z2 to z1 it should always fail since you don't have a zone-pair in that direction. If you PING then it should have four failures. I don't know why you got those two successes as you shouldn't have. If you test it again what happens?


 Post subject: Re: ACL
PostPosted: Wed Sep 05, 2012 1:28 pm 
Post Whore
Joined: Fri Nov 13, 2009 5:15 pm
Posts: 1947
Location: Pittsburgh
Certs: CCIE R&S,CCIP,JNCIA,VCP510
policy-map type inspect ZONE1_TO_ZONE2
 class type inspect ZONE_TRAFFIC
  pass

Change it to inspect.

If you keep it at pass it will allow traffic going one way, from Zone 1 -> Zone 2; that is allowed. But from Zone 2 -> Zone 1 it is not allowed; everything is dropped by default. The ZBFW will statefully inspect the packet that is being sourced from Zone 1 and allow it in both directions. Pass only allows it to go through from Zone 1 but no return traffic.

If you want something easier with less config, since you only have two interfaces, go with CBAC. Deny all packets going in and only inspect ICMP.

_________________
"I will prepare and some day my chance will come." - Abraham Lincoln
http://danielhertzberg.wordpress.com - I blog about networks!
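Added example (written for this page, not code from any poster or from Cisco IOS): a toy model of the drop / pass / inspect actions qbakies lists and of burnyd's "change it to inspect", using the thread's two host addresses to ping across the zone-pair. The zone names, host addresses and the session-table layout are constructed for the demo; "pass" behaves like a stateless permit ACL (no session, so the echo reply coming back from ZONE2 is dropped), while "inspect" records the initiator and lets only the matching reply through.

```python
# Toy zone-based firewall model: one zone-pair ZONE1 -> ZONE2 with an action,
# and an implicit drop for every other inter-zone direction (ZBFW default).
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    icmp_type: str  # "echo-request" or "echo-reply"


# Constructed topology: hosts on the /24s used in the thread's config.
ZONE_OF = {"192.168.10.2": "ZONE1", "192.168.20.2": "ZONE2"}


class ZoneFirewall:
    """zone_pairs maps (src_zone, dst_zone) -> "drop" | "pass" | "inspect"."""

    def __init__(self, zone_pairs):
        self.zone_pairs = zone_pairs
        self.sessions = set()  # (initiator, responder) pairs created by inspect

    def forward(self, p):
        src_zone, dst_zone = ZONE_OF[p.src], ZONE_OF[p.dst]
        # Return traffic of an inspected session is allowed even though no
        # zone-pair exists for the reverse direction; this is the stateful part.
        if p.icmp_type == "echo-reply" and (p.dst, p.src) in self.sessions:
            return True
        action = self.zone_pairs.get((src_zone, dst_zone), "drop")  # no pair: drop
        if action == "drop":
            return False
        if action == "inspect" and p.icmp_type == "echo-request":
            self.sessions.add((p.src, p.dst))  # remember who initiated
        return True  # pass and inspect both let the forward packet through


def ping(fw, src, dst):
    """One echo-request src->dst then the echo-reply dst->src.
    Returns (request_forwarded, reply_forwarded)."""
    req_ok = fw.forward(Pkt(src, dst, "echo-request"))
    rep_ok = req_ok and fw.forward(Pkt(dst, src, "echo-reply"))
    return req_ok, rep_ok


if __name__ == "__main__":
    for action in ("pass", "inspect"):
        fw = ZoneFirewall({("ZONE1", "ZONE2"): action})
        print(action, "Z1->Z2", ping(fw, "192.168.10.2", "192.168.20.2"))
        print(action, "Z2->Z1", ping(fw, "192.168.20.2", "192.168.10.2"))
```

A real ZBFW also ages inspected sessions out on an idle timer, which this model omits; the observable behaviour is the same either way: with inspect the Z1-initiated ping completes and every Z2-initiated echo-request is dropped.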


 Post subject: Re: ACL
PostPosted: Wed Sep 05, 2012 11:03 pm 
New Member
Joined: Thu Aug 23, 2012 6:58 am
Posts: 41
@qbakies
@burnyd

I also tried "inspect" instead of "pass".

First ping: Z1 to Z2 (all 4 ping packets succeed)
Second ping: Z2 to Z1 (all 4 ping packets dropped)

I observed that before I conduct the second ping I should wait a minimum of 5 secs; then all 4 ping packets are dropped.

I believe this works fine.


 Post subject: Re: ACL
PostPosted: Thu Sep 06, 2012 10:38 am 
New Member
Joined: Fri Jul 13, 2012 10:03 am
Posts: 18
Certs: CCNA, CCNA-Security
Glad to hear.

