Vol. II - Lab 7 - Task 2.4 - Is it broken or am I? (ZBF)

Hello,

Below is the full running configuration for R4 in Task 2.4 of Lab 7, Volume 2.  I have verified my answer against the answer book I have and it appears to be identical, yet R4 will never pass traffic to or from R5.  When I enable "ip inspect log drop-pkt", the error is that "one of the interfaces is not being cfged for zoning with ip ident 138", yet clearly all interfaces are indeed configured for a security zone.

Switch 1 and Switch 2 have full OSPF routing tables and are what I have been testing to - R5 can neither telnet to nor from either switch, and both switches see the same issue to R5 (both directions should be allowed).  

Oddly, Switch 1 CAN communicate with Switch 2 (switch 1 is in "outside" zone on int Fa0/0, switch 2 is in the "inside" zone on int Fa0/1) and I see the packets increment on the class-map properly. So something is just broken about the ZBF in relation to interface S0/1 (which R5 hangs off), but I can't imagine what it is.


I cannot seem to find any answer for this issue online.  Everything I have seen points towards me doing everything properly, but it doesn't work.  I have verified this across 2 different racks now and a few reboots, so I'm pretty sure it's not a one-off issue.
Any help with this would be greatly appreciated!
!----- CODE:


SCRack4R4#show run
Building configuration...

Current configuration : 3642 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SCRack5R4
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip inspect log drop-pkt
!
!
ip vrf vrf1
!
no ip domain lookup
ip domain name INE.com
!
multilink bundle-name authenticated
!
parameter-map type inspect ZBF-PARAM
 audit-trail on
 alert off
 max-incomplete low  5
 max-incomplete high 10
 udp idle-time 10
 icmp idle-time 5
 dns-timeout 3
 tcp synwait-time 5
 sessions maximum 50
!
parameter-map type urlfilter BADSITE
 exclusive-domain deny badsite.com
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh time-out 30
ip ssh version 2
!
class-map type inspect match-all TCP-CLASS
 match protocol tcp
class-map type inspect match-all SSH-CLASS
 match protocol ssh
class-map type inspect match-all TELNET-CLASS
 match protocol telnet
class-map type inspect match-all ICMP-CLASS
 match protocol icmp
class-map type inspect match-all HTTP-CLASS
 match protocol http
!
!
policy-map type inspect INSIDE-OUT-POL
 class type inspect SSH-CLASS
  inspect ZBF-PARAM
 class type inspect TELNET-CLASS
  inspect ZBF-PARAM
 class type inspect ICMP-CLASS
  inspect ZBF-PARAM
 class type inspect HTTP-CLASS
  inspect ZBF-PARAM
  urlfilter BADSITE
 class type inspect TCP-CLASS
  inspect ZBF-PARAM
 class class-default
policy-map type inspect OUTSIDE-IN-POL
 class type inspect TELNET-CLASS
  inspect ZBF-PARAM
 class type inspect ICMP-CLASS
  inspect ZBF-PARAM
 class type inspect HTTP-CLASS
  inspect ZBF-PARAM
  urlfilter BADSITE
 class class-default
!
zone security inside
zone security outside
zone-pair security INSIDE-OUT source inside destination outside
 service-policy type inspect INSIDE-OUT-POL
zone-pair security OUTSIDE-IN source outside destination inside
 service-policy type inspect OUTSIDE-IN-POL
bridge irb
!
!
!
interface Loopback0
 ip vrf forwarding vrf1
 ip address 150.4.4.4 255.255.255.0
 zone-member security inside
 ip ospf network point-to-point
!
interface Loopback4
 ip vrf forwarding vrf1
 ip address 10.4.4.4 255.255.255.0
 zone-member security inside
!
interface FastEthernet0/0
 ip vrf forwarding vrf1
 no ip address
 zone-member security outside
 duplex auto
 speed auto
 bridge-group 1
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
!
interface Serial0/0.1245 point-to-point
 ip vrf forwarding vrf1
 ip address 136.4.0.4 255.255.255.0
 zone-member security inside
 ip ospf network point-to-multipoint
 snmp trap link-status
 frame-relay interface-dlci 405
!
interface FastEthernet0/1
 ip vrf forwarding vrf1
 no ip address
 zone-member security inside
 duplex auto
 speed auto
 bridge-group 1
!
interface Serial0/1
 ip vrf forwarding vrf1
 ip address 136.4.45.4 255.255.255.0
 zone-member security inside
 encapsulation ppp
 ip ospf cost 9999
!
interface BVI1
 ip vrf forwarding vrf1
 ip address 136.4.255.4 255.255.255.0
!
router ospf 1 vrf vrf1
 router-id 150.4.4.4
 log-adjacency-changes
 network 10.4.4.4 0.0.0.0 area 0
 network 136.4.0.4 0.0.0.0 area 0
 network 136.4.45.4 0.0.0.0 area 0
 network 136.4.255.4 0.0.0.0 area 0
 network 150.4.4.4 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
 session-timeout 5
 password cisco
 login
 transport input telnet ssh
!
!
end
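The drop log quoted in the post complains that an interface is "not being cfged for zoning", so the first thing worth checking on a ZBF box is whether every interface that carries an IP address actually belongs to a security zone, and whether every zone referenced is defined. The script below is an added example for that check; it is not part of the original post or of the INE workbook. It parses the interface blocks of a saved `show run`, and `SAMPLE_CONFIG` is a condensed excerpt constructed from the R4 configuration above. Run on that excerpt it reports `BVI1`, which carries an address but has no `zone-member security` line; whether that is the cause of the drops is for the router to say (`show zone security` and `show zone-pair security`), the script only points at where to look.

```python
"""Lint a Cisco IOS running-config for zone-based firewall (ZBF) gaps.

Added example, not from the original post.  It flags two things:
  * interfaces with an 'ip address' but no 'zone-member security'
  * 'zone-member security X' where zone X is never defined
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the posted R4 config (interfaces and zones only).
SAMPLE_CONFIG = """\
zone security inside
zone security outside
zone-pair security INSIDE-OUT source inside destination outside
 service-policy type inspect INSIDE-OUT-POL
zone-pair security OUTSIDE-IN source outside destination inside
 service-policy type inspect OUTSIDE-IN-POL
interface Loopback0
 ip vrf forwarding vrf1
 ip address 150.4.4.4 255.255.255.0
 zone-member security inside
!
interface FastEthernet0/0
 ip vrf forwarding vrf1
 no ip address
 zone-member security outside
 bridge-group 1
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1245 point-to-point
 ip vrf forwarding vrf1
 ip address 136.4.0.4 255.255.255.0
 zone-member security inside
!
interface FastEthernet0/1
 ip vrf forwarding vrf1
 no ip address
 zone-member security inside
 bridge-group 1
!
interface Serial0/1
 ip vrf forwarding vrf1
 ip address 136.4.45.4 255.255.255.0
 zone-member security inside
 encapsulation ppp
!
interface BVI1
 ip vrf forwarding vrf1
 ip address 136.4.255.4 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} for every 'interface' block.

    IOS indents sub-commands with a space; '!' or any unindented global
    command ends the current block.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]  # 'Serial0/0.1245', not 'point-to-point'
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def defined_zones(config: str) -> set:
    """Zones created with 'zone security <name>' at global level."""
    return set(re.findall(r"^zone security (\S+)", config, re.M))


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs; an empty list means no gaps found."""
    zones = defined_zones(config)
    findings = []
    for name, cmds in parse_interfaces(config).items():
        has_ip = any(c.startswith("ip address ") for c in cmds)
        zone = next((c.split()[-1] for c in cmds
                     if c.startswith("zone-member security ")), None)
        if has_ip and zone is None:
            findings.append((name, "has an ip address but no zone-member security"))
        elif zone is not None and zone not in zones:
            findings.append((name, f"references undefined zone '{zone}'"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```

Feed it the full `show run` output instead of the excerpt to check a real box; interfaces with `no ip address` (the frame-relay physical `Serial0/0`, the bridged FastEthernets) are deliberately not flagged, because the lint only knows about routed interfaces, not the bridge-group or BVI semantics the router applies.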
