Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Matt,

    It’s in the policy-map, take a look below:

    policy-map type inspect LAN-TO-WAN
     class type inspect ICMP
     class class-default

    The output above is from the running configuration. Here’s how to change it:

    R2(config)#policy-map type inspect LAN-TO-WAN
    R2(config-pmap)#class class-default
    Policy-map class configuration commands:
      drop  Drop the packet
      exit  Exit from class action configuration mode
      no    Negate or set default values of a command
      pass  Pass the packet

    The pa

    ... Continue reading in our forum

  2. Hi Rene,

    I’m wanting to include a section in my ZBPF to deny access to certain URLs. Some websites are suggesting to use a parameter-map type regex whilst others are suggesting using a class-map match-any.

    parameter-map type regex url-blacklist-pmap
     pattern *.example.com
    class-map match-any URL_BLOCK
     match protocol http host "example.com"

    I am interested in doing this to try and block various telemetry attempts by 3rd parties as the hosts file is often quite useless at this. Some use URLs hardcoded with their phone home addresses inside

    ... Continue reading in our forum

  3. Hi Rene,

    Why did you use so many “inspect” commands: in the class-map, in the policy-map (2 times) and in the zone-pair? Which one of them should be the one to allow the return traffic, and which one of them can I replace with drop or pass?

    Also, regarding the WAN-TO-SELF, should I create a LAN-TO-SELF to deny access from the inside zone?
    Thanks a lot

  4. Hi Ali and Matt,

    About the many inspect commands…the thing is that the class-map that is used for inspection is a different one than the regular class-map. The same thing applies to the policy-map. For example, take a look at this code:

    policy-map type inspect LAN-TO-WAN
     class type inspect ICMP

    The “policy-map type inspect” part only refers to the policy-map called LAN-TO-WAN and specifies that it’s an “inspect type” policy-map. The same thing applies to the class-map we use here.

    The only command that does inspection, is the “inspect” command.


    ... Continue reading in our forum
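The following configuration is an added example written for this page; it is not taken from Rene's reply or from the lesson itself. It ties together the pieces the replies above discuss: a class-map of type inspect, a policy-map of type inspect that applies the "inspect" action to matched traffic (which is what lets the return traffic back in), the class-default action that reply 1 shows how to change, and the zone-pair that attaches the policy-map. The zone names (LAN, WAN), the interface names, and the use of "drop log" rather than plain "drop" are assumptions for illustration.

```cisco
! --- Added example, not from the original lesson or forum reply ---
! Security zones (names are assumptions)
zone security LAN
zone security WAN

! "type inspect" only marks this class-map as usable by an inspect policy-map;
! it does not inspect anything by itself.
class-map type inspect match-any ICMP
 match protocol icmp

! Likewise, "policy-map type inspect" only names an inspect-type policy-map.
! The "inspect" action under a class is the single command that actually
! performs stateful inspection and permits the return traffic.
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 ! Everything that matches no class above falls into class-default.
 ! "drop log" (assumed here) drops it and records a syslog entry, which is
 ! what a defender wants for visibility into unexpected traffic.
 class class-default
  drop log

! The zone-pair direction (source LAN -> destination WAN) plus the inspect
! action is what allows replies from WAN back to LAN for inspected sessions.
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN

! Interface assignment (interface names are assumptions)
interface GigabitEthernet0/0
 zone-member security LAN
interface GigabitEthernet0/1
 zone-member security WAN
```

After applying it, "show policy-map type inspect zone-pair LAN-TO-WAN" shows per-class packet counters, so you can confirm that ICMP is being inspected and that anything hitting class-default is being dropped as intended.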
