In the network diagram below, there are no routes configured on the routers, yet there should be connectivity among all the routers; therefore, NAT is configured on R1. Zone-based policy firewall (ZBF) is also enabled on R1. TCP, UDP and ICMP traffic should be inspected from the inside to the outside. ICMP from R3 to R2 is the only traffic that should be inspected from the outside to the inside. All other traffic should be dropped.
There are a couple of configuration errors on R1; can you spot them and fix the config? The winner gets 1,500 Naira airtime to any Nigerian phone number. Please read the contest rules here.
ip access-list extended OUT_TO_IN_ACL
 permit icmp host 192.168.13.3 host 192.168.13.2
!
class-map type inspect match-all IN_TO_OUT_CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all OUT_TO_IN_CMAP
 match access-group name OUT_TO_IN_ACL
!
policy-map type inspect IN_TO_OUT_PMAP
 class type inspect IN_TO_OUT_CMAP
  drop
 class class-default
  inspect
policy-map type inspect OUT_TO_IN_PMAP
 class type inspect OUT_TO_IN_CMAP
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
!
zone-pair security ZP_IN_TO_OUT source inside destination outside
 service-policy type inspect IN_TO_OUT_PMAP
zone-pair security ZP_OUT_TO_IN source outside destination inside
 service-policy type inspect OUT_TO_IN_PMAP
!
interface fa0/0
 ip address 192.168.12.1 255.255.255.0
 ip nat outside
 zone-member security inside
!
interface fa0/1
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
 zone-member security outside
!
ip nat source static 192.168.12.2 192.168.13.2
ip nat source static 192.168.13.3 192.168.12.3
Hint: R2 has an IP address of 192.168.12.2. R3 has an IP address of 192.168.13.3.
Note: You don’t have to paste the entire working config. Just highlight the parts with the errors and the fix for those errors.
Update: This contest is now closed. The solution has been posted here.
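A corrected R1 configuration, added here as a worked example. It is not the author's posted solution (linked above) and not any commenter's answer. It assumes the classic inside/outside NAT model rather than the NAT Virtual Interface form (`ip nat source static` with `ip nat enable`) that the puzzle's NAT syntax resembles, and it assumes R2 (192.168.12.2) and R3 (192.168.13.3) sit directly on fa0/0 and fa0/1 as the hint implies. The four changes are marked in comments: the match-all class-map that can never match three protocols at once, the ACL destination address, the swapped inspect/drop actions, and the swapped NAT interface roles. The ACL source address is the one assumption a lab should confirm, and the show commands at the end are there for that purpose.

```cisco
! R1 - corrected ZBF + static NAT (added example; assumptions noted inline)
!
! FIX 1: match-all with three "match protocol" lines never matches, because one
! packet cannot be TCP, UDP and ICMP at the same time. In the original every
! packet therefore fell through to class-default. Use match-any.
class-map type inspect match-any IN_TO_OUT_CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all OUT_TO_IN_CMAP
 match access-group name OUT_TO_IN_ACL
!
! FIX 2: the outside-to-inside zone-pair policy classifies the packet after the
! destination has been un-NATted, so the ACL must name R2's real address
! 192.168.12.2, not the translated 192.168.13.2. Whether the source is seen as
! 192.168.13.3 or as its translated 192.168.12.3 depends on when the
! outside-source translation is applied on the platform; 192.168.13.3 is used
! here (assumption) and should be confirmed with the show command at the end.
ip access-list extended OUT_TO_IN_ACL
 permit icmp host 192.168.13.3 host 192.168.12.2
!
! FIX 3: the actions were swapped. As written, TCP, UDP and ICMP were dropped
! and every other protocol was inspected, the opposite of the requirement.
policy-map type inspect IN_TO_OUT_PMAP
 class type inspect IN_TO_OUT_CMAP
  inspect
 class class-default
  drop
policy-map type inspect OUT_TO_IN_PMAP
 class type inspect OUT_TO_IN_CMAP
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
!
zone-pair security ZP_IN_TO_OUT source inside destination outside
 service-policy type inspect IN_TO_OUT_PMAP
zone-pair security ZP_OUT_TO_IN source outside destination inside
 service-policy type inspect OUT_TO_IN_PMAP
!
! FIX 4: NAT roles must follow the zones. fa0/0 (towards R2) is the NAT inside
! interface and fa0/1 (towards R3) is the NAT outside interface; the original
! had them the other way round.
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
 zone-member security inside
!
interface FastEthernet0/1
 ip address 192.168.13.1 255.255.255.0
 ip nat outside
 zone-member security outside
!
! R2 appears on R3's subnet as 192.168.13.2; R3 appears on R2's subnet as
! 192.168.12.3. In the classic model the second mapping is an outside-source
! translation, and add-route installs the host route R1 needs because it has
! no routes of its own (assumption: classic NAT rather than NVI).
ip nat inside source static 192.168.12.2 192.168.13.2
ip nat outside source static 192.168.13.3 192.168.12.3 add-route
!
! Checks: from R3 "ping 192.168.13.2", then on R1:
!   show ip nat translations
!   show policy-map type inspect zone-pair ZP_OUT_TO_IN sessions
! The session table shows the source and destination the firewall actually
! matched; if the source appears as 192.168.12.3 rather than 192.168.13.3,
! change the ACL source accordingly.
```

Verifying with the zone-pair session table rather than with ping alone matters because a successful ping does not tell you which class matched; a policy that accidentally admits traffic through class-default looks identical from R3.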
The permit icmp host command on the second line is configured with the wrong IP address.
Okay, since no one cares about the recharge card.. I think I found a few fixes.
ip access-list extended OUT_TO_IN_ACL
permit icmp host 192.168.13.3 host 192.168.12.2
policy-map type inspect IN_TO_OUT_PMAP
class type inspect IN_TO_OUT_CMAP
INSPECT
class class-default
DROP
interface fa0/0
ip address 192.168.12.1 255.255.255.0
ip nat INSIDE
zone-member security inside
!
interface fa0/1
ip address 192.168.13.1 255.255.255.0
ip nat OUTSIDE
zone-member security outside
ip nat INSIDE source static 192.168.12.2 192.168.13.1
1) Wrong IP destination IP address in access list
ip access-list extended OUT_TO_IN_ACL
permit icmp host 192.168.13.3 host 192.168.12.2
2) Wrong action in policy map
policy-map type inspect IN_TO_OUT_PMAP
class type inspect IN_TO_OUT_CMAP
inspect
class class-default
drop
3) Wrong NAT tags on interfaces
interface fa0/0
ip nat inside
!
interface fa0/1
ip nat outside
4) Wrong NATing
ip nat source static 192.168.12.2 192.168.13.1
ip nat source static 192.168.13.3 192.168.12.1
In the class-map:
class-map type inspect match-all OUT_TO_IN_CMAP
match access-group name OUT_TO_IN_ACL
It shouldn’t match access-group; it should match access-list name.