Sometimes the logic doesn't take.  So you have to remove the policy from the
zone-pair and re-apply.  That logic is completed when you reload so that
works too.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.


 

From: [email protected]
[mailto:[email protected]] On Behalf Of Jimmy
Larsson
Sent: Monday, August 23, 2010 9:20 AM
To: Yogesh Gawankar
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] ZBFW

 

Yes, I reloaded the router and it started to work. And I have no idea why.
;)

 

I first created the policy-maps with only a class-default with action drop.
That killed everything of course. So I added the class "OSPF" afterwards and
as far as I know class-default will always be the last one, and the newly
created class was inserted above class class-default. At least that's how it
looks in the config. But can it be this that causes my problem?

 

Also, modifying the ACL for a class-map while it is in use shouldn't confuse
the router, right?

 

/Jimmy

 

2010/8/23 Yogesh Gawankar <[email protected]>


Jimmy

 

Maybe try reapplying the policy maps.



Thanks and regards

Yogesh Gawankar


--- On Mon, 8/23/10, Jimmy Larsson <[email protected]> wrote:


From: Jimmy Larsson <[email protected]>
Subject: [OSL | CCIE_Security] ZBFW
To: "OSL Security" <[email protected]>
Date: Monday, August 23, 2010, 10:56 PM

Guys!  

 

Can anyone see what I am doing wrong here? My router R1 has 4 interfaces and
ongoing OSPF-neighborships. I add ZBFW that simply places 2 interfaces in
zone "INSIDE" and 2 in zone "OUTSIDE". Also, I mess around with the
self-zone. On all policy-maps I have added an "OSPF"-class that right now
matches any traffic since I cannot get it to work. Even then all traffic is
dropped on class-default. Why?

 

Log messages:




*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.12.2:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.14.4:0 => 224.0.0.5:0 (target:class)-(OUTSIDE->SELF:class-default)
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.169.10:0 => 224.0.0.5:0 (target:class)-(SELF->OUTSIDE:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.12.2:0 => 192.168.12.1:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.13.3:0 => 192.168.13.1:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.13.3:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.14.1:0 => 224.0.0.5:0 (target:class)-(SELF->OUTSIDE:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.169.1:0 => 224.0.0.5:0 (target:class)-(OUTSIDE->SELF:class-default)

 

 

One of the policy-maps:

 

R1#sh policy-map type insp zone-pair INSIDE->SELF

policy exists on zp INSIDE->SELF
 Zone-pair: INSIDE->SELF

  Service-policy inspect : INSIDE->SELF

    Class-map: OSPF (match-all)
      Match: access-group name OSPF
      Pass
        0 packets, 0 bytes

    Class-map: class-default (match-any)
      Match: any
      Drop
        368 packets, 21968 bytes
R1#

My OSPF access-list:

R1#sh access-l OSPF
Extended IP access list OSPF
    20 permit ip any any (107 matches)
R1#

 

And the full config:

 

Building configuration...

Current configuration : 5451 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging count
logging message-counter syslog
logging buffered 4096
no logging rate-limit
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2178368166
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2178368166
 revocation-check none
 rsakeypair TP-self-signed-2178368166
!
!
crypto pki certificate chain TP-self-signed-2178368166
 certificate self-signed 01
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
vtp domain KVISTOFTA
vtp mode transparent
!
!
!
archive
 log config
  hidekeys
!
!
vlan 4,12,14
!
!
class-map type inspect match-all OSPF
 match access-group name OSPF
!
!
policy-map type inspect INSIDE->SELF
 class type inspect OSPF
  pass
 class class-default
  drop log
policy-map type inspect SELF->INSIDE
 class type inspect OSPF
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE->INSIDE
 class type inspect OSPF
  pass
 class class-default
  drop log
policy-map type inspect INSIDE->OUTSIDE
 class type inspect OSPF
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE->SELF
 class type inspect OSPF
  pass
 class class-default
  drop log
policy-map type inspect SELF->OUTSIDE
 class type inspect OSPF
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUTSIDE->INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE->INSIDE
zone-pair security INSIDE->OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE->OUTSIDE
zone-pair security OUTSIDE->SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE->SELF
zone-pair security SELF->OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF->OUTSIDE
zone-pair security INSIDE->SELF source INSIDE destination self
 service-policy type inspect INSIDE->SELF
zone-pair security SELF->INSIDE source self destination INSIDE
 service-policy type inspect SELF->INSIDE
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback10
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0.12
 encapsulation dot1Q 12
 ip address 192.168.12.1 255.255.255.0
 zone-member security INSIDE
!
interface FastEthernet0.13
 encapsulation dot1Q 13
 ip address 192.168.13.1 255.255.255.0
 zone-member security INSIDE
!
interface FastEthernet0.14
 encapsulation dot1Q 14
 ip address 192.168.14.1 255.255.255.0
 zone-member security OUTSIDE
!
interface FastEthernet0.169
 encapsulation dot1Q 169
 ip address 192.168.169.10 255.255.255.0
 zone-member security OUTSIDE
!
interface FastEthernet1
 no ip address
 no ip unreachables
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport mode trunk
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
ip http secure-server
!
!
!
ip access-list extended OSPF
 permit ip any any
!
ip access-list logging interval 1
logging dmvpn
!
!
!
!
!
!
control-plane
!
alias exec srs show run | sect
alias exec siib show ip int brie | excl unass
!
line con 0
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login
!
!
!
end

 

What is going on? Why is all traffic hitting class-default even when I have
a class that matches all traffic above class-default?

 

/Jimmy

 

-- 
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------

 


_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

 





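As an added example (not part of the thread and not a Cisco tool), the following Python helper parses %FW-6-LOG_SUMMARY lines of the shape Jimmy posted, totals drops per zone-pair and class the way the show policy-map counters do, and flags zone-pairs where OSPF hellos (destination 224.0.0.5) are dropped in class-default even though the configured policy has a pass class above it, which is the symptom of a policy that did not "take". The POLICY dict is a hand-written model of the thread's policy-maps, and the log lines are constructed from the thread with the mail-archive link residue removed.

```python
import re
from collections import Counter
# Constructed sample: %FW-6-LOG_SUMMARY lines in the form posted in the thread
# (the <http://...> residue added by the mail archive is stripped).
SAMPLE_LOG = """\
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.12.2:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.14.4:0 => 224.0.0.5:0 (target:class)-(OUTSIDE->SELF:class-default)
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.169.10:0 => 224.0.0.5:0 (target:class)-(SELF->OUTSIDE:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.12.2:0 => 192.168.12.1:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:48.000: %SYS-5-CONFIG_I: Configured from console by console
"""
# Hypothetical model of the thread's policy-maps: zone-pair -> ordered (class, action).
POLICY = {
    "INSIDE->SELF": [("OSPF", "pass"), ("class-default", "drop")],
    "OUTSIDE->SELF": [("OSPF", "pass"), ("class-default", "drop")],
    "SELF->OUTSIDE": [("OSPF", "pass"), ("class-default", "drop")],
}
LOG_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    r"(?P<src>[\d.]+):\d+ => (?P<dst>[\d.]+):\d+ "
    r"\(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\)"
)
OSPF_ALL_ROUTERS = "224.0.0.5"  # AllSPFRouters group that OSPF hellos are sent to

def parse_drops(log_text):
    """One dict per %FW-6-LOG_SUMMARY line; other syslog lines are ignored."""
    drops = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            drops.append({**m.groupdict(), "count": int(m["count"])})
    return drops

def drops_by_zone_pair_class(log_text):
    """Total dropped packets keyed by (zone-pair, class), like the 'sh policy-map' counters."""
    totals = Counter()
    for d in parse_drops(log_text):
        totals[(d["zone_pair"], d["cls"])] += d["count"]
    return dict(totals)

def ospf_drops_despite_pass(log_text, policy):
    """Zone-pairs dropping OSPF hellos in class-default although a class above it is set to pass."""
    flagged = set()
    for d in parse_drops(log_text):
        classes = policy.get(d["zone_pair"], [])
        pass_above_default = any(a == "pass" for c, a in classes if c != "class-default")
        if d["dst"] == OSPF_ALL_ROUTERS and d["cls"] == "class-default" and pass_above_default:
            flagged.add(d["zone_pair"])
    return sorted(flagged)
```

Any zone-pair returned by ospf_drops_despite_pass is one where the running counters contradict the configured policy, which is the cue to re-apply the service-policy on that zone-pair as Tyson suggests.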
