That's why I sent a second message following up... I had copied and pasted the wrong snippet of code...
The code is correct, hence the reason I get the error:

%No specific protocol or access-group configured in class TEST-Inbound-CM for inspection. All packets will be dropped

I have a reverse ZBF rule for traffic heading the other direction...

Pretty much, I have a network on both sides of the ZBF FW that I want to pass unrestricted, and I'm not exactly sure how to go about doing that...

-Garrett

On Mon, Oct 10, 2011 at 1:24 PM, Fawad Khan <[email protected]> wrote:

> your configured class-map name is TEST-Outbound-CM
>
> however the one applied under the policy map is TEST-Inbound-CM..
>
> from config standpoint, wrong CM is applied to the policy map.. This is a
> common issue with IOS... even if something doesn't exist in the
> configuration, IOS accepts it as part of the command... However ASA is more
> hierarchical and does not accept anything as an argument which is not
> configured before.
>
> FNK
>
> On Mon, Oct 10, 2011 at 1:43 PM, Garrett Skjelstad
> <[email protected]> wrote:
>
>> I'm trying to get a zone based firewall that would permit all protocols,
>> from a specific network,
>>
>> However, when I use the inspect statement, I get an error on the reload
>> that it's not valid.
>>
>> <snip>
>> %No specific protocol or access-group configured in class TEST-Outbound-CM for inspection. All packets will be dropped
>> %No specific protocol or access-group configured in class TEST-Inbound-CM for inspection. All packets will be dropped
>> </snip>
>>
>> <pertinent code>
>> policy-map type inspect Out-2-In-PM
>>  class type inspect TEST-Inbound-CM
>>   inspect
>>  class class-default
>>   drop
>>
>> zone-pair security outzone-to-inzone source out-zone destination in-zone
>>  service-policy type inspect Out-2-In-PM
>>
>> class-map type inspect match-any TEST-Outbound-CM
>>  match access-group name TEST-DestNetworks-ACL
>>
>> ip access-list extended TEST-DestNetworks-ACL
>>  permit ip any 172.30.0.0 0.0.255.255
>>  permit ip any 172.31.0.0 0.0.255.255
>> </pertinent code>
>>
>> Am I using the wrong type of class map?
>>
>> Should I change inspect to be "pass", and that would have it work?
>>
>> Am I totally barking up the wrong tree?
>> -Garrett
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
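The mismatch raised in the quoted reply (a policy-map class that names a class-map the configuration never defines) can be caught offline before a reload. The Python check below is an added example, not part of the original thread or of any Cisco tool; the function name `lint_zbf` is hypothetical and the sample configuration is the snippet quoted above, re-indented.

```python
import re

# Constructed sample: the configuration quoted in the thread, re-indented.
SAMPLE_CONFIG = """\
policy-map type inspect Out-2-In-PM
 class type inspect TEST-Inbound-CM
  inspect
 class class-default
  drop
zone-pair security outzone-to-inzone source out-zone destination in-zone
 service-policy type inspect Out-2-In-PM
class-map type inspect match-any TEST-Outbound-CM
 match access-group name TEST-DestNetworks-ACL
ip access-list extended TEST-DestNetworks-ACL
 permit ip any 172.30.0.0 0.0.255.255
 permit ip any 172.31.0.0 0.0.255.255
"""

def lint_zbf(config):
    """Return findings for 'inspect' classes that lack a usable class-map."""
    class_maps = {}   # class-map name -> list of its match statements
    inspected = []    # (policy-map, class) pairs whose action is 'inspect'
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):   # a top-level command closes any open block
            cmap = pmap = pclass = None
        if m := re.match(r"class-map type inspect (?:match-(?:any|all) )?(\S+)$", line):
            cmap = m.group(1)
            class_maps[cmap] = []
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            pmap = m.group(1)
        elif cmap and line.startswith("match "):
            class_maps[cmap].append(line)
        elif pmap and (m := re.match(r"class type inspect (\S+)$", line)):
            pclass = m.group(1)
        elif pmap and line.startswith("class "):
            pclass = None             # class-default: not checked here
        elif pmap and pclass and line == "inspect":
            inspected.append((pmap, pclass))
    findings = []
    for pmap, name in inspected:
        matches = class_maps.get(name)
        if matches is None:
            findings.append(f"{pmap}: class {name} is not a defined class-map")
        elif not any(x.startswith(("match protocol ", "match access-group ")) for x in matches):
            findings.append(f"{pmap}: class {name} has no protocol or access-group match")
    return findings
```

Run against a saved copy of the running configuration, an empty result means every inspected class resolves to a class-map with at least one protocol or access-group match.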
