Garrett, did you try rebooting the box.. ??? ZFW has shown very weird behaviour at times and a reboot just fixes everything... (probably an ex-MS programmer wrote the code for ZFW in IOS ).

FNK

On Mon, Oct 10, 2011 at 5:34 PM, Garrett Skjelstad <[email protected]> wrote:

> that's why I sent a second message following up... I had copied and pasted
> the wrong snippet of code...
>
> The code is correct, hence the reason I get the error:
>
> %No specific protocol or access-group configured in class TEST-Inbound-CM
> for inspection. All packets will be dropped
>
> I have a reverse ZBF rule for traffic heading the other direction...
>
> Pretty much, I have a network on both sides of the ZBF FW, that I want to
> pass unrestricted, and I'm not exactly sure how to go about doing that...
>
> -Garrett
>
> On Mon, Oct 10, 2011 at 1:24 PM, Fawad Khan <[email protected]> wrote:
>
>> your configured class-map name is TEST-Outbound-CM
>>
>> however the one applied under the policy map is TEST-Inbound-CM..
>>
>> from config standpoint,,, wrong CM is applied to the policy map.. This is
>> a common issue with IOS... even if something doesn't exist in the
>> configuration, IOS accepts it as part of the command... However ASA is more
>> hierarchical and does not accept anything as an argument which is not
>> configured before.
>>
>> FNK
>>
>> On Mon, Oct 10, 2011 at 1:43 PM, Garrett Skjelstad <[email protected]> wrote:
>>
>>> I'm trying to get a zone based firewall that would permit all protocols,
>>> from a specific network,
>>>
>>> However, when I use the inspect statement, I get an error on the reload
>>> that it's not valid.
>>>
>>> <snip>
>>> %No specific protocol or access-group configured in class
>>> TEST-Outbound-CM for inspection. All packets will be dropped
>>> %No specific protocol or access-group configured in class TEST-Inbound-CM
>>> for inspection. All packets will be dropped
>>> </snip>
>>>
>>> <pertinent code>
>>> policy-map type inspect Out-2-In-PM
>>>  class type inspect TEST-Inbound-CM
>>>   inspect
>>>  class class-default
>>>   drop
>>>
>>> zone-pair security outzone-to-inzone source out-zone destination in-zone
>>>  service-policy type inspect Out-2-In-PM
>>>
>>> class-map type inspect match-any TEST-Outbound-CM
>>>  match access-group name TEST-DestNetworks-ACL
>>>
>>> ip access-list extended TEST-DestNetworks-ACL
>>>  permit ip any 172.30.0.0 0.0.255.255
>>>  permit ip any 172.31.0.0 0.0.255.255
>>> </pertinent code>
>>>
>>> Am I using the wrong type of class map?
>>>
>>> Should I change inspect to be "pass", and that would have it work?
>>>
>>> Am I totally barking up the wrong tree?
>>> -Garrett
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
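An added example, not part of the thread: an offline check for the class-map name mismatch discussed above, run over the snippet as it was quoted. The function name `lint_zbf` is hypothetical, and the patterns assume only the command forms that appear in the quoted configuration.

```python
import re

# Constructed sample: the configuration snippet as quoted in the thread.
SAMPLE = """\
policy-map type inspect Out-2-In-PM
 class type inspect TEST-Inbound-CM
  inspect
 class class-default
  drop
zone-pair security outzone-to-inzone source out-zone destination in-zone
 service-policy type inspect Out-2-In-PM
class-map type inspect match-any TEST-Outbound-CM
 match access-group name TEST-DestNetworks-ACL
ip access-list extended TEST-DestNetworks-ACL
 permit ip any 172.30.0.0 0.0.255.255
 permit ip any 172.31.0.0 0.0.255.255
"""

# Lines that define a named object (assumption: only these forms are handled).
DEFS = {
    "class-map": re.compile(r"^class-map type inspect (?:match-(?:any|all) )?(\S+)"),
    "policy-map": re.compile(r"^policy-map type inspect (\S+)"),
    "acl": re.compile(r"^ip access-list (?:extended|standard) (\S+)"),
}
# Lines that reference a named object of the same kind.
REFS = {
    "class-map": re.compile(r"^class type inspect (\S+)"),
    "policy-map": re.compile(r"^service-policy type inspect (\S+)"),
    "acl": re.compile(r"^match access-group name (\S+)"),
}

def lint_zbf(config):
    """Report names referenced but never defined, and defined but never used."""
    defined = {kind: set() for kind in DEFS}
    referenced = {kind: set() for kind in REFS}
    for raw in config.splitlines():
        line = raw.strip()
        for kind in DEFS:
            if (m := DEFS[kind].match(line)):
                defined[kind].add(m.group(1))
            if (m := REFS[kind].match(line)):
                referenced[kind].add(m.group(1))
    undefined = sorted((k, n) for k in DEFS for n in referenced[k] - defined[k])
    unused = sorted((k, n) for k in DEFS for n in defined[k] - referenced[k])
    return {"undefined": undefined, "unused": unused}

if __name__ == "__main__":
    print(lint_zbf(SAMPLE))
```

An undefined class-map paired with an unused one of a similar name is the pattern pointed out in the earlier reply; a saved configuration can be checked this way before it is loaded onto a device.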
