That's how I got the error message reported in regarding all packets dropped...
Sent from my iPhone

On Oct 10, 2011, at 14:41, Fawad Khan <[email protected]> wrote:

> Garrett,
>
> Did you try rebooting the box? ZFW has shown very weird behaviour at
> times and a reboot just fixes everything... (probably an ex-MS programmer
> wrote the code for ZFW in IOS).
>
> FNK
>
> On Mon, Oct 10, 2011 at 5:34 PM, Garrett Skjelstad <[email protected]>
> wrote:
> That's why I sent a second message following up... I had copied and pasted
> the wrong snippet of code...
>
> The code is correct, hence the reason I get the error:
>
> %No specific protocol or access-group configured in class TEST-Inbound-CM for inspection. All packets will be dropped
>
> I have a reverse ZBF rule for traffic heading the other direction...
>
> Pretty much, I have a network on both sides of the ZBF FW that I want to
> pass unrestricted, and I'm not exactly sure how to go about doing that...
>
> -Garrett
>
> On Mon, Oct 10, 2011 at 1:24 PM, Fawad Khan <[email protected]> wrote:
> Your configured class-map name is TEST-Outbound-CM,
>
> however the one applied under the policy map is TEST-Inbound-CM.
>
> From a config standpoint, the wrong CM is applied to the policy map. This is
> a common issue with IOS... even if something doesn't exist in the configuration,
> IOS accepts it as part of the command. However, ASA is more hierarchical and
> does not accept anything as an argument which is not configured before.
>
> FNK
>
> On Mon, Oct 10, 2011 at 1:43 PM, Garrett Skjelstad <[email protected]>
> wrote:
> I'm trying to get a zone based firewall that would permit all protocols from
> a specific network.
>
> However, when I use the inspect statement, I get an error on the reload that
> it's not valid.
>
> <snip>
> %No specific protocol or access-group configured in class TEST-Outbound-CM for inspection. All packets will be dropped
> %No specific protocol or access-group configured in class TEST-Inbound-CM for inspection. All packets will be dropped
> </snip>
>
> <pertinent code>
> policy-map type inspect Out-2-In-PM
>  class type inspect TEST-Inbound-CM
>   inspect
>  class class-default
>   drop
>
> zone-pair security outzone-to-inzone source out-zone destination in-zone
>  service-policy type inspect Out-2-In-PM
>
> class-map type inspect match-any TEST-Outbound-CM
>  match access-group name TEST-DestNetworks-ACL
>
> ip access-list extended TEST-DestNetworks-ACL
>  permit ip any 172.30.0.0 0.0.255.255
>  permit ip any 172.31.0.0 0.0.255.255
> </pertinent code>
>
> Am I using the wrong type of class map?
>
> Should I change inspect to be "pass", and that would have it work?
>
> Am I totally barking up the wrong tree?
> -Garrett
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
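An offline check for the two conditions raised in the thread, added here as an example and not written by any poster or taken from Cisco tooling: a policy-map `inspect` class that names a class-map not defined in the configuration, and a class-map with no protocol or access-group match. The names `lint_zbf` and `SAMPLE` are hypothetical, and the sample assumes the one-space indentation a running-config normally shows.

```python
import re

# Constructed input: the thread's snippet, re-indented as a running-config would show it.
SAMPLE = """\
policy-map type inspect Out-2-In-PM
 class type inspect TEST-Inbound-CM
  inspect
 class class-default
  drop
class-map type inspect match-any TEST-Outbound-CM
 match access-group name TEST-DestNetworks-ACL
ip access-list extended TEST-DestNetworks-ACL
 permit ip any 172.30.0.0 0.0.255.255
 permit ip any 172.31.0.0 0.0.255.255
"""
CMAP = re.compile(r"^class-map type inspect (?:match-(?:any|all) )?(\S+)$")
PMAP = re.compile(r"^policy-map type inspect (\S+)$")
CLASS = re.compile(r"^class type inspect (\S+)$")

def lint_zbf(config):
    """Hypothetical helper: list inspect classes that have nothing to match on."""
    defined = {}     # class-map name -> its match statements
    referenced = []  # (policy-map, class-map) pairs whose action is inspect
    cur_cmap = cur_pmap = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # unindented line starts a new top-level block
            cur_cmap = cur_pmap = cur_class = None
            if m := CMAP.match(line):
                cur_cmap = m.group(1)
                defined[cur_cmap] = []
            elif m := PMAP.match(line):
                cur_pmap = m.group(1)
        elif cur_cmap and line.startswith("match "):
            defined[cur_cmap].append(line)
        elif cur_pmap and line.startswith("class "):
            m = CLASS.match(line)
            cur_class = m.group(1) if m else None  # class-default is skipped
        elif cur_pmap and cur_class and line == "inspect":
            referenced.append((cur_pmap, cur_class))
    findings = []
    for pmap, cmap in referenced:
        matches = defined.get(cmap)
        if matches is None:
            findings.append((pmap, cmap, "class-map not defined"))
        elif not any(s.startswith(("match protocol", "match access-group")) for s in matches):
            findings.append((pmap, cmap, "no protocol or access-group match"))
    return findings
```

Running `lint_zbf(SAMPLE)` flags `TEST-Inbound-CM` under `Out-2-In-PM`; the same text with the class-map names made consistent produces no findings.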
