Hello Krishna,
*Aug 6 01:03:48.378: %FW-6-DROP_PKT: Dropping http session 204.12.1.3:3757 183.1.46.100:80 on zone-pair INBOUND class class-default due to policy match failure with ip ident 61538 tcpflags 0xB002 seq.no 23080186 ack 0

Policy Map type inspect INBOUND
  Class HTTP-SERVER
    Inspect
  Class TRACE
    Inspect
  Class class-default

Class Map type inspect match-all HTTP-SERVER (id 2)
  Match access-group 100
  Match protocol http
  Match protocol https

Extended IP access list 100
  10 permit tcp any host 183.1.46.100 eq 443
  20 permit tcp any host 183.1.46.100 eq www

Zone-pair name INBOUND
  Source-Zone outside  Destination-Zone inside
  service-policy INBOUND
As stated before, if you have match-all in your class map, you require an HTTP and an HTTPS header inside the packet; the packet will only come with an HTTP header, hence zone-based will drop it.
A way to do it would be separating them:

Class Map type inspect match-all HTTP-SERVER (id 2)
  Match access-group 100
  Match protocol http

Class Map type inspect match-all HTTPS-SERVER (id 2)
  Match access-group 100
  Match protocol https

Then apply the inspect. Of course the ACL will only have the corresponding protocol, or just IP; it will match the source/destination IP either way (if no protocol is specified on the class map).

Mike
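Added here as a worked example, not taken from the thread or from Cisco documentation: the broken class map from the show output above, beside two ways of fixing it that both keep the "only this server, only 80/443" restriction. The server address 183.1.46.100, ACL 100 and the zone names come from the output above; the ACL names HTTP-TO-SERVER/HTTPS-TO-SERVER and the class-map names WEB-PROTOS/WEB-SERVER are my own.

```cisco
! --- Broken: match-all requires every match line to hit on the same flow.
! A TCP session is classified as HTTP or HTTPS, never both, so this class
! never matches and the traffic falls through to class-default, which is
! what the "%FW-6-DROP_PKT ... class class-default" log line shows.
class-map type inspect match-all HTTP-SERVER
 match access-group 100
 match protocol http
 match protocol https
!
! --- Fix 1: one match-all class per protocol, each tied to an ACL that
! lists only that protocol's port on the server (names are my own).
ip access-list extended HTTP-TO-SERVER
 permit tcp any host 183.1.46.100 eq www
ip access-list extended HTTPS-TO-SERVER
 permit tcp any host 183.1.46.100 eq 443
!
class-map type inspect match-all HTTP-SERVER
 match access-group name HTTP-TO-SERVER
 match protocol http
class-map type inspect match-all HTTPS-SERVER
 match access-group name HTTPS-TO-SERVER
 match protocol https
!
! --- Fix 2: a nested match-any class carries the protocol list, and a
! match-all class combines it with the host ACL (ACL 100 from above).
class-map type inspect match-any WEB-PROTOS
 match protocol http
 match protocol https
class-map type inspect match-all WEB-SERVER
 match access-group 100
 match class-map WEB-PROTOS
!
! Policy using fix 1; for fix 2 replace the two classes with a single
! "class type inspect WEB-SERVER" / "inspect" pair.
policy-map type inspect INBOUND
 class type inspect HTTP-SERVER
  inspect
 class type inspect HTTPS-SERVER
  inspect
 class class-default
  drop log
!
zone-pair security INBOUND source outside destination inside
 service-policy type inspect INBOUND
```

With either fix the ACL only has to identify the host; the "match protocol" line is what restricts the class to HTTP or HTTPS, so a "permit ip any host 183.1.46.100" ACL would work just as well. To confirm that a session lands in the intended class rather than class-default, check "show policy-map type inspect zone-pair INBOUND sessions" while a client connection is open.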
Date: Mon, 6 Aug 2012 09:57:52 +1000
Subject: Re: [OSL | CCIE_Security] Zone based firewall
From: [email protected]
To: [email protected]
Hi Mike,
I checked; I am able to pass my http and https traffic through this configuration.
If my solution is wrong, then how will it work? Can you please explain it to me?
I want to understand what my mistake is.
Regards,
Krishna
On Mon, Aug 6, 2012 at 9:16 AM, Mike Rojas <[email protected]> wrote:
Hello Krishna,
Mmm, I see a problem there:

class-map type inspect match-all test
 match protocol http
 match protocol https
 match access-group name test

You will be expecting a packet that comes with the protocols http and https in the same packet, hence it will drop all http/https traffic.
Mike.
Date: Mon, 6 Aug 2012 09:13:11 +1000
Subject: Re: [OSL | CCIE_Security] Zone based firewall
From: [email protected]
To: [email protected]
Hi Mike,
Please find the solution.

class-map type inspect match-all test
 match protocol http
 match protocol https
 match access-group name test
!
policy-map type inspect test
 class type inspect test
  inspect
!
ip access-list extended test
 permit tcp any any eq 443
 permit tcp any any eq www
 deny ip any any
!
interface FastEthernet0/0
 no ip address
 zone-member security internal
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 zone-member security external
 duplex auto
 speed auto
!
zone security internal
zone security external
!
zone-pair security internal source external destination internal
 service-policy type inspect test

I tried it; it will inspect the 443 and 80 traffic.
Regards,
Krishna
On Mon, Aug 6, 2012 at 4:34 AM, Mike Rojas <[email protected]> wrote:
A couple of questions.
I saw an exercise where they asked you to permit (I truly hate that word when it comes to ZONE BASED FIREWALL) traceroute from outside to inside. In the solution they put that they need to inspect ICMP from inside to outside, but from outside to inside they put pass on it.
Life experience has taught me that if you have something being inspected, but from the other zone pair it is passing it, the firewall will drop it. I don't know why they do it like that. I just put inspect on it.
Another thing is with servers, when they tell you to allow only one server on ports 443 and 80. If you do it with only an access list, it says "all protocols will be inspected", which sounds fine to me, but I know I have to narrow it down using the ACL plus the protocol. In the solution it was using TCP + the ACL; it was not inspecting the protocol.
Mike
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com