Ivan, I could find a reference with this information:
The reported error message is just seen upon bootup. Reason for this is router loads the config from top to bottom. Therefore, by the time it executes the class-map, it has not read the ACL yet. Therefore giving warning that there's "No specific protocol of access-group configured on the class" Can you confirm that the router works as expected after the complete bootup process? Tnx Arie -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Ivan Poddubnyy Sent: Thursday, April 22, 2010 07:30 To: Cisco-nsp Subject: [c-nsp] IOS 15.1 and 'inspect' rule (zone-based firewall) Hi all, I couldn't find explanation to this oddity on TAC, I would appreciate some help. I'm running (migrating to) 15.1 on Cisco 2821 router. The router configured with zone-based firewall. The config has following lines: -------------- ... parameter-map type inspect audit audit-trail on alert off ... class-map type inspect match-all cls_10.0.128.0 match access-group name acl_10.0.128.0 ... policy-map type inspect pol-OutsideToDMZ class type inspect cls_10.0.128.0 inspect audit class class-default drop log ... ip access-list extended acl_10.0.128.0 permit ip 10.0.128.0 0.0.15.255 10.0.80.0 0.0.0.255 ... -------------- The way I'm reading it is that class-map is configured with named ACL. Then the class-map is applied to policy-map with action 'inspect'. There's no protocol specified thus all protocols should be inspected (this is what I want). Here is the problem. When router is booting up the following message appears on the console: %No specific protocol or access-group configured in class cls_10.0.128.0 for inspection. All packets will be dropped IMO this is not correct: there's ACL configured in class-map. Before (in 12.4) this message was different -- it was about "no protocols specified, all protocols will be inspected". Has something changed in the way ZBF behaves in 15.x? And is it documented anywhere? I was not able to find the information. Any help is appreciated! Thank you! -- Ivan Poddubnyy Sr. Systems Administrator Symantec Corporation / EHG _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
