Arie,

No, it didn't work as expected.

However, I got it working by adding another class-map and modifying existing class-map.

Here how it looks now:
------------------------------
...
parameter-map type inspect audit
 audit-trail on
 alert off
...
class-map type inspect match-any cls_ip_protocols
 match protocol icmp
 match_protocol tcp
 match protocol udp
class-map type inspect match-all cls_10.0.128.0
 match access-group name acl_10.0.128.0
 match class-map cls_ip_protocols
...
policy-map type inspect pol-OutsideToDMZ
 class type inspect cls_10.0.128.0
  inspect audit
 class class-default
  drop log
...
ip access-list extended acl_10.0.128.0
 permit ip 10.0.128.0 0.0.15.255 10.0.80.0 0.0.0.255
...
--------------

The new class-map fixes it.

BTW, what Brian suggested in his reply partially answered the question. I read the document, but there's an example there that has only ACL applied to the policy-map (thus, like in my case, it'll generate "all packets will be dropped" message). I'm talking about the example after this line in the document:

"By contrast, a similar configuration that adds application-specific classes provides more granular application statistics and control, and still accommodates the same breadth of services that was shown in the first example by defining the last-chance class-map matching only the ACL as the last chance in the policy-map:"

Anyways, the problem seems to be resolved. Thank you!

--
Ivan Poddubnyy
Sr. Systems Administrator
Symantec Corporation / EHG


Arie Vayner (avayner) wrote:
Ivan,

I could find a reference with this information:

The reported error message is just seen upon bootup. Reason for this is
router loads the config from top to bottom. Therefore, by the time it
executes the class-map, it has not read the ACL yet. Therefore giving
warning that there's "No specific protocol of access-group configured on
the class"

Can you confirm that the router works as expected after the complete
bootup process?

Tnx
Arie

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Ivan Poddubnyy
Sent: Thursday, April 22, 2010 07:30
To: Cisco-nsp
Subject: [c-nsp] IOS 15.1 and 'inspect' rule (zone-based firewall)

Hi all,

I couldn't find explanation to this oddity on TAC, I would appreciate
some help.

I'm running (migrating to) 15.1 on Cisco 2821 router. The router
configured with zone-based firewall.

The config has following lines:

--------------
...
parameter-map type inspect audit
audit-trail on
alert off
...
class-map type inspect match-all cls_10.0.128.0
match access-group name acl_10.0.128.0
...
policy-map type inspect pol-OutsideToDMZ
class type inspect cls_10.0.128.0
inspect audit
class class-default
drop log
...
ip access-list extended acl_10.0.128.0
permit ip 10.0.128.0 0.0.15.255 10.0.80.0 0.0.0.255
...
--------------

The way I'm reading it is that class-map is configured with named ACL.
Then the class-map is applied to policy-map with action 'inspect'.
There's no protocol specified thus all protocols should be inspected
(this is what I want).

Here is the problem. When router is booting up the following message
appears on the console:

%No specific protocol or access-group configured in class cls_10.0.128.0

for inspection. All packets will be dropped


IMO this is not correct: there's ACL configured in class-map.

Before (in 12.4) this message was different -- it was about "no
protocols specified, all protocols will be inspected".

Has something changed in the way ZBF behaves in 15.x? And is it
documented anywhere? I was not able to find the information.

Any help is appreciated! Thank you!

--
Ivan Poddubnyy
Sr. Systems Administrator
Symantec Corporation / EHG
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Reply via email to