I am attempting to migrate from CBAC to ZBFW. I'm having some difficulties. I was hoping to get answers to the following questions.
1) Based on my config, is udp port 5060 allowed to go into the Self zone and the INSIDE zone?

2) Whenever I try to allow icmp AND dns from the self zone to outside, I get the error below. How do I fix this?

%Protocol configured in class-map SELF-OUT cannot be configured for the self zone with inspect action. Please remove the protocol and retry

3) I had some PCs that were able to browse the internet but I never saw connections when I ran "sh ip nat translation". Why??

4) Is IPSec allowed to come in correctly?

class-map type inspect match-all VoIP
 match access-group name VoIP
 match access-group name VoIP-OUT-TO-IN
class-map type inspect match-any IN-TO-OUT-ALLOW-ALL-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any OUTSIDE-TO-IN-CLASS
 match access-group name VoIP-OUT-TO-IN
class-map type inspect match-all SSH
 match protocol ssh
 match access-group name SSH
class-map type inspect match-all IPSEC
 match access-group name IPSEC
class-map type inspect match-any SELF-OUT
 match protocol icmp
 match protocol dns   --> currently removed
!
policy-map type inspect SELF-OUTSIDE-POLICY
 class type inspect SELF-OUT
  inspect
 class class-default
  pass
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUTSIDE-TO-IN-CLASS
  pass
 class class-default
  drop log
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-ALLOW-ALL-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-SELF
 class type inspect IPSEC
  pass
 class type inspect SSH
  pass
 class type inspect VoIP
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY
!
ip nat inside source list noNAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.1.0.0 255.255.0.0 Tunnel32
ip route 192.168.1.0 255.255.255.0 Tunnel31
ip route 192.168.2.0 255.255.255.0 Tunnel32
ip route 192.168.10.0 255.255.255.0 Tunnel31
!
ip access-list extended IPSEC
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended SSH
 permit tcp any any eq 22
ip access-list extended VoIP
 permit udp any host 49.x.x.x eq 5060
ip access-list extended VoIP-OUT-TO-IN
 permit udp any any eq 5060
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 131 permit gre host x.x.x.x host 64.x.x.x.x
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 175 permit ip 192.168.3.0 0.0.0.255 any
!
route-map noNAT permit 41
 match ip address 175
!
_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
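Added example, not part of the post above: a small Python evaluator that walks the zone-pair, policy-map, class-map and ACL chain of the posted ZBFW configuration and reports which class and action apply to a given flow, so questions like 1) and 4) can be checked by reading the policy rather than by trial. It models only the syntax the post uses (match protocol, match access-group name, permit ACEs with any/host endpoints and eq ports). The sample addresses, the "match protocol" name-to-port table and the trimmed copy of the config are assumptions; the self-zone inspect restriction behind the error in 2) and the NAT behaviour in 3) are not modelled.

```python
# Added example, not from the mailing-list post: a static evaluator that applies
# the posted ZBFW policy to a flow and reports the matching class and action.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IOS ACL port keywords used in the post
L7_PROTO = {"dns": ("udp", 53), "ssh": ("tcp", 22)}   # assumed 'match protocol' name -> L4 mapping

# Constructed sample input: the post's fragments, re-lined and trimmed to two zone pairs.
CONFIG = """
class-map type inspect match-all VoIP
 match access-group name VoIP
 match access-group name VoIP-OUT-TO-IN
class-map type inspect match-any OUTSIDE-TO-IN-CLASS
 match access-group name VoIP-OUT-TO-IN
class-map type inspect match-all IPSEC
 match access-group name IPSEC
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUTSIDE-TO-IN-CLASS
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-SELF
 class type inspect IPSEC
  pass
 class type inspect VoIP
  pass
 class class-default
  drop log
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
ip access-list extended IPSEC
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended VoIP
 permit udp any host 49.x.x.x eq 5060
ip access-list extended VoIP-OUT-TO-IN
 permit udp any any eq 5060
"""

def parse_ace(w):
    """permit <proto> <src> <dst> [eq <port>]; endpoints are 'any' or 'host X'."""
    ends, i = [], 2
    for _ in range(2):                          # source endpoint, then destination
        ends.append(w[i + 1] if w[i] == "host" else w[i])
        i += 2 if w[i] == "host" else 1
    port = (PORT_NAMES.get(w[i + 1]) or int(w[i + 1])) if i < len(w) and w[i] == "eq" else None
    return {"proto": w[1], "src": ends[0], "dst": ends[1], "port": port}

def parse(text):
    """Build ACL, class-map, policy-map and zone-pair tables from IOS config lines."""
    acls, cmaps, pmaps, pairs, cur = {}, {}, {}, {}, None
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] == "ip":                        # ip access-list extended NAME
            cur = acls.setdefault(w[3], [])
        elif w[0] == "class-map":               # class-map type inspect match-all|any NAME
            cur = cmaps.setdefault(w[4], {"mode": w[3], "match": []})
        elif w[0] == "policy-map":              # policy-map type inspect NAME
            cur = pmaps.setdefault(w[3], [])
        elif w[0] == "zone-pair":               # zone-pair security N source S destination D
            cur = pairs.setdefault((w[4], w[6]), {"name": w[2], "policy": None})
        elif w[0] == "service-policy":
            cur["policy"] = w[3]
        elif w[0] == "permit":
            cur.append(parse_ace(w))
        elif w[0] == "match":                   # match protocol X | match access-group name X
            cur["match"].append((w[1], w[-1]))
        elif w[0] == "class":                   # class type inspect X | class class-default
            cur.append({"class": w[-1], "action": None})
        elif w[0] in ("inspect", "pass", "drop"):
            cur[-1]["action"] = w[0]
    return acls, cmaps, pmaps, pairs

def ace_matches(ace, pkt):
    return (ace["proto"] == pkt["proto"] and ace["src"] in ("any", pkt["src"])
            and ace["dst"] in ("any", pkt["dst"]) and ace["port"] in (None, pkt.get("dport")))

def class_matches(cm, pkt, acls):
    hits = []
    for kind, name in cm["match"]:
        if kind == "access-group":
            hits.append(any(ace_matches(a, pkt) for a in acls.get(name, [])))
        else:                                   # 'match protocol': L4 name or assumed L7 mapping
            proto, port = L7_PROTO.get(name, (name, None))
            hits.append(pkt["proto"] == proto and port in (None, pkt.get("dport")))
    return all(hits) if cm["mode"] == "match-all" else any(hits)

def evaluate(cfg, src_zone, dst_zone, pkt):
    """Return (class, action) for pkt = {proto, src, dst, [dport]} on a zone pair."""
    acls, cmaps, pmaps, pairs = cfg
    pair = pairs.get((src_zone, dst_zone))
    if pair is None:                            # no zone pair: IOS default behaviour applies
        return ("no-zone-pair", "default")      # instead of a policy; not modelled here
    for entry in pmaps[pair["policy"]]:
        name = entry["class"]
        if name == "class-default" or class_matches(cmaps[name], pkt, acls):
            return (name, entry["action"])
    return ("class-default", "drop")
```

Calling `evaluate(parse(CONFIG), "OUTSIDE", "self", {"proto": "udp", "src": "203.0.113.5", "dst": "49.x.x.x", "dport": 5060})` walks OUTSIDE-SELF in order (IPSEC, then VoIP, then class-default) and returns the first class whose match-all/match-any conditions hold, which is the same ordering the router uses; changing the destination to an address other than the one in ACL VoIP makes the match-all VoIP class fail and the flow falls to class-default. Classes are evaluated top-down, so a broad pass class placed above a narrower one silently shadows it; that ordering is worth checking whenever a policy-map is edited.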
