[c-nsp] IOS 15.1 and 'inspect' rule (zone-based firewall)
Ivan Poddubnyy
ivan_poddubnyy at symantec.com
Thu Apr 22 00:30:20 EDT 2010
Hi all,
I couldn't find an explanation for this oddity on TAC, I would appreciate
some help.
I'm running (migrating to) 15.1 on a Cisco 2821 router. The router is
configured with a zone-based firewall.
The config has the following lines:
--------------
...
parameter-map type inspect audit
 audit-trail on
 alert off
...
class-map type inspect match-all cls_10.0.128.0
 match access-group name acl_10.0.128.0
...
policy-map type inspect pol-OutsideToDMZ
 class type inspect cls_10.0.128.0
  inspect audit
 class class-default
  drop log
...
ip access-list extended acl_10.0.128.0
 permit ip 10.0.128.0 0.0.15.255 10.0.80.0 0.0.0.255
...
--------------
The way I'm reading it is that the class-map is configured with a named ACL.
Then the class-map is applied to the policy-map with the action 'inspect'.
There's no protocol specified thus all protocols should be inspected
(this is what I want).
Here is the problem. When the router is booting up, the following message
appears on the console:
%No specific protocol or access-group configured in class cls_10.0.128.0
for inspection. All packets will be dropped
IMO this is not correct: there's an ACL configured in the class-map.
Before (in 12.4) this message was different -- it was about "no
protocols specified, all protocols will be inspected".
Has something changed in the way ZBF behaves in 15.x? And is it
documented anywhere? I was not able to find the information.
Any help is appreciated! Thank you!
--
Ivan Poddubnyy
Sr. Systems Administrator
Symantec Corporation / EHG