[c-nsp] IOS 15.1 and 'inspect' rule (zone-based firewall)

Ivan Poddubnyy ivan_poddubnyy at symantec.com
Thu Apr 22 19:07:04 EDT 2010


Arie,

No, it didn't work as expected.

However, I got it working by adding another class-map and modifying 
existing class-map.

Here is how it looks now:
------------------------------
...
parameter-map type inspect audit
  audit-trail on
  alert off
...
class-map type inspect match-any cls_ip_protocols
  match protocol icmp
  match protocol tcp
  match protocol udp
class-map type inspect match-all cls_10.0.128.0
  match access-group name acl_10.0.128.0
  match class-map cls_ip_protocols
...
policy-map type inspect pol-OutsideToDMZ
  class type inspect cls_10.0.128.0
   inspect audit
  class class-default
   drop log
...
ip access-list extended acl_10.0.128.0
  permit ip 10.0.128.0 0.0.15.255 10.0.80.0 0.0.0.255
...
--------------

The new class-map fixes it.

BTW, what Brian suggested in his reply partially answered the question. 
I read the document, but there's an example there that has only ACL 
applied to the policy-map (thus, like in my case, it'll generate "all 
packets will be dropped" message). I'm talking about the example after 
this line in the document:

"By contrast, a similar configuration that adds application-specific 
classes provides more granular application statistics and control, and 
still accommodates the same breadth of services that was shown in the 
first example by defining the last-chance class-map matching only the 
ACL as the last chance in the policy-map:"

Anyways, the problem seems to be resolved. Thank you!

--
Ivan Poddubnyy
Sr. Systems Administrator
Symantec Corporation / EHG


Arie Vayner (avayner) wrote:
> Ivan,
>
> I could find a reference with this information:
>
> The reported error message is just seen upon bootup. The reason for this is
> that the router loads the config from top to bottom. Therefore, by the time it
> executes the class-map, it has not read the ACL yet, and it gives the
> warning that there's "No specific protocol of access-group configured on
> the class".
>
> Can you confirm that the router works as expected after the complete
> bootup process?
>
> Tnx
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Poddubnyy
> Sent: Thursday, April 22, 2010 07:30
> To: Cisco-nsp
> Subject: [c-nsp] IOS 15.1 and 'inspect' rule (zone-based firewall)
>
> Hi all,
>
> I couldn't find an explanation for this oddity on TAC; I would appreciate
> some help.
>
> I'm running (migrating to) 15.1 on a Cisco 2821 router. The router is
> configured with a zone-based firewall.
>
> The config has the following lines:
>
> --------------
> ...
> parameter-map type inspect audit
>   audit-trail on
>   alert off
> ...
> class-map type inspect match-all cls_10.0.128.0
>   match access-group name acl_10.0.128.0
> ...
> policy-map type inspect pol-OutsideToDMZ
>   class type inspect cls_10.0.128.0
>    inspect audit
>   class class-default
>    drop log
> ...
> ip access-list extended acl_10.0.128.0
>   permit ip 10.0.128.0 0.0.15.255 10.0.80.0 0.0.0.255
> ...
> --------------
>
> The way I'm reading it is that the class-map is configured with a named ACL.
> Then the class-map is applied to the policy-map with action 'inspect'.
> There's no protocol specified thus all protocols should be inspected
> (this is what I want).
>
> Here is the problem. When the router is booting up, the following message
> appears on the console:
>
> %No specific protocol or access-group configured in class cls_10.0.128.0
> for inspection. All packets will be dropped
>
>
> IMO this is not correct: there's an ACL configured in the class-map.
>
> Before (in 12.4) this message was different -- it was about "no
> protocols specified, all protocols will be inspected".
>
> Has something changed in the way ZBF behaves in 15.x? And is it
> documented anywhere? I was not able to find the information.
>
> Any help is appreciated! Thank you!
>
> --
> Ivan Poddubnyy
> Sr. Systems Administrator
> Symantec Corporation / EHG
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
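The check below is what I would run over a saved config before rebooting a ZBF box onto 15.x, given what this thread shows: a class that gets the `inspect` action but matches only an access-group (no `match protocol` on it or on any class-map nested under it) is exactly the case that logs "All packets will be dropped". This is an added example written for this page, not code from the thread or from Cisco; the helper names (`parse_zbf`, `matches_protocol`, `acl_only_inspect_classes`) are mine, and the two embedded configs are constructed from the before and after snippets in the thread. The parser assumes IOS-style indentation (sub-commands indented under their parent) and only understands `match` lines inside `class-map type inspect` blocks and `class` / action lines inside `policy-map type inspect` blocks.

```python
"""Lint zone-based-firewall config for 'inspect' classes that match only an ACL.

IOS 15.x rejects such a class at boot with
  %No specific protocol or access-group configured in class <name>
  for inspection. All packets will be dropped
Running this over a saved config finds them before the migration reboot.
Helper names are my own; the sample configs are constructed from the thread.
"""
import re

# Constructed sample: the ACL-only class from the original post (12.4-style).
CONFIG_BEFORE = """\
class-map type inspect match-all cls_10.0.128.0
 match access-group name acl_10.0.128.0
policy-map type inspect pol-OutsideToDMZ
 class type inspect cls_10.0.128.0
  inspect audit
 class class-default
  drop log
ip access-list extended acl_10.0.128.0
 permit ip 10.0.128.0 0.0.15.255 10.0.80.0 0.0.0.255
"""

# Constructed sample: the fix, a nested match-any class that names the protocols.
CONFIG_AFTER = """\
class-map type inspect match-any cls_ip_protocols
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all cls_10.0.128.0
 match access-group name acl_10.0.128.0
 match class-map cls_ip_protocols
policy-map type inspect pol-OutsideToDMZ
 class type inspect cls_10.0.128.0
  inspect audit
 class class-default
  drop log
"""

CLASS_RE = re.compile(r"^class-map type inspect match-(?:any|all) (\S+)$")
POLICY_RE = re.compile(r"^policy-map type inspect (\S+)$")
PCLASS_RE = re.compile(r"^class (?:type inspect )?(\S+)$")


def parse_zbf(text):
    """Return (class_maps, policy_maps).

    class_maps:  name -> [(match_kind, argument), ...], e.g. ("protocol", "tcp"),
                 ("access-group", "acl_x"), ("class-map", "cls_y")
    policy_maps: name -> [[class_name, action], ...] with action such as
                 "inspect", "drop" or "pass"
    """
    class_maps, policy_maps = {}, {}
    block = None        # ("class", name) or ("policy", name) while inside one
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped == "...":
            continue
        if not line[0].isspace():           # top-level command: open or close a block
            m = CLASS_RE.match(stripped)
            if m:
                block = ("class", m.group(1))
                class_maps[m.group(1)] = []
                continue
            m = POLICY_RE.match(stripped)
            if m:
                block = ("policy", m.group(1))
                policy_maps[m.group(1)] = []
                continue
            block = None                    # ACLs, parameter-maps, ... are skipped
            continue
        if block is None:
            continue
        kind, name = block
        parts = stripped.split()
        if kind == "class" and parts[0] == "match":
            class_maps[name].append((parts[1], parts[-1]))
        elif kind == "policy":
            m = PCLASS_RE.match(stripped)
            if m:                           # " class type inspect X" / " class class-default"
                policy_maps[name].append([m.group(1), None])
            elif policy_maps[name]:         # "  inspect audit" / "  drop log" under that class
                policy_maps[name][-1][1] = parts[0]
    return class_maps, policy_maps


def matches_protocol(class_maps, name, seen=None):
    """True if the class-map, or any class-map nested under it, has a 'match protocol'."""
    seen = set() if seen is None else seen
    if name in seen or name not in class_maps:
        return False
    seen.add(name)
    for kind, arg in class_maps[name]:
        if kind == "protocol":
            return True
        if kind == "class-map" and matches_protocol(class_maps, arg, seen):
            return True
    return False


def acl_only_inspect_classes(text):
    """List (policy_map, class_map) pairs that get the 'inspect' action but carry
    no protocol match anywhere, i.e. the combination 15.x drops everything for."""
    class_maps, policy_maps = parse_zbf(text)
    findings = []
    for policy, classes in policy_maps.items():
        for cls, action in classes:
            if cls == "class-default":      # has no class-map definition to check
                continue
            if action == "inspect" and not matches_protocol(class_maps, cls):
                findings.append((policy, cls))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, acl_only_inspect_classes(cfg) or "clean")
```

Run against the pre-fix config it reports `pol-OutsideToDMZ` / `cls_10.0.128.0`; against the fixed config it reports nothing, because the nested `cls_ip_protocols` supplies the protocol matches. The nested lookup is deliberate: the fix in this thread keeps the ACL in the outer `match-all` class and adds the protocols through `match class-map`, so a check that only looked at the outer class's own lines would still flag the corrected config.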