[c-nsp] Zone Based Firewall default-class
Jay Nakamura
zeusdadog at gmail.com
Fri Jul 9 16:08:08 EDT 2010
I have a strange problem with ZBFW or I am just missing something obvious.
3845 running 12.4(24)T advipservices
I am trying to apply a firewall rule between two entities. Since I am
not 100% sure what all traffic is passing through the two, I wanted to
write rules for what I know and pass anything I don't know but log it
so I can find out if that's supposed to be there or not.
policy-map type inspect InPMAP
 class type inspect GeneralInCMAP
  inspect
 class class-default
  pass log

policy-map type inspect OutPMAP
 class type inspect GeneralOutCMAP
  inspect
 class class-default
  pass log

zone security Inside
zone security Other

zone-pair security Other-to-Inside source Other destination Inside
 service-policy type inspect InPMAP
zone-pair security Inside-to-Other source Inside destination Other
 service-policy type inspect OutPMAP
However, once I apply the zones, I get this:
Jul 9 15:04:51 192.168.1.253 266: Jul 9 15:04:50 EDT:
%FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 =>
172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul 9 15:04:51 192.168.1.253 267: Jul 9 15:04:50 EDT:
%FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 =>
192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)
So, in one direction it's passing traffic as intended, but in the other
direction it's dropping it on "class-default".
What am I doing wrong? Or do I need to create a class-map that allows
everything and pass it in that class?
Is this a bug?
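Added example (not from the post or from Cisco): a small Python parser for the %FW-6-LOG_SUMMARY lines shown above, aggregating whatever fell through to class-default per zone-pair so the unknown traffic can be identified and turned into explicit rules. The sample log is constructed from the two entries in the post (joined onto single lines as a collector would store them) plus one made-up entry for a hypothetical explicit class named BlockTelnetCMAP.

```python
import re
from collections import defaultdict

# Matches the %FW-6-LOG_SUMMARY message body; the syslog header in front
# of it (collector timestamp, host, sequence number, router timestamp)
# is skipped by using re.search rather than re.match.
FW_SUMMARY = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were (?P<action>dropped|passed) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\)"
)

# Constructed sample: the two entries from the post plus a made-up third
# entry that hit a hypothetical explicit class (BlockTelnetCMAP), which
# should not be counted as "unknown" traffic.
SAMPLE_LOG = """\
Jul 9 15:04:51 192.168.1.253 266: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 => 172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul 9 15:04:51 192.168.1.253 267: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 => 192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)
Jul 9 15:04:52 192.168.1.253 268: Jul 9 15:04:51 EDT: %FW-6-LOG_SUMMARY: 3 packets were dropped from 192.168.1.77:51022 => 172.16.20.5:23 (target:class)-(Inside-to-Other:BlockTelnetCMAP)
"""


def parse_fw_summary(line):
    """Return the fields of one LOG_SUMMARY line as a dict, or None."""
    m = FW_SUMMARY.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("count", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def class_default_flows(log_text):
    """Sum packets that fell through to class-default, keyed by
    (zone_pair, action, src, dst, dport): each key is a flow no explicit
    class matched, i.e. a candidate for a new rule or for blocking."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_fw_summary(line)
        if rec and rec["cls"] == "class-default":
            key = (rec["zone_pair"], rec["action"], rec["src"], rec["dst"], rec["dport"])
            totals[key] += rec["count"]
    return dict(totals)


def dropped_in_class_default(log_text):
    """Zone-pairs whose class-default reports 'dropped' entries, which is
    the symptom described in the post for a class-default set to pass."""
    return sorted({zp for (zp, action, *_rest) in class_default_flows(log_text)
                   if action == "dropped"})
```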