[c-nsp] Zone Based Firewall default-class
Luan Nguyen
luan at netcraftsmen.net
Fri Jul 9 17:31:31 EDT 2010
Maybe class-default only allows traffic initiated from the zone and not return
traffic? Check your log again...
Try your "Or", and try upgrading to T3 to see if that makes a difference.
------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
------------------------------
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
Sent: Friday, July 09, 2010 4:08 PM
To: cisco-nsp
Subject: [c-nsp] Zone Based Firewall default-class
I have a strange problem with ZBFW or I am just missing something obvious.
3845 running 12.4(24)T advipservices
I am trying to apply a firewall rule between two entities. Since I am
not 100% sure what all traffic is passing through the two, I wanted to
write rules for what I know and pass anything I don't know but log it
so I can find out if that's supposed to be there or not.
policy-map type inspect InPMAP
 class type inspect GeneralInCMAP
  inspect
 class class-default
  pass log
policy-map type inspect OutPMAP
 class type inspect GeneralOutCMAP
  inspect
 class class-default
  pass log
zone security Inside
zone security Other
zone-pair security Other-to-Inside source Other destination Inside
 service-policy type inspect InPMAP
zone-pair security Inside-to-Other source Inside destination Other
 service-policy type inspect OutPMAP
However, once I apply the zone, I get this
Jul 9 15:04:51 192.168.1.253 266: Jul 9 15:04:50 EDT:
%FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 =>
172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul 9 15:04:51 192.168.1.253 267: Jul 9 15:04:50 EDT:
%FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 =>
192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)
So, in one direction it's passing traffic as intended, but in the other
direction it's dropping it on "class-default".
What am I doing wrong? Or do I need to create a class-map that allows
everything and pass it in that class?
Is this a bug?
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
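Added example (not from either poster): a small parser for the %FW-6-LOG_SUMMARY lines quoted above, so the class-default drops and the per-zone-pair pass/drop totals can be pulled out of a syslog feed instead of read by eye. The two log lines are the ones from the post, joined back onto single lines; the third line is constructed to show that unrelated syslog is ignored.

```python
import re
from collections import Counter

# Field layout of a %FW-6-LOG_SUMMARY line as shown in the post above.
FW_SUMMARY = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were (?P<action>dropped|passed) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\)"
)

# Sample input: the two lines from the post (unwrapped) plus one constructed
# non-firewall line that the parser must skip.
SAMPLE_LOG = [
    "Jul 9 15:04:51 192.168.1.253 266: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: "
    "5 packets were dropped from 192.168.1.143:1888 => 172.16.20.24:1433 "
    "(target:class)-(Inside-to-Other:class-default)",
    "Jul 9 15:04:51 192.168.1.253 267: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: "
    "5 packets were passed from 172.16.20.24:1433 => 192.168.1.102:2583 "
    "(target:class)-(Other-to-Inside:class-default)",
    "Jul 9 15:05:00 192.168.1.253 268: Jul 9 15:04:59 EDT: "
    "%SYS-5-CONFIG_I: Configured from console by vty0",  # constructed
]


def parse_fw_summary(line):
    """Return the fields of one %FW-6-LOG_SUMMARY line, or None for other syslog."""
    m = FW_SUMMARY.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("count", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def class_default_drops(lines):
    """Flows that matched no explicit class and were dropped in class-default;
    these are exactly the flows the poster expected to be passed and logged."""
    recs = [r for r in map(parse_fw_summary, lines) if r]
    return [r for r in recs if r["cls"] == "class-default" and r["action"] == "dropped"]


def packets_by_zone_pair(lines):
    """Packet totals keyed by (zone-pair, class, action), which makes a
    one-direction-passes / other-direction-drops pattern visible at a glance."""
    totals = Counter()
    for r in filter(None, map(parse_fw_summary, lines)):
        totals[(r["zone_pair"], r["cls"], r["action"])] += r["count"]
    return dict(totals)
```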
__________ Information from ESET NOD32 Antivirus, version of virus signature
database 5266 (20100709) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com