This is driving us nuts. I have configured a Zone Based Firewall policy on an 800 series router, but it's not behaving as we expected.
For traffic coming in from the outside to the inside I have a class-map that matches an ACL and a match protocol.
The match protocol states match protocol http. I have a user-defined entry for HTTP: ip port-map http port 7777.
So, if I telnet in on 7777, the packet passes the outside-in ACL, then it's NAT'd, then it hits the ZBW, but the packet is permitted. I would have thought the packet would be dropped, as Telnet on 7777 is not an HTTP request on TCP 7777. If I change the ip port-map http port 7777 to ip port-map ftp port 7777 and try again (telnet in on 7777), the packet is dropped as I would have expected, with the following message:
Sep 15 08:11:27.849: %FW-6-DROP_PKT: Dropping ftp session x.x.x.x:58923 x.x.x.x:7777 on zone-pair Extern-Intern class class-default due to policy match failure with ip ident 16073 tcpflags 0x7002 seq.no 383992111 ack 0
Has anyone got any ideas why the inspect doesn't work correctly with the user-defined HTTP port map?
I've been reading lots of documentation but have not found the answer yet.
So your class-map is match-all. Once you telnet on port 7777 you need to send a "GET" request and then see if the inspection drops it as expected.
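For reference, here is a minimal IOS ZBFW configuration that reproduces the setup described in the thread (an added illustration, not the poster's own configuration); the inside server address, interface names, ACL and class/policy names are assumed, and class-default is set to drop log so that a non-HTTP connection on 7777 appears as a %FW-6-DROP_PKT message like the one quoted above.

```cisco
! Assumed: 10.0.0.10 is the inside server, FastEthernet4 faces outside, Vlan1 faces inside.
! User-defined port map so that the inspection engine treats TCP 7777 as HTTP.
ip port-map http port 7777

ip access-list extended OUTSIDE-TO-WEB
 permit tcp any host 10.0.0.10 eq 7777

! match-all: the flow must match the ACL AND be recognised as HTTP.
! As the reply above notes, the protocol check is only exercised once
! application data (e.g. a GET request) is sent, not on the bare TCP handshake.
class-map type inspect match-all CM-HTTP-7777
 match access-group name OUTSIDE-TO-WEB
 match protocol http

policy-map type inspect PM-EXTERN-INTERN
 class type inspect CM-HTTP-7777
  inspect
 class class-default
  drop log

zone security Extern
zone security Intern

interface FastEthernet4
 zone-member security Extern
interface Vlan1
 zone-member security Intern

zone-pair security Extern-Intern source Extern destination Intern
 service-policy type inspect PM-EXTERN-INTERN
```

With drop log on class-default, the resulting %FW-6-DROP_PKT lines can be checked with show logging, and show policy-map type inspect zone-pair Extern-Intern shows which class the session actually matched.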