03-22-2012 06:27 AM - edited 03-11-2019 03:45 PM
Hi , I have simple rules in ZBF
class-map type inspect match-all DMZ310_TO_INTERNET_PASS
match access-group name DMZ310_TO_INTERNET_PASS
!
class-map type inspect match-all DMZ310->INTERNET_INSP_COMB
match access-group name DMZ310_TO_INTERNET_INSPECT
match class-map DMZ310->INT_INSPECTION_PROTOCOLS
!
class-map type inspect match-any DMZ310->INT_INSPECTION_PROTOCOLS
description ---=============
match protocol tcp
match protocol icmp
match protocol dns
match protocol user-nashssh
match protocol http
match protocol udp
!
policy-map type inspect DMZ310->INTERNET_POLICY
class type inspect DMZ310_TO_INTERNET_PASS
pass
class type inspect DMZ310->INTERNET_INSP_COMB
inspect
class class-default
drop
!
zone security INTERNET
!
zone security DMZ310
!
zone-pair security DMZ310->INTERNET source DMZ310 destination INTERNET
service-policy type inspect DMZ310->INTERNET_POLICY
!
interface GigabitEthernet0/1.310
encapsulation dot1Q 310
ip address 1.1.1.2 255.255.255.128
ip nat outside
ip virtual-reassembly in
zone-member security DMZ310
standby 3 ip 1.1.1.1
standby 3 priority 15
standby 3 preempt
ip policy route-map BGP-DEFAULT-ROUTE
service-policy input POLICE_DMZ310_IN
service-policy output POLICE_DMZ310_OUT
!
interface GigabitEthernet0/1.301
description -=ISP=-
encapsulation dot1Q 301
ip address 2.2.2.2 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
!
ip access-list extended DMZ310_TO_INTERNET_INSPECT
permit icmp host 1.1.1.5 any
permit ip host 1.1.1.5 any
deny ip any any
1) From host 1.1.1.5 I can ping any host on the INTERNET, and I see my session, but when I try any TCP connection it fails, and I can see no session.
2) If I add this host to my passing ACL DMZ310_TO_INTERNET_PASS and backpass ACL INTERNET_TO_DMZ310_PASS
permit icmp host 1.1.1.5 any
permit ip host 1.1.1.5 any
it works, TCP works.
Why so?
thanks
03-22-2012 08:36 AM
Don't know if this has just been left over since you did your "pass-test", but:
policy-map type inspect DMZ310->INTERNET_POLICY
class type inspect DMZ310_TO_INTERNET_PASS <----------------- is treated before the inspect statement on the row after it
pass
class type inspect DMZ310->INTERNET_INSP_COMB
inspect
class class-default
drop
And that class-map I'm pointing at matches an access-list that doesn't exist atm.
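The two points raised in this reply (a class-map referencing an ACL that is not in the paste, and a pass class sitting ahead of the inspect class) are exactly the kind of thing a small static check catches before the config reaches a router. The following Python script is an added example, not code from the thread or from Cisco: it parses the class-map, policy-map and access-list sections of the snippet posted above (indentation not required, since pasted configs usually lose it) and reports dangling references plus any pass class ordered before an inspect class in the same policy-map. Because pass forwards matching traffic without creating state, flows it matches never reach the inspect class and need a mirror pass rule on the reverse zone-pair, which is what the original poster's backpass ACL provides. The sample configs are constructed from the first post; the FIXED_CONFIG variant adds the DMZ310_TO_INTERNET_PASS ACL the poster later said was only missing from the paste.

```python
"""Static audit of a Cisco IOS zone-based firewall (ZBF) config snippet:
flag class-maps/policy-maps that reference undefined ACLs or class-maps,
and a 'pass' class ordered ahead of an 'inspect' class in one policy-map."""
import re

# Constructed sample: class-maps, policy-map and ACL from the first post, with
# the DMZ310_TO_INTERNET_PASS ACL deliberately absent (as in that post).
SAMPLE_CONFIG = """
class-map type inspect match-all DMZ310_TO_INTERNET_PASS
 match access-group name DMZ310_TO_INTERNET_PASS
!
class-map type inspect match-all DMZ310->INTERNET_INSP_COMB
 match access-group name DMZ310_TO_INTERNET_INSPECT
 match class-map DMZ310->INT_INSPECTION_PROTOCOLS
!
class-map type inspect match-any DMZ310->INT_INSPECTION_PROTOCOLS
 match protocol tcp
 match protocol icmp
!
policy-map type inspect DMZ310->INTERNET_POLICY
 class type inspect DMZ310_TO_INTERNET_PASS
  pass
 class type inspect DMZ310->INTERNET_INSP_COMB
  inspect
 class class-default
  drop
!
ip access-list extended DMZ310_TO_INTERNET_INSPECT
 permit icmp host 1.1.1.5 any
 permit ip host 1.1.1.5 any
 deny ip any any
!
"""

# Same snippet plus the ACL the poster later said was only missing from the paste.
FIXED_CONFIG = SAMPLE_CONFIG + """
ip access-list extended DMZ310_TO_INTERNET_PASS
 permit ip host 1.1.1.10 any
 deny ip any any
!
"""

# Section headers we track; '!' or another top-level line ends a section.
HEADERS = [
    ("acl", re.compile(r"ip access-list (?:extended|standard) (\S+)")),
    ("class-map", re.compile(r"class-map type inspect match-(?:all|any) (\S+)")),
    ("policy-map", re.compile(r"policy-map type inspect (\S+)")),
]


def parse_zbf(text):
    """Return {'acls': set, 'class_maps': {name: [(kind, target)]},
    'policy_maps': {name: [[class_name, action]]}}."""
    cfg = {"acls": set(), "class_maps": {}, "policy_maps": {}}
    ctx = None  # (section kind, section name) currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "interface ", "zone ", "zone-pair ")):
            ctx = None
            continue
        for kind, pattern in HEADERS:
            m = pattern.match(line)
            if m:
                name = m.group(1)
                ctx = (kind, name)
                if kind == "acl":
                    cfg["acls"].add(name)
                else:
                    cfg["class_maps" if kind == "class-map" else "policy_maps"][name] = []
                break
        else:  # not a header: attribute the line to the open section, if any
            if ctx is None:
                continue
            kind, name = ctx
            if kind == "class-map":
                m = re.match(r"match (access-group name|class-map|protocol) (\S+)", line)
                if m:
                    cfg["class_maps"][name].append((m.group(1), m.group(2)))
            elif kind == "policy-map":
                entries = cfg["policy_maps"][name]
                m = re.match(r"class (?:type inspect )?(\S+)", line)
                if m:
                    entries.append([m.group(1), None])
                elif entries and line.split()[0] in ("pass", "inspect", "drop"):
                    entries[-1][1] = line.split()[0]
    return cfg


def audit_zbf(cfg):
    """Return a list of findings (empty when the snippet is self-consistent)."""
    findings = []
    for cname, matches in cfg["class_maps"].items():
        for kind, target in matches:
            if kind == "access-group name" and target not in cfg["acls"]:
                findings.append(f"class-map {cname}: ACL {target} is not defined")
            elif kind == "class-map" and target not in cfg["class_maps"]:
                findings.append(f"class-map {cname}: nested class-map {target} is not defined")
    for pname, classes in cfg["policy_maps"].items():
        passed = None  # first class with action 'pass' seen so far in this policy
        for cname, action in classes:
            if cname != "class-default" and cname not in cfg["class_maps"]:
                findings.append(f"policy-map {pname}: class-map {cname} is not defined")
            if action == "pass" and passed is None:
                passed = cname
            elif action == "inspect" and passed is not None:
                findings.append(f"policy-map {pname}: 'pass' class {passed} precedes "
                                f"'inspect' class {cname}; flows it matches bypass inspection")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("with PASS ACL", FIXED_CONFIG)):
        print(f"--- {label} ---")
        print("\n".join(audit_zbf(parse_zbf(text))) or "no findings")
```

Run as-is, the "as posted" pass reports both the undefined DMZ310_TO_INTERNET_PASS ACL and the pass-before-inspect ordering; the "with PASS ACL" pass leaves only the ordering note, which is informational when a matching pass exists on the INTERNET->DMZ310 zone-pair for the return traffic.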
03-22-2012 10:45 PM
If you mean that I should just change PASS and put it after INSPECT, I did this, but nothing changed:
policy-map type inspect DMZ310->INTERNET_POLICY
class type inspect DMZ310->INTERNET_INSP_COMB
inspect
class type inspect DMZ310_TO_INTERNET_PASS
pass
class class-default
drop
In fact the ACL in this rule
class type inspect DMZ310_TO_INTERNET_PASS
exists.
I just forgot to paste it into my config in this discussion:
access list DMZ310_TO_INTERNET_PASS
permit ip host 1.1.1.10 any
deny ip any any
03-22-2012 08:43 AM
And I would remove the "permit icmp host 1.1.1.5 any" from the "DMZ310_TO_INTERNET_INSPECT" access-list:
ip access-list extended DMZ310_TO_INTERNET_INSPECT
permit ip host 1.1.1.5 any
Because you already have ICMP in the "DMZ310->INT_INSPECTION_PROTOCOLS" class-map and maybe that is doing something weird, I don't know; worth a try!
03-22-2012 10:46 PM
And this I tried to do, but nothing changed.
03-22-2012 10:51 PM
Well, I think it's just a bug, because I just copied all my rules (policy-map, class-maps, ACLs), changed their names (added 1 at the end) (the router changes their IDs, I suppose), pointed this to my zone-pair security, and it works fine!
class-map type inspect match-all DMZ310_TO_INTERNET_PASS1
match access-group name DMZ310_TO_INTERNET_PASS1
!
class-map type inspect match-all DMZ310->INTERNET_INSP_COMB1
match access-group name DMZ310_TO_INTERNET_INSPECT1
match class-map DMZ310->INT_INSPECTION_PROTOCOLS1
!
class-map type inspect match-any DMZ310->INT_INSPECTION_PROTOCOLS1
description ---=============
match protocol tcp
match protocol icmp
match protocol dns
match protocol user-nashssh
match protocol http
match protocol udp
!
policy-map type inspect DMZ310->INTERNET_POLICY1
class type inspect DMZ310_TO_INTERNET_PASS1
pass
class type inspect DMZ310->INTERNET_INSP_COMB1
inspect
class class-default
drop
!
zone security INTERNET
!
zone security DMZ310
!
zone-pair security DMZ310->INTERNET source DMZ310 destination INTERNET
service-policy type inspect DMZ310->INTERNET_POLICY1
!
interface GigabitEthernet0/1.310
encapsulation dot1Q 310
ip address 1.1.1.2 255.255.255.128
ip nat outside
ip virtual-reassembly in
zone-member security DMZ310
standby 3 ip 1.1.1.1
standby 3 priority 15
standby 3 preempt
ip policy route-map BGP-DEFAULT-ROUTE
service-policy input POLICE_DMZ310_IN
service-policy output POLICE_DMZ310_OUT
!
interface GigabitEthernet0/1.301
description -=ISP=-
encapsulation dot1Q 301
ip address 2.2.2.2 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
!
ip access-list extended DMZ310_TO_INTERNET_INSPECT1
permit icmp host 1.1.1.5 any
permit ip host 1.1.1.5 any
deny ip any any
03-23-2012 02:26 AM
Ok, good! That's good to know.