1921 ZBFW - %No specific protocol or access-group

bellscott
Level 1

Quick question: upon rebooting my router I can see the following show up in the logs:

%No specific protocol or access-group configured in class CMAP-Z_to_WAN for inspection. All packets will be dropped

%No specific protocol or access-group configured in class CMAP-WAN_to_Z1 for inspection. All packets will be dropped

%No specific protocol or access-group configured in class CMAP-Z2_to_WAN for inspection. All packets will be dropped

%No specific protocol or access-group configured in class CMAP-WAN_to_Z2 for inspection. All packets will be dropped

%No specific protocol or access-group configured in class CMAP-Z2_to_DMZ for inspection. All packets will be dropped

%No specific protocol or access-group configured in class CMAP-DMZ_to_Z2 for inspection. All packets will be dropped

%No specific protocol or access-group configured in class CMAP-DMZ_to_WAN for inspection. All packets will be dropped

Please see attachment for my configuration and any advice on where I have gone wrong, much appreciated.

10 Replies

Julio Carvajal
VIP Alumni

Hello Bell,

I have done some research and here is what I have found:

"Specifying only an ACL as firewall match criteria will not enable ALGs to correctly deal with services such as FTP, SIP, etc.", as described here, under 'Applying an ACL as Match Criteria'.

So basically, if you add a match protocol X you should not receive that message; this seems to start at version 15.

I also found this:

The reported error message is just seen upon bootup. The reason for this is that the router loads the config from top to bottom. Therefore, by the time it executes the class-map, it has not read the ACL yet, and it gives the warning that there is "No specific protocol or access-group configured on the class".

My question is: while you get those logs, does the ZBFW work normally, or is it completely down?

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have not tested the ZBFW yet. I will report back with results.

I was after confirmation on my concerns before moving on to testing, so I am fully prepared.

Hello Bell,

Perfect, just let me know the result. I would be more than glad to help.

Regards,

Rate the helpful posts

Julio

Julio Carvajal

The ZBFW seems to be working fine.

Is there anything special I have to do with NAT in conjunction with the ZBFW?

int g0/1
 ip nat outside
!
int vlan 10
 ip nat inside
!
int vlan 20
 ip nat inside
!
! PAT both inside VLANs to the WAN interface address
ip nat inside source list IP-NAT interface GigabitEthernet0/1 overload
!
ip access-list standard IP-NAT
 permit 10.3.3.0 0.0.0.255
 permit 10.6.6.0 0.0.0.255
!

Hello Bell,

Not at all. The NAT configuration looks good and that is all you need. It is not going to affect anything on the ZBFW.

Let us know if there is something else you need; if not, please mark the question as answered and rate all the helpful posts.

Just remember, any other question, just let me know.

Julio

Julio Carvajal

My final question is around port forwarding and whether I need to specifically configure anything further for this in conjunction with my ZBFW. This is so the client is able to FTP + RDP to hosts in his private address range... (Do not ask why.)

ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.6.6.15 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 10.3.3.109 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 10.3.3.105 443 interface GigabitEthernet0/1 444
ip nat inside source static tcp 10.6.6.20 20 interface GigabitEthernet0/1 20
ip nat inside source static tcp 10.6.6.20 21 interface GigabitEthernet0/1 21

This is based on my ACL-WAN_to_Z1 and ACL-WAN_to_Z2.

Will this ensure that passive FTP traffic is handled as per the ACL and port ranges?

  "permit tcp any host 10.6.6.20 range 30000 32000"

Thanks

bellscott
Level 1

For anyone reading, this is the cut-down version of my ZBFW + ACL + NAT for WAN to Inside Zone 2 traffic. This is allowing active + passive FTP traffic through on Zone 2 (vlan 20) on the ports detailed below.

!
class-map type inspect match-any CMAP-WAN_to_Z2
 match access-group name ACL-WAN_to_Z2
!
policy-map type inspect PMAP-WAN_to_Z2
 class type inspect CMAP-WAN_to_Z2
  inspect
 class class-default
  drop
!
zone security WAN
zone security Z2
!
zone-pair security ZP-WAN_to_Z2 source WAN destination Z2
 service-policy type inspect PMAP-WAN_to_Z2
!
interface GigabitEthernet0/1
 description WAN
 ip address 203.x.x.x 255.255.255.0
 ip nat outside
 zone-member security WAN
!
interface Vlan20
 description Z2
 ip address 10.6.6.254 255.255.255.0
 ip nat inside
 zone-member security Z2
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.6.6.20 20 interface GigabitEthernet0/1 20
ip nat inside source static tcp 10.6.6.20 21 interface GigabitEthernet0/1 21
!
ip access-list extended ACL-WAN_to_Z2
 permit tcp any host 10.6.6.20 range ftp-data ftp
 permit tcp any host 10.6.6.20 range 30000 32000
!
access-list 1 remark NAT_ACL Category=2
access-list 1 permit 10.6.6.0 0.0.0.255
!

If anyone wants to point anything out, I'm keen to listen.

Message was edited: Corrected CMAP+PMAP Naming
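As an added example (not configuration from this thread), here is the WAN-to-Z2 policy reworked so that the FTP class matches the ACL and the protocol together, which is what the "add a match protocol X" advice earlier in the thread refers to. The zone, interface and ACL names and the 10.6.6.20 server are the ones used above; the class-map name CMAP-WAN_to_Z2-FTP, the `drop log` action and the trimmed ACL are my choices. With `match protocol ftp` the FTP ALG inspects the control channel and opens the data-channel pinhole itself (active or passive), so the static 30000-32000 permit is no longer needed, and because the class now carries a protocol match rather than only an access-group the boot-time "No specific protocol or access-group configured" warning is not raised for it.

```cisco
! Added example: WAN -> Z2 FTP inspection with ALG, not the poster's config.
!
! Control channel only; the ALG adds the data channel dynamically.
ip access-list extended ACL-WAN_to_Z2
 permit tcp any host 10.6.6.20 eq ftp
!
! match-all: packet must hit the ACL AND be classified as FTP.
class-map type inspect match-all CMAP-WAN_to_Z2-FTP
 match access-group name ACL-WAN_to_Z2
 match protocol ftp
!
policy-map type inspect PMAP-WAN_to_Z2
 class type inspect CMAP-WAN_to_Z2-FTP
  inspect
 class class-default
  drop log
!
zone security WAN
zone security Z2
!
zone-pair security ZP-WAN_to_Z2 source WAN destination Z2
 service-policy type inspect PMAP-WAN_to_Z2
!
! Only the control port needs a static PAT entry; port 20 and the
! passive range are handled by the ALG pinholes and NAT fix-up.
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.6.6.20 21 interface GigabitEthernet0/1 21
!
access-list 1 permit 10.6.6.0 0.0.0.255
```

To confirm the class is being hit and that the data channel is being opened by the ALG rather than by a static permit, run an FTP transfer from the WAN side and check `show policy-map type inspect zone-pair ZP-WAN_to_Z2 sessions`; the data session should appear as a child of the port-21 control session. `show class-map type inspect CMAP-WAN_to_Z2-FTP` lists both match statements, and `drop log` on class-default makes anything that falls outside the FTP class visible in the log instead of silently disappearing.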

Hello,

I did not see the action applied to the class-map inside the policy.

It should be like this:

policy-map type inspect PMAP-WAN_to_Z2
 class type inspect CMAP-WAN_to_Z2
  inspect

If that is the case, you are good to go.

Regards,

Julio Carvajal

Hello.

This config makes no sense at the moment.

zone-pair security ZP-Z2_to_WAN source Z2 destination WAN
 service-policy type inspect PMAP-Z2_to_WAN <-

policy-map type inspect PMAP-WAN_to_Z2 <-

They are not the same, which I guess you would like them to be?

When you have changed this, I would suggest that you match the protocol in the class-map instead of matching port numbers. This activates layer 7 inspection and is much safer.

ex:
class-map type inspect FTP_CMAP
match protocol ftp

edit: Julio saw something I didn't

Have updated my CLI with the correct SOURCE > DESTINATIONS.
