05-24-2012 10:06 PM - edited 03-11-2019 04:11 PM
Quick question: upon rebooting my router I can see the following show up in the logs:
%No specific protocol or access-group configured in class CMAP-Z_to_WAN for inspection. All packets will be dropped
%No specific protocol or access-group configured in class CMAP-WAN_to_Z1 for inspection. All packets will be dropped
%No specific protocol or access-group configured in class CMAP-Z2_to_WAN for inspection. All packets will be dropped
%No specific protocol or access-group configured in class CMAP-WAN_to_Z2 for inspection. All packets will be dropped
%No specific protocol or access-group configured in class CMAP-Z2_to_DMZ for inspection. All packets will be dropped
%No specific protocol or access-group configured in class CMAP-DMZ_to_Z2 for inspection. All packets will be dropped
%No specific protocol or access-group configured in class CMAP-DMZ_to_WAN for inspection. All packets will be dropped
Please see the attachment for my configuration; any advice on where I have gone wrong is much appreciated.
05-24-2012 11:28 PM
Hello Bell,
I have done some research and here is what I have found:
Specifying only an ACL as firewall match criteria will not enable ALGs to correctly deal with services such as FTP, SIP, etc., as described here, under 'Applying an ACL as Match Criteria'.
So basically, if you add a match protocol X you should not receive that message; this seems to start at version 15.
I also found this:
The reported error message is just seen upon bootup. The reason for this is that the router loads the config from top to bottom. Therefore, by the time it executes the class-map, it has not read the ACL yet, and so it gives the warning that there's "No specific protocol or access-group configured on the class".
My question is, while you get those logs, does ZBFW work normally or is it completely down?
Regards,
Julio
Do rate all the helpful posts
05-25-2012 04:16 PM
Have not tested the ZBFW yet. I will report back with results.
Was after confirmation on my concerns before taking to testing so I am fully prepared.
05-25-2012 04:37 PM
Hello Bell,
Perfect, just let me know the result. I would be more than glad to help.
Regards,
Rate the helpful posts
Julio
05-28-2012 02:23 PM
The ZBFW seems to be working fine.
Is there anything special I have to do with NAT in conjunction with ZBFW?
int g0/1
 ip nat outside
!
int vlan 10
 ip nat inside
!
int vlan 20
 ip nat inside
!
ip nat inside source list IP-NAT interface GigabitEthernet0/1 overload
!
ip access-list standard IP-NAT
 permit 10.3.3.0 0.0.0.255
 permit 10.6.6.0 0.0.0.255
!
05-28-2012 02:44 PM
Hello Bell,
Nope, not at all. The configuration for the NAT looks good and that is all you need. It is not going to affect anything on the ZBFW.
Let us know if there is something else you need; if not, please mark the question as answered and rate all the helpful posts.
Just remember, for any other question just let me know.
Julio
05-28-2012 10:31 PM
My final question is around port forwarding and whether I need to specifically configure anything further for this in conjunction with my ZBFW. This is so the client is able to FTP + RDP to hosts in his private address range... (Do not ask why)
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.6.6.15 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 10.3.3.109 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 10.3.3.105 443 interface GigabitEthernet0/1 444
ip nat inside source static tcp 10.6.6.20 20 interface GigabitEthernet0/1 20
ip nat inside source static tcp 10.6.6.20 21 interface GigabitEthernet0/1 21
This is based on my ACL-WAN_to_Z1 and ACL-WAN_to_Z2.
Will this ensure that passive FTP traffic is handled as per the ACL and port ranges?
"permit tcp any host 10.6.6.20 range 30000 32000"
Thanks
05-29-2012 01:49 PM
For anyone reading, this is the cut down version of my ZBFW + ACL + NAT for WAN to Inside Zone 2 traffic. This is allowing Active+Passive FTP traffic through on Zone 2 (vlan 20) on the ports detailed below.
!
class-map type inspect match-any CMAP-WAN_to_Z2
 match access-group name ACL-WAN_to_Z2
!
policy-map type inspect PMAP-WAN_to_Z2
 class type inspect CMAP-WAN_to_Z2
  inspect
 class class-default
  drop
!
zone security WAN
zone security Z2
!
zone-pair security ZP-WAN_to_Z2 source WAN destination Z2
 service-policy type inspect PMAP-WAN_to_Z2
!
interface GigabitEthernet0/1
 description WAN
 ip address 203.x.x.x 255.255.255.0
 ip nat outside
 zone-member security WAN
!
interface Vlan20
 description Z2
 ip address 10.6.6.254 255.255.255.0
 ip nat inside
 zone-member security Z2
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.6.6.20 20 interface GigabitEthernet0/1 20
ip nat inside source static tcp 10.6.6.20 21 interface GigabitEthernet0/1 21
!
ip access-list extended ACL-WAN_to_Z2
 permit tcp any host 10.6.6.20 range ftp-data ftp
 permit tcp any host 10.6.6.20 range 30000 32000
!
access-list 1 remark NAT_ACL Category=2
access-list 1 permit 10.6.6.0 0.0.0.255
!
If anyone wants to point anything out, I'm keen to listen.
Message was edited: Corrected CMAP+PMAP Naming
05-29-2012 02:08 PM
Hello,
I did not see the action applied to the class map inside the policy.
It should be like this:
policy-map type inspect PMAP-WAN_to_Z2
 class type inspect CMAP-WAN_to_Z2
  inspect
If that is the case you are good to go.
Regards,
05-29-2012 02:15 PM
Hello.
This config makes no sense at the moment.
zone-pair security ZP-Z2_to_WAN source Z2 destination WAN
service-policy type inspect PMAP-Z2_to_WAN <-
policy-map type inspect PMAP-WAN_to_Z2 <-
They are not the same, which I guess you would like them to be?
When you have changed this I would suggest that you match the protocol in the class-map instead
of matching port numbers. This activates layer 7 inspection and is much safer.
ex:
class-map type inspect FTP_CMAP
 match protocol ftp
edit: Julio saw something I didn't
05-29-2012 02:37 PM
Have updated my CLI with the correct SOURCE > DESTINATIONS.
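Added example, not from this thread or from Cisco: a small Python lint pass over a ZBFW config that reports the three conditions raised above, a class-map that matches only an access-group (the bootup message, no layer 7 inspection), a policy class with no action, and a zone-pair whose service-policy names a policy-map that does not exist. The sample config is constructed after the thread's, and the function name and finding strings are mine.

```python
# Constructed sample modelled on the thread's config (not the poster's file);
# it carries one fault of each kind the thread discusses.
SAMPLE_CONFIG = """\
class-map type inspect match-any CMAP-WAN_to_Z2
 match access-group name ACL-WAN_to_Z2
class-map type inspect match-any CMAP-Z2_to_WAN
 match protocol ftp
policy-map type inspect PMAP-WAN_to_Z2
 class type inspect CMAP-WAN_to_Z2
  inspect
 class class-default
  drop
policy-map type inspect PMAP-Z2_to_WAN
 class type inspect CMAP-Z2_to_WAN
zone-pair security ZP-WAN_to_Z2 source WAN destination Z2
 service-policy type inspect PMAP-WAN_to_Z2
zone-pair security ZP-Z2_to_WAN source Z2 destination WAN
 service-policy type inspect PMAP-Z2-to-WAN
"""

def lint_zbfw(config):
    """Return findings as strings; assumes only 'type inspect' maps are present."""
    objs = {"class-map": {}, "policy-map": {}, "zone-pair": {}}
    body = None
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if line[0] != " ":  # top-level command: open a block, or skip unrelated ones
            body = None
            if words[0] in objs:  # zone-pair names sit 3rd, map names last
                name = words[2] if words[0] == "zone-pair" else words[-1]
                body = objs[words[0]].setdefault(name, [])
        elif body is not None:
            body.append(line.strip())
    findings = []
    for name, body in objs["class-map"].items():  # the bootup message condition
        if not any(l.startswith("match protocol") for l in body):
            findings.append(f"{name}: ACL-only match, no 'match protocol' (no L7 inspection)")
    for name, body in objs["policy-map"].items():  # each class needs an action
        for cls, nxt in zip(body, body[1:] + [""]):
            if cls.startswith("class "):
                ref = cls.split()[-1]
                if ref != "class-default" and ref not in objs["class-map"]:
                    findings.append(f"{name}: undefined class-map {ref}")
                if nxt.partition(" ")[0] not in ("inspect", "pass", "drop"):
                    findings.append(f"{name}: class {ref} has no action")
    for name, body in objs["zone-pair"].items():  # the naming mismatch in the thread
        for ref in (l.split()[-1] for l in body if l.startswith("service-policy")):
            if ref not in objs["policy-map"]:
                findings.append(f"{name}: undefined policy-map {ref}")
    return findings
```

Run it against the output of `show running-config | section class-map|policy-map|zone-pair` to get the same three checks over a live box.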