CSM - Bug deploying ZoneBased Firewall Rules to Router

Answered Question
Dec 20th, 2013

Hi,


When I try to deploy ZBFW rules to my router, CSM gives me the following error:


%No specific protocol or access-group configured in class CSM_ZBF_CLASS_MAP_6 for inspection. All packets will be dropped


CSM_ZBF_CLASS_MAP_6


It is also deploying strange commands like:


class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
 match access-group name ###CMAP_ACLNAME6
 no match access-group name CSM_ZBF_CMAP_ACL_4
 exit



Have you ever seen it before? Why is it asking about an ACL that does not exist? Why is it issuing strange commands?

I may provide you with further information, if you wish.

Thank you.

Correct Answer
Julio Carvajal Fri, 12/20/2013 - 17:02
User Badges:
  • Purple, 4500 points or more

Hello Leonardo,


I would never recommend doing any firewall configuration via SDM, CCP or SDM. Things will just not work as they should (all of this based on my experience).


I have seen both of them in the past.


I would recommend providing us the config, and then we will tell you if we see something strange, but try to do this via CLI (trust me, you need this).



For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

For any question, contact me at [email protected]

Cheers,

Julio Carvajal Segura

leonardomachado Tue, 12/24/2013 - 03:05

But that is the main reason for the CSM product's existence! It should centralize security configuration. I have 40 routers to manage, and I definitely cannot manage Zone Based Firewall and ACLs via CLI in this scenario. I have never faced any problem with ASDM while managing my ASA and FWSM.

Julio Carvajal Tue, 12/24/2013 - 09:06
User Badges:
  • Purple, 4500 points or more

So my answer was sort of useful hahaha.



The configuration of ZBFW is pretty complex and involves the definition of multiple parameters.


As I said, my recommendation will always be to do it from the CLI; if you do not know how or need assistance with that, then get Cisco TAC on the line or get someone that knows about it.


As for the first log you posted, I have seen it in the past when using an ACL to match traffic, and it has not caused any issues.


Now for this:

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
 match access-group name ###CMAP_ACLNAME6
 no match access-group name CSM_ZBF_CMAP_ACL_4
 exit


It's just removing the use of one ACL in order to then match other traffic with a different ACL, so no big deal.


The only way to determine whether the configuration is good or not is to analyze the entire configuration against what you are trying to do!!



Looking for some Networking Assistance? 
Contact me directly at [email protected]

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

leonardomachado Wed, 02/19/2014 - 05:29

The problem was that INSPECT rules need INSPECT protocols to be specified! Otherwise it must be a PASS flow.


In my opinion it's a bug or bad programming in the CSM interface. If inspect NEEDS a protocol, it should be forced to input this information before deploying it!


Anyway, thanks for helping.
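To illustrate the root cause from the last reply, here is an added IOS configuration example (constructed for this page, not taken from the thread or generated by CSM): an inspect class that only names an ACL, beside a version that also tells the inspect engine which protocols to track through a nested match-any class, with the pass action shown for traffic that has no protocol to inspect. All ACL, class, policy and zone names and the addresses are placeholders.

```cisco
! Constructed example, not from the thread. Names and addresses are placeholders.
ip access-list extended EXAMPLE_INSIDE_TO_OUTSIDE
 permit ip 10.1.0.0 0.0.255.255 any

! --- Problematic form: the class names only an ACL, so nothing tells the
! inspect engine which protocols to track. Placed under an "inspect" action,
! IOS reports that no protocol is configured and drops the traffic.
class-map type inspect match-all CLASS_ACL_ONLY
 match access-group name EXAMPLE_INSIDE_TO_OUTSIDE

! --- Corrected form: a match-any class lists the protocols to inspect, and a
! match-all class combines that list with the ACL (match-all cannot list
! several protocols directly, since a packet cannot be TCP and UDP at once).
class-map type inspect match-any EXAMPLE_PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp

class-map type inspect match-all CLASS_ACL_AND_PROTO
 match access-group name EXAMPLE_INSIDE_TO_OUTSIDE
 match class-map EXAMPLE_PROTOCOLS

! Stateful inspection on the class that carries protocols. The ACL-only
! class, if it must stay, gets "pass" instead of "inspect": pass is stateless
! and one-directional, so return traffic needs its own pass in the reverse
! zone-pair. Everything else is dropped and logged.
policy-map type inspect EXAMPLE_IN_TO_OUT
 class type inspect CLASS_ACL_AND_PROTO
  inspect
 class type inspect CLASS_ACL_ONLY
  pass
 class class-default
  drop log

zone security INSIDE
zone security OUTSIDE
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect EXAMPLE_IN_TO_OUT
```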
