Cisco Support Community

New Member

Cannot keep P2P blocked with ZFW

I have configured a router with ZFW and from my testing I can confirm that almost everything is working the way it should except the P2P blocking. It doesn't seem to block anything in the P2P arena and I've tried Gnutella, Kazaa, and BitTorrent and all of them are able to make a connection, search and download. I even have DPI enabled to make sure it can't use http but it still manages to get out.

Once in a while the router does log a message (below) but it's not consistent.

*Feb 19 20:26:15.689: %APPFW-6-P2P_PORT_HOP: gnutella using 9699 port -  tcp session on zone-pair in-out class CM_INSPECT

Feb 19 20:26:48.641: %FW-6-LOG_SUMMARY: 1 packet were dropped from => (target:class)-(in-out:CM_P2P)

class-map type inspect match-any CM_INSPECT
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol tcp
 match protocol udp

class-map type inspect match-all CM_HTTP
 match protocol http

class-map type inspect http match-any CM_PORTMISUSE
 match request port-misuse p2p
 match request port-misuse tunneling
 match req-resp protocol-violation

class-map type inspect match-any CM_P2P
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
 match protocol gnutella

policy-map type inspect http PM_HTTPDPI
 class type inspect http CM_PORTMISUSE

policy-map type inspect PM_INSPECT
 class type inspect CM_P2P
  drop log
 class type inspect CM_HTTP
  service-policy http PM_HTTPDPI
 class type inspect CM_INSPECT
 class class-default

zone security outside
zone security inside

zone-pair security in-out source inside destination outside
 service-policy type inspect PM_INSPECT

interface BVI1
 ip address
 ip nat inside
 ip virtual-reassembly
 zone-member security inside

interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 speed 100

Any help is appreciated!!
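One thing worth checking before digging into signatures is the shape of the policy itself. IOS evaluates the classes of a `policy-map type inspect` top-down and applies the first class whose class-map matches, so a P2P `drop` class only works if it sits above any class that matches generic `tcp`/`udp` (or `class-default`), and a class with nothing configured beneath it does nothing. The small linter below is an added example, not part of the original post and not a Cisco tool; it parses a constructed copy of the configuration above, reports the class order, and flags a drop class placed below a catch-all class or a class with no action in the pasted text (which may simply be a paste omission, since the poster says inspection otherwise works). The parsing rules and the `GENERIC_MATCHES` set are assumptions of the example.

```python
"""Linter for a pasted IOS zone-based firewall (ZFW) policy.

Added example, not part of the original post. CONFIG is a constructed copy
of the poster's class-maps and policy-maps; MISORDERED_CONFIG is a
constructed variant that shows what a bad ordering looks like.
"""

import re

CONFIG = """\
class-map type inspect match-any CM_INSPECT
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol tcp
 match protocol udp
class-map type inspect match-all CM_HTTP
 match protocol http
class-map type inspect http match-any CM_PORTMISUSE
 match request port-misuse p2p
 match request port-misuse tunneling
 match req-resp protocol-violation
class-map type inspect match-any CM_P2P
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
 match protocol gnutella
policy-map type inspect http PM_HTTPDPI
 class type inspect http CM_PORTMISUSE
policy-map type inspect PM_INSPECT
 class type inspect CM_P2P
  drop log
 class type inspect CM_HTTP
  service-policy http PM_HTTPDPI
 class type inspect CM_INSPECT
 class class-default
"""

# Constructed variant: the generic inspect class placed above the drop class.
MISORDERED_CONFIG = CONFIG.split("policy-map type inspect PM_INSPECT")[0] + """\
policy-map type inspect PM_INSPECT
 class type inspect CM_INSPECT
  inspect
 class type inspect CM_P2P
  drop log
 class class-default
"""

# Matches that accept any remaining session of that transport (assumption).
GENERIC_MATCHES = {"protocol tcp", "protocol udp", "protocol ip"}


def parse_zfw(text):
    """Return (class_maps, policy_maps).

    class_maps:  name -> list of match clauses (without the 'match ' prefix)
    policy_maps: name -> list of (class_name, [action lines]) in config order
    """
    class_maps, policy_maps = {}, {}
    current = None                      # ("cm" | "pm", name) or None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):     # top-level command opens a new block
            m = re.match(r"class-map type inspect (?:\S+ )?match-(?:any|all) (\S+)$", stripped)
            if m:
                current = ("cm", m.group(1))
                class_maps[m.group(1)] = []
                continue
            m = re.match(r"policy-map type inspect (?:\S+ )?(\S+)$", stripped)
            if m:
                current = ("pm", m.group(1))
                policy_maps[m.group(1)] = []
                continue
            current = None              # zones, interfaces etc. are ignored
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "cm" and stripped.startswith("match "):
            class_maps[name].append(stripped[len("match "):])
        elif kind == "pm":
            m = re.match(r"class (?:type inspect (?:\S+ )?)?(\S+)$", stripped)
            if m:
                policy_maps[name].append((m.group(1), []))
            elif policy_maps[name]:     # deeper-indented line: an action
                policy_maps[name][-1][1].append(stripped)
    return class_maps, policy_maps


def class_order(policy_maps, pm_name):
    """Class names in the order IOS evaluates them."""
    return [name for name, _ in policy_maps[pm_name]]


def catch_all_classes(class_maps, policy_maps, pm_name):
    """Classes that match any tcp/udp session not claimed by an earlier class."""
    return [name for name, _ in policy_maps[pm_name]
            if name == "class-default"
            or any(m in GENERIC_MATCHES for m in class_maps.get(name, []))]


def lint_policy(class_maps, policy_maps, pm_name):
    """Return human-readable findings for one policy-map."""
    order = class_order(policy_maps, pm_name)
    catch_alls = catch_all_classes(class_maps, policy_maps, pm_name)
    first_catch_all = order.index(catch_alls[0]) if catch_alls else None
    findings = []
    for name, actions in policy_maps[pm_name]:
        is_drop = any(a.startswith("drop") for a in actions)
        if is_drop and first_catch_all is not None and order.index(name) > first_catch_all:
            findings.append(f"{pm_name}/{name}: drop class sits below catch-all class "
                            f"{order[first_catch_all]}, so it is never reached")
        if not actions and name != "class-default":
            findings.append(f"{pm_name}/{name}: no action configured beneath this class in the pasted text")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", CONFIG), ("misordered", MISORDERED_CONFIG)):
        cms, pms = parse_zfw(text)
        print(f"[{label}] PM_INSPECT order: {class_order(pms, 'PM_INSPECT')}")
        for pm in pms:
            for finding in lint_policy(cms, pms, pm):
                print(f"[{label}] {finding}")
```

On the posted configuration the order is fine (`CM_P2P` is evaluated before the generic `CM_INSPECT` and `class-default`), so the linter only points out that `CM_INSPECT` and `CM_PORTMISUSE` have no action beneath them as pasted; the `%APPFW-6-P2P_PORT_HOP` line in the log names `CM_INSPECT` as the matching class, which is consistent with the session having reached the generic class rather than `CM_P2P`.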

Cisco Employee

Re: Cannot keep P2P blocked with ZFW