Cisco Support Community
Community Member

CSM - Bug deploying ZoneBased Firewall Rules to Router

Hi,

When I try to deploy ZBFW rules to my router, CSM gives me the following error:

%No specific protocol or access-group configured in class CSM_ZBF_CLASS_MAP_6 for inspection. All packets will be dropped

CSM_ZBF_CLASS_MAP_6

It is also deploying strange commands like:

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
 match access-group name ###CMAP_ACLNAME6
 no match access-group name CSM_ZBF_CMAP_ACL_4
 exit

Have you ever seen it before? Why is it asking about an ACL that does not exist? Why is it issuing strange commands?

I may provide you with further information, if you wish.

Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions

CSM - Bug deploying ZoneBased Firewall Rules to Router

Hello Leonardo,

I will never recommend doing any firewall configuration via SDM, CCP or SDM. Things will just not work as they should (all of this is based on my experience).

I have seen both of them in the past.

I would recommend providing us the config and then we will tell you if we see something strange, but try to do this via CLI (trust me, you need this).

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
4 REPLIES

Community Member

CSM - Bug deploying ZoneBased Firewall Rules to Router

But that is the main reason for the CSM product's existence! It should centralize security configuration. I have 40 routers to manage and I definitely cannot manage Zone Based Firewall and ACLs via CLI in this scenario. I have never faced any problem with ASDM while managing my ASA and FWSM.

CSM - Bug deploying ZoneBased Firewall Rules to Router

So my answer was sort of useful hahaha.

The configuration of ZBFW is pretty complex and involves the definition of multiple parameters.

As I said, my recommendation will always be to do it from the CLI; if you do not know how or need assistance with that, then get Cisco TAC on the line or get someone that knows about it.

From the first log you posted: I have seen it in the past when using an ACL to match traffic and it has not caused any issues.

Now for this:

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
 match access-group name ###CMAP_ACLNAME6
 no match access-group name CSM_ZBF_CMAP_ACL_4
 exit

It's just removing the use of an ACL to then match other traffic with a different ACL, so no big deal.

The only way to determine whether the configuration is good or not is to analyze the entire configuration against what you are trying to do!!

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

CSM - Bug deploying ZoneBased Firewall Rules to Router

The problem was that INSPECT rules need INSPECT protocols to be specified! Otherwise it must be a PASS flow.

In my opinion it's a bug or bad programming in the CSM interface. If inspect NEEDS a protocol, it should be forced to input this information before deploying it!

Anyway, thanks for helping.
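The last reply names the actual condition behind the "%No specific protocol or access-group configured ... All packets will be dropped" warning: a class-map that a policy-map applies the inspect action to needs at least one match protocol line, while an ACL-only class-map is fine under pass. The following pre-deployment check is an added example, not code from the thread, CSM or IOS; it parses a constructed config that reproduces the pattern CSM generated (class-map and ACL names mirror the thread, ACL_ONLY_PASS and MGMT_ACL are made up) and lists the class-maps that would be inspected with no protocol.

```python
import re
# Constructed IOS ZBFW sample (not from the thread): CSM_ZBF_CLASS_MAP_6 matches only an ACL
# yet is inspected; CSM_ZBF_CLASS_MAP_4 adds a protocol; ACL_ONLY_PASS is ACL-only but passed.
SAMPLE_CONFIG = """\
class-map type inspect match-all CSM_ZBF_CLASS_MAP_6
 match access-group name CSM_ZBF_CMAP_ACL_6
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
 match access-group name CSM_ZBF_CMAP_ACL_4
 match protocol http
class-map type inspect match-all ACL_ONLY_PASS
 match access-group name MGMT_ACL
policy-map type inspect CSM_ZBF_POLICY_MAP_1
 class type inspect CSM_ZBF_CLASS_MAP_6
  inspect
 class type inspect CSM_ZBF_CLASS_MAP_4
  inspect
 class type inspect ACL_ONLY_PASS
  pass
"""

def parse_zbfw(config):
    """Return (class_maps, actions): class-map -> set of match keywords; policy-map -> {class: action}."""
    class_maps, actions = {}, {}
    cur_cmap = cur_pmap = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"(class-map|policy-map) type inspect (?:match-\w+ )?(\S+)$", line)
        if m:  # section header: enter class-map or policy-map scope
            cur_cmap = m.group(2) if m.group(1) == "class-map" else None
            cur_pmap = m.group(2) if m.group(1) == "policy-map" else None
            cur_class = None
            continue
        if cur_cmap and line.startswith("match "):       # e.g. 'match protocol http'
            class_maps.setdefault(cur_cmap, set()).add(line.split()[1])
        elif cur_pmap:
            m = re.match(r"class (?:type inspect )?(\S+)$", line)
            if m:
                cur_class = m.group(1)
            elif cur_class and line.split()[0] in ("inspect", "pass", "drop"):
                actions.setdefault(cur_pmap, {})[cur_class] = line.split()[0]
    return class_maps, actions

def find_inspect_without_protocol(config):
    """Class-maps some policy-map inspects that carry no 'match protocol': IOS warns and drops their traffic."""
    class_maps, actions = parse_zbfw(config)
    return sorted({c for classes in actions.values() for c, a in classes.items()
                   if a == "inspect" and "protocol" not in class_maps.get(c, set())})
```

Running the check over the sample returns only CSM_ZBF_CLASS_MAP_6; adding a match protocol line to that class-map, or changing its action to pass, clears the finding.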
