
inspection_default h323 ras - how to exclude a network

hi,

In my firewall blade, I've configured the inspection:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

The problem is that some objects in my network do not work with this feature:

show service-policy global

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 25932093, drop 0, reset-drop 0
      Inspect: ftp, packet 659, drop 0, reset-drop 0
      Inspect: h323 h225, packet 1336680, drop 0, reset-drop 35
      Inspect: h323 ras, packet 39160944, drop 9650, reset-drop 0
      Inspect: netbios, packet 1663045, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0

-------------------------------------------------------

I simply want to exclude the network 192.168.54.0/24 from the policy.

In a route-map (and an access-list) I can use a match clause to exclude a network, but in my case can I use that workaround to keep the inspection for all networks except that single network?

Thanks for your help

FCostalunga

1 REPLY

inspection_default h323 ras - how to exclude a network

OK, the solution should be like this:

Call the ACL under class-map inspection_default.

STEP-1

access-list xxxx deny tcp  
access-list xxxx permit ip any any

This will be for whatever you don't want to match.

STEP-2

class-map inspection_default
 match default-inspection-traffic
 match access-list xxxx

The condition on class-map inspection_default would be that traffic must match both match statements.

Traffic denied by the ACL would be exempt from inspection.

Thanks

Ajay
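A complete worked configuration for the approach Ajay describes, added here as an example; it is not part of either post. The ACL and class names, the interface name `inside`, and the packet-tracer addresses are assumptions; 192.168.54.0/24 is the network from the question. One caveat worth knowing before applying it: `class-map inspection_default` is match-all, so an ACL attached to it narrows the traffic for every `inspect` under `class inspection_default`, and the excluded network loses all of those inspections, not only h323 ras. The second variant in the example keeps the other inspections by moving only the H.323 inspections into their own class matched by a dedicated ACL.

```cisco
! --- Variant A: exempt 192.168.54.0/24 from every inspection in inspection_default ---
! Deny entries select the traffic to exclude; the final permit keeps everything else.
! (ACL name INSPECT_EXEMPT is an assumption; ASA ACLs take a subnet mask, not a wildcard.)
access-list INSPECT_EXEMPT extended deny ip 192.168.54.0 255.255.255.0 any
access-list INSPECT_EXEMPT extended deny ip any 192.168.54.0 255.255.255.0
access-list INSPECT_EXEMPT extended permit ip any any
!
! inspection_default is match-all: a packet must hit default-inspection-traffic AND be
! permitted by the ACL to be inspected, so traffic denied above is exempt from ALL
! inspects configured under class inspection_default in global_policy.
class-map inspection_default
 match default-inspection-traffic
 match access-list INSPECT_EXEMPT
!
! --- Variant B: exempt the network from h323 ras / h225 only, keep the other inspections ---
! Dedicated class for the H.323 ports, matched by an ACL whose deny lines exclude the network.
! (Class and ACL names are assumptions; ports are the H.323 defaults: UDP 1718-1719 RAS, TCP 1720 H.225.)
access-list H323_INSPECT extended deny ip 192.168.54.0 255.255.255.0 any
access-list H323_INSPECT extended deny ip any 192.168.54.0 255.255.255.0
access-list H323_INSPECT extended permit udp any any range 1718 1719
access-list H323_INSPECT extended permit tcp any any eq 1720
!
class-map H323_CLASS
 match access-list H323_INSPECT
!
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
 class H323_CLASS
  inspect h323 h225
  inspect h323 ras
!
! --- Verification ---
! Confirm the class now carries the ACL match and that the h323 ras drop counter for the
! excluded network stops increasing; packet-tracer shows whether a flow from the excluded
! subnet still reaches the inspect action (interface "inside" and addresses are constructed).
show service-policy global
packet-tracer input inside udp 192.168.54.10 1719 10.0.0.1 1719
```

Use Variant A when the whole network should bypass inspection_default; use Variant B when, as the question's title suggests, only the H.323 inspections are the problem, so DNS, FTP, SIP and the rest keep inspecting that subnet. In both variants the `deny` lines must precede the `permit`, since the ACL is evaluated top-down and a deny match is what removes traffic from the class.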
