ZBF Class-map and different way of doing them

Hi people, just thought I would ask a question on how to set up a ZBF (question at the end of the example configs).

I have been playing with this for a while now and would like to get advice on which is the recommended way of doing multiple matches.

OK, we all know the basics:

class-map type inspect match-any ZBF_CM_ICMP
 match protocol icmp
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
 class type inspect ZBF_CM_ICMP
  inspect

and then the ZP doesn't need to be shown; this is a simple map using NBAR, fair enough.

Then we could do multiple matches:

class-map type inspect match-any ZBF_CM_STD_DMZ_PORTS
 match protocol icmp
 match protocol http
 match protocol dns
 match protocol https
policy-map type inspect ZBF_PM_DMZ->EXTERNAL
 class type inspect ZBF_CM_STD_DMZ_PORTS
  inspect

OK, still easy to understand, but now comes the bit that is a little more complex: non-NBAR matches.

ip access-list extended AL_RDP_PORT
 permit tcp any any eq 3389
class-map type inspect match-all ZBF_CM_RDP
 match access-group name AL_RDP_PORT
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
 class type inspect ZBF_CM_RDP
  inspect

This config is now using an access list because NBAR doesn't have the protocol in it, then maps the AL to the CM, then the CM to the PM. The next example is what I set up to get more non-NBAR ports, and only for 1 host:

ip access-list extended AL_HOST_IP_IN
 permit ip any host 11.11.11.11
ip access-list extended AL_ISATAP
 permit 41 any any
ip access-list extended AL_TEREDO
 permit udp any any eq 3544
class-map type inspect match-any ZBF_CM_DirectAccess_Protocols
 description Nested Class Map
 match access-group name AL_ISATAP
 match access-group name AL_TEREDO
 match protocol https
class-map type inspect match-all ZBF_CM_APP_IN
 match access-group name AL_HOST_IP_IN
 ! the nested class-map is referenced with match class-map, not match access-group
 match class-map ZBF_CM_DirectAccess_Protocols
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
 class type inspect ZBF_CM_APP_IN
  inspect
  ! (or pass with a rule for the other direction)

This is what I set up and it works (not for this example, but the rule flow). I then was having issues with DMVPN and ZBF (turned out to be an IOS bug annoying me), but I used Cisco CP to set up the ZBF automatically for the DMVPN, and its ZBF rules were the same procedure as below.

ip access-list extended AL_HOST_IP_IN
 permit ip any host 11.11.11.11
ip access-list extended AL_ISATAP
 permit 41 any any
ip access-list extended AL_TEREDO
 permit udp any any eq 3544
class-map type inspect match-any CM_ISATAP
 match access-group name AL_ISATAP
class-map type inspect match-any CM_TEREDO
 match access-group name AL_TEREDO
class-map type inspect match-any ZBF_CM_DirectAccess_Protocols
 description Nested Class Map
 match class-map CM_ISATAP
 match class-map CM_TEREDO
 match protocol https
class-map type inspect match-all ZBF_CM_APP_IN
 match access-group name AL_HOST_IP_IN
 ! the nested class-map is referenced with match class-map, not match access-group
 match class-map ZBF_CM_DirectAccess_Protocols
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
 class type inspect ZBF_CM_APP_IN
  inspect

So what Cisco CP did was make yet another level of nesting: rather than the match-all class-map having the match access-list command, it made a CM with the access list, and then the main class-map had only other match class-map commands in it.

QUESTION:

Why did Cisco CP do the extra nesting?

Both ways worked, but I would like to know why Cisco CP did the same thing with the other layer of CM. Did it do this for best practice, or does this make changes later easier? I can't understand what the advantage to doing it this way is... but if there is a valid reason then great, I'm just trying to understand.

thanks

regards

A very sore-headed

Dave
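As an added example (not code from the post or from Cisco): a small Python lint that walks ZBF config of the shape above and reports every `match access-group name` or `match class-map` reference that does not resolve to a defined ACL or class-map, the kind of slip that is easy to make once class-maps are nested. The config inside it is a constructed copy of the first DirectAccess policy with the nested class-map referenced as if it were an ACL; it assumes IOS-style one-space submode indentation and nothing else.

```python
import re
# Constructed sample, not from a live device: the first DirectAccess policy,
# with the nested class-map referenced as if it were an ACL.
SAMPLE_CONFIG = """\
ip access-list extended AL_HOST_IP_IN
 permit ip any host 11.11.11.11
ip access-list extended AL_ISATAP
 permit 41 any any
ip access-list extended AL_TEREDO
 permit udp any any eq 3544
class-map type inspect match-any ZBF_CM_DirectAccess_Protocols
 match access-group name AL_ISATAP
 match access-group name AL_TEREDO
 match protocol https
class-map type inspect match-all ZBF_CM_APP_IN
 match access-group name AL_HOST_IP_IN
 match access-group name ZBF_CM_DirectAccess_Protocols
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
 class type inspect ZBF_CM_APP_IN
  inspect
"""

def parse_zbf(config):
    # Returns ACL names, class-maps {name: {mode, refs}} and class-maps used by policy-maps.
    acls, cmaps, policy_refs, current = set(), {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m[1]); current = None
        elif m := re.match(r"class-map type inspect (match-any|match-all) (\S+)", line):
            current = cmaps.setdefault(m[2], {"mode": m[1], "refs": []})
        elif line.startswith("policy-map"): current = None
        elif m := re.match(r"class type inspect (\S+)", line):
            policy_refs.append(m[1])
        elif (m := re.match(r"match (access-group name|class-map) (\S+)", line)) and current:
            current["refs"].append(("acl" if m[1].startswith("access") else "cmap", m[2]))
    return acls, cmaps, policy_refs

def dangling_references(config):
    # One finding for every ACL or class-map reference that resolves to nothing.
    acls, cmaps, policy_refs = parse_zbf(config)
    findings = []
    for name, cm in cmaps.items():
        for kind, target in cm["refs"]:
            if target in (acls if kind == "acl" else cmaps):
                continue  # reference resolves to an object of the right type
            hint = " (it is a class-map: use 'match class-map')" if target in cmaps else ""
            findings.append(f"{name} ({cm['mode']}): {kind} '{target}' undefined{hint}")
    findings += [f"policy-map: class-map '{c}' undefined" for c in policy_refs if c not in cmaps]
    return findings
```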
