ZBF problem or IOS bug

Krasnoperov (Level 1)

Hi, I have simple rules in ZBF:

class-map type inspect match-all DMZ310_TO_INTERNET_PASS
 match access-group name DMZ310_TO_INTERNET_PASS
!
class-map type inspect match-all DMZ310->INTERNET_INSP_COMB
 match access-group name DMZ310_TO_INTERNET_INSPECT
 match class-map DMZ310->INT_INSPECTION_PROTOCOLS
!
class-map type inspect match-any DMZ310->INT_INSPECTION_PROTOCOLS
 description ---=============
 match protocol tcp
 match protocol icmp
 match protocol dns
 match protocol user-nashssh
 match protocol http
 match protocol udp
!
policy-map type inspect DMZ310->INTERNET_POLICY
 class type inspect DMZ310_TO_INTERNET_PASS
  pass
 class type inspect DMZ310->INTERNET_INSP_COMB
  inspect
 class class-default
  drop
!
zone security INTERNET
!
zone security DMZ310
!
zone-pair security DMZ310->INTERNET source DMZ310 destination INTERNET
 service-policy type inspect DMZ310->INTERNET_POLICY
!
interface GigabitEthernet0/1.310
 encapsulation dot1Q 310
 ip address 1.1.1.2 255.255.255.128
 ip nat outside
 ip virtual-reassembly in
 zone-member security DMZ310
 standby 3 ip 1.1.1.1
 standby 3 priority 15
 standby 3 preempt
 ip policy route-map BGP-DEFAULT-ROUTE
 service-policy input POLICE_DMZ310_IN
 service-policy output POLICE_DMZ310_OUT
!
interface GigabitEthernet0/1.301
 description -=ISP=-
 encapsulation dot1Q 301
 ip address 2.2.2.2 255.255.255.252
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security INTERNET
!
ip access-list extended DMZ310_TO_INTERNET_INSPECT
 permit icmp host 1.1.1.5 any
 permit ip host 1.1.1.5 any
 deny   ip any any

1) From host 1.1.1.5 I can ping any host on the INTERNET, and I see my session, but when I try any TCP connection it fails, and I see no session.

2) If I add this host to my passing ACL DMZ310_TO_INTERNET_PASS and backpass ACL INTERNET_TO_DMZ310_PASS

 permit icmp host 1.1.1.5 any
 permit ip host 1.1.1.5 any

it works, TCP works.

Why so?

Thanks
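The behaviour the question turns on is the difference between the two ZBF actions: "pass" forwards a matching packet statelessly, so the reply direction needs its own rule on the reverse zone-pair (the "backpass" ACL above), while "inspect" creates a session and admits the return traffic by itself. The model below is an added example, not code from this thread or from Cisco; it implements first-match class evaluation inside a policy-map, match-all versus match-any class-maps, and the stateless/stateful split, using the hosts and ACL entries posted above. Assumptions: the Internet peer 198.51.100.10 is a constructed documentation-range address, the `APP_PROTO` port table stands in for IOS protocol recognition, the user-defined `user-nashssh` protocol is omitted, and the backpass ACL is modelled as the mirror entry `permit ip any host 1.1.1.5`.

```python
"""Toy model of zone-based firewall (ZBF) policy evaluation (added example).

Models first-match class evaluation in a policy-map, 'match-all' versus
'match-any' class-maps, and the stateless 'pass' action versus the stateful
'inspect' action. Not Cisco's implementation; a teaching approximation.
"""
from dataclasses import dataclass, field

# Application names a 'match protocol <app>' line resolves to, keyed by
# (transport, destination port). Constructed for this demo.
APP_PROTO = {("tcp", 80): "http", ("tcp", 53): "dns", ("udp", 53): "dns"}


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _addr_matches(spec, ip):
    """ACL address field: 'any' or 'host A.B.C.D'."""
    return spec == "any" or spec == f"host {ip}"


def acl_permits(entries, pkt):
    """First-match ACL evaluation with the implicit 'deny ip any any'."""
    for action, proto, src, dst in entries:
        if proto in ("ip", pkt.proto) and _addr_matches(src, pkt.src) \
                and _addr_matches(dst, pkt.dst):
            return action == "permit"
    return False


def protocols_of(pkt):
    """Names a 'match protocol' line would recognize for this packet."""
    names = {pkt.proto}
    app = APP_PROTO.get((pkt.proto, pkt.dport))
    if app:
        names.add(app)
    return names


@dataclass
class ClassMap:
    name: str
    match_all: bool
    acl: list = None                              # match access-group name
    protocols: set = field(default_factory=set)   # match protocol ...
    nested: list = field(default_factory=list)    # match class-map ...

    def matches(self, pkt):
        criteria = []
        if self.acl is not None:
            criteria.append(acl_permits(self.acl, pkt))
        if self.protocols:
            criteria.append(bool(self.protocols & protocols_of(pkt)))
        criteria.extend(cm.matches(pkt) for cm in self.nested)
        return all(criteria) if self.match_all else any(criteria)


class ZoneFirewall:
    def __init__(self):
        self.policies = {}     # (src_zone, dst_zone) -> [(ClassMap, action)]
        self.sessions = set()  # 5-tuples created by 'inspect' only

    def add_zone_pair(self, src_zone, dst_zone, classes):
        self.policies[(src_zone, dst_zone)] = classes

    def forward(self, src_zone, dst_zone, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:       # return leg of an inspected flow
            return "inspect-return"
        for cm, action in self.policies.get((src_zone, dst_zone), []):
            if cm.matches(pkt):            # first matching class wins
                if action == "inspect":
                    self.sessions.add(key)  # 'pass' keeps no state
                return action
        return "drop"                      # class-default, or no zone-pair


def build_thread_config(pass_host_5=False):
    """Zone-pair DMZ310->INTERNET as posted. pass_host_5=True reproduces the
    poster's second test: 1.1.1.5 in the PASS ACL plus a backpass zone-pair."""
    pass_acl = [("permit", "ip", "host 1.1.1.10", "any")]
    if pass_host_5:
        pass_acl.append(("permit", "ip", "host 1.1.1.5", "any"))
    inspect_acl = [("permit", "icmp", "host 1.1.1.5", "any"),
                   ("permit", "ip", "host 1.1.1.5", "any"),
                   ("deny", "ip", "any", "any")]
    protos = ClassMap("DMZ310->INT_INSPECTION_PROTOCOLS", match_all=False,
                      protocols={"tcp", "icmp", "dns", "http", "udp"})
    pass_cm = ClassMap("DMZ310_TO_INTERNET_PASS", match_all=True, acl=pass_acl)
    insp_cm = ClassMap("DMZ310->INTERNET_INSP_COMB", match_all=True,
                       acl=inspect_acl, nested=[protos])
    fw = ZoneFirewall()
    fw.add_zone_pair("DMZ310", "INTERNET", [(pass_cm, "pass"), (insp_cm, "inspect")])
    if pass_host_5:  # assumed mirror of the poster's backpass ACL
        back = ClassMap("INTERNET_TO_DMZ310_PASS", match_all=True,
                        acl=[("permit", "ip", "any", "host 1.1.1.5")])
        fw.add_zone_pair("INTERNET", "DMZ310", [(back, "pass")])
    return fw


def run_demo():
    """Drive both configurations and return the verdict for each packet."""
    internet = "198.51.100.10"  # constructed documentation-range address
    syn = Packet("tcp", "1.1.1.5", internet, 40000, 443)
    syn_ack = Packet("tcp", internet, "1.1.1.5", 443, 40000)
    syn10 = Packet("tcp", "1.1.1.10", internet, 40001, 443)
    syn_ack10 = Packet("tcp", internet, "1.1.1.10", 443, 40001)
    fw = build_thread_config()
    results = {
        "host5_out": fw.forward("DMZ310", "INTERNET", syn),          # inspect
        "host5_back": fw.forward("INTERNET", "DMZ310", syn_ack),     # inspect-return
        "host10_out": fw.forward("DMZ310", "INTERNET", syn10),       # pass
        "host10_back": fw.forward("INTERNET", "DMZ310", syn_ack10),  # drop
    }
    fw2 = build_thread_config(pass_host_5=True)
    results["host5_passed_out"] = fw2.forward("DMZ310", "INTERNET", syn)       # pass
    results["host5_passed_back"] = fw2.forward("INTERNET", "DMZ310", syn_ack)  # pass
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18s} {verdict}")
```

Two things the run makes visible: host 1.1.1.10, which only hits the "pass" class, gets its SYN forwarded but its SYN/ACK dropped because no session exists and no INTERNET->DMZ310 zone-pair is defined, whereas host 1.1.1.5 under "inspect" gets the return leg admitted from the session table alone. Swapping the order of the two classes, as suggested later in the thread, only changes the outcome for a host that matches both ACLs, because the first matching class is the only one consulted. The model does not reproduce the failure the poster saw; the later reply that a renamed copy of the same policy worked points at something in the box's state rather than in the policy logic.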

6 Replies

Don't know if this has just been left since you did your "pass-test", but:

policy-map type inspect DMZ310->INTERNET_POLICY
 class type inspect DMZ310_TO_INTERNET_PASS   <----------------- Is treated before the inspect statement in the row after it
  pass
 class type inspect DMZ310->INTERNET_INSP_COMB
  inspect
 class class-default
  drop

And that class-map I'm pointing at matches an access-list that doesn't exist atm.

If you mean that I should just change PASS and put it after INSPECT, I did this, but nothing changed:

policy-map type inspect DMZ310->INTERNET_POLICY
 class type inspect DMZ310->INTERNET_INSP_COMB
  inspect
 class type inspect DMZ310_TO_INTERNET_PASS
  pass
 class class-default
  drop

In fact, the ACL in this rule

class type inspect DMZ310_TO_INTERNET_PASS

exists; I just forgot to paste it into my config in this discussion:

access list DMZ310_TO_INTERNET_PASS
 permit ip host 1.1.1.10 any
 deny ip any any

And I would remove the "permit icmp host 1.1.1.5 any" from the "DMZ310_TO_INTERNET_INSPECT" access-list:

ip access-list extended DMZ310_TO_INTERNET_INSPECT
 permit ip host 1.1.1.5 any

Because you already have ICMP in the "DMZ310->INT_INSPECTION_PROTOCOLS" class-map and maybe that is doing something weird, I don't know; worth a try!

And this I tried to do, but nothing changed.

Krasnoperov (Level 1)

Well, I think it's just a bug, because I just copied all my rules (policy-map, class-maps, ACLs), changed their names (added 1 at the end; the router changes their IDs, I suppose), pointed them at my zone-pair security, and it works fine!

class-map type inspect match-all DMZ310_TO_INTERNET_PASS1
 match access-group name DMZ310_TO_INTERNET_PASS1
!
class-map type inspect match-all DMZ310->INTERNET_INSP_COMB1
 match access-group name DMZ310_TO_INTERNET_INSPECT1
 match class-map DMZ310->INT_INSPECTION_PROTOCOLS1
!
class-map type inspect match-any DMZ310->INT_INSPECTION_PROTOCOLS1
 description ---=============
 match protocol tcp
 match protocol icmp
 match protocol dns
 match protocol user-nashssh
 match protocol http
 match protocol udp
!
policy-map type inspect DMZ310->INTERNET_POLICY1
 class type inspect DMZ310_TO_INTERNET_PASS1
  pass
 class type inspect DMZ310->INTERNET_INSP_COMB1
  inspect
 class class-default
  drop
!
zone security INTERNET
!
zone security DMZ310
!
zone-pair security DMZ310->INTERNET source DMZ310 destination INTERNET
 service-policy type inspect DMZ310->INTERNET_POLICY1
!
interface GigabitEthernet0/1.310
 encapsulation dot1Q 310
 ip address 1.1.1.2 255.255.255.128
 ip nat outside
 ip virtual-reassembly in
 zone-member security DMZ310
 standby 3 ip 1.1.1.1
 standby 3 priority 15
 standby 3 preempt
 ip policy route-map BGP-DEFAULT-ROUTE
 service-policy input POLICE_DMZ310_IN
 service-policy output POLICE_DMZ310_OUT
!
interface GigabitEthernet0/1.301
 description -=ISP=-
 encapsulation dot1Q 301
 ip address 2.2.2.2 255.255.255.252
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security INTERNET
!
ip access-list extended DMZ310_TO_INTERNET_INSPECT1
 permit icmp host 1.1.1.5 any
 permit ip host 1.1.1.5 any
 deny   ip any any

Ok, good! That's good to know.
