So here is the deal: normally I have a pretty simple ZBF outbound configuration. Basically it's below without the bold italics. If traffic is HTTP and the source IP isn't on a specific BYPASS-FILTER ACL it gets filtered; otherwise it gets inspected and allowed.
Now I have a customer who has an incredibly large list of ACL requirements, and his default position on outbound traffic is deny. We have created an ACL that replicates this called inside_access_in, and I have successfully applied it and have it working using the bold italics added below.
My problem is that once the ACL has allowed/denied the traffic, it does not appear to be inspecting it further. This really affects FTP traffic, as without inspection the connections don't always work properly. Is there a better way to do this? I don't have the full ACL below, but a good example portion of it.
Thanks in advance.
class-map type inspect match-any INSIDE_ACCESS_IN
 match access-group name inside_access_in
class-map type inspect match-any DEFAULT-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol sip
 match protocol rtsp
 match protocol tftp
 match protocol icmp
 match protocol skinny
class-map type inspect match-all NO-URL-FILTER
 match protocol http
 match access-group name BYPASS-FILTER
class-map type inspect match-all INTERNET-INBOUND
 match access-group name PERMIT-INTERNET
class-map type inspect match-any URL-FILTER
 match protocol http

policy-map type inspect PRIVATE-TO-PUBLIC
 class type inspect NO-URL-FILTER
  inspect
 class type inspect URL-FILTER
  inspect
  urlfilter SMARTFILTER
 class type inspect INSIDE_ACCESS_IN
  inspect
 class type inspect DEFAULT-TRAFFIC
  inspect
 class class-default
  drop

ip access-list extended inside_access_in
 permit ip object-group XXX_Servers any
 permit ip object-group XXX_NETWORK_3 any
 permit ip any object-group XXX_NETWORK_4
 deny ip any object-group RFC1918
 remark Internet Access
 permit tcp object-group WWWAccess any eq www 443
 remark Secure http access only
 permit tcp object-group SecureWWW any eq 443
 remark FTP Access
 permit object-group FTP object-group FTPAccess any
 remark FTP access for all users to these FTP sites
 permit object-group FTP any object-group FTPSites
OK, makes sense. Here is where the problem occurs: if somebody is in the top-level allow-anything line of the ACL, at that point I am only matching, presumably, on basic TCP/UDP inspection, and when you do that FTP doesn't always work unless you also enable FTP inspection like I do in my DEFAULT-TRAFFIC class.
So how do I get around that with my ACL? I can add a TCP rule for the allow-anything group with eq ftp, but will that trigger the proper inspection? Would I do the same thing I end up doing for FTP for any other protocols, like SIP, etc., that need more than base TCP/UDP inspection?
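One way to keep the customer's deny-by-default ACL and still get application-aware inspection (FTP, SIP, RTSP, TFTP, Skinny) is to nest the protocol class-map inside a match-all class-map next to the ACL, so a flow must be permitted by inside_access_in AND match a known protocol before it is inspected. This is an added example using Cisco IOS nested inspect class-maps (match class-map), not configuration from the original post; the class-map names PROTOCOLS-TO-INSPECT and INSIDE_ACCESS_IN-INSPECT are assumed, while the ACL and policy-map names are taken from the post.

```cisco
! Protocols that need stateful application inspection. ftp, sip, rtsp,
! tftp and skinny open secondary channels that plain tcp/udp inspection
! does not track, so list them before the generic tcp/udp fallbacks.
! (Class-map names below are assumed, not from the original post.)
class-map type inspect match-any PROTOCOLS-TO-INSPECT
 match protocol ftp
 match protocol sip
 match protocol rtsp
 match protocol tftp
 match protocol skinny
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! match-all: the flow must be permitted by the customer ACL AND match a
! protocol above. A deny (or no matching line) in inside_access_in means
! this class does not match, so the flow falls through to class-default.
class-map type inspect match-all INSIDE_ACCESS_IN-INSPECT
 match access-group name inside_access_in
 match class-map PROTOCOLS-TO-INSPECT
!
! The ACL only has to permit the FTP control channel (tcp/21); the ftp
! inspection engine opens the data channel pinholes as they are negotiated.
policy-map type inspect PRIVATE-TO-PUBLIC
 class type inspect INSIDE_ACCESS_IN-INSPECT
  inspect
 class class-default
  drop
```

One thing to check against the original PRIVATE-TO-PUBLIC policy: the NO-URL-FILTER and URL-FILTER classes match protocol http and sit before INSIDE_ACCESS_IN, so HTTP from any inside host is inspected before the deny-by-default ACL is ever consulted; if that ACL is meant to govern web traffic as well, those classes also need a match on an access-group.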