
New Member

Basic Zone Firewall not working

Hello, I configured the zone based firewall as shown below (it is a C2811 router).

Topology is:

Webserver(IP:10.2.0.100)----layer2switch----(fa0/0 IP:10.2.0.1) C2811 (fa0/1:10.4.0.1) ------------layer2switch---------clientPC(IP:10.4.0.4)

Behavior:
Before applying the class-map, I could ping from the webserver to the clientPC and vice versa OK.

Issue:
I applied the config as below. I was expecting that only http traffic would go through the zonefw.

Instead, all traffic continues to flow normally. What is wrong?

hostname zonefw
no ip domain-lookup
!
class-map type inspect match-all http
 match protocol http
!
policy-map type inspect http
 class type inspect http
  inspect
!
!
!
zone security internal
zone security external
zone-pair security myinbound source external destination internal
 service-policy type inspect http
zone-pair security myoutbound source internal destination external
 service-policy type inspect http
!
interface FastEthernet0/0
 ip address 10.2.0.1 255.254.0.0
 zone-member security internal
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.4.0.1 255.254.0.0
 zone-member security external
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!

3 REPLIES
Hall of Fame Super Silver

You did not configure (or did you remove it intentionally?) a class class-default. This is used by the firewall to drop (default behavior) any traffic not matching the earlier referenced class(es).

Reference.
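The configuration in the question and the class-default point in this reply can both be checked mechanically before touching the router. The script below is an added example, not code from the thread or from Cisco: it parses the ZBF-relevant lines of a running-config (only the command forms that appear in the posted config are understood) and reports dangling policy-map or class-map references, routed interfaces left out of every zone, zone-pairs without a policy, and policy-maps that rely on the implicit class-default drop. SAMPLE_CONFIG is a constructed copy of the poster's configuration; the finding texts are my wording.

```python
"""Structural checks over a Cisco IOS zone-based firewall (ZBF) configuration.

Added example, not code from the thread: it parses the ZBF-relevant lines of a
running-config and flags dangling policy-map/class-map references, routed
interfaces in no zone, and policy-maps relying on the implicit class-default
drop. SAMPLE_CONFIG is a constructed copy of the configuration in the question.
"""
import re
from collections import defaultdict
SAMPLE_CONFIG = """\
class-map type inspect match-all http
 match protocol http
policy-map type inspect http
 class type inspect http
  inspect
zone security internal
zone security external
zone-pair security myinbound source external destination internal
 service-policy type inspect http
zone-pair security myoutbound source internal destination external
 service-policy type inspect http
interface FastEthernet0/0
 ip address 10.2.0.1 255.254.0.0
 zone-member security internal
interface FastEthernet0/1
 ip address 10.4.0.1 255.254.0.0
 zone-member security external
"""


def parse_zbf(config):
    """Collect class-maps, policy-maps, zones, zone-pairs and interfaces."""
    cfg = {"class_maps": {}, "policy_maps": {}, "zones": set(),
           "zone_pairs": {}, "interfaces": {}}
    section = cur_class = None  # enclosing block; class open inside a policy-map
    for raw in config.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if not raw.startswith(" "):  # an unindented line starts a new block
            section = cur_class = None
            if m := re.match(r"class-map type inspect (match-all|match-any) (\S+)$", s):
                cfg["class_maps"][m[2]] = {"mode": m[1]}
                section = ("class", m[2])
            elif m := re.match(r"policy-map type inspect (\S+)$", s):
                cfg["policy_maps"][m[1]] = {}  # class name -> action line
                section = ("policy", m[1])
            elif m := re.match(r"zone security (\S+)$", s):
                cfg["zones"].add(m[1])
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", s):
                cfg["zone_pairs"][m[1]] = {"src": m[2], "dst": m[3], "policy": None}
                section = ("pair", m[1])
            elif m := re.match(r"interface (\S+)$", s):
                cfg["interfaces"][m[1]] = {"ip": None, "zone": None}
                section = ("intf", m[1])
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "policy":
            if m := re.match(r"class (?:type inspect )?(\S+)$", s):
                cur_class = m[1]
                cfg["policy_maps"][name][cur_class] = None
            elif cur_class is not None:  # inspect / pass / drop [log]
                cfg["policy_maps"][name][cur_class] = s
        elif kind == "pair" and (m := re.match(r"service-policy type inspect (\S+)$", s)):
            cfg["zone_pairs"][name]["policy"] = m[1]
        elif kind == "intf":
            if m := re.match(r"ip address (\S+) (\S+)$", s):
                cfg["interfaces"][name]["ip"] = (m[1], m[2])
            elif m := re.match(r"zone-member security (\S+)$", s):
                cfg["interfaces"][name]["zone"] = m[1]
    return cfg


def audit_zbf(cfg):
    """Return (severity, message) findings in a deterministic order."""
    out, members = [], defaultdict(list)
    for iname, i in cfg["interfaces"].items():
        if i["zone"]:
            members[i["zone"]].append(iname)
        elif i["ip"]:  # addressed but in no zone: ZBF drops traffic to/from zoned interfaces
            out.append(("warn", f"{iname}: routed interface in no zone; traffic between it and zoned interfaces is dropped"))
    for pname, p in cfg["zone_pairs"].items():
        for z in (p["src"], p["dst"]):
            if z != "self" and z not in cfg["zones"]:
                out.append(("error", f"zone-pair {pname}: zone '{z}' is not defined"))
            elif z != "self" and not members[z]:
                out.append(("warn", f"zone-pair {pname}: zone '{z}' has no member interface"))
        if p["policy"] not in cfg["policy_maps"]:  # None (no policy) or a missing name
            out.append(("error", f"zone-pair {pname}: service-policy {p['policy']!r} is not a defined inspect policy-map"))
    for pmname, classes in cfg["policy_maps"].items():
        for cname, action in classes.items():
            if cname != "class-default" and cname not in cfg["class_maps"]:
                out.append(("error", f"policy-map {pmname}: class-map '{cname}' is not defined"))
            elif action is None:
                out.append(("warn", f"policy-map {pmname}: class '{cname}' has no action"))
        if "class-default" not in classes:
            out.append(("info", f"policy-map {pmname}: implicit class-default drops unmatched traffic silently; 'class class-default' with 'drop log' makes those drops visible"))
    return out
```

Run against the posted configuration, the only finding is the informational one about the implicit class-default: structurally the zones, zone-pairs, policy-map and class-map all line up, which is why the next step has to be the counters on the box rather than the config text.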

New Member

I see the class-default is hidden, but when I run the command below, it shows up. Still no success though; it seems the class-map http is not even getting hits. All protocols are allowed at this point. Any ideas?

zonefw#sh policy-map type inspect zone-pair sessions
Zone-pair: external-internal

  Service-policy inspect : http

    Class-map: http (match-all)
      Match: protocol http 
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
Zone-pair: internal-external

  Service-policy inspect : http

    Class-map: http (match-all)
      Match: protocol http 
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
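The useful detail in that output is not just that the http class has no hits: the class-default drop counter is also zero in both zone-pairs, so the zone-pair policies are not processing any packets at all, which points at something before the policy (zone membership, the forwarding path, or the feature licensing raised in the next reply) rather than at the class-map. The script below is an added example, not from the thread or from Cisco, that parses `show policy-map type inspect zone-pair sessions` output and lists the zone-pairs whose counters are all zero. POSTED_OUTPUT is the output from this post; ACTIVE_OUTPUT is constructed to show a policy that is in the path, and the `Number of Established Sessions = N` line it contains is my assumption about how IOS reports open sessions under an inspect class, since the posted output has none.

```python
"""Parse 'show policy-map type inspect zone-pair sessions' and flag zone-pairs
whose policy is not seeing traffic.

Added example, not code from the thread. POSTED_OUTPUT is the output from the
question; ACTIVE_OUTPUT is constructed, and its 'Number of Established
Sessions' line is an assumed IOS format not present in the posted output.
"""
import re

POSTED_OUTPUT = """\
Zone-pair: external-internal

  Service-policy inspect : http

    Class-map: http (match-all)
      Match: protocol http
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
Zone-pair: internal-external

  Service-policy inspect : http

    Class-map: http (match-all)
      Match: protocol http
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
"""

# Constructed: the same policy once traffic is actually being classified.
ACTIVE_OUTPUT = """\
Zone-pair: internal-external

  Service-policy inspect : http

    Class-map: http (match-all)
      Match: protocol http
      Inspect
        Number of Established Sessions = 2
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        37 packets, 2960 bytes
"""


def parse_zone_pair_sessions(text):
    """Return {zone_pair: {class_name: {'action', 'packets', 'bytes', 'sessions'}}}."""
    result, pair, cls = {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"Zone-pair: (\S+)", s):
            pair = result.setdefault(m[1], {})
            cls = None
        elif m := re.match(r"Class-map: (\S+) \((match-all|match-any)\)", s):
            cls = pair.setdefault(m[1], {"action": None, "packets": 0, "bytes": 0, "sessions": 0})
        elif cls is None:
            continue  # header lines such as 'Service-policy inspect : http'
        elif m := re.match(r"(\d+) packets, (\d+) bytes", s):
            cls["packets"], cls["bytes"] = int(m[1]), int(m[2])
        elif m := re.match(r"Number of Established Sessions = (\d+)", s):
            cls["sessions"] = int(m[1])
        elif s.startswith(("Inspect", "Drop", "Pass")):
            cls["action"] = s  # the class action line, e.g. 'Drop (default action)'
    return result


def idle_zone_pairs(parsed):
    """Zone-pairs whose every class, class-default included, is at zero.

    A zero drop counter on class-default means no packet reached the policy,
    so the cause lies before the policy, not in the class-map definitions."""
    return [pair for pair, classes in parsed.items()
            if sum(c["packets"] + c["sessions"] for c in classes.values()) == 0]
```

For the posted output both zone-pairs come back idle; for the constructed ACTIVE_OUTPUT none does, and the per-class dictionaries show the inspect sessions and the class-default drops separately so a mis-classification (hits landing in class-default instead of http) is distinguishable from a policy that is not in the path at all.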

Hall of Fame Super Silver

That does look odd. You do have the prerequisite security license, yes?
