topic class-map type inspect match in Network Security

%FW-6-DROP_PKT: Dropping icmp session

sdawson14 — Tue, 12 Mar 2019 05:51:51 GMT

Hi All,

I am getting an error message on a Cisco 887 - *Apr 29 13:47:39.901: %FW-6-DROP_PKT: Dropping icmp session 37.157.53.34:0 192.168.1.58:0 on zone-pair ZP_WAN>LAN class class-default due to DROP action found in policy-map with ip ident 0

Unfortunately I don't know much about the zone based firewall which seems to be the problem, the firewall configuration is below:

zone security LAN
zone security WAN
zone-pair security ZP_LAN>WAN source LAN destination WAN
service-policy type inspect PM_LAN>WAN
zone-pair security ZP_WAN>LAN source WAN destination LAN
service-policy type inspect PM_WAN>LAN

What is going wrong? I am unable to SSH onto the device as well!

Any help would be amazing! Thank you all!

Simon

Hi,I think as per the ICMP

Vibhor Amrodia — Wed, 29 Apr 2015 14:38:36 GMT

Hi,

I think as per the ICMP not working through the ZBF policies , you need to either inspect the ICMP traffic or Pass this traffic through both the Inbound policies on both the interfaces.

As per the SSH not working , do you have any self zone ? If not , check the Line configuration and related SSH configuration.

Thanks and Regards,

Vibhor Amrodia

Hiyou have a policy applied

Mark Malone — Wed, 29 Apr 2015 14:40:33 GMT

you have a policy applied to the wan and lan , this policy must be blocking those specific services , you need to check exactly what the policy is at and tweak it to allow what you want or disable zone of the interface by removing the service-policy

HI. Can you please post the

Andre Neethling — Thu, 30 Apr 2015 11:39:33 GMT

HI. Can you please post the following output from your config?

These 2 policy maps:

PM_LAN>WAN
PM_WAN>LAN

And the Class Maps that are configured under those policy maps

class-map type inspect match

sdawson14 — Thu, 30 Apr 2015 15:26:17 GMT

class-map type inspect match-any CM_LAN_TRAFFIC
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all CM_WAN_TRAFFIC
match access-group name ACL_WAN>LAN
!
policy-map type inspect PM_WAN>LAN
class type inspect CM_WAN_TRAFFIC
inspect
class class-default
drop log
policy-map type inspect PM_LAN>WAN
class type inspect CM_LAN_TRAFFIC
inspect
class class-default
drop log

Hi. It's quite possible that

Andre Neethling — Thu, 30 Apr 2015 17:32:10 GMT

Hi. It's quite possible that you are nit allowing ICMP from your WAN to LAN service policy. That is a good thing, unless you need to allow ping from the WAN interface. Are you aware of any icmp traffic coming in from the WAN? If not then someone is trying to ping your router. If you need to allow icmp then all you need to do is add a permit icmp line to the access list ACL_WAN>LAN