topic Gmail and Yahoo not accessible after zbfw implementation in Network Security

Gmail and Yahoo not accessible after zbfw implementation

Yadhu Tony — Tue, 12 Mar 2019 04:57:44 GMT

Hi,

I have implemented zbfw on Cisco 1800 series router. But after the implementation I could see that Gmail/Yahoo is not loading.Please could some one look into my config and advise. I can access all other websites without any issues.

class-map type inspect match-all ICMP
match protocol icmp
class-map type inspect match-all SMTP
match protocol smtp
class-map type inspect match-all HTTP-ACCESS
match protocol http
class-map type inspect match-all UDP
match protocol udp
class-map type inspect match-all HTTPs-ACCESS
match protocol https
class-map type inspect match-all TCP
match protocol tcp
class-map type inspect match-all DNS
match protocol dns
class-map type inspect match-all POP3
match protocol pop3
!
!
policy-map type inspect in-to-out-policy
class type inspect HTTPs-ACCESS
pass
class type inspect HTTP-ACCESS
inspect
class type inspect UDP
inspect
class type inspect TCP
inspect
class type inspect DNS
inspect
class type inspect SMTP
inspect
class type inspect POP3
inspect
class type inspect ICMP
inspect
class class-default
policy-map type inspect out-to-in-policy
class class-default
drop
!
zone security inside
zone security outside
zone-pair security in-to-out source inside destination outside
service-policy type inspect in-to-out-policy
zone-pair security out-to-in source outside destination inside
service-policy type inspect out-to-in-policy

Many thanks,

Hi,I think the configuration

Vibhor Amrodia — Tue, 21 Oct 2014 09:13:11 GMT

Hi,

I think the configuration looks good. Would you be able to try to enable logging for dropped packets and see if you see any packets being dropped ?

ip inspect log drop-pkt

Also , as a test , try to change class class-default in policy-map type inspect in-to-out-policy and see if this makes it work ?

Thanks and Regards,

Vibhor Amrodia

HiI think the problem is

Henrik Grankvist — Tue, 21 Oct 2014 09:29:59 GMT

I think the problem is:

policy-map type inspect in-to-out-policy
class type inspect HTTPs-ACCESS
pass

The HTTPS traffic is allowed out, but the return traffic will be blocked. Gmail is HTTPS, but I would think that any HTTPS website would not work.

Hi Thanks for your reply

Yadhu Tony — Tue, 21 Oct 2014 11:24:31 GMT

Thanks for your reply.

Sorry, I have put the pass command only for testing and wrongly copied the config with that. The actual configuration contain inspect for HTTPS. It is quite strange that all other HTTPS websites are working without any issue.

We are running version 12.3(8r)YH12 . Would this be the issue?

Appreciate your help on this.

Regards,

Hi Vibhor,Thanks for your

Yadhu Tony — Tue, 21 Oct 2014 11:41:18 GMT

Hi Vibhor,

Thanks for your reply. I doubt whether the issue is due to the IOS version 12.3(8r)YH12 which is loaded in our router as I could see that Cisco introduced zbfw in 12.4(6)T ?

I will try ip inspect log drop-pkt and will let you know the outcome.

Many thanks,