topic CSM - Bug deploying ZoneBased Firewall Rules to Router in Network Security

CSM - Bug deploying ZoneBased Firewall Rules to Router

leonardomachado — Tue, 12 Mar 2019 03:20:46 GMT

Hi,

When I try to deploy ZBFW rules to my router, CSM gives me the following error:

%No specific protocol or access-group configured in class CSM_ZBF_CLASS_MAP_6 for inspection. All packets will be dropped

CSM_ZBF_CLASS_MAP_6

It is also deploying strange commands like:

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4

match access-group name ###CMAP_ACLNAME6

no match access-group name CSM_ZBF_CMAP_ACL_4

exit

Have you ever seen it before? Why is it asking about and ACL that does not exist? Why is it issuing strange commands?

I may provide you with further information, if you wish.

Thank you.

CSM - Bug deploying ZoneBased Firewall Rules to Router

Julio Carvajal — Sat, 21 Dec 2013 01:02:25 GMT

Hello Leonardo,

I will never recommend to do any Firewall Configuration via SDM, CCP or SDM. Things will just not work as they should (All of this based on my experience).

I have seen both of them in the past.

I would recommend to provide us the config and then we will tell you if we see something strange but try to do this via CLI (Trust me, U need this)

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

CSM - Bug deploying ZoneBased Firewall Rules to Router

leonardomachado — Tue, 24 Dec 2013 11:05:31 GMT

But that is the main reason of CSM product existence! It should centralize security configuration. I have 40 routers to manage and I definitely cannot manage Zone Based Firewall and ACL via CLI in this scenario. I have never faced any problem with ASDM while managing my ASA and FWSM.

CSM - Bug deploying ZoneBased Firewall Rules to Router

Julio Carvajal — Tue, 24 Dec 2013 17:06:14 GMT

So my answer was sort of useful hahaha.

The configuration of ZBFW is pretty complex and involves the definition of multiple parameters.

As I said my recommendation will always be do it from CLI, if you do not know how or need assitance with that then get Cisco TAC on the line or get someone that knows about it.

From the first log you posted I have seen it in the past when using an ACL to match traffic and have not cause any issues.

Now for this:

class-map type inspect match-all CSM_ZBF_CLASS_MAP_4

match access-group name ###CMAP_ACLNAME6

no match access-group name CSM_ZBF_CMAP_ACL_4

exit

It's just removing the use of an ACL to then match another traffic with a different ACL so not big deal.

The only way to detemrine whether the configuration is good or not is to analize the entire configuration with what you are trying to do!!

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

CSM - Bug deploying ZoneBased Firewall Rules to Router

leonardomachado — Wed, 19 Feb 2014 13:29:23 GMT

The problem was that INSPECT rules need INSPECT protocols to be specified ! Otherwise it must me PASS flow

In my opinion it's a bug or bad programing in CSM interface. If inspect NEED a protocol it should be forced to input this information before deploying it!

Anyway, thks for helping.