topic default class map is dropping all Packets in Network Security https://community.cisco.com/t5/network-security/default-class-map-is-dropping-all-packets/m-p/2047935#M439013 <HTML><HEAD></HEAD><BODY><P>Hello Charlie,</P><P></P><P>I would recomend you to investigate a little bit more about how the ZBFW features works <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> </P><P></P><P>Now I am going to help you on this one at least, then I will give you a few links you could use to study </P><P></P><P>We are going to study traffic from <STRONG>MyNetNet-zone to the MyNetWan-zone</STRONG></P><P></P><P>First the zone-pair</P><P>zone-pair security MyNetNet-&gt;MyNetWAN source MyNetNet-zone destination MyNetWAN-zone</P><P>service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy</P><P></P><P>so lets go policy-map </P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">class type inspect MyNetNet-Class</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">&nbsp; inspect</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">class class-default</P><P></P><P></P><P>Finally to the class map <SPAN __jive_emoticon_name="cool" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">class-map type inspect <STRONG><EM style="text-decoration: underline; ">match-all </EM></STRONG>MyNetNet-Class</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">match class-map MyNetNet-access-list</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">match class-map Voice-protocols</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">match class-map Extended-protocols</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">match class-map Base-protocols</P><P></P><P></P><P></P><P>That keyword MATCH-ALL is the one causing the issues!!</P><P>Why?</P><P>Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> )</P><P></P><P>So here are the links </P><P><A class="jive-link-external-small" href="http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/">http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/</A></P><P><A _jive_internal="true" href="https://community.cisco.com/thread/2138873" style="line-height: 17.27272605895996px; color: #0068cf; cursor: pointer; font-family: Tahoma, Verdana, Arial, sans-serif; font-size: 13.63636302947998px; background-color: #ffffff;" target="_blank">https://supportforums.cisco.com/thread/2138873</A></P><P><A class="jive-link-external-small" href="http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/">http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/</A></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml">http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml</A></P><P></P><P>You have some work to do </P><P></P><P>Please remember to rate all the helpful posts</P><P></P><P>Julio</P><P>CCSP</P></BODY></HTML> Thu, 23 Aug 2012 01:39:36 GMT Julio Carvajal 2012-08-23T01:39:36Z default class map is dropping all Packets https://community.cisco.com/t5/network-security/default-class-map-is-dropping-all-packets/m-p/2047934#M439012 <P>Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time.&nbsp; I thought I had a pretty good program until I found all my traffic was getting dropped<SPAN __jive_emoticon_name="confused" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN>. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!! </P><P></P><P>The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,</P><P></P><P>Guest VLAN has access to 2 IP's in Data for printing. </P><P></P><P></P><P>Cisco871#sh run</P><P>Building configuration...</P><P></P><P></P><P>Current configuration : 8005 bytes</P><P>!</P><P>version 12.4</P><P>no service pad</P><P>service timestamps debug datetime msec</P><P>service timestamps log datetime msec</P><P>no service password-encryption</P><P>service sequence-numbers</P><P>!</P><P>hostname Cisco871</P><P>!</P><P>boot-start-marker</P><P>boot-end-marker</P><P>!</P><P>logging buffered 4096</P><P>no logging console</P><P>!</P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa authentication login default local</P><P>aaa authorization exec default local </P><P>!</P><P>!</P><P>aaa session-id common</P><P>clock summer-time PST recurring</P><P>!</P><P>crypto pki trustpoint TP-self-signed-4004039535</P><P> enrollment selfsigned</P><P> subject-name cn=IOS-Self-Signed-Certificate-4004039535</P><P> revocation-check none</P><P> rsakeypair TP-self-signed-4004039535</P><P>!</P><P>!</P><P>crypto pki certificate chain TP-self-signed-4004039535</P><P> certificate self-signed 01</P><P>&nbsp; 3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 </P><P>&nbsp; 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 </P><P>&nbsp; 69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532 </P><P>&nbsp; 32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 </P><P>&nbsp; 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430 </P><P>&nbsp; 33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 </P><P>&nbsp; 8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25 </P><P>&nbsp; B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E </P><P>&nbsp; 147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF </P><P>&nbsp; 41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5 </P><P>&nbsp; F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603 </P><P>&nbsp; 551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06 </P><P>&nbsp; 03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D </P><P>&nbsp; 0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06 </P><P>&nbsp; 092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069 </P><P>&nbsp; D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585 </P><P>&nbsp; 8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524 </P><P>&nbsp; E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9 </P><P>&nbsp; 3543BD68 A4B2692D 05CBF6DC C93C8142</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;quit</P><P>! </P><P>!</P><P>ip cef</P><P>!</P><P>!</P><P>no ip dhcp use vrf connected</P><P>ip dhcp excluded-address 10.0.0.1 10.0.0.5</P><P>ip dhcp excluded-address 172.16.15.1 172.16.15.5</P><P>ip dhcp excluded-address 172.16.15.14</P><P>ip dhcp excluded-address 172.16.17.1 172.16.17.5</P><P>ip dhcp excluded-address 192.168.19.1 192.168.19.5</P><P>!</P><P>ip dhcp pool MyNetNative</P><P>&nbsp;&nbsp; import all</P><P>&nbsp;&nbsp; network 10.0.0.0 255.255.255.248</P><P>&nbsp;&nbsp; default-router 10.0.0.1 </P><P>&nbsp;&nbsp; domain-name MyNetNet.org</P><P>&nbsp;&nbsp; dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220 </P><P>&nbsp;&nbsp; lease 0 2</P><P>!</P><P>ip dhcp pool MyNetData</P><P>&nbsp;&nbsp; import all</P><P>&nbsp;&nbsp; network 172.16.15.0 255.255.255.240</P><P>&nbsp;&nbsp; dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220 </P><P>&nbsp;&nbsp; default-router 172.16.15.1 </P><P>&nbsp;&nbsp; domain-name MyDomain.org</P><P>!</P><P>ip dhcp pool MyNetVoice</P><P>&nbsp;&nbsp; import all</P><P>&nbsp;&nbsp; network 172.16.17.0 255.255.255.240</P><P>&nbsp;&nbsp; dns-server 172.16.15.14 </P><P>&nbsp;&nbsp; default-router 172.16.17.1 </P><P>&nbsp;&nbsp; domain-name MyDomain.org</P><P>!</P><P>ip dhcp pool MyNetGuest</P><P>&nbsp;&nbsp; import all</P><P>&nbsp;&nbsp; network 192.168.19.0 255.255.255.240</P><P>&nbsp;&nbsp; default-router 192.168.19.1 </P><P>&nbsp;&nbsp; domain-name MyNetGuest.org</P><P>&nbsp;&nbsp; dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220 </P><P>!</P><P>!</P><P>ip domain name MyDomain.org</P><P>ip name-server 172.16.15.14</P><P>ip name-server 4.2.2.4</P><P>ip inspect log drop-pkt</P><P>!</P><P>multilink bundle-name authenticated</P><P></P><P></P><P>parameter-map type inspect TCP_PARAM</P><P></P><P></P><P>parameter-map type inspect global</P><P>!</P><P>!</P><P>username MyAdmin privilege 15 secret 5 MyPassword</P><P>archive</P><P> log config</P><P>&nbsp; hidekeys</P><P>!</P><P>!</P><P>!</P><P>class-map type inspect match-all MyNetGuest-access-list</P><P> match access-group 110</P><P>class-map type inspect match-any Base-protocols</P><P> match protocol http</P><P> match protocol https</P><P> match protocol ftp</P><P> match protocol ssh</P><P> match protocol dns</P><P> match protocol ntp</P><P> match protocol ica</P><P> match protocol pptp</P><P> match protocol icmp</P><P> match protocol tcp</P><P> match protocol udp</P><P>class-map type inspect match-all MyNetGuest-Class</P><P> match class-map MyNetGuest-access-list</P><P> match class-map Base-protocols</P><P>class-map type inspect match-all MyNetNet-access-list</P><P> match access-group 100</P><P>class-map type inspect match-any Voice-protocols</P><P> match protocol h323</P><P> match protocol skinny</P><P> match protocol sip</P><P>class-map type inspect match-any Extended-protocols</P><P> match protocol pop3</P><P> match protocol pop3s</P><P> match protocol imap</P><P> match protocol imaps</P><P> match protocol smtp</P><P>class-map type inspect match-all MyNetNet-Class</P><P> match class-map MyNetNet-access-list</P><P> match class-map Voice-protocols</P><P> match class-map Extended-protocols</P><P> match class-map Base-protocols</P><P>!</P><P>!</P><P>policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy</P><P> class type inspect MyNetNet-Class</P><P>&nbsp; inspect</P><P> class class-default</P><P>policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy</P><P> class type inspect MyNetNet-Class</P><P>&nbsp; inspect</P><P> class class-default</P><P>policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy</P><P> class type inspect MyNetGuest-access-list</P><P>&nbsp; inspect</P><P> class class-default</P><P>policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy</P><P> class type inspect MyNetGuest-Class</P><P>&nbsp; inspect</P><P> class class-default</P><P>policy-map type inspect MyNetNet-zone</P><P> class class-default</P><P>&nbsp; pass</P><P>!</P><P>zone security MyNetNet-zone</P><P>zone security MyNetGuest-zone</P><P>zone security MyNetWAN-zone</P><P>zone-pair security MyNetNet-&gt;MyNetGuest source MyNetNet-zone destination MyNetGuest-zone</P><P> service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy</P><P>zone-pair security MyNetNet-&gt;MyNetWAN source MyNetNet-zone destination MyNetWAN-zone</P><P> service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy</P><P>zone-pair security MyNetGuest-&gt;MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone</P><P> service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy</P><P>zone-pair security MyNetGuest-&gt;MyNetNet source MyNetGuest-zone destination MyNetNet-zone</P><P> service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy</P><P>!</P><P>!</P><P>!</P><P>interface FastEthernet0</P><P> description Cisco-2849-Switch </P><P> switchport mode trunk</P><P> speed 100</P><P>!</P><P>interface FastEthernet1</P><P>!</P><P>interface FastEthernet2</P><P>!</P><P>interface FastEthernet3</P><P> description SBS-Server</P><P> switchport access vlan 10</P><P> spanning-tree portfast</P><P>!</P><P>interface FastEthernet4</P><P> description WAN</P><P> no ip address</P><P> ip mtu 1492</P><P> ip nat outside</P><P> ip virtual-reassembly</P><P> zone-member security MyNetWAN-zone</P><P> ip tcp adjust-mss 1452</P><P> duplex auto</P><P> speed auto</P><P> no cdp enable</P><P>!</P><P>interface Vlan1</P><P> description MyNetNative</P><P> ip address 10.0.0.1 255.255.255.248</P><P> ip nat inside</P><P> ip virtual-reassembly</P><P> zone-member security MyNetNet-zone</P><P> ip tcp adjust-mss 1452</P><P>!</P><P>interface Vlan10</P><P> description MyNetData</P><P> ip address 172.16.15.1 255.255.255.240</P><P> ip nat inside</P><P> ip virtual-reassembly</P><P> zone-member security MyNetNet-zone</P><P>!</P><P>interface Vlan20</P><P> description MyNetVoice</P><P> ip address 172.16.17.1 255.255.255.240</P><P> ip nat inside</P><P> ip virtual-reassembly</P><P> zone-member security MyNetNet-zone</P><P>!</P><P>interface Vlan69</P><P> description MyNetGuest</P><P> ip address 192.168.19.1 255.255.255.240</P><P> ip nat inside</P><P> ip virtual-reassembly</P><P> zone-member security MyNetGuest-zone</P><P>!</P><P>!</P><P>!</P><P>ip http server</P><P>ip http authentication local</P><P>ip http secure-server</P><P>ip http timeout-policy idle 60 life 86400 requests 10000</P><P>!</P><P>access-list 100 remark MyNetnet</P><P>access-list 100 permit ip 10.0.0.0 0.0.0.7 any</P><P>access-list 100 permit ip 172.16.15.0 0.0.0.31 any</P><P>access-list 100 permit ip 172.16.17.0 0.0.0.15 any</P><P>access-list 110 remark MyNetGuest</P><P>access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2</P><P>access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3</P><P>access-list 110 deny&nbsp;&nbsp; ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7</P><P>access-list 110 deny&nbsp;&nbsp; ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31</P><P>access-list 110 deny&nbsp;&nbsp; ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15</P><P>access-list 110 permit ip 192.168.19.0 0.0.0.15 any</P><P>!</P><P>!</P><P>!</P><P>!</P><P>control-plane</P><P>!</P><P>banner login ^CC</P><P>****************************************************************</P><P>You know if you should be here or not.</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if not please leave</P><P></P><P></P><P>NOW</P><P>****************************************************************</P><P>^C</P><P>!</P><P>line con 0</P><P> no modem enable</P><P>line aux 0</P><P>line vty 0 4</P><P> privilege level 15</P><P> transport input telnet ssh</P><P>!</P><P>scheduler max-task-time 5000</P><P>ntp server 172.16.15.14</P><P></P><P></P><P>!</P><P>webvpn cef</P><P>end</P><P></P><P></P><P>Cisco871#sh zone security</P><P>zone self</P><P>&nbsp; Description: System defined zone</P><P></P><P></P><P></P><P></P><P>zone MyNetNet-zone</P><P>&nbsp; Member Interfaces:</P><P>&nbsp;&nbsp;&nbsp; Vlan1</P><P>&nbsp;&nbsp;&nbsp; Vlan10</P><P>&nbsp;&nbsp;&nbsp; Vlan20</P><P></P><P></P><P></P><P></P><P>zone MyNetGuest-zone</P><P>&nbsp; Member Interfaces:</P><P>&nbsp;&nbsp;&nbsp; Vlan69</P><P></P><P></P><P></P><P>zone MyNetWAN-zone</P><P>&nbsp; Member Interfaces:</P><P>&nbsp;&nbsp;&nbsp; FastEthernet4</P><P></P><P>Cisco871#sh zone-pair security</P><P>Zone-pair name MyNetNet-&gt;MyNetGuest</P><P>&nbsp;&nbsp;&nbsp; Source-Zone MyNetNet-zone&nbsp; Destination-Zone MyNetGuest-zone </P><P>&nbsp;&nbsp;&nbsp; service-policy MyNetNet-zone_to_MyNetGuest-zone_policy</P><P>Zone-pair name MyNetNet-&gt;MyNetWAN</P><P>&nbsp;&nbsp;&nbsp; Source-Zone MyNetNet-zone&nbsp; Destination-Zone MyNetWAN-zone </P><P>&nbsp;&nbsp;&nbsp; service-policy MyNetNet-zone_to_MyNetWAN-zone_policy</P><P>Zone-pair name MyNetGuest-&gt;MyNetWAN</P><P>&nbsp;&nbsp;&nbsp; Source-Zone MyNetGuest-zone&nbsp; Destination-Zone MyNetWAN-zone </P><P>&nbsp;&nbsp;&nbsp; service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy</P><P>Zone-pair name MyNetGuest-&gt;MyNetNet</P><P>&nbsp;&nbsp;&nbsp; Source-Zone MyNetGuest-zone&nbsp; Destination-Zone MyNetNet-zone </P><P>&nbsp;&nbsp;&nbsp; service-policy MyNetGuest-zone_to_MyNetNet-zone_policy</P><P></P><P>Cisco871#sh int faste4</P><P>FastEthernet4 is up, line protocol is up </P><P>&nbsp; Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)</P><P>&nbsp; Description: WAN</P><P>&nbsp; Internet address is 10.38.177.98/25</P><P>&nbsp; MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, </P><P>&nbsp;&nbsp;&nbsp;&nbsp; reliability 255/255, txload 1/255, rxload 1/255</P><P>&nbsp; Encapsulation ARPA, loopback not set</P><P>&nbsp; Keepalive set (10 sec)</P><P>&nbsp; Full-duplex, 100Mb/s, 100BaseTX/FX</P><P>&nbsp; ARP type: ARPA, ARP Timeout 04:00:00</P><P>&nbsp; Last input 00:00:00, output 00:34:50, output hang never</P><P>&nbsp; Last clearing of "show interface" counters never</P><P>&nbsp; Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0</P><P>&nbsp; Queueing strategy: fifo</P><P>&nbsp; Output queue: 0/40 (size/max)</P><P>&nbsp; 5 minute input rate 2000 bits/sec, 3 packets/sec</P><P>&nbsp; 5 minute output rate 0 bits/sec, 0 packets/sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 593096 packets input, 73090812 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 watchdog</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 input packets with dribble condition detected</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 9940 packets output, 1016025 bytes, 0 underruns</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output errors, 0 collisions, 3 interface resets</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 babbles, 0 late collision, 0 deferred</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 lost carrier, 0 no carrier</P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0 output buffer failures, 0 output buffers swapped out</P><P></P><P> Zone-pair: MyNetNet-&gt;MyNetWAN</P><P></P><P></P><P>&nbsp; Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp; Class-map: MyNetNet-Class (match-all)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: class-map match-all MyNetNet-access-list</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: access-group 100</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: class-map match-any Voice-protocols</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol h323</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol skinny</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol sip</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: class-map match-any Extended-protocols</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol pop3</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol pop3s</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol imap</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol imaps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol smtp</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: class-map match-any Base-protocols</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol http</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol https</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol ftp</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol ssh</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol dns</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol ntp</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol ica</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol pptp</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol icmp</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol tcp</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: protocol udp</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 packets, 0 bytes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Inspect</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Session creations since subsystem startup or last reset 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Current session counts (estab/half-open/terminating) [0:0:0]</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Maxever session counts (estab/half-open/terminating) [0:0:0]</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Last session created never</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Last statistic reset never</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Last session creation rate 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Maxever session creation rate 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Last half-open session total 0</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp; Class-map: class-default (match-any)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: any </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Drop (default action)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5196 packets, 256211 bytes</P><P></P><P></P><P>Cisco871#sh log</P><P>Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 flushes, 0 overruns, xml disabled, filtering disabled)</P><P></P><P></P><P>No Active Message Discriminator.</P><P></P><P></P><P></P><P></P><P></P><P></P><P>No Inactive Message Discriminator.</P><P></P><P></P><P></P><P></P><P>&nbsp;&nbsp;&nbsp; Console logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Monitor logging: level debugging, 0 messages logged, xml disabled,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; filtering disabled</P><P>&nbsp;&nbsp;&nbsp; Buffer logging:&nbsp; level debugging, 1745 messages logged, xml disabled,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; filtering disabled</P><P>&nbsp;&nbsp;&nbsp; Logging Exception size (4096 bytes)</P><P>&nbsp;&nbsp;&nbsp; Count and timestamp logging messages: disabled</P><P>&nbsp;&nbsp;&nbsp; Persistent logging: disabled</P><P></P><P></P><P>No active filter modules.</P><P></P><P></P><P>ESM: 0 messages dropped</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp; Trap logging: level informational, 1785 message lines logged</P><P></P><P></P><P>Log Buffer (4096 bytes):</P><P></P><P></P><P>001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 =&gt; 168.94.0.1:53 with ip ident 511 due to&nbsp; policy match failure</P><P>001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 =&gt; 168.94.69.30:443 due to&nbsp; policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0</P><P>001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 =&gt; 168.94.0.1:53 with ip ident 625 due to&nbsp; policy match failure</P><P>001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 =&gt; 168.94.0.1:53 with ip ident 677 due to&nbsp; policy match failure</P> Mon, 11 Mar 2019 23:45:37 GMT https://community.cisco.com/t5/network-security/default-class-map-is-dropping-all-packets/m-p/2047934#M439012 DaChuckler 2019-03-11T23:45:37Z default class map is dropping all Packets https://community.cisco.com/t5/network-security/default-class-map-is-dropping-all-packets/m-p/2047935#M439013 <HTML><HEAD></HEAD><BODY><P>Hello Charlie,</P><P></P><P>I would recomend you to investigate a little bit more about how the ZBFW features works <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> </P><P></P><P>Now I am going to help you on this one at least, then I will give you a few links you could use to study </P><P></P><P>We are going to study traffic from <STRONG>MyNetNet-zone to the MyNetWan-zone</STRONG></P><P></P><P>First the zone-pair</P><P>zone-pair security MyNetNet-&gt;MyNetWAN source MyNetNet-zone destination MyNetWAN-zone</P><P>service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy</P><P></P><P>so lets go policy-map </P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">class type inspect MyNetNet-Class</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">&nbsp; inspect</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">class class-default</P><P></P><P></P><P>Finally to the class map <SPAN __jive_emoticon_name="cool" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">class-map type inspect <STRONG><EM style="text-decoration: underline; ">match-all </EM></STRONG>MyNetNet-Class</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">match class-map MyNetNet-access-list</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">match class-map Voice-protocols</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">match class-map Extended-protocols</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">match class-map Base-protocols</P><P></P><P></P><P></P><P>That keyword MATCH-ALL is the one causing the issues!!</P><P>Why?</P><P>Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> )</P><P></P><P>So here are the links </P><P><A class="jive-link-external-small" href="http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/">http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/</A></P><P><A _jive_internal="true" href="https://community.cisco.com/thread/2138873" style="line-height: 17.27272605895996px; color: #0068cf; cursor: pointer; font-family: Tahoma, Verdana, Arial, sans-serif; font-size: 13.63636302947998px; background-color: #ffffff;" target="_blank">https://supportforums.cisco.com/thread/2138873</A></P><P><A class="jive-link-external-small" href="http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/">http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/</A></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml">http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml</A></P><P></P><P>You have some work to do </P><P></P><P>Please remember to rate all the helpful posts</P><P></P><P>Julio</P><P>CCSP</P></BODY></HTML> Thu, 23 Aug 2012 01:39:36 GMT https://community.cisco.com/t5/network-security/default-class-map-is-dropping-all-packets/m-p/2047935#M439013 Julio Carvajal 2012-08-23T01:39:36Z