https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517964#M618603 <HTML><HEAD></HEAD><BODY><P>OK, I see.</P><P></P><P>I am afraid you need to split it up.</P><P>You need a class that only matches on the interesting ftp traffic and also matches on protocol ftp, and then inspects. </P><P>So make sure the ftp traffic does not match your current ACL. And after that and before the default you inspect the only ftp class-map.</P><P></P><P>I hope it makes sense.</P><P></P><P>PK</P></BODY></HTML> Thu, 04 Nov 2010 20:20:51 GMT Panos Kampanakis 2010-11-04T20:20:51Z https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517961#M618584 <P>So here is the deal, normally I have a pretty simple ZBF outbound configuration. Basically it's below without the bold italics. If traffic is http and the source ip isn't on a specific BYPASS-FILTER acl it gets filtered, otherwise it gets inspected and allowed.</P><P></P><P>Now I have a customer who has an incredibly large list of acl requirements and his default position on outbound traffic is deny. We have created an ACL that replicates this called inside_access_in and i have successfully applied it and have it working using the bold italics added below.</P><P></P><P>My problem is it once the ACL has allowed/denied the traffic it does not appear to be inspecting it further, this really affects FTP traffic as without inspection the connections don't always work properly.&nbsp; Is there a better way to do this? I don't have the full ACL below but a good example portion of it.</P><P></P><P>Thanks in advance.</P><P></P><P><EM><STRONG>class-map type inspect match-any INSIDE_ACCESS_IN<BR /> match access-group name inside_access_in</STRONG></EM></P><P>class-map type inspect match-any DEFAULT-TRAFFIC</P><P> match protocol tcp<BR /> match protocol udp<BR /> match protocol ftp<BR /> match protocol sip<BR /> match protocol rtsp<BR /> match protocol tftp<BR /> match protocol icmp<BR /> match protocol skinny<BR />class-map type inspect match-all NO-URL-FILTER<BR /> match protocol http<BR /> match access-group name BYPASS-FILTER<BR />class-map type inspect match-all INTERNET-INBOUND<BR /> match access-group name PERMIT-INTERNET<BR />class-map type inspect match-any URL-FILTER<BR /> match protocol http</P><P></P><P>policy-map type inspect PRIVATE-TO-PUBLIC<BR /> class type inspect NO-URL-FILTER<BR />&nbsp; inspect<BR /> class type inspect URL-FILTER<BR />&nbsp; inspect<BR />&nbsp; urlfilter SMARTFILTER<BR /><EM><STRONG> class type inspect INSIDE_ACCESS_IN<BR />&nbsp;&nbsp; inspect<BR /></STRONG></EM> class type inspect DEFAULT-TRAFFIC<BR />&nbsp; inspect<BR /> class class-default<BR />&nbsp; drop</P><P></P><P></P><P><STRONG><EM>ip access-list extended inside_access_in<BR /> permit ip object-group XXX_Servers any<BR /> permit ip object-group XXX_NETWORK_3 any<BR /> permit ip any object-group XXX_NETWORK_4<BR /> deny&nbsp;&nbsp; ip any object-group RFC1918<BR /> remark Internet Access<BR /> permit tcp object-group WWWAccess any eq www 443<BR /> remark Secure http access only<BR /> permit tcp object-group SecureWWW any eq 443<BR /> remark FTP Access<BR /> permit object-group FTP object-group FTPAccess any<BR /> remark FTP access for all users to these FTP sites<BR /> permit object-group FTP any object-group FTPSites</EM></STRONG></P><P><STRONG><EM>deny ip any any</EM></STRONG></P> Mon, 11 Mar 2019 19:04:59 GMT https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517961#M618584 mloraditch 2019-03-11T19:04:59Z https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517962#M618588 <HTML><HEAD></HEAD><BODY><P>It is normal to do the action in a class if you match the class and not move to the next action for the next class afterwards.</P><P></P><P>But from what I am seeing. your ACL matches on FTP traffic so, it is matched it should be inspected.</P><P>Let us know if there is confusion on the symptom.</P><P></P><P>PK</P></BODY></HTML> Thu, 04 Nov 2010 18:19:49 GMT https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517962#M618588 Panos Kampanakis 2010-11-04T18:19:49Z https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517963#M618598 <HTML><HEAD></HEAD><BODY><P>OK Makes, senses, here is where the problem occurs, if somebody is in the top level allow anything line of the acl. At that point I am only matching presumably on basic tcp/udp inspection and when you do that ftp doesn't always work unless you also enable ftp inspection like I do in my DEFAULT-TRAFFIC class.</P><P></P><P>So how do I get around that with my acl? I can add a tcp rule for the allow anything group with eq ftp but will that trigger the proper inspection? Would I do the same thing I end up doing for ftp for any other protocols like SIP, etc that need more than base tcp/udp inspection?</P><P></P><P>Thanks!</P><P>-Matthew</P></BODY></HTML> Thu, 04 Nov 2010 19:48:25 GMT https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517963#M618598 mloraditch 2010-11-04T19:48:25Z https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517964#M618603 <HTML><HEAD></HEAD><BODY><P>OK, I see.</P><P></P><P>I am afraid you need to split it up.</P><P>You need a class that only matches on the interesting ftp traffic and also matches on protocol ftp, and then inspects. </P><P>So make sure the ftp traffic does not match your current ACL. And after that and before the default you inspect the only ftp class-map.</P><P></P><P>I hope it makes sense.</P><P></P><P>PK</P></BODY></HTML> Thu, 04 Nov 2010 20:20:51 GMT https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517964#M618603 Panos Kampanakis 2010-11-04T20:20:51Z https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517965#M618611 <HTML><HEAD></HEAD><BODY><P>ok</P><P></P><P>makes sense so I need to for any sensitive protocols that require inspection (FTP, SIP, etc) have a separate acl for each and separate class map, etc</P><P></P><P>Luckily for this customer that's just FTP.</P></BODY></HTML> Thu, 04 Nov 2010 20:30:24 GMT https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517965#M618611 mloraditch 2010-11-04T20:30:24Z https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517966#M618618 <HTML><HEAD></HEAD><BODY><P>Please mark this as answered if it is for other people's future benefit.</P><P></P><P>Good luck with the config.</P><P></P><P>Take care,</P><P>PK</P></BODY></HTML> Thu, 04 Nov 2010 20:49:56 GMT https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517966#M618618 Panos Kampanakis 2010-11-04T20:49:56Z https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517967#M618624 <HTML><HEAD></HEAD><BODY><P>Done. Thanks for the assistance!</P></BODY></HTML> Fri, 05 Nov 2010 12:51:53 GMT https://community.cisco.com/t5/network-security/zbf-protocol-inspection-access-list-combo/m-p/1517967#M618624 mloraditch 2010-11-05T12:51:53Z