05-11-2011 02:22 AM - edited 03-11-2019 01:31 PM
Hi,
We have an FWSM running with multiple contexts on our network, and recently we found from 'sh service-policy' that the FWSM is dropping some of our xdmcp packets.
Inspect: xdmcp, packet 16208, drop 81, reset-drop 0
Here is the running configuration for the service policy.
class-map INSPECT_ALL
 match default-inspection-traffic
!
policy-map GLOBAL
 class INSPECT_ALL
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
!
service-policy GLOBAL global
We would like to bypass the xdmcp inspection on certain hosts and still inspect it on other hosts. Could we do this by adding the hosts to an access-list (let's say the access-list is HOST) and creating a new class-map for those hosts, removing the inspect xdmcp?
class-map XDMCP
 match access-list HOST
class-map INSPECT_ALL
 match default-inspection-traffic
!
policy-map GLOBAL
 ! inspect xdmcp is left out of this class for the hosts matched by access-list HOST
 class XDMCP
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect netbios
  inspect tftp
 class INSPECT_ALL
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
!
service-policy GLOBAL global
I currently don't have a spare FWSM to try this configuration on, so any advice would be very helpful, thanks.
05-11-2011 02:50 AM
See below a configuration example of how to bypass an inspection policy using an ACL.
https://supportforums.cisco.com/docs/DOC-15891
Don't forget to rate posts that are helpful.
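One common way to express the bypass asked about in this thread, shown as an added example (it is not the poster's configuration and is not copied from the linked document). It assumes the FWSM Modular Policy Framework treats a class that matches an access-list the way ASA does; the names XDMCP_INSPECT and XDMCP_SELECTIVE are hypothetical and 192.0.2.10 is a constructed placeholder for one host that should bypass the inspection.

```cisco
! Added example: names and addresses below are constructed placeholders.
! XDMCP uses UDP port 177.
!
! In an access-list used by a class-map:
!   deny   = traffic is not classified, so the class action is not applied
!   permit = traffic is classified, so inspect xdmcp is applied
access-list XDMCP_INSPECT extended deny udp host 192.0.2.10 any eq 177
access-list XDMCP_INSPECT extended deny udp any host 192.0.2.10 eq 177
access-list XDMCP_INSPECT extended permit udp any any eq 177
!
class-map XDMCP_SELECTIVE
 match access-list XDMCP_INSPECT
!
policy-map GLOBAL
 ! Remove xdmcp from the catch-all class; the other inspections stay as they are.
 class INSPECT_ALL
  no inspect xdmcp
 ! Re-apply xdmcp inspection only to traffic permitted by XDMCP_INSPECT.
 class XDMCP_SELECTIVE
  inspect xdmcp
!
service-policy GLOBAL global
```

The Inspect: xdmcp counters in 'sh service-policy' should then appear under the new class only. Hosts covered by the deny entries no longer get XDMCP inspection, so their traffic has to be allowed by the ordinary access rules.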