FWSM not to inspect certain host

filterfilter
Level 1

Hi,

We have an FWSM running multiple contexts on our network, and recently we found from 'sh service-policy' that the FWSM is dropping some of our xdmcp packets.

Inspect: xdmcp, packet 16208, drop 81, reset-drop 0

Here is the running configuration for the service policy.

class-map INSPECT_ALL
 match default-inspection-traffic
!
policy-map GLOBAL
 class INSPECT_ALL
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
!
service-policy GLOBAL global

We would like to bypass the xdmcp inspection for certain hosts and still inspect it for the other hosts. Could we do this by adding the hosts to an access-list (let's say the access-list is HOST) and creating a new class-map for those hosts, removing the inspect xdmcp?

class-map XDMCP
 match access-list HOST
!
class-map INSPECT_ALL
 match default-inspection-traffic
!
policy-map GLOBAL
 class XDMCP
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  ! inspect xdmcp deliberately omitted for the hosts matched by access-list HOST
  inspect netbios
  inspect tftp
 class INSPECT_ALL
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
!
service-policy GLOBAL global

I currently don't have a spare FWSM to try this configuration on, so any advice would be very helpful. Thanks.

1 Accepted Solution

sean_evershed
Level 7

See below a configuration example of how to bypass an inspection policy using an ACL.

https://supportforums.cisco.com/docs/DOC-15891

Don't forget to rate posts that are helpful.
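The ACL-based bypass the reply links to, written out for the poster's xdmcp case as an added example (it is not the linked document's text and not the reply author's configuration). The host address 10.10.10.50, the ACL name XDMCP_INSPECT and the class name XDMCP_INSPECTED are assumed placeholders; it reuses the poster's policy-map GLOBAL and class INSPECT_ALL, and on a multiple-context FWSM it is entered in the context that carries the traffic.

```cisco
! Placeholders (assumed, not from the thread): exempt host 10.10.10.50,
! ACL XDMCP_INSPECT, class XDMCP_INSPECTED. XDMCP runs on UDP 177, which is
! also what 'match default-inspection-traffic' selects for the xdmcp inspection.
!
! 1. ACL: 'deny' lines are excluded from the class (so not inspected),
!    the final 'permit' keeps every other XDMCP flow under inspection.
!    Both lines cover the host whether it is the XDMCP client or the server.
access-list XDMCP_INSPECT extended deny udp host 10.10.10.50 any eq 177
access-list XDMCP_INSPECT extended deny udp any host 10.10.10.50 eq 177
access-list XDMCP_INSPECT extended permit udp any any eq 177
!
! 2. Class that matches only the XDMCP traffic that should still be inspected.
class-map XDMCP_INSPECTED
 match access-list XDMCP_INSPECT
!
! 3. Remove xdmcp from the default-inspection class, otherwise that class
!    still catches the host's traffic, and apply it only in the new class.
policy-map GLOBAL
 class INSPECT_ALL
  no inspect xdmcp
 class XDMCP_INSPECTED
  inspect xdmcp
!
service-policy GLOBAL global
!
! Verification (ASA syntax; confirm on the FWSM release in use):
! show service-policy inspect xdmcp   -> drop counter should stop rising for the host
! show access-list XDMCP_INSPECT      -> hit counts on the deny lines confirm the bypass
```

The other inspections in INSPECT_ALL are untouched, so the exempt host is still inspected for everything except xdmcp.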
