
Zone-Based Firewall target:class identified as :none:

Hello,

Zone Based Firewall is dropping packets from one interface to another and I cannot understand why.

1) There is a zone-pair between both interfaces

2) All IP traffic is allowed

3) The log says (target:class)-(none:none). Not even class-default is detected. Why?

Config:

zone security VPN

zone security USUARIOS

!------------------------
!VPN=>USUARIOS
!------------------------
ip access-list extended VPN-TO-USUARIOS
   permit ip any any
!
!
class-map type inspect match-all VPN-TO-USUARIOS-CLASS
   match access-group name VPN-TO-USUARIOS
!
!
policy-map type inspect VPN-TO-USUARIOS-POLICY
  class type inspect VPN-TO-USUARIOS-CLASS
      inspect
  class class-default
     drop log
!
zone-pair security VPN-TO-USUARIOS source VPN destination USUARIOS
   service-policy type inspect VPN-TO-USUARIOS-POLICY
!

int Vlan35
  zone-member security VPN

int Gi0/0/1.2
  zone-member security USUARIOS

IP addresses

GigabitEthernet0/0/1.2 : 10.65.48.1

Vlan35 : 10.68.168.1

Drop Log

002001: Sep 12 07:29:33.212 BRASIL: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00000084879874157576 %FW-6-LOG_SUMMARY: 1 udp packet was dropped from Vlan35 10.5.0.64:53 => 10.65.48.15:61404 (target:class)-(none:none)

Why can ZBFW not identify target:class? Why is it dropping packets from this source and destination?

Thank you.
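As an added example (not part of the original post), a Python parser for the %FW-6-LOG_SUMMARY line format quoted above. It separates drops logged as (none:none), where no zone-pair class was matched at all, from drops made by a named policy's class (which the log reports as zone-pair:class). The first sample line is the one from the post; the second is constructed to show the named-class form.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Field layout of the IOS-XE ZBFW drop summary message quoted in the post.
LOG_SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) (?P<proto>\w+) packets? (?:was|were) dropped "
    r"from (?P<iface>\S+) (?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<target>[^:)]+):(?P<cls>[^)]+)\)"
)

@dataclass
class Drop:
    count: int
    proto: str
    iface: str   # ingress interface named in the log
    src: str
    sport: int
    dst: str
    dport: int
    target: str  # zone-pair that dropped the packet, or "none"
    cls: str     # class within that zone-pair's policy, or "none"

    @property
    def verdict(self) -> str:
        # "none:none" means no zone-pair/class matched this packet, so the configured
        # policy-map (including its "class-default / drop log") never evaluated it.
        if self.target == "none" and self.cls == "none":
            return "no-zone-pair-match"
        return f"policy-drop:{self.target}/{self.cls}"

def parse_drop(line: str) -> Optional[Drop]:
    m = LOG_SUMMARY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return Drop(int(d["count"]), d["proto"], d["iface"], d["src"], int(d["sport"]),
                d["dst"], int(d["dport"]), d["target"], d["cls"])

def summarize(lines: Iterable[str]) -> Counter:
    """Total dropped packets per (ingress interface, src, dst, verdict)."""
    totals: Counter = Counter()
    for drop in filter(None, map(parse_drop, lines)):
        totals[(drop.iface, drop.src, drop.dst, drop.verdict)] += drop.count
    return totals

# Constructed sample: the post's line, plus one named-class drop for contrast.
SAMPLE_LOG = [
    "002001: Sep 12 07:29:33.212 BRASIL: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 "
    "TS:00000084879874157576 %FW-6-LOG_SUMMARY: 1 udp packet was dropped from Vlan35 "
    "10.5.0.64:53 => 10.65.48.15:61404 (target:class)-(none:none)",
    "002002: Sep 12 07:29:40.001 BRASIL: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 "
    "TS:00000084879900000000 %FW-6-LOG_SUMMARY: 2 tcp packets were dropped from Vlan35 "
    "10.68.168.20:44512 => 10.65.48.15:445 (target:class)-(VPN-TO-USUARIOS:class-default)",
]
```

Running `summarize(SAMPLE_LOG)` groups the post's DNS reply under `no-zone-pair-match`, which is a different condition from the `class-default` drop the poster expected to see.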