06-21-2022 10:58 AM
Hello Cisco Expert,
Hope you are doing good.
I am working on a project in Cisco Packet Tracer 8.1.1, and am currently running into an issue where I am unable to save the global policy of the 5506-X firewall [version 9.6(1)].
As per my requirement, I will need to inspect icmp and http.
I tried to remove the global policy, recreate a new one with the same name and save the config.
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect http
  inspect icmp
!
service-policy global_policy global
At first, it is working fine and I am able to reach my external server.
However, once I close the pkt file and reopen it, the global policy I created is overwritten by the default global policy of the firewall.
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
!
service-policy global_policy global
Is there any way to fix this?
Thanking you in advance and awaiting a response.
Regards,
Yoveena
06-21-2022 12:41 PM
Hi
This can be a bug from your side. For me, the configuration remains after reload.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
policy-map global_policy2
 class inspection_default
  inspect dns preset_dns_map
  inspect http
  inspect icmp
ciscoasa#sh clock
*0:1:17.115 UTC Mon Mar 1 1993
ciscoasa#
06-22-2022 11:10 AM
Hi @Flavio Miranda,
I successfully added another policy map and was able to retrieve the configuration after reload but could not reach my external server.
I tried to remove the existing service policy and add another one, and was able to reach my external server.
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
policy-map global_policy2
 class inspection_default
  inspect dns preset_dns_map
  inspect http
  inspect icmp
!
service-policy global_policy2 global
However, once I close the pkt file and reopen it, the global service policy I created is overwritten by the default global service policy of the firewall.
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
policy-map global_policy2
 class inspection_default
  inspect dns preset_dns_map
  inspect http
  inspect icmp
!
service-policy global_policy global
Is there any workaround to resolve this issue?
Regards,
Yoveena
06-22-2022 12:01 PM
It did not happen to me, so I wonder if this can be a problem from your side only. Can you share your PKT file so I can take a look?
06-23-2022 09:55 AM
06-23-2022 11:10 AM
Hi
The below configuration is on the firewall.
"
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
policy-map global_policy2
 class inspection_default
  inspect http
  inspect icmp
!
service-policy global_policy global
!"
I can see it even after firewall reboot.
However, your firewall does not have any access list allowing traffic. Is it because you are still working on it?
06-24-2022 07:28 AM
Hi Flavio,
The issue I had previously regarding the global policy map has been resolved since I created a second policy map policy-map global_policy2 and added inspect icmp and inspect http. However, I couldn't ping my external server.
I then created a second service policy service-policy global_policy2 global. I saved the config and pinged my external server. Both the ping and http request were successful.
When I close my PKT file and reopen it, the service policy I created service-policy global_policy2 global is overwritten by the default service-policy global_policy global of the firewall.
Even without any Access-list, my internal hosts should be able to reach my external server. Nevertheless, from the external side there should be no access to my internal network due to the security-level.
Is there any workaround to save the service-policy global_policy2 global in my topology?
Regards,
Yoveena
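An added example, not part of any post in this thread: a small Python check that resolves which policy-map the `service-policy ... global` line binds and reports which required inspections are missing, run over the two states described above. The sample configs are constructed from the ones quoted in the thread; the function names and the `REQUIRED` set are assumptions made for illustration.

```python
REQUIRED = {"http", "icmp"}  # inspections the poster needs (assumption for this check)

# Constructed from the configs quoted in the thread.
SAVED = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
policy-map global_policy2
 class inspection_default
  inspect http
  inspect icmp
!
service-policy global_policy2 global
"""
# State after reopening the file: the binding has reverted to the default map.
REOPENED = SAVED.replace("service-policy global_policy2 global",
                         "service-policy global_policy global")


def parse(config):
    """Return ({policy_map: set(protocols)}, globally bound policy-map or None)."""
    maps, current, bound = {}, None, None
    for raw in config.splitlines():
        words = raw.split()  # indentation is ignored, so flattened pastes parse too
        if not words or words[0] == "!":
            continue
        if words[0] == "policy-map":
            # "policy-map type inspect ..." holds protocol parameters, not inspections
            current = None if words[1] == "type" else words[1]
            if current:
                maps.setdefault(current, set())
        elif words[0] == "inspect" and current:
            maps[current].add(words[1])
        elif words[0] == "service-policy" and words[-1] == "global":
            bound, current = words[1], None
        elif words[0] not in ("class", "parameters", "message-length", "match"):
            current = None  # any other top-level command ends the policy-map block
    return maps, bound


def missing_inspections(config, required=REQUIRED):
    """Required inspections that the globally bound policy-map does not apply."""
    maps, bound = parse(config)
    return required - maps.get(bound, set())
```

Running `missing_inspections` on a `show running-config` capture taken after each reopen shows immediately whether the binding has reverted, even when `global_policy2` itself is still present in the config.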
06-21-2022 01:24 PM
Hello,
just to cover the basics: you did issue the 'wr mem' command?
06-22-2022 10:58 AM
Hello @Georg Pauwen,
Yes, I used the 'wr mem' command during the configuration. However, the issue still persists with the service-policy global_policy global.
06-22-2022 02:03 PM
Hello,
what about:
copy running-config startup-config
06-23-2022 09:58 AM
Hello @Georg Pauwen,
I have also used the copy running-config startup-config command during the configuration. However, the issue remains the same.
Please find attached the PKT file.
Awaiting your response.
Regards,
Yoveena
06-23-2022 12:32 PM
Odd, I have the exact same problem. Nothing is saved.
06-24-2022 07:33 AM
Hi @Georg Pauwen,
Is this a bug in the Firewall 5506-X of Cisco Packet Tracer?
Do you have any workaround that could help me to save these configurations or could you provide any alternative way?
Regards,
Yoveena