
Firewall ASA - Global Policy-map not being saved in Packet Tracer

yoveena
Level 1

Hello Cisco Expert,

Hope you are doing good.

I am working on a project in Cisco Packet Tracer 8.1.1, and currently running into an issue where I am unable to save the global policy of the 5506-X firewall [version 9.6(1)].

As per my requirement, I will need to inspect icmp and http.

I tried to remove the global policy, recreate a new one with the same name and save the config.

class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect http
inspect icmp
!
service-policy global_policy global

At first, it is working fine and I am able to reach my external server.

However, once I close the pkt file and reopen it, the global policy I created is overwritten by the default global policy of the firewall.

class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global

Is there any way to fix this?

Thanking you in advance and awaiting a response.

Regards,
Yoveena

12 Replies

Hi

This can be a bug from your side. For me, the configuration remains after reload.

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
policy-map global_policy2
class inspection_default
inspect dns preset_dns_map
inspect http
inspect icmp

ciscoasa#sh clock
*0:1:17.115 UTC Mon Mar 1 1993
ciscoasa#

Hi @Flavio Miranda,

I successfully added another policy map and was able to retrieve the configuration after reload but could not reach my external server.

I tried to remove the existing service policy, added another one and was able to reach my external server.

class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
policy-map global_policy2
class inspection_default
inspect dns preset_dns_map
inspect http
inspect icmp
!
service-policy global_policy2 global

However, once I close the pkt file and reopen it, the global service policy I created is overwritten by the default global service policy of the firewall.

class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
policy-map global_policy2
class inspection_default
inspect dns preset_dns_map
inspect http
inspect icmp
!
service-policy global_policy global

Is there any workaround to resolve this issue?

Regards,

Yoveena

It did not happen to me, so I wonder if this can be a problem from your side only. Can you share your PKT file and I can take a look.

Hi @Flavio Miranda,

Please find attached the PKT file.

Awaiting your response.

Regards,

Yoveena

Hi

The below configuration is on the firewall.

"
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
policy-map global_policy2
class inspection_default
inspect http
inspect icmp
!
service-policy global_policy global
!"

I can see it even after firewall reboot.

However, your firewall does not have any Access List allowing traffic. Is it because you are still working on it?

Hi Flavio,

The issue I had previously regarding the global policy map has been resolved since I created a second policy map policy-map global_policy2 and added inspect icmp and inspect http. However, I couldn't ping my external server.

I then created a second service policy service-policy global_policy2 global. I saved the config and pinged my external server. Both the ping and http request were successful.

When I close my PKT file and reopen it, the service policy I created service-policy global_policy2 global is overwritten by the default service-policy global_policy global of the firewall.

Even without any Access-list, my internal hosts should be able to reach my external server. Nevertheless, from the external side there should be no access to my internal network due to the security-level.

Is there any workaround to save the service-policy global_policy2 global in my topology?

Regards,

Yoveena

Hello,

Just to cover the basics: you did issue the 'wr mem' command?

yoveena
Level 1

Hello @Georg Pauwen,

Yes, I used the 'wr mem' command during the configuration. However, the issue still persists with the service-policy global_policy global.

Hello,

What about:

copy running-config startup-config

Hello @Georg Pauwen,

I have also used the copy running-config startup-config command during the configuration. However, the issue remains the same.

Please find attached the PKT file.

Awaiting your response.

 

Regards,

Yoveena

Odd, I have the exact same problem. Nothing is saved.

Hi @Georg Pauwen,

Is this a bug in the Firewall 5506-X of Cisco Packet Tracer?

Do you have any workaround that could help me to save these configurations or could you provide any alternative way?

 

Regards,

Yoveena
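
Added example (not part of the thread and not Cisco or Packet Tracer code): a Python check that takes the configuration posted above before and after reopening the file, finds which policy-map the global service-policy is bound to, and reports which inspection engines were lost or gained. The function names parse_mpf and inspection_drift are made up for this illustration; the configuration text is the one from the posts, with indentation restored.

```python
# Configuration posted in the thread; the two states differ only in the last line.
COMMON = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
policy-map global_policy2
 class inspection_default
  inspect dns preset_dns_map
  inspect http
  inspect icmp
!
"""
SAVED = COMMON + "service-policy global_policy2 global\n"     # before closing the .pkt
RELOADED = COMMON + "service-policy global_policy global\n"   # after reopening it

def parse_mpf(config):
    """Return ({policy-map name: [inspect engines]}, globally bound policy-map)."""
    maps, bound, current = {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("policy-map "):
            # 'policy-map type inspect ...' maps hold parameters, not engines
            current = None if line.startswith("policy-map type ") else line.split()[1]
            if current:
                maps[current] = []
        elif line.startswith("inspect ") and current:
            maps[current].append(line.split()[1])
        elif line.startswith("service-policy ") and line.endswith(" global"):
            bound, current = line.split()[1], None
    return maps, bound

def inspection_drift(before, after):
    """Compare the inspections actually applied globally in two configs."""
    (maps_b, name_b), (maps_a, name_a) = parse_mpf(before), parse_mpf(after)
    on_b, on_a = set(maps_b.get(name_b, [])), set(maps_a.get(name_a, []))
    return {"bound": (name_b, name_a),
            "lost": sorted(on_b - on_a), "gained": sorted(on_a - on_b)}

if __name__ == "__main__":
    print(inspection_drift(SAVED, RELOADED))
```

Both policy-maps survive the reload in the posted output; only the service-policy binding reverts, so the check compares the engines of the bound policy-map and not the mere presence of global_policy2.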