12-20-2013 10:31 AM - edited 03-11-2019 08:20 PM
Hi,
When I try to deploy ZBFW rules to my router, CSM gives me the following error:
%No specific protocol or access-group configured in class CSM_ZBF_CLASS_MAP_6 for inspection. All packets will be dropped
CSM_ZBF_CLASS_MAP_6
It is also deploying strange commands like:
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
match access-group name ###CMAP_ACLNAME6
no match access-group name CSM_ZBF_CMAP_ACL_4
exit
Have you ever seen it before? Why is it asking about an ACL that does not exist? Why is it issuing strange commands?
I may provide you with further information, if you wish.
Thank you.
12-20-2013 05:02 PM
Hello Leonardo,
I will never recommend doing any firewall configuration via SDM, CCP or SDM. Things will just not work as they should (all of this is based on my experience).
I have seen both of them in the past.
I would recommend providing us the config, and then we will tell you if we see something strange, but try to do this via the CLI (trust me, you need this).
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
12-24-2013 03:05 AM
But that is the main reason for the CSM product's existence! It should centralize security configuration. I have 40 routers to manage and I definitely cannot manage Zone Based Firewall and ACLs via the CLI in this scenario. I have never faced any problem with ASDM while managing my ASA and FWSM.
12-24-2013 09:06 AM
So my answer was sort of useful hahaha.
The configuration of ZBFW is pretty complex and involves the definition of multiple parameters.
As I said, my recommendation will always be to do it from the CLI; if you do not know how or need assistance with that, then get Cisco TAC on the line or get someone that knows about it.
From the first log you posted: I have seen it in the past when using an ACL to match traffic, and it has not caused any issues.
Now for this:
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
match access-group name ###CMAP_ACLNAME6
no match access-group name CSM_ZBF_CMAP_ACL_4
exit
It's just removing the use of an ACL to then match other traffic with a different ACL, so no big deal.
The only way to determine whether the configuration is good or not is to analyze the entire configuration against what you are trying to do!!
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
02-19-2014 05:29 AM
The problem was that INSPECT rules need INSPECT protocols to be specified! Otherwise it must be a PASS flow.
In my opinion it's a bug or bad programming in the CSM interface. If inspect NEEDS a protocol, it should be forced to input this information before deploying it!
Anyway, thanks for helping.
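A pre-deployment check that catches the condition identified in the post above (an inspect class whose class-map matches only an ACL and has no `match protocol`) and the earlier complaint about an ACL that is referenced but not defined, written as an added example for this thread and not taken from CSM, Cisco or any poster. It assumes plain IOS running-config text with its usual indentation, named ACLs only (numbered `access-list` statements are not tracked), and single-level policy maps; the sample configuration, including the CSM_ZBF_* names, is constructed and only mirrors the thread's naming.

```python
"""Pre-deployment lint for Cisco IOS zone-based firewall (ZBFW) config text.

Added example, not code from the thread, from CSM or from Cisco. Flags two
things the thread discusses: an `inspect` class whose class-map has no
`match protocol` line, and a `match access-group` naming an ACL the config
never defines. Assumes IOS running-config indentation and named ACLs only.
The sample below is constructed; CSM_ZBF_* names only mirror the thread.
"""
import re

SAMPLE_CONFIG = """\
ip access-list extended CSM_ZBF_CMAP_ACL_4
 permit ip 10.0.0.0 0.255.255.255 any
!
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
 match access-group name CSM_ZBF_CMAP_ACL_4
!
class-map type inspect match-all CSM_ZBF_CLASS_MAP_5
 match access-group name CSM_ZBF_CMAP_ACL_5
 match protocol tcp
!
class-map type inspect match-all CSM_ZBF_CLASS_MAP_6
 match access-group name CSM_ZBF_CMAP_ACL_4
 match protocol tcp
!
policy-map type inspect CSM_ZBF_POLICY_MAP_1
 class type inspect CSM_ZBF_CLASS_MAP_4
  inspect
 class type inspect CSM_ZBF_CLASS_MAP_5
  pass
 class type inspect CSM_ZBF_CLASS_MAP_6
  inspect
 class class-default
  drop log
!
"""

CLASS_MAP_RE = re.compile(r"^class-map type inspect (match-all|match-any) (\S+)$")
POLICY_MAP_RE = re.compile(r"^policy-map type inspect (\S+)$")
ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
POLICY_CLASS_RE = re.compile(r"^class (?:type inspect )?(\S+)$")
ACTIONS = {"inspect", "pass", "drop", "police"}   # leaf actions under a class


def parse_zbfw(config):
    """Return (class_maps, policy_maps, acls): class_maps maps a name to
    [(match kind, last token)], policy_maps to [[class, action], ...]."""
    class_maps, policy_maps, acls = {}, {}, set()
    block = None                      # ("cmap", name) or ("pmap", name)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":   # "!" ends a top-level block
            block = None
            continue
        if not raw[0].isspace():      # top-level command starts a new block
            block = None
            if m := CLASS_MAP_RE.match(line):
                block = ("cmap", m.group(2))
                class_maps[m.group(2)] = []
            elif m := POLICY_MAP_RE.match(line):
                block = ("pmap", m.group(1))
                policy_maps[m.group(1)] = []
            elif m := ACL_RE.match(line):
                acls.add(m.group(1))
            continue
        if block is None:             # indented line of a block we ignore
            continue
        kind, name = block
        parts = line.split()
        if kind == "cmap" and parts[0] == "match":
            # "match protocol tcp" -> ("protocol","tcp"); "match access-group name X" -> ("access-group","X")
            class_maps[name].append((parts[1], parts[-1]))
        elif kind == "pmap":
            if m := POLICY_CLASS_RE.match(line):
                policy_maps[name].append([m.group(1), None])
            elif policy_maps[name] and parts[0] in ACTIONS:
                policy_maps[name][-1][1] = parts[0]   # action of the last class
    return class_maps, policy_maps, acls


def lint_zbfw(config):
    """Return (where, what, reason) findings; an empty list means clean."""
    class_maps, policy_maps, acls = parse_zbfw(config)
    findings = []
    for pmap, classes in policy_maps.items():
        for cname, action in classes:
            if action != "inspect" or cname == "class-default":
                continue
            matches = class_maps.get(cname)
            if matches is None:
                findings.append((f"policy-map {pmap}", cname, "class-map is not defined"))
            elif not any(kind == "protocol" for kind, _ in matches):
                findings.append((f"policy-map {pmap}", cname, "inspect class without 'match protocol'"))
    for cname, matches in class_maps.items():
        for kind, value in matches:
            if kind == "access-group" and value not in acls:
                findings.append((f"class-map {cname}", value, "access-group names an undefined ACL"))
    return findings
```

Run `lint_zbfw` over the text of `show running-config` (for 40 routers, over each file pulled from them) before a CSM deployment: on the sample it reports CSM_ZBF_CLASS_MAP_4 as an inspect class with no protocol and CSM_ZBF_CLASS_MAP_5 as referencing an ACL that does not exist, while CSM_ZBF_CLASS_MAP_6 (ACL plus `match protocol tcp`, ANDed by `match-all`) passes. `class-default` is skipped because it has no class-map of its own.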