01-26-2017 07:03 PM - edited 03-12-2019 01:50 AM
Working on converting from an ACL to ZBF and running into a snag of a sort. Problem is with an ISR 4331 running IOS XE 03.16.05.S.
The protocol, in this example, is using TCP port 2001, communicating with a custom API on a server. From looking at (older) documentation it seems that the suggested way to do this would be to define a custom PAM using:
ip port-map user-API port tcp 2001
Then doing our class-map/policy-map as normal:
ip access-list extended OUTSIDE_SERVER
 permit ip host 10.0.0.1 any
class-map type inspect match-all OUTSIDE_SERVER-CMAP
 match access-group name OUTSIDE_SERVER
 match protocol user-API
The above appears to be fine in our lab on a 2921 (at least as far as configuring), however, it doesn't appear that you can define custom PAMs on the ISR4331 as you get "invalid input detected" when you try to use ip port-map user-[word].
Is there a new/recommended way to handle this? The way it's looking at the moment I can use my existing ACL with minimal changes and point the class-map to it, but I lose visibility on the traffic. The other option seems to be to create one ACL for the address portion of the traffic and another ACL for the ports, then class-map both of them. Is there something I'm not seeing?
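For reference, here is the "one ACL for the addresses, one ACL for the ports" option from the post carried through to a complete zone-pair. This is an added illustration, not the poster's configuration and not something from Cisco's documentation: the ACL name OUTSIDE_SERVER, the host 10.0.0.1 and TCP port 2001 come from the thread, while the second ACL name, the policy-map, zone and zone-pair names and the GigabitEthernet0/0/x interfaces are assumptions for an ISR 4331.

```cisco
! Added example (not the original poster's config): the two-ACL workaround
! on a platform where "ip port-map user-API port tcp 2001" is rejected.

! ACL 1: the address portion (from the thread)
ip access-list extended OUTSIDE_SERVER
 permit ip host 10.0.0.1 any

! ACL 2: the port portion, standing in for the unsupported custom PAM
! (name assumed)
ip access-list extended API_PORT_2001
 permit tcp any any eq 2001

! match-all: both ACLs must match, so only TCP/2001 from 10.0.0.1
! reaches the inspect action of this class
class-map type inspect match-all OUTSIDE_SERVER-CMAP
 match access-group name OUTSIDE_SERVER
 match access-group name API_PORT_2001

! everything else on this zone-pair falls into class-default and is
! dropped with a log entry, so unexpected traffic stays visible
policy-map type inspect OUTSIDE_TO_INSIDE-PMAP
 class type inspect OUTSIDE_SERVER-CMAP
  inspect
 class class-default
  drop log

! zones, zone-pair and interface membership (names and interfaces assumed)
zone security OUTSIDE
zone security INSIDE

zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE_TO_INSIDE-PMAP

interface GigabitEthernet0/0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/0/1
 zone-member security INSIDE
```

Because the class matches only access-groups and no protocol, the inspect action performs generic TCP state tracking rather than application-aware inspection, which is the loss of per-protocol visibility the post mentions; active sessions can still be checked per zone-pair with show policy-map type inspect zone-pair OUTSIDE-TO-INSIDE sessions, and the match-all class keeps the class-default drop log as the place where anything outside 10.0.0.1:2001 shows up.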
01-27-2017 05:20 AM
Looks like the command is not supported on the version that you are running. Can you paste the output of show version? I don't think there is a 3rd way of doing it, the 2 being ip port-map and using an access-list.
-
AJ
01-27-2017 09:36 AM
Looks like the command is not supported on the version that you are running.