10-20-2014 10:16 AM - edited 03-11-2019 09:57 PM
Hi,
I have implemented zbfw on a Cisco 1800 series router. But after the implementation I could see that Gmail/Yahoo is not loading. Please could someone look into my config and advise. I can access all other websites without any issues.
class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all SMTP
 match protocol smtp
class-map type inspect match-all HTTP-ACCESS
 match protocol http
class-map type inspect match-all UDP
 match protocol udp
class-map type inspect match-all HTTPs-ACCESS
 match protocol https
class-map type inspect match-all TCP
 match protocol tcp
class-map type inspect match-all DNS
 match protocol dns
class-map type inspect match-all POP3
 match protocol pop3
!
!
policy-map type inspect in-to-out-policy
 class type inspect HTTPs-ACCESS
  pass
 class type inspect HTTP-ACCESS
  inspect
 class type inspect UDP
  inspect
 class type inspect TCP
  inspect
 class type inspect DNS
  inspect
 class type inspect SMTP
  inspect
 class type inspect POP3
  inspect
 class type inspect ICMP
  inspect
 class class-default
policy-map type inspect out-to-in-policy
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security in-to-out source inside destination outside
 service-policy type inspect in-to-out-policy
zone-pair security out-to-in source outside destination inside
 service-policy type inspect out-to-in-policy
Many thanks,
10-21-2014 02:13 AM
Hi,
I think the configuration looks good. Would you be able to try to enable logging for dropped packets and see if you see any packets being dropped?
ip inspect log drop-pkt
Also, as a test, try to change class class-default in policy-map type inspect in-to-out-policy and see if this makes it work?
Thanks and Regards,
Vibhor Amrodia
10-21-2014 04:41 AM
Hi Vibhor,
Thanks for your reply. I doubt whether the issue is due to the IOS version 12.3(8r)YH12 which is loaded in our router, as I could see that Cisco introduced zbfw in 12.4(6)T?
I will try ip inspect log drop-pkt and will let you know the outcome.
Many thanks,
10-21-2014 02:29 AM
Hi
I think the problem is:
policy-map type inspect in-to-out-policy
 class type inspect HTTPs-ACCESS
  pass
The HTTPS traffic is allowed out, but the return traffic will be blocked. Gmail is HTTPS, but I would think that any HTTPS website would not work.
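The one-way pass problem described above can be caught before deployment with a small lint over the ZBFW config text. This is an added example, not code from the thread or from Cisco; the config string is a constructed excerpt of the poster's policy-maps and zone-pairs, and the check assumes traffic with no explicit action in an inspect policy-map is dropped.

```python
import re
# Constructed excerpt of the poster's config: "pass" on HTTPS outbound, default drop inbound.
SAMPLE_CONFIG = """\
policy-map type inspect in-to-out-policy
 class type inspect HTTPs-ACCESS
  pass
 class type inspect HTTP-ACCESS
  inspect
policy-map type inspect out-to-in-policy
 class class-default
  drop
zone-pair security in-to-out source inside destination outside
 service-policy type inspect in-to-out-policy
zone-pair security out-to-in source outside destination inside
 service-policy type inspect out-to-in-policy
"""

def parse_zbfw(config):
    """Return (policies, pairs): policies[name][class] = action,
    pairs[name] = (source_zone, destination_zone, policy_name)."""
    policies, pairs, policy, cls, pair = {}, {}, None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"policy-map type inspect (\S+)$", line):
            policy, cls, pair = m.group(1), None, None
            policies[policy] = {}
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            pair, policy = m.group(1), None
            pairs[pair] = [m.group(2), m.group(3), None]
        elif (m := re.match(r"class (?:type inspect )?(\S+)$", line)) and policy:
            cls = m.group(1)
            policies[policy][cls] = "drop"   # no explicit action yet: assumed dropped
        elif line in ("inspect", "pass", "drop") and policy and cls:
            policies[policy][cls] = line
        elif (m := re.match(r"service-policy type inspect (\S+)$", line)) and pair:
            pairs[pair][2] = m.group(1)
        elif line.split(" ")[0] in ("class-map", "zone", "interface", "!"):
            policy = pair = None             # some other top-level block started
    return policies, {k: tuple(v) for k, v in pairs.items()}

def one_way_pass(config):
    """Flag 'pass' classes whose reverse zone-pair does not also pass them (pass is stateless)."""
    policies, pairs = parse_zbfw(config)
    findings = []
    for name, (src, dst, pol) in pairs.items():
        rev = next((p for s, d, p in pairs.values() if (s, d) == (dst, src)), None)
        rev_policy = policies.get(rev, {})
        for cls, action in policies.get(pol, {}).items():
            rev_action = rev_policy.get(cls, rev_policy.get("class-default", "drop"))
            if action == "pass" and rev_action != "pass":
                findings.append((name, cls, rev_action))
    return findings
```

With the sample the check reports the HTTPs-ACCESS class on in-to-out, because its replies fall to the out-to-in class-default drop; changing that action to inspect clears the finding, since inspect opens the return path itself.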
10-21-2014 04:24 AM
Hi
Thanks for your reply.
Sorry, I put the pass command in only for testing and wrongly copied the config with that. The actual configuration contains inspect for HTTPS. It is quite strange that all other HTTPS websites are working without any issue.
We are running version 12.3(8r)YH12. Would this be the issue?
Appreciate your help on this.
Regards,