Gmail and Yahoo not accessible after zbfw implementation

Yadhu Tony
Level 1

Hi,

I have implemented zbfw on a Cisco 1800 series router. But after the implementation I could see that Gmail/Yahoo are not loading. Please could someone look into my config and advise. I can access all other websites without any issues.

class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all SMTP
 match protocol smtp
class-map type inspect match-all HTTP-ACCESS
 match protocol http
class-map type inspect match-all UDP
 match protocol udp
class-map type inspect match-all HTTPs-ACCESS
 match protocol https
class-map type inspect match-all TCP
 match protocol tcp
class-map type inspect match-all DNS
 match protocol dns
class-map type inspect match-all POP3
 match protocol pop3
!
!
policy-map type inspect in-to-out-policy
 class type inspect HTTPs-ACCESS
  pass
 class type inspect HTTP-ACCESS
  inspect
 class type inspect UDP
  inspect
 class type inspect TCP
  inspect
 class type inspect DNS
  inspect
 class type inspect SMTP
  inspect
 class type inspect POP3
  inspect
 class type inspect ICMP
  inspect
 class class-default
policy-map type inspect out-to-in-policy
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security in-to-out source inside destination outside
 service-policy type inspect in-to-out-policy
zone-pair security out-to-in source outside destination inside
 service-policy type inspect out-to-in-policy

Many thanks,

Regards,
Tony

http://yadhutony.blogspot.com
4 Replies

Vibhor Amrodia
Cisco Employee

Hi,

I think the configuration looks good. Would you be able to try to enable logging for dropped packets and see if you see any packets being dropped?

ip inspect log drop-pkt

Also, as a test, try to change class class-default in policy-map type inspect in-to-out-policy and see if this makes it work?

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Thanks for your reply. I doubt whether the issue is due to the IOS version 12.3(8r)YH12 which is loaded in our router, as I could see that Cisco introduced zbfw in 12.4(6)T?

I will try ip inspect log drop-pkt and will let you know the outcome.

Many thanks,

Regards,
Tony

http://yadhutony.blogspot.com

Hi

I think the problem is:

policy-map type inspect in-to-out-policy
 class type inspect HTTPs-ACCESS
  pass

The HTTPS traffic is allowed out, but the return traffic will be blocked. Gmail is HTTPS, but I would think that any HTTPS website would not work.
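The point made in this reply, that a `pass` action in an inspect policy-map is stateless and only covers the direction of the zone-pair it is applied to, while `inspect` creates a session that admits the return traffic, is easy to check mechanically. The following script is an added example, not code from the thread or from Cisco: it parses `policy-map type inspect` and `zone-pair security` blocks out of a running-config excerpt and flags every `pass` class that has no mirrored `pass` for the same class in the reverse zone-pair, plus any class left without an action. The embedded configs are constructed excerpts modelled on the policy posted above; the parser assumes the one-space/two-space indentation IOS uses when printing a config.

```python
"""Audit a Cisco IOS zone-based firewall config for stateless 'pass' actions
and for classes that have no action in a 'policy-map type inspect'.

Added example; the config excerpts below are constructed from the thread's
posted policy and are not a real device's running-config.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the posted policy (HTTPS set to 'pass').
POSTED_CONFIG = """\
policy-map type inspect in-to-out-policy
 class type inspect HTTPs-ACCESS
  pass
 class type inspect HTTP-ACCESS
  inspect
 class type inspect TCP
  inspect
 class class-default
policy-map type inspect out-to-in-policy
 class class-default
  drop
!
zone-pair security in-to-out source inside destination outside
 service-policy type inspect in-to-out-policy
zone-pair security out-to-in source outside destination inside
 service-policy type inspect out-to-in-policy
"""

# Same policy with HTTPS changed to 'inspect' (what the poster says the real config has).
FIXED_CONFIG = POSTED_CONFIG.replace(" class type inspect HTTPs-ACCESS\n  pass",
                                     " class type inspect HTTPs-ACCESS\n  inspect")

ACTIONS = {"inspect", "pass", "drop"}


def parse_inspect_policies(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {policy_name: [(class_name, action), ...]} for each
    'policy-map type inspect'. A class with no action line gets action ''."""
    policies: Dict[str, List[List[str]]] = {}
    classes = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"policy-map type inspect (\S+)$", line)
        if m:
            classes = policies.setdefault(m.group(1), [])
            continue
        if not line.startswith(" "):
            classes = None          # any other top-level command ends the block
            continue
        if classes is None:
            continue
        m = re.match(r" class (?:type inspect )?(\S+)$", line)
        if m:
            classes.append([m.group(1), ""])
            continue
        m = re.match(r"  (\S+)", line)  # action line under the current class
        if m and classes and m.group(1) in ACTIONS:
            classes[-1][1] = m.group(1)
    return {p: [(c, a) for c, a in cl] for p, cl in policies.items()}


def parse_zone_pairs(config: str) -> Dict[str, Tuple[str, str, str]]:
    """Return {zone_pair_name: (source_zone, destination_zone, policy_name)}."""
    pairs: Dict[str, List[str]] = {}
    name = None
    for line in config.splitlines():
        m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line)
        if m:
            name = m.group(1)
            pairs[name] = [m.group(2), m.group(3), ""]
            continue
        m = re.match(r" service-policy type inspect (\S+)", line)
        if m and name:
            pairs[name][2] = m.group(1)
            name = None
    return {k: (v[0], v[1], v[2]) for k, v in pairs.items()}


def audit(config: str) -> List[str]:
    """Flag 'pass' classes whose return direction is not also passed, and
    classes with no action (class-default without an action drops)."""
    policies = parse_inspect_policies(config)
    pairs = parse_zone_pairs(config)
    findings = []
    for src, dst, pol in pairs.values():
        # actions the reverse zone-pair(s) apply to the same class names
        reverse_classes: Dict[str, str] = {}
        for rsrc, rdst, rpol in pairs.values():
            if rsrc == dst and rdst == src:
                reverse_classes.update(dict(policies.get(rpol, [])))
        for cls, action in policies.get(pol, []):
            if action == "":
                findings.append(f"{pol}: class {cls} has no action configured")
            elif action == "pass" and reverse_classes.get(cls) != "pass":
                findings.append(f"{pol}: class {cls} is 'pass' ({src}->{dst}) but "
                                f"return traffic {dst}->{src} is not passed; "
                                "use 'inspect' or add a mirrored pass")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg):
            print(" ", f)
```

Run against the posted excerpt the script reports the stateless HTTPS `pass` and the action-less `class-default`; against the corrected excerpt only the `class-default` finding remains. The script only reads the config, so it is safe to run on a `show running-config` capture before changing anything on the router.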

Hi 

Thanks for your reply.

Sorry, I put the pass command in only for testing and wrongly copied the config with that. The actual configuration contains inspect for HTTPS. It is quite strange that all other HTTPS websites are working without any issue.

We are running version 12.3(8r)YH12. Would this be the issue?

Appreciate your help on this.

Regards,
Tony

http://yadhutony.blogspot.com