10-02-2015 03:44 AM - edited 03-11-2019 11:41 PM
Hi
I have ZBFW applied on all interfaces of the router:
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN-TO-OUT
policy-map type inspect PM_IN-TO-OUT
 class type inspect CM_IN-TO-OUT
  inspect
class-map type inspect match-any CM_IN-TO-OUT
 match protocol tcp
 match protocol udp
int LAN
 zone-member security INSIDE
I wanted to apply IP INSPECT to filter inappropriate traffic; however, it is not allowed:
Router(config-subif)#ip inspect webfilter in
%Cannot configure inspect rule on an interface which is member of a zone. Remove the interface from the zone and retry.
How can these two security features be combined?
Many thanks
10-02-2015 03:51 AM
It may be a bug
If you attempt to associate an inspection rule with an interface that is part of a firewall zone, Cisco IOS returns the following error: "Cannot configure inspect rule on an interface which is member of a zone. Remove the interface from the zone and retry."
Workaround:
If you want to associate the inspection rule with the interface, you must first remove the interface from the zone using the Cisco IOS CLI.
10-02-2015 04:09 AM
Hi Mark,
I wanted to do it the other way round: first I removed the zone member, then configured IP INSPECT, and then wanted to reapply the zone member. However, it was not successful:
Router(config-subif)#zone-member security INSIDE
%Inspect rule is configured on the interface. Please unconfigure the rule first
I'm using c890-universalk9-mz.154-2.T3.bin
BR
10-02-2015 04:21 AM
Hi. Unfortunately that bug is hidden from the public, so TAC are probably still working on a fix. I can't see which IOS in particular it's affecting; it just seems to match what you're seeing.
10-02-2015 03:53 AM
Hi Peter,
You can create the policy map for the required inspection and apply it to the zone-pair.
Please refer to the following link for the exact commands:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-zbf-xe-asr1k-book/sec-zone-pol-fw.html#GUID-28F99D99-2160-410F-9959-D5FDDC767D91
Hope it helps!!!
Thanks,
R.Seth
Don't forget to mark the answer as correct if it helps in resolving your query!!!
10-02-2015 04:53 AM
Dear Risseth
Can you give me a hint on how to incorporate the IP INSPECT into the policy map?
E.g.:
ip inspect name webfilter http urlfilter
ip urlfilter exclusive-domain permit .microsoftonline.com
ip urlfilter exclusive-domain permit .office.com
With this CM and PM:
class-map type inspect match-any CM_IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM_IN-TO-OUT
 class type inspect CM_IN-TO-OUT
  inspect
Then:
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN-TO-OUT
Thanks
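For the configuration posted above, the ZBFW way to get the effect of the CBAC `ip inspect ... http urlfilter` rule is to move the URL-filter settings into a `parameter-map type urlfilter` and attach it to a dedicated HTTP class inside the existing inspect policy-map, so that nothing is applied with `ip inspect` on the zone-member interface and the two features no longer collide. The following is an added example, not part of the thread or of Cisco's documentation: the names CM_HTTP and URLF_LOCAL are assumptions, the other names and the two permitted domains are taken from the posted configuration. Which URL-filtering syntax the device accepts depends on the IOS release (later releases implement Subscription-Based Content Filtering with `parameter-map type urlfpolicy local` and `class-map type urlfilter` instead of the `urlfilter` action shown here), so confirm the available keywords with `?` before committing.

```ios
! Added example: URL filtering inside ZBFW instead of "ip inspect" (CBAC).
! CM_HTTP and URLF_LOCAL are assumed names; the rest comes from the posted config.
!
! Local allow-list, equivalent to the "ip urlfilter exclusive-domain permit" lines
parameter-map type urlfilter URLF_LOCAL
 exclusive-domain permit .microsoftonline.com
 exclusive-domain permit .office.com
 allow-mode on
!
! Match HTTP on its own so the URL filter can be attached to it
class-map type inspect match-any CM_HTTP
 match protocol http
!
class-map type inspect match-any CM_IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Classes are evaluated top-down, first match wins: CM_HTTP must precede
! CM_IN-TO-OUT, otherwise "match protocol tcp" takes the HTTP sessions and
! URLF_LOCAL is never applied
policy-map type inspect PM_IN-TO-OUT
 class type inspect CM_HTTP
  inspect
  urlfilter URLF_LOCAL
 class type inspect CM_IN-TO-OUT
  inspect
 class class-default
  drop
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN-TO-OUT
!
! The LAN interface stays a plain zone member; no "ip inspect" is configured on it
! interface <LAN interface>
!  zone-member security INSIDE
```

After applying it, `show policy-map type inspect zone-pair IN-TO-OUT` lists the CM_HTTP class with its URL-filter counters, which is the quickest way to confirm that HTTP sessions are hitting the filtered class rather than falling through to CM_IN-TO-OUT.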