12-18-2009 12:59 AM - edited 03-11-2019 09:50 AM
Hi,
I'm having trouble with ZFW and URL filtering. If I set it up according to the documentation it blocks every website; however, if I remove the urlfilter from the policy, everything works.
Any ideas?
Here is my config:
parameter-map type urlfilter websense-parmap
 exclusive-domain deny .aaaaa.xx
 exclusive-domain deny .bbbbb.xx
 exclusive-domain deny .ccccc.xx
 exclusive-domain deny .ddddd.xx
 exclusive-domain deny .eeeee.xx
class-map type inspect match-any SMTP_TRAFFIC
 match protocol smtp
class-map type inspect match-any HTTP_TRAFFIC
 match protocol http
class-map type inspect match-any class-router-to-outside
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any class-outside-to-router
 match protocol isakmp
 match protocol ipsec-msft
 match access-group name PROT_ESP
class-map type inspect match-any class-inside-to-outside
 match protocol https
 match protocol ftp
 match protocol imap
 match protocol imaps
 match protocol pop3
 match protocol pop3s
 match protocol pptp
 match protocol dns
 match protocol user-tcp-8005
 match protocol user-tcp-21000
 match protocol user-tcp-49600
 match protocol ssh
 match protocol ica
 match protocol icmp
 match protocol ntp
 match protocol user-tcp-5910
 match protocol user-tcp-4081
 match protocol user-tcp-10010
 match protocol user-tcp-2222
 match protocol lotusnote
 match protocol user-tcp-8080
 match protocol user-tcp-1353
class-map type inspect match-any class-outside-to-inside
 match protocol smtp
 match protocol mysql
 match protocol pptp
 match protocol user-tcp-7711
 match protocol user-tcp-5910
 match protocol user-tcp-5911
 match protocol user-tcp-4081
 match protocol user-udp-5910
 match protocol user-udp-5911
class-map type inspect match-any GRE_TRAFFIC
 match access-group name PROT_GRE
class-map type inspect match-all SMTP_SERVER_TRAFFIC
 match protocol smtp
 match access-group 100
policy-map type inspect policy-router-to-outside
 class type inspect class-router-to-outside
  inspect
 class class-default
  pass
policy-map type inspect policy-outside-to-router
 class type inspect class-outside-to-router
  pass
 class class-default
  drop
policy-map type inspect policy-outside-to-inside
 class type inspect GRE_TRAFFIC
  pass
 class type inspect class-outside-to-inside
  inspect
 class class-default
  drop
policy-map type inspect policy-inside-to-outside
 class type inspect SMTP_SERVER_TRAFFIC
  inspect
 class type inspect GRE_TRAFFIC
  pass
 class type inspect class-inside-to-outside
  inspect
 class type inspect HTTP_TRAFFIC
  inspect
  urlfilter websense-parmap
 class class-default
  drop log
!
zone security inside
zone security outside
zone-pair security zp-outside-to-inside source outside destination inside
 service-policy type inspect policy-outside-to-inside
zone-pair security zp-inside-to-outside source inside destination outside
 service-policy type inspect policy-inside-to-outside
zone-pair security zp-router-to-outside source self destination outside
 service-policy type inspect policy-router-to-outside
zone-pair security zp-outside-to-router source outside destination self
 service-policy type inspect policy-outside-to-router
ip access-list extended PROT_ESP
 permit esp any any
ip access-list extended PROT_GRE
 permit gre any any
access-list 100 permit ip host 10.1.28.1 any
12-18-2009 05:21 AM
Figured it out.
"allow-mode on" was missing from my parameter map.
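The parameter map with the missing line in place, as an added illustration rather than the poster's own config; the `!` lines are comments explaining why the original fragment blocked every site, and no Websense server line is shown because none appears in the thread.

```cisco
! Corrected URL-filter parameter map (added example, not the thread's config).
! Domains listed with exclusive-domain are decided locally on the router;
! every other HTTP request is referred to the external Websense server.
! With allow-mode off (the default), a request the server cannot answer is
! dropped, so with no server configured or reachable every site is blocked.
! allow-mode on makes the filter fail-open: unanswered requests are permitted
! and only the exclusive-domain deny entries below still block.
parameter-map type urlfilter websense-parmap
 allow-mode on
 exclusive-domain deny .aaaaa.xx
 exclusive-domain deny .bbbbb.xx
 exclusive-domain deny .ccccc.xx
 exclusive-domain deny .ddddd.xx
 exclusive-domain deny .eeeee.xx
!
! The policy that applies the map is unchanged from the thread.
policy-map type inspect policy-inside-to-outside
 class type inspect HTTP_TRAFFIC
  inspect
  urlfilter websense-parmap
```

Because allow-mode on fails open, the only enforcement left when no server is reachable is the exclusive-domain deny list, so treat the setting as a deliberate availability-over-filtering choice rather than a transparent fix.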