Hi guys,

In order to reduce the amount of policies that I need to configure on my security router, I'd like to be able to reuse policies for multiple zone-pairs, including for the self zone.

But if I configure a zone-pair that includes the self zone, and try to use a service-policy that's configured in a different zone pair, it won't work.

For example, (referencing the config below) on my ISR 1941 SecurityK9 router running IOS 15.6(3)M3... If I configure the "self-wan" zone-pair to use the "SELF-TO-OUTSIDE" policy, everything works and the router can negotiate a DHCP lease on it's WAN interface. But if I configure the "self-wan" zone-pair to use the "all-policy" policy, which is shared with the "lan-wan" zone-pair it doesn't work, and cannot negotiate a DHCP lease.

Can someone explain why this is happening?

!dhcp-ack acl
ip access-list extended DHCP-ACK
 permit udp any any eq bootpc
exit
!
!outside-to-self class
class-map type inspect match-any OUTSIDE-TO-SELF
 match access-group name DHCP-ACK
exit
!
!outside-to-self policy
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect OUTSIDE-TO-SELF
  pass
 class class-default
  drop
  exit
exit
!

!all-acl
ip access-list extended all-acl
 permit ip any any
 permit icmp any any
!
!all-class
class-map type inspect match-any all-class
 match access-group name all-acl
exit
!
!all-policy
policy-map type inspect all-policy
 class type inspect all-class
  inspect
 class class-default
  drop log
  exit
exit
!
!self-to-outside policy
policy-map type inspect SELF-TO-OUTSIDE
 class type inspect all-class
  pass
 class class-default
  drop
  exit
exit
!

zone-pair security wan-self source wan destination self
 service-policy type inspect OUTSIDE-TO-SELF
exit
!
zone-pair security self-wan source self destination wan
 service-policy type inspect SELF-TO-OUTSIDE
 !service-policy type inspect all-policy
exit
!
zone-pair security lan-wan source lan destination wan
 service-policy type inspect all-policy
exit