Hi guys,
In order to reduce the number of policies that I need to configure on my security router, I'd like to be able to reuse policies for multiple zone-pairs, including for the self zone.
But if I configure a zone-pair that includes the self zone and try to use a service-policy that's configured in a different zone-pair, it won't work.
For example (referencing the config below), on my ISR 1941 SecurityK9 router running IOS 15.6(3)M3: if I configure the "self-wan" zone-pair to use the "SELF-TO-OUTSIDE" policy, everything works and the router can negotiate a DHCP lease on its WAN interface. But if I configure the "self-wan" zone-pair to use the "all-policy" policy, which is shared with the "lan-wan" zone-pair, it doesn't work and cannot negotiate a DHCP lease.
Can someone explain why this is happening?
!dhcp-ack acl
ip access-list extended DHCP-ACK
permit udp any any eq bootpc
exit
!
!outside-to-self class
class-map type inspect match-any OUTSIDE-TO-SELF
match access-group name DHCP-ACK
exit
!
!outside-to-self policy
policy-map type inspect OUTSIDE-TO-SELF
class type inspect OUTSIDE-TO-SELF
pass
class class-default
drop
exit
exit
!
!all-acl
ip access-list extended all-acl
permit ip any any
permit icmp any any
!
!all-class
class-map type inspect match-any all-class
match access-group name all-acl
exit
!
!all-policy
policy-map type inspect all-policy
class type inspect all-class
inspect
class class-default
drop log
exit
exit
!
!self-to-outside policy
policy-map type inspect SELF-TO-OUTSIDE
class type inspect all-class
pass
class class-default
drop
exit
exit
!
zone-pair security wan-self source wan destination self
service-policy type inspect OUTSIDE-TO-SELF
exit
!
zone-pair security self-wan source self destination wan
service-policy type inspect SELF-TO-OUTSIDE
!service-policy type inspect all-policy
exit
!
zone-pair security lan-wan source lan destination wan
service-policy type inspect all-policy
exit
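Added example (not part of the post above and not Cisco code): a small Python checker that parses the policy-map and zone-pair portion of the posted configuration, embedded here as a constructed sample with "self-wan" bound to the shared "all-policy" (the variant the post says fails), and reports which self-zone pairs are attached to a policy whose class action is "inspect" rather than "pass". It only surfaces the difference between the two variants the post describes; it does not claim why the router behaves that way.

```python
import re
from collections import defaultdict

# Constructed sample: the policy-maps and zone-pairs from the post, with
# "self-wan" bound to the shared "all-policy" (the variant that fails).
CONFIG = """
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect OUTSIDE-TO-SELF
  pass
 class class-default
  drop
policy-map type inspect all-policy
 class type inspect all-class
  inspect
 class class-default
  drop log
zone-pair security wan-self source wan destination self
 service-policy type inspect OUTSIDE-TO-SELF
zone-pair security self-wan source self destination wan
 service-policy type inspect all-policy
zone-pair security lan-wan source lan destination wan
 service-policy type inspect all-policy
"""

ACTIONS = {"inspect", "pass", "drop"}

def parse_zbfw(text):
    """Return ({policy: {class: action}}, {zone_pair: [src, dst, policy]})."""
    policies, pairs = defaultdict(dict), {}
    policy = cls = pair = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"policy-map type inspect (\S+)$", line):
            policy, cls, pair = m.group(1), None, None
        elif m := re.match(r"class (?:type inspect )?(\S+)$", line):
            cls = m.group(1)
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            pair, policy = m.group(1), None
            pairs[pair] = [m.group(2), m.group(3), None]
        elif (m := re.match(r"service-policy type inspect (\S+)$", line)) and pair:
            pairs[pair][2] = m.group(1)                   # policy attached to this zone-pair
        elif policy and cls and line.split(" ")[0] in ACTIONS:
            policies[policy][cls] = line.split(" ")[0]   # "drop log" -> "drop"
    return dict(policies), pairs

def self_zone_inspect(text):
    """Zone-pairs touching 'self' whose policy applies 'inspect' to some class."""
    policies, pairs = parse_zbfw(text)
    return {name: (pol, [c for c, a in policies.get(pol, {}).items() if a == "inspect"])
            for name, (src, dst, pol) in pairs.items()
            if "self" in (src, dst) and "inspect" in policies.get(pol, {}).values()}
```

Running `self_zone_inspect(CONFIG)` flags only "self-wan" (policy "all-policy", class "all-class"); "wan-self" with its pass-only policy and "lan-wan" without the self zone are not reported.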