match protocol Other

Koblensky
Level 1

Hi all,

I've been using the classmap "class-map type inspect match-any min-cls-insp-in-out" in a policymap "policy-map type inspect min-pm-in-out" in the zone security "ccp-zp-in-out source" for my firewall. I've just noticed a "match protocol Other" that I for sure didn't insert. Can you tell me what the functionality of this parameter is?

It was not making any sense to me, so I tried to:

conf
class-map type inspect match-any min-cls-insp-in-out
no match protocol Other
                                           ^
% Invalid input detected at '^' marker.

I tried to remove the "match protocol ftp" and the FTP traffic was actually blocked by the firewall.

class-map type inspect match-any min-cls-insp-in-out
match protocol dns
match protocol ftp
match protocol icmp
match protocol imap
match protocol rtsp
match protocol ssh
match protocol pop3s
match protocol pop3
match protocol imaps
match protocol https
match protocol Other
match protocol ntp
...

policy-map type inspect min-pm-in-out
class type inspect min-cls-invalid-in-src
  drop log
class type inspect min-cls-insp-in-out
  inspect
class type inspect min-cls-insp-smtp
  inspect
class type inspect min-http-cmap
  inspect
class type inspect min-cls-insp-im
  inspect
class class-default
  drop log

zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect min-pm-in-out

Thank you!!

7 Replies

Maykol Rojas
Cisco Employee

What version are you running?

Mike

Mike

version 15.0

Does anyone have an idea? Google doesn't give any hint ... thanks!!

Hi,

Could you do sh ip port-map Other?

Regards.

Alain.

Don't forget to rate helpful posts.

#sh ip port-map Other
                           ^
% Invalid input detected at '^' marker.

I was wondering what happens if you do the following:

  • set an "ip port-map user-protocol--1 port tcp 3283"
  • set a "match protocol user-protocol--1" on a class map
  • remove "ip port-map user-protocol--1 port tcp 3283"

Does it keep the unknown match port... does it put Other, or does it remove the configuration?

I didn't have the time to play with it!!

andysuggars
Level 1

I get the same problem on my Cisco 877 ADSL Router.

It seems that when I remove a match protocol command, the match protocol Other seems to be dropped in there and, like you have experienced, you can't just do a "no match protocol Other".

I would have to remove the whole class-map and add it again. It's fairly simple to do, just copy/paste into notepad, remove the match protocol Other line, do a no class-map and then copy and paste your previous classmap config (with the match protocol Other removed) back in again.

I'm running version 15.0 M7 and unfortunately I get connection problems with my ADSL provider if I use a later firmware version.

The weird thing is, it doesn't do it to any other class maps. Only this one. Perhaps if the class map has more than a certain number of match commands then this problem occurs. My other classmaps only have 2-3 match lines in them and I haven't had the chance to test.

Hello Andy,

I ran a lab on a 7200 router using Version 15.1(4)M4 and I did not get the same result.

I had more than 10 protocols on my class-map, so it is definitely not related to the number of match lines.

Regards.

Rate all the helpful posts

Julio

Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC