Hi there,
I'm experiencing a problem where a Cisco 1841, running an advsecurity IOS (c1841-advsecurityk9-mz.124-15.T9.bin) and configured with Zone-Based policies via SDM, is not allowing an external server to collect traffic stats via SNMP. The packets are getting dropped somewhere.
Following are the parts of the router config relating to this issue (I have omitted IP addresses and passwords):
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 match protocol snmp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-im
  inspect
  service-policy im sdm-action-app-im
 class type inspect sdm-insp-traffic
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
interface FastEthernet0/0
 description LAN interface
 zone-member security in-zone
interface FastEthernet0/1
 description WAN interface
 zone-member security out-zone
 ip route-cache flow
snmp-server community xxxxxx RO 1
snmp-server community xxxxxx RW 1
snmp-server ifindex persist
access-list 1 permit xxx.xxx.xxx.xxx
access-list 1 permit xxx.xxx.xxx.xxx
If I remove the 'zone-member security out-zone' command from the WAN interface then things start working and the external server is able to poll the SNMP information from the router. So it is something to do with the way the zone-based policies work/inspect.
Appreciate your help,
Regards,
Esteban
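An added example, not part of Esteban's post or of the SDM-generated config, showing how the out-zone to self zone-pair (the one that handles traffic addressed to the router itself) can be opened for the collector's SNMP polls only. The ACL number, the class-map name and the collector address are assumptions; the real host is the one already permitted in access-list 1.

```cisco
! Added example, not from the original post. Assumed: ACL 10 and the
! class-map name; 192.0.2.10 is a placeholder for the collector address
! (the same host that access-list 1 already allows for the communities).
access-list 10 remark SNMP collector (placeholder address)
access-list 10 permit host 192.0.2.10
!
! match-all: the packet must be SNMP (UDP/161 via PAM) AND come from the
! collector, so nothing else on the WAN side can reach the agent.
class-map type inspect match-all cm-snmp-from-collector
 match access-group 10
 match protocol snmp
!
! sdm-permit is the policy SDM already applies to sdm-zp-out-self, so this
! appends a class to it. 'inspect' builds a session for the poll, which also
! lets the router's reply back out without a separate rule in the
! self -> out-zone direction (inspect on self-zone pairs covers UDP).
policy-map type inspect sdm-permit
 class type inspect cm-snmp-from-collector
  inspect
!
! Verification after the change (exec mode, not configuration):
!   show policy-map type inspect zone-pair sdm-zp-out-self
! The cm-snmp-from-collector counters should increase as the collector polls;
! packets still counted under class-default point at a match that is missing.
```

If 'pass' is used instead of 'inspect', remember that it is stateless, so the router's reply leaving the self zone would then need its own pass class under the self to out-zone policy as well.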