ZBF and NAT does not match in class-map

hcalderon
Level 1

Hello team,

I have to create a new environment where traffic (signals) coming from outside (the internet) has to match one of my public IPs; I have to NAT it by port-forwarding to a DMZ, and that is it. With only an ACL (without ZBF) it works, but with ZBF it does not work, and I can see it does not match in the class-map. If I put a protocol match in the class-map it works, but if I put an ACL it does not work.

Router(config)#zone security INSIDE
Router(config)#zone security OUTSIDE
Router(config)#zone security DMZ

Router(config)#interface gigabitEthernet 0/0/1
Router(config-if)#zone-member security DMZ
Router(config)#interface gigabitEthernet 0/0/3
Router(config-if)#zone-member security INSIDE
Router(config)#interface gigabitEthernet 0/0/2
Router(config-if)#zone-member security OUTSIDE

Router(config)#class-map type inspect match-any ESCENSE-OUTSIDE-TO-DMZ-CLASS
Router(config)#match access-group name ESCENSE-OUTSIDE-TO-DMZ-ACL   ---> with this it fails, but with "match protocol tcp" only it works

policy-map type inspect OUTSIDE-TO-DMZ-PM
 class type inspect ESCENSE-OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log

Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-PM
Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-PM
Router(config)#zone-pair security DMZ-TO-IN source DMZ destination INSIDE
 service-policy type inspect DMZ-TO-INSIDE-PM

ip nat inside source static tcp 10.44.63.134 8000 ip public 8000 extendable
ip nat inside source static tcp 10.44.63.130 9880 ip public 9880 extendable
ip nat inside source static tcp 10.44.63.136 16001 ip public 16001 extendable
ip nat inside source static tcp 10.44.63.137 16002 ip public 16002 extendable
ip nat inside source static tcp 10.44.63.138 16003 ip public 16003 extendable
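The thread never shows the ACL, but the symptom (a protocol-only class-map matches, an address-based ACL never does) is consistent with Cisco's documented NAT order of operations, in which outside-to-inside translation happens before firewall inspection, so a class-map ACL on the OUTSIDE-to-DMZ zone pair sees the inside 10.44.63.x destination rather than the public address. The Python script below is an added check, not code from the thread or from Cisco: it pairs the static NAT entries above with the entries of an ACL and flags any ACE written against the pre-NAT address. It assumes that ordering, a constructed public address 203.0.113.10 in place of "ip public", and a constructed ESCENSE-OUTSIDE-TO-DMZ-ACL.

```python
import re

# Static NAT from the thread, with the unshown "ip public" replaced by a
# constructed documentation-range address (203.0.113.10).
NAT_CONFIG = """
ip nat inside source static tcp 10.44.63.134 8000 203.0.113.10 8000 extendable
ip nat inside source static tcp 10.44.63.130 9880 203.0.113.10 9880 extendable
ip nat inside source static tcp 10.44.63.136 16001 203.0.113.10 16001 extendable
ip nat inside source static tcp 10.44.63.137 16002 203.0.113.10 16002 extendable
ip nat inside source static tcp 10.44.63.138 16003 203.0.113.10 16003 extendable
"""

# Constructed ACL (the thread never shows ESCENSE-OUTSIDE-TO-DMZ-ACL). Two
# entries name the public address, as an interface ACL would; one already
# names the inside host, which is what the zone-pair class-map sees.
ACL_CONFIG = """
ip access-list extended ESCENSE-OUTSIDE-TO-DMZ-ACL
 permit tcp any host 203.0.113.10 eq 8000
 permit tcp any host 203.0.113.10 eq 9880
 permit tcp any host 10.44.63.136 eq 16001
"""

NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACE_RE = re.compile(r"permit (tcp|udp) \S+ host (\S+) eq (\d+)")

def parse_static_nat(text):
    """Map (proto, global_ip, global_port) -> (proto, local_ip, local_port)."""
    return {(p, gip, int(gp)): (p, lip, int(lp))
            for p, lip, lp, gip, gp in NAT_RE.findall(text)}

def check_acl(acl_text, nat_map):
    """Classify each ACE of an OUTSIDE->DMZ class-map ACL. Assumption: the
    zone-pair policy classifies after outside-to-inside NAT, so the ACE
    must name the translated (inside) destination, not the public one."""
    inside = set(nat_map.values())
    verdicts = []
    for proto, dst, port in ACE_RE.findall(acl_text):
        key = (proto, dst, int(port))
        if key in nat_map:
            _, lip, lp = nat_map[key]
            verdicts.append((key, f"pre-NAT address; use host {lip} eq {lp}"))
        elif key in inside:
            verdicts.append((key, "ok: post-NAT (inside) address"))
        else:
            verdicts.append((key, "no static NAT entry; never reachable"))
    return verdicts

if __name__ == "__main__":
    for key, verdict in check_acl(ACL_CONFIG, parse_static_nat(NAT_CONFIG)):
        print(key, "->", verdict)
```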

4 Replies

hcalderon
Level 1

Someone?

Someone here, LoL...
Is this all the config? If not, please share the full config. I will run a lab tonight and find a solution if there is one.

Hello MHM, hahah, yes, sometimes writing in forums feels lonely, jaja.

MHM, yes, this was configured, but I had to remove it and use just an ACL with ip access-group in, you know... and it works, but I don't want that. The lines you see are what I had configured, but it did not work; I'm trying to find out why it does not work so I can configure it again.

Basically, the NAT I was using is not on the physical interface's address; I was using one on top of it, you know... for example 1.1.1.1 public (physical) and 1.1.1.2 public (the one we use to NAT from the internet to inside).

I will run the lab but need more info.
ESCENSE-OUTSIDE-TO-DMZ-ACL <<- this ACL, can I see it (hide or change the public IP to any IP)?
