HI Rob!
Thanks again...
That sounds like a plan.
Re: the time servers - that's only just gone into the config (it's very much a work in progress) so I was aware that there would still be more work to be done. Slowly beginning to understand the self zone with your great assistance.
I wish I could repay the favour. It kind of makes sense once you being to understand it!
Thanks again.
"I'll be back"...
Rob.

Sighs.
OK so I configured as suggested - allowing bootp / dhcp traffic on ports 67/68.
Performed a shut on the relevant interfaces and then no shut them.
The interface gets an IP from DHCP - hallelujah! But we're back to the old no traffic flowing again.
It does seem as though something else is required to be configured in the self zone.
I added a log command to the pass statements on the policy maps.
How do I then view these logs with meaningful information as to what has been dropped so that I may be able to figure out what exactly the self zone is missing. Certainly with the pass IP any any it all worked!
I guess I need to figure out now what's preventing return traffic?
Any suggestions ? :(

If you modify the following:-

 

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect ALLOWED-PROTOCOLS
inspect
class class-default

 drop log

 

then any drops outbound should be logged, then type "show logging" to view the logs.

 

Can you provide the output of "show policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE" and upload here

Morning Rob!
Still ongoing I'm afraid.
The logs dont appear to hold any information on the INSIDE-TO-OUTSIDE rules as below.
The very second that I disable the zone pairing for the self zone everything springs into life.
It's almost as if everything is going through the SELF zone ?
Details are below anyway - your help is greatly appreciated.

C1117ISR#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
C1117ISR#sh logging
Syslog logging: enabled (0 messages dropped, 7 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


Console logging: level debugging, 54 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 59 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level informational, 61 message lines logged
Logging Source-Interface: VRF Name:

Log Buffer (4096 bytes):
Throughput license found, throughput set to 50000 kbps
*Oct 26 11:47:09.233: %SYS-2-PRIVCFG_DECRYPT: Successfully apply the private config file
*Oct 26 11:47:09.280: %SYS-6-CLOCKUPDATE: System clock has been updated from 11:47:09 UTC Fri Oct 26 2018 to 12:47:09 GMT Fri Oct 26 2018, configured from console by vty0.
*Oct 26 11:47:09.922: %SYS-5-CONFIG_I: Configured from memory by console
*Oct 26 11:47:09.998: %IOSXE_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
*Oct 26 11:47:09.998: %IOSXE_OIR-6-REMSPA: SPA removed from subslot 0/1, interfaces disabled
*Oct 26 11:47:09.998: %IOSXE_OIR-6-REMSPA: SPA removed from subslot 0/2, interfaces disabled
*Oct 26 11:47:10.013: %SPA_OIR-6-OFFLINECARD: SPA (C1117-1x1GE) offline in subslot 0/0
*Oct 26 11:47:10.028: %SPA_OIR-6-OFFLINECARD: SPA (C1117-ES-4) offline in subslot 0/1
*Oct 26 11:47:10.045: %SPA_OIR-6-OFFLINECARD: SPA (C1117-VADSL-A) offline in subslot 0/2
*Oct 26 11:47:10.054: %IOSXE_OIR-6-INSCARD: Card (fp) inserted in slot F0
*Oct 26 11:47:10.054: %IOSXE_OIR-6-ONLINECARD: Card (fp) online in slot F0
*Oct 26 11:47:10.092: %IOSXE_OIR-6-INSCARD: Card (cc) inserted in slot 0
*Oct 26 11:47:10.093: %IOSXE_OIR-6-ONLINECARD: Card (cc) online in slot 0
*Oct 26 11:47:10.118: %FW-6-INIT: Firewall inspection startup completed; beginning operation.
*Oct 26 11:47:10.313: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/0
*Oct 26 11:47:10.316: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/1
*Oct 26 11:47:10.316: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/2
*Oct 26 11:47:10.629: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down
*Oct 26 11:47:10.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to down
*Oct 26 11:47:12.217: %SYS-5-RESTART: System restarted --
Cisco IOS Software [Everest], ISR Software (ARMV8EB_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.6.2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Wed 01-Nov-17 03:00 by mcpre
*Oct 26 11:47:12.246: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Oct 26 11:47:12.318: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Oct 26 11:47:12.319: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
Oct 26 11:47:14.906: %SYS-6-BOOTTIME: Time taken to reboot after reload = 310 seconds
Oct 26 11:47:20.724: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Oct 26 11:47:20.724: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
Oct 26 11:47:25.628: %SPA_OIR-6-ONLINECARD: SPA (C1117-1x1GE) online in subslot 0/0
Oct 26 11:47:26.053: %SPA_OIR-6-ONLINECARD: SPA (C1117-ES-4) online in subslot 0/1
Oct 26 11:47:28.031: %LINK-3-UPDOWN: Interface GigabitEthernet0/1/0, changed state to down
Oct 26 11:47:28.049: %LINK-3-UPDOWN: Interface GigabitEthernet0/1/3, changed state to down
Oct 26 11:47:36.034: %LINK-3-UPDOWN: Interface GigabitEthernet0/1/0, changed state to up
Oct 26 11:47:36.038: %LINK-3-UPDOWN: Interface GigabitEthernet0/1/3, changed state to up
Oct 26 11:47:37.034: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1/0, changed state to up
Oct 26 11:47:37.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1/3, changed state to up
Oct 26 11:47:37.048: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
Oct 26 11:47:37.053: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
Oct 26 11:48:29.625: %SPA_OIR-6-ONLINECARD: SPA (C1117-VADSL-A) online in subslot 0/2
Oct 26 11:48:31.620: %LINK-3-UPDOWN: Interface Ethernet0/2/0, changed state to down
Oct 26 11:49:06.616: %VDSL_DAEMON-3-VDSL_LINE_UPDOWN: Controller VDSL 0/2/0, line 0, changed state to up
Oct 26 11:49:06.616: %CONTROLLER-5-UPDOWN: Controller VDSL 0/2/0, changed state to up
Oct 26 11:49:08.615: %LINK-3-UPDOWN: Interface Ethernet0/2/0, changed state to up
Oct 26 11:49:09.613: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2/0, changed state to up
Oct 26 11:49:44.418: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/2/0.101 assigned DHCP address 188.222.79.191, mask 255.255.252.0, hostname c03e0f9c268c@skydsl|addf773e

C1117ISR#sh policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE
Zone-pair: ZP-INSIDE-TO-OUTSIDE
Service-policy inspect : PM-INSIDE-TO-OUTSIDE-POLICY

Class-map: CMAP-ALLOWED-OUTBOUND-PROTOCOLS (match-any)
Match: protocol icmp
Match: protocol dns
Match: protocol http
Match: protocol https
Inspect
Packet inspection statistics [process switch:fast switch]
dns packets: [0:4]

Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:0:0]
Last session created 00:01:12
Last statistic reset never
Last session creation rate 2
Last half-open session total 0

Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes

Hi Rob,
Looks like you are pinging from the router itself (C1117ISR), that would be classed as from the "self" zone. This would explain why there are no hits on the ZP-INSIDE-TO-OUTSIDE policy-map.

Try pinging from a device connected to the router, which would be in the "inside" zone.

HTH

Yup - I've done that and also tried web access - it logs precisely zero a being dropped on the INSIDE-TO-OUTSIDE rule. Nothing at all.
The log provided was following a clean reboot of the router and attempted PING and WEB access from a client machine in the 192.168.0.x vlan.
If I log PASS on the SELF-INTERNET zones I see the UDP DHCP traffic passing the rule without a problem but this blocks all other traffic and logs nothing as you can see...
Frustrating as I can't see anything wrong.
Another though - I'm NATting.
Would anything be required from SELF-INTERNET or vice versa to allow the NAT translations to take place on the router maybe ?

We have logs!
I decided to place a drop log on the end of the Internet-self / self-internet and Inside-outside interfaces and this is what we have...

Log Buffer (4096 bytes):
:class)-(ZP-SELF-TO-INTERNET:class-default) due to Policy drop:classify result with ip ident 0
Oct 26 12:30:38.456: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002818567169058 %FW-6-LOG_SUMMARY: 1 udp packet was dropped from internal0/0/rp:0 188.222.79.191:32810 => 90.207.238.99:53 (target:class)-(ZP-SELF-TO-INTERNET:class-default)
Oct 26 12:31:08.457: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002848568328467 %FW-6-LOG_SUMMARY: 1 udp packet was dropped from internal0/0/rp:0 188.222.79.191:32798 => 90.207.238.99:53 (target:class)-(ZP-SELF-TO-INTERNET:class-default)
Oct 26 12:31:09.755: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002849865530039 %FW-6-DROP_PKT: Dropping tcp pkt from Ethernet0/2/0.101 222.223.58.198:51399 => 188.222.79.191:23(target:class)-(ZP-INTERNET-TO-SELF:class-default) due to Policy drop:classify result with ip ident 22522 tcp flag 0x11, seq 1060131177, ack 1102197762
Oct 26 12:31:38.459: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002878569790199 %FW-6-LOG_SUMMARY: 1 udp packet was dropped from internal0/0/rp:0 188.222.79.191:23419 => 90.207.238.99:53 (target:class)-(ZP-SELF-TO-INTERNET:class-default)
Oct 26 12:31:43.732: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002883842548566 %FW-6-DROP_PKT: Dropping tcp pkt from internal0/0/rp:0 188.222.79.191:42886 => 90.207.238.97:53(target:class)-(ZP-SELF-TO-INTERNET:class-default) due to Policy drop:classify result with ip ident 23908 tcp flag 0x2, seq 4281981077, ack 0
Oct 26 12:32:08.460: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002908570630924 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from Ethernet0/2/0.101 84.204.26.126:7013 => 188.222.79.191:23 (target:class)-(ZP-INTERNET-TO-SELF:class-default)
Oct 26 12:32:26.191: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002926301479751 %FW-6-DROP_PKT: Dropping tcp pkt from Ethernet0/2/0.101 64.68.236.53:59010 => 188.222.79.191:37215(target:class)-(ZP-INTERNET-TO-SELF:class-default) due to Policy drop:classify result with ip ident 32059 tcp flag 0x2, seq 3168686015, ack 0
Oct 26 12:32:38.461: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002938571923574 %FW-6-LOG_SUMMARY: 4 tcp packets were dropped from internal0/0/rp:0 188.222.79.191:44361 => 8.8.8.8:53 (target:class)-(ZP-SELF-TO-INTERNET:class-default)
Oct 26 12:33:00.129: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002960239292806 %FW-6-DROP_PKT: Dropping udp pkt from internal0/0/rp:0 188.222.79.191:52427 => 90.207.238.99:53(target:class)-(ZP-SELF-TO-INTERNET:class-default) due to Policy drop:classify result with ip ident 0
Oct 26 12:33:08.463: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002968573569627 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from Ethernet0/2/0.101 223.17.166.205:6744 => 188.222.79.191:80 (target:class)-(ZP-INTERNET-TO-SELF:class-default)
Oct 26 12:33:38.464: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000002998574916838 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from Ethernet0/2/0.101 64.68.236.53:59010 => 188.222.79.191:37215 (target:class)-(none:class-default)
Oct 26 12:34:08.465: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000003028576108167 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from Ethernet0/2/0.101 37.59.240.163:55244 => 188.222.79.191:47766 (target:class)-(none:class-default)
Oct 26 12:34:38.467: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000003058577426457 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from Ethernet0/2/0.101 185.255.31.38:8080 => 188.222.79.191:37777 (target:class)-(none:class-default)
Oct 26 12:34:45.376: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000003065486601868 %FW-6-DROP_PKT: Dropping udp pkt from Vlan10 192.168.0.20:63483 => 216.58.206.142:443(target:class)-(ZP-INSIDE-TO-OUTSIDE:class-default) due to Policy drop:classify result with ip ident 52177

Great!

 

I can see that tcp/443 from inside to outside is matching "class-default" and is dropped. Can you upload your latest configuration to confirm what the configuration is? Potentiallly modify the class-map temporarily to permit tcp and udp, we can tie down if that works.

 

Dropping udp pkt from Vlan10 192.168.0.20:63483 => 216.58.206.142:443(target:class)-(ZP-INSIDE-TO-OUTSIDE:class-default) due to Policy drop:classify result with ip ident 52177

 

I can also see that DNS traffic from the router to the internet is matching "class-default" and dropped. Do the users on the lan use the router as the DNS server, which then forwards on to the internet?

 

1 udp packet was dropped from internal0/0/rp:0 188.222.79.191:32810 => 90.207.238.99:53 (target:class)-(ZP-SELF-TO-INTERNET:class-default)

Dropping tcp pkt from internal0/0/rp:0 188.222.79.191:42886 => 90.207.238.97:53(target:class)-(ZP-SELF-TO-INTERNET:class-default)

4 tcp packets were dropped from internal0/0/rp:0 188.222.79.191:44361 => 8.8.8.8:53 (target:class)-(ZP-SELF-TO-INTERNET:class-default)

OK - current config below.
I have to confess I do not understand "class-default" - the router seems to pop that into there of its own accord at the bottom of each defined Class-Map.
I've not allowed tcp and udp in the rule as yet in the config posted but can modify that and test.
You are indeed correct regarding the DNS. The router is acting as a DNS forwarder out to google / sky DNS servers...I'm going to assume you have more pearls of wisdom for me at this point!

Thanks again.

Rob.

C1117ISR#sh run
Building configuration...


Current configuration : 7576 bytes
!
! Last configuration change at 15:02:57 GMT Fri Oct 26 2018 by rhbmcse
! NVRAM config last updated at 13:29:29 GMT Fri Oct 26 2018 by rhbmcse
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname C1117ISR
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$jUR3aCOMA9OFgU$o3a79MhakpqV2vfDatrcHCxftZzba///XoF5BMiuU6Q
!
no aaa new-model
clock timezone GMT 1 0
!
ip name-server 8.8.8.8 8.8.4.4
no ip domain lookup
ip domain name 21RTM.local
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.51 192.168.0.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CLIENTS
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool MANAGEMENT
network 10.0.0.0 255.255.255.0
!
!
subscriber templating
!

!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3510874038
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3510874038
revocation-check none
rsakeypair TP-self-signed-3510874038
!
!
crypto pki certificate chain TP-self-signed-3510874038
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

quit
!
!
license udi pid C1117-4P sn FGL2205927C
license boot level securityk9
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
username rhbmcse privilege 15 password 7 06240B232B5D550A7A75
!
redundancy
mode none
!
!
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all CMAP-INSIDE-TO-SELF
match access-group name NACL-SELF-AND-INSIDE
class-map type inspect match-all CMAP-SELF-TO-INSIDE
match access-group name NACL-SELF-AND-INSIDE
class-map type inspect match-any CMAP-SELF-TO-INTERNET
match access-group name NACL-SELF-TO-INTERNET
class-map type inspect match-any CMAP-ALLOWED-OUTBOUND-PROTOCOLS
match protocol icmp
match protocol dns
match protocol http
match protocol https
class-map type inspect match-all CMAP-OUTSIDE-TO-SELF
match access-group name NACL-INTERNET-TO-SELF
!
policy-map type inspect PM-SELF-TO-INTERNET
class type inspect CMAP-SELF-TO-INTERNET
pass
class class-default
drop log
policy-map type inspect PM-SELF-TO-INSIDE
class type inspect CMAP-SELF-TO-INSIDE
pass
class class-default
policy-map type inspect PM-INSIDE-TO-OUTSIDE-POLICY
class type inspect CMAP-ALLOWED-OUTBOUND-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect PM-OUTSIDE-TO-SELF
class type inspect CMAP-OUTSIDE-TO-SELF
pass
class class-default
drop log
policy-map type inspect PM-INSIDE-TO-SELF
class type inspect CMAP-INSIDE-TO-SELF
pass
class class-default
!
zone security INTERNET
zone security INSIDE
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
service-policy type inspect PM-INSIDE-TO-OUTSIDE-POLICY
zone-pair security ZP-INSIDE-TO-SELF source INSIDE destination self
service-policy type inspect PM-INSIDE-TO-SELF
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
service-policy type inspect PM-OUTSIDE-TO-SELF
zone-pair security ZP-SELF-TO-INSIDE source self destination INSIDE
service-policy type inspect PM-SELF-TO-INSIDE
zone-pair security ZP-SELF-TO-INTERNET source self destination INTERNET
service-policy type inspect PM-SELF-TO-INTERNET
!
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0/1/0
description CLIENT LAN
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
description MANAGEMENT INTERFACE
switchport access vlan 100
switchport mode access
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
mac-address c03e.0f9c.268e
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
description SUBINT TO INTERNET
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex 6330336530663963323638
ip dhcp client hostname c68c@skydsl|addfx
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
zone-member security INTERNET
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.0.1 255.255.252.0
ip nat inside
zone-member security INSIDE
!
interface Vlan100
ip address 10.0.0.1 255.255.255.0
!
ip nat inside source route-map OUTSIDE-POOL interface Ethernet0/2/0.101 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip ssh version 2
!
!
ip access-list extended NACL-INTERNET-TO-SELF
permit udp any eq bootps any
ip access-list extended NACL-PERMIT-ALL-TRAFFIC
permit ip any any
ip access-list extended NACL-SELF-AND-INSIDE
permit ip any any
ip access-list extended NACL-SELF-TO-INTERNET
permit udp any eq bootpc any
ip access-list extended NAT-TO-OUTSIDE
permit ip 192.168.0.0 0.0.3.255 any
!
!
!
route-map OUTSIDE-POOL permit 10
match ip address NAT-TO-OUTSIDE
match interface Ethernet0/2/0.101
!
!
!
control-plane
!
!
line con 0
password 7 091A7D06090D020152
login
transport input all
stopbits 1
line vty 0 4
login local
!
ntp master
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp server 3.uk.pool.ntp.org
ntp server 2.uk.pool.ntp.org
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Ok, cool, if the router is acting as the DNS server for the clients, then DNS requests will originate from the router itself, so therefore you will need to permit DNS from self to internet. Otherwise the users won't be able to resolve the hostnames. Try modifying that.

 

Class-default is a system default, if it doesn't match your specifically defined class-map then it will hit class-default, which by default will drop.

 

HTH

Quick update - I have added TCP and UDP to the CMAP-ALLOWED-OUTBOUND-PROTOCOLS class-map and indeed - the traffic floweth! So as you said - I guess it's a matter of tying it down now.
The SELF zone is a bit of a learning curve!

Seems I was a bit hasty. It worked - I hadn't put the zone pairings back in place.
I have since allowed port 53 TCP & UDP any any for now inbound and outbound to the self zone and I'm still getting no internet access from clients.
I have to drop off for the weekend now (kids) but I'll be back on the case Mon or Tue if that's OK for me to get some further assistance?

Many thanks so far.

Rob.

Firstly - a great big THANK YOU to RJI (Rob) for assisting with all of this.
I have a "working" config and when I do a pen test from outside to my internet IP (local global) I get filtered as a result so nobody is getting in hopefully.
One area of concern though which requires clarification.
Let's say I allow protocol 443 (ssh) outbound on my ZP-Inside-to-outside rule...with an inspect in my class-map and then I get this in the logs:

Dropping udp pkt from Vlan10 192.168.0.20:63483 => 216.58.206.142:443(target:class)-(ZP-INSIDE-TO-OUTSIDE:class-default) due to Policy drop:classify result with ip ident 52177

Now there is a rule there to say - allow 443 but it still drops. The only way I've found around this (and it's not just 443 that gets dropped - it's everything) is to allow IP any (or TCP and UDP any). Fair enough, this works but it would seem that because of the PAT that is going on that I can't just allow protocol 443. The f/w drops it. But if I allow the random translated port (63483) which is covered by the ANY rule, through it goes.
Forgive me if I'm wrong - and clearly I am - I thought I could tie down a lot more securely than this. If NAT is translating my 443 traffic to a random port which has to be allowed (and as far as I can see can only be covered off by an ANY rule as I have no idea what random port it is going to assign) - how do I tie this down to only allow specific protocols? It makes the match PROTOCOL command effectively useless in a PAT configuration! ?

Happy to learn if you're happy to help!

Cheers.

Rob.

Hi,
Glad to hear it's working.

What protocol are you matching on?
The packet dropped in your example is UDP/443, so therefore if you are matching protocol of https, that's TCP/443 (you did say match protcol 443 (ssh), but I assume you meant https). If you do wish to permit UDP/443 then you could define an ACL permitting UDP/443 and reference that instead of matching against a protocol.

HTH