Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
955
Views
0
Helpful
6
Replies

ZBF: Protocol Inspection/Access List Combo

Go to solution
mloraditch
Level 7
Level 7

‎11-04-2010 08:10 AM - edited ‎03-11-2019 12:04 PM

So here is the deal, normally I have a pretty simple ZBF outbound configuration. Basically it's below without the bold italics. If traffic is http and the source ip isn't on a specific BYPASS-FILTER acl it gets filtered, otherwise it gets inspected and allowed.

Now I have a customer who has an incredibly large list of acl requirements and his default position on outbound traffic is deny. We have created an ACL that replicates this called inside_access_in and i have successfully applied it and have it working using the bold italics added below.

My problem is it once the ACL has allowed/denied the traffic it does not appear to be inspecting it further, this really affects FTP traffic as without inspection the connections don't always work properly.  Is there a better way to do this? I don't have the full ACL below but a good example portion of it.

Thanks in advance.

class-map type inspect match-any INSIDE_ACCESS_IN
match access-group name inside_access_in

class-map type inspect match-any DEFAULT-TRAFFIC

match protocol tcp
match protocol udp
match protocol ftp
match protocol sip
match protocol rtsp
match protocol tftp
match protocol icmp
match protocol skinny
class-map type inspect match-all NO-URL-FILTER
match protocol http
match access-group name BYPASS-FILTER
class-map type inspect match-all INTERNET-INBOUND
match access-group name PERMIT-INTERNET
class-map type inspect match-any URL-FILTER
match protocol http

policy-map type inspect PRIVATE-TO-PUBLIC
class type inspect NO-URL-FILTER
  inspect
class type inspect URL-FILTER
  inspect
  urlfilter SMARTFILTER
class type inspect INSIDE_ACCESS_IN
   inspect
 class type inspect DEFAULT-TRAFFIC
  inspect
class class-default
  drop

ip access-list extended inside_access_in
permit ip object-group XXX_Servers any
permit ip object-group XXX_NETWORK_3 any
permit ip any object-group XXX_NETWORK_4
deny   ip any object-group RFC1918
remark Internet Access
permit tcp object-group WWWAccess any eq www 443
remark Secure http access only
permit tcp object-group SecureWWW any eq 443
remark FTP Access
permit object-group FTP object-group FTPAccess any
remark FTP access for all users to these FTP sites
permit object-group FTP any object-group FTPSites

deny ip any any

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to mloraditch

‎11-04-2010 01:20 PM

OK, I see.

I am afraid you need to split it up.

You need a class that only matches on the interesting ftp traffic and also matches on protocol ftp, and then inspects.

So make sure the ftp traffic does not match your current ACL. And after that and before the default you inspect the only ftp class-map.

I hope it makes sense.

PK

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee

‎11-04-2010 11:19 AM

It is normal to do the action in a class if you match the class and not move to the next action for the next class afterwards.

But from what I am seeing. your ACL matches on FTP traffic so, it is matched it should be inspected.

Let us know if there is confusion on the symptom.

PK

0 Helpful

Go to solution
mloraditch
Level 7
Level 7
In response to Panos Kampanakis

‎11-04-2010 12:48 PM

OK Makes, senses, here is where the problem occurs, if somebody is in the top level allow anything line of the acl. At that point I am only matching presumably on basic tcp/udp inspection and when you do that ftp doesn't always work unless you also enable ftp inspection like I do in my DEFAULT-TRAFFIC class.

So how do I get around that with my acl? I can add a tcp rule for the allow anything group with eq ftp but will that trigger the proper inspection? Would I do the same thing I end up doing for ftp for any other protocols like SIP, etc that need more than base tcp/udp inspection?

Thanks!

-Matthew

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to mloraditch

‎11-04-2010 01:20 PM

OK, I see.

I am afraid you need to split it up.

You need a class that only matches on the interesting ftp traffic and also matches on protocol ftp, and then inspects.

So make sure the ftp traffic does not match your current ACL. And after that and before the default you inspect the only ftp class-map.

I hope it makes sense.

PK

0 Helpful

Go to solution
mloraditch
Level 7
Level 7
In response to Panos Kampanakis

‎11-04-2010 01:30 PM

ok

makes sense so I need to for any sensitive protocols that require inspection (FTP, SIP, etc) have a separate acl for each and separate class map, etc

Luckily for this customer that's just FTP.

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to mloraditch

‎11-04-2010 01:49 PM

Please mark this as answered if it is for other people's future benefit.

Good luck with the config.

Take care,

PK

0 Helpful

Go to solution
mloraditch
Level 7
Level 7
In response to Panos Kampanakis

‎11-05-2010 05:51 AM

Done. Thanks for the assistance!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card