cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1354
Views
0
Helpful
6
Replies

ZBF: Protocol Inspection/Access List Combo

mloraditch
Level 7
Level 7

So here is the deal, normally I have a pretty simple ZBF outbound configuration. Basically it's below without the bold italics. If traffic is http and the source ip isn't on a specific BYPASS-FILTER acl it gets filtered, otherwise it gets inspected and allowed.

Now I have a customer who has an incredibly large list of acl requirements and his default position on outbound traffic is deny. We have created an ACL that replicates this called inside_access_in and i have successfully applied it and have it working using the bold italics added below.

My problem is it once the ACL has allowed/denied the traffic it does not appear to be inspecting it further, this really affects FTP traffic as without inspection the connections don't always work properly.  Is there a better way to do this? I don't have the full ACL below but a good example portion of it.

Thanks in advance.

class-map type inspect match-any INSIDE_ACCESS_IN
match access-group name inside_access_in

class-map type inspect match-any DEFAULT-TRAFFIC

match protocol tcp
match protocol udp
match protocol ftp
match protocol sip
match protocol rtsp
match protocol tftp
match protocol icmp
match protocol skinny
class-map type inspect match-all NO-URL-FILTER
match protocol http
match access-group name BYPASS-FILTER
class-map type inspect match-all INTERNET-INBOUND
match access-group name PERMIT-INTERNET
class-map type inspect match-any URL-FILTER
match protocol http

policy-map type inspect PRIVATE-TO-PUBLIC
class type inspect NO-URL-FILTER
  inspect
class type inspect URL-FILTER
  inspect
  urlfilter SMARTFILTER
class type inspect INSIDE_ACCESS_IN
   inspect
class type inspect DEFAULT-TRAFFIC
  inspect
class class-default
  drop

ip access-list extended inside_access_in
permit ip object-group XXX_Servers any
permit ip object-group XXX_NETWORK_3 any
permit ip any object-group XXX_NETWORK_4
deny   ip any object-group RFC1918
remark Internet Access
permit tcp object-group WWWAccess any eq www 443
remark Secure http access only
permit tcp object-group SecureWWW any eq 443
remark FTP Access
permit object-group FTP object-group FTPAccess any
remark FTP access for all users to these FTP sites
permit object-group FTP any object-group FTPSites

deny ip any any

1 Accepted Solution

Accepted Solutions

OK, I see.

I am afraid you need to split it up.

You need a class that only matches on the interesting ftp traffic and also matches on protocol ftp, and then inspects.

So make sure the ftp traffic does not match your current ACL. And after that and before the default you inspect the only ftp class-map.

I hope it makes sense.

PK

View solution in original post

6 Replies 6

Panos Kampanakis
Cisco Employee
Cisco Employee

It is normal to do the action in a class if you match the class and not move to the next action for the next class afterwards.

But from what I am seeing. your ACL matches on FTP traffic so, it is matched it should be inspected.

Let us know if there is confusion on the symptom.

PK

OK Makes, senses, here is where the problem occurs, if somebody is in the top level allow anything line of the acl. At that point I am only matching presumably on basic tcp/udp inspection and when you do that ftp doesn't always work unless you also enable ftp inspection like I do in my DEFAULT-TRAFFIC class.

So how do I get around that with my acl? I can add a tcp rule for the allow anything group with eq ftp but will that trigger the proper inspection? Would I do the same thing I end up doing for ftp for any other protocols like SIP, etc that need more than base tcp/udp inspection?

Thanks!

-Matthew

OK, I see.

I am afraid you need to split it up.

You need a class that only matches on the interesting ftp traffic and also matches on protocol ftp, and then inspects.

So make sure the ftp traffic does not match your current ACL. And after that and before the default you inspect the only ftp class-map.

I hope it makes sense.

PK

ok

makes sense so I need to for any sensitive protocols that require inspection (FTP, SIP, etc) have a separate acl for each and separate class map, etc

Luckily for this customer that's just FTP.

Please mark this as answered if it is for other people's future benefit.

Good luck with the config.

Take care,

PK

Done. Thanks for the assistance!

Review Cisco Networking for a $25 gift card