cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
742
Views
0
Helpful
5
Replies

ZBF zone based firewall on ASR 1000

a.ascione
Beginner
Beginner

Hi

Group any idea how this could happen in zone based firewall:

 sh policy-map type inspect zone-pair sessions

Zone-pair: Guest->Internet
Service-policy inspect : Guest_to_Internet

Class-map: Guest_Protocols (match-any)
Match: protocol http
Match: protocol https
Match: protocol dns
Match: protocol bootpc
Match: protocol bootps
Match: access-group name permitany
Pass
0 packets, 0 bytes

Class-map: class-default (match-any)
Match: any
Pass
2242890 packets, 1858326904 bytes

As you can see I get no matches on the first part of my policy map (Class-map: Guest_Protocols) although the users in the "Guest" zone are able to surf...

Any ideas how I could troubleshoot this ?

Thanks in advance for your suggestions.

 
1 Accepted Solution

Accepted Solutions

a.ascione
Beginner
Beginner

The problem was solved with a reboot of the router

 

View solution in original post

5 Replies 5

Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
Can you get the output of the following

show policy-firewall session platform tcp destination-port 80 detail

show policy-firewall config platform

Hi Mohammed,

thank you for your quick reply.

It seems that the show policy-firewall sessions platform  remains empty.

So the command that you are asking is obiously also empty.

But that is probably because the packets are not matching on inspect rules.

 

The second command gives a very long output; I'm adding it in attachment.

thx

 

 

 

I don't see any attachment

sorry, it is ok now I have added it to the original message.

regards

 

 

a.ascione
Beginner
Beginner

The problem was solved with a reboot of the router

 
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers