05-11-2015 06:14 AM - edited 03-05-2019 01:26 AM
Good morning chaps.
I have a security licence on a Cisco 1921. I do not have an application license.
I am using zone based firewall.
When creating a class map, if I do a "normal" one I am able to match on the P2P protocols:
Class Map match-any ALL-P2P-PROTOCOLS (id 25)
Match protocol bittorrent
Match protocol edonkey
Match protocol gnutella
Match protocol kazaa2
Match protocol fasttrack
Now, as you know, you cannot use non-inspect class-maps in an inspect policy-map:
class ALL-P2P-PROTOCOLS of type default is not allowed in policy-map PM_GUEST_TO_OUTSIDE_POLICY of type inspect
Now the problem I have is that under an inspect class-map I cannot use these protocols; they are missing!
In the Cisco docs, they are there.
class-map type inspect match-any ALL-P2P-PROTOCOLS
1921(config-cmap)# match protocol ?
802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation
aol America-Online Instant Messenger
appleqtc Apple QuickTime
bgp Border Gateway Protocol
biff Bliff mail notification
bootpc Bootstrap Protocol Client
bootps Bootstrap Protocol Server
cddbp CD Database Protocol
cifs CIFS
cisco-fna Cisco FNATIVE
cisco-net-mgmt cisco-net-mgmt
cisco-svcs cisco license/perf/GDP/X.25/ident svcs
cisco-sys Cisco SYSMAINT
cisco-tdp Cisco TDP
cisco-tna Cisco TNATIVE
citrix Citrix IMA/ADMIN/RTMP
citriximaclient Citrix IMA Client
clp Cisco Line Protocol
creativepartnr Creative Partnr
creativeserver Creative Server
daytime Daytime (RFC 867)
dbase dBASE Unix
dbcontrol_agent Oracle dbControl Agent po
ddns-v3 Dynamic DNS Version 3
dhcp-failover DHCP Failover
discard Discard port
dns Domain Name Server
dnsix DNSIX Securit Attribute Token Map
echo Echo port
entrust-svc-hdlr Entrust KM/Admin Service Handler
entrust-svcs Entrust sps/aaas/aams
Do I need the application licences so that I can use the Advanced NBAR protocol packs?
05-12-2015 01:04 AM
Enhanced NBAR should be included in the security license. I haven't tried blocking bittorrent with zbfw. But an idea comes to mind, along with ZBFW you can apply a service policy on the outgoing interface to drop this kind of traffic.
class-map match-any ALL-P2P-PROTOCOLS
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
!
policy-map PM-ALL-P2P-PROTOCOLS
 class ALL-P2P-PROTOCOLS
  drop
 class class-default
  ! no action here: traffic not classified as P2P is forwarded as normal
!
interface x/x
 ! x/x is the outgoing interface (placeholder, substitute your own)
 service-policy output PM-ALL-P2P-PROTOCOLS
Hopefully that would work. I haven't tested it myself though.
Hope this helps
Bilal
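An added example (not from anyone in this thread) putting both pieces together: a zone-pair inspect policy that only inspects what the guest zone is explicitly allowed to use and drops the rest, with the NBAR-based QoS drop policy from Bilal's suggestion applied outbound on the same interface. The zone names, the interface name and the allowed-protocol list are assumptions.

```cisco
! --- ZBFW side: inspect class-maps cannot match the NBAR P2P protocols,
! --- so allow only what the guest zone needs and let class-default drop the rest
class-map type inspect match-any CM-GUEST-ALLOWED
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect PM_GUEST_TO_OUTSIDE_POLICY
 class type inspect CM-GUEST-ALLOWED
  inspect
 class class-default
  drop log
!
zone security GUEST
zone security OUTSIDE
!
zone-pair security GUEST-TO-OUTSIDE source GUEST destination OUTSIDE
 service-policy type inspect PM_GUEST_TO_OUTSIDE_POLICY
!
! --- QoS/MQC side: a plain class-map CAN match the NBAR P2P protocols,
! --- so drop them with an output service-policy on the outside interface
class-map match-any ALL-P2P-PROTOCOLS
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
!
policy-map PM-ALL-P2P-PROTOCOLS
 class ALL-P2P-PROTOCOLS
  drop
 class class-default
  ! no action: everything else is forwarded
!
interface GigabitEthernet0/0
 ! assumed inside interface facing the guest LAN
 zone-member security GUEST
!
interface GigabitEthernet0/1
 ! assumed outside interface; both the zone membership and the P2P drop policy live here
 zone-member security OUTSIDE
 service-policy output PM-ALL-P2P-PROTOCOLS
```

Check with "show policy-map interface GigabitEthernet0/1" that the ALL-P2P-PROTOCOLS class is counting drops, and with "show policy-map type inspect zone-pair GUEST-TO-OUTSIDE" that the inspect policy is attached.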
08-21-2015 07:37 AM
I had the same issue, and then came across this little tidbit of info:
This is listed in the restrictions of this doc: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-mt/sec-data-zbf-15-mt-book/sec-zone-pol-fw.html#GUID-6ECF1303-423F-4809-9329-8876F79D2FA7