Small enhancement in zone-based firewalls

In the Deploying Zone-Based Firewalls book I wrote:

In early releases supporting zone-based policy firewall configuration (IOS 12.4(6)T), the match protocol command cannot be used to classify traffic to or from the self zone; only IP access lists can be used for traffic classification.
Misha Volodko reported that the match protocol icmp command works for him when used with the self zone. Another small step toward a perfect implementation :) ... and don't forget that you can always use class class-default to catch all unclassified traffic (and log it before it's dropped, for example).
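The two classification methods side by side, as an added example that is not part of the original post: an ACL-based class-map (the only method available for the self zone in the early releases) next to a match protocol icmp class-map, with class-default dropping and logging whatever is left. Zone, class-map, policy-map and interface names, and the GigabitEthernet0/0 interface, are assumptions.

```cisco
! Access-list based classification: the only method the early
! releases supported for traffic to or from the self zone.
ip access-list extended ACL_ICMP_TO_SELF
 permit icmp any any
!
class-map type inspect match-all CM_Self_ICMP_ACL
 match access-group name ACL_ICMP_TO_SELF
!
! Protocol based classification: what was reported to work with the
! self zone on newer releases. Swap CM_Self_ICMP_ACL into the policy
! below if match protocol is rejected for the self zone on your release.
class-map type inspect match-all CM_Self_ICMP
 match protocol icmp
!
policy-map type inspect PM_Outside_To_Self
 class type inspect CM_Self_ICMP
  pass
 ! Everything not classified above is dropped and logged, so the
 ! dropped flows can be reviewed before any further permit class is added.
 class class-default
  drop log
!
zone security OUTSIDE
 description Untrusted outside network
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
! Only the outside-to-router direction is policed. With no zone-pair
! for self -> OUTSIDE, router-originated traffic (such as the echo
! replies) is still permitted by default.
zone-pair security ZP_Outside_To_Self source OUTSIDE destination self
 service-policy type inspect PM_Outside_To_Self
```

Check the attachment with show policy-map type inspect zone-pair and watch the class-default drop counters and log messages for anything unexpected before tightening further.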

3 comments:

  1. Hi Ivan,

    I'm facing a very weird issue with Zone-Based Firewall, not sure if it's IOS related. The details are below:

    ===================================================
    policy-map type inspect PM.Traffic
    class type inspect CM.Routing
    pass log
    class type inspect CM_Voice.Protocol
    pass log
    class type inspect CM_Application.Traffic
    inspect
    class class-default
    drop log
    !
    zone security ZS_Trusted.Zone
    description Trusted-Inside Network
    zone security ZS_Untrusted.Zone
    description Untrusted-Outside Network
    !
    zone-pair security ZPS_Trusted.2.Untrusted source ZS_Trusted.Zone destination ZS_Untrusted.Zone
    service-policy type inspect PM.Trusted.2.Untrusted.Traffic
    ===================================================

    Upon applying the service-policy I get the error message "Firewall service-policy attachment failed". This is the 1st time I've encountered this issue.


    2nd Issue:
    When I tried to remove the policy-map by applying
    # no policy-map type inspect PM.Traffic
    the command executed successfully with no error, but when you check the running config the policy-map
    is still there.
    I've tried it on another router with the same model & IOS version; the same issue arises.

    Note:
    1. Was able to configure ZBF on those two routers, no issues encountered. I just temporarily removed it from the interface because there were some connectivity issues, but when I attempted to activate it again and add some policy-maps, I got those issues.

    2. Router Info
    Cisco 3845 (revision 1.0) with 483327K/40960K bytes of memory.
    System image file is "flash:c3845-advipservicesk9-mz.124-24.T3.bin"

  2. Ivan Pepelnjak, 27 May 2010 18:31

    Looks like a bug to me. You should open a case with Cisco TAC.

  3. This shortcoming appears to be fixed in many IOS trains: CSCsy29940 - Unable to inspect any protocol in self zone



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.