ACE ignoring class map depending on source???

Similar Messages

• ACE - HTTPS CLASS MAP CONFIGURATION

  Hi,
  We have a secured web site (HTTPS) currently fronted by Cisco ACE 4170, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
  https://abc.com/ABC/* -> serverfarm#1
  https://abc.com/* -> serverfarm#2           (Default)
  Tecnically this should not be difficult and below is a sample of our configuration. We have similar configuration working on our non-secured web site (HTTP) However for the secure web site, the https request https://abc.com/ABC/xxx is continued being routed to serverfarm#2 instead of serverfarm#1 which is very frustrating.
  We can easily get this working on my F5 LTM within 5 minutes but this Cisco ACE continue to frustrate me...Appreciate if any expert on Cisco ACE can help to advise on our configuration.. Thanks.
  =========================================================
  serverfarm host serverfarm#1
  predictor leastconns
  probe https_probe
  rserver rs_server#1
    inservice
  rserver rs_server#2
    inservice
  serverfarm host serverfarm#2
  predictor leastconns
  probe https_probe
  rserver rs_server#3
    inservice
  rserver rs_server#4
    inservice
  sticky http-cookie STICKY_HTTPS_serverfarm#1
  cookie insert browser-expire
  timeout 15
  replicate sticky
  serverfarm serverfarm#1
  sticky http-cookie STICKY_HTTPS_serverfarm#2
  cookie insert browser-expire
  timeout 15
  replicate sticky
  serverfarm serverfarm#2
  class-map type http loadbalance match-any class-map-serverfarm#1
  2 match http url /ABC/.*
  policy-map type loadbalance first-match vs_serverfarm_https
  class class-map-serverfarm#1
    sticky-serverfarm STICKY_HTTPS_serverfarm#1
    insert-http x-forward header-value "%is"
    ssl-proxy client ssl_serverfarm
  class class-default
    sticky-serverfarm STICKY_HTTPS_serverfarm#2
    insert-http x-forward header-value "%is"
    ssl-proxy client ssl_serverfarm
  =========================================================

  Kanwaljeet,
  Yes, we are using ACE for SSL termination i.e. front end is https and back-end is also https.
  We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminate on the ACE.
  Below is an extract of the configuration, I've leave out the remaining configuration which is not required.
  =========================================================
  serverfarm host serverfarm#1
  predictor leastconns
  probe https_probe
  rserver rs_server#1
    inservice
  rserver rs_server#2
    inservice
  serverfarm host serverfarm#2
  predictor leastconns
  probe https_probe
  rserver rs_server#3
    inservice
  rserver rs_server#4
    inservice
  sticky http-cookie STICKY_HTTPS_serverfarm#1
  cookie insert browser-expire
  timeout 15
  replicate sticky
  serverfarm serverfarm#1
  sticky http-cookie STICKY_HTTPS_serverfarm#2
  cookie insert browser-expire
  timeout 15
  replicate sticky
  serverfarm serverfarm#2
  class-map match-all vs_serverfarm
    2 match virtual-address 10.178.50.140 tcp eq https
  class-map type http loadbalance match-any class-map-serverfarm#1
  2 match http url /ABC/.*
  policy-map type loadbalance first-match vs_serverfarm_https
  class class-map-serverfarm#1
    sticky-serverfarm STICKY_HTTPS_serverfarm#1
    insert-http x-forward header-value "%is"
    ssl-proxy client ssl_serverfarm
  class class-default
    sticky-serverfarm STICKY_HTTPS_serverfarm#2
    insert-http x-forward header-value "%is"
    ssl-proxy client ssl_serverfarm
  policy-map multi-match PRODWEB_POLICY
    class vs_serverfarm
      loadbalance vip inservice
      loadbalance policy vs_serverfarm_https
      loadbalance vip icmp-reply active
      nat dynamic 100 vlan 100
      ssl-proxy server ssl_serverfarm
  =========================================================

• ACE: a class-map with multiple ports... what about the probe/serverfarm?

  Hello Gilles,
  One question about something I was not able to find in the documentation.
  Lets say I have one class-map which includes 2 ports (in this case https and 5061).
  Can I associate this class-map to just 1 generic serverfarm and probe for both ports or I have to specify 2 serverfarms/rservers/probes?
  So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), it is sent to the same respective port on the rserver?
  The same way is valid for the generic probe.  ACE module is able to probe both ports based on the class-map?
  Thanks and have a great day!!
  Giulio.
  probe tcp PROBE_GENERIC_TCP
    description This probe works for all TCP services by inheriting the VIP port.
    interval 15
    faildetect 2
    passdetect interval 15
    passdetect count 2
    open 2
  rserver host SERVER1_ACCESS
    ip address <1AC>
    inservice
  rserver host SERVER2_ACCESS
    ip address <2AC>
    inservice
  serverfarm host ACCESS-SFARM
    probe PROBE_GENERIC_TCP
    rserver SERVER1_ACCESS
      inservice
    rserver SERVER2_ACCESS
      inservice
  class-map match-any OCS_L4ACCESS
    2 match virtual-address x.x.x.176 tcp eq https
    2 match virtual-address x.x.x.176 tcp eq 5061
  policy-map type loadbalance first-match OCS_L4ACCESS
    class class-default
      sticky-serverfarm ACCESS_STICKY
  policy-map multi-match POLICY
  class OCS_L4ACCESS
  loadbalance vip inservice
  loadbalance policy OCS_L4ACCESS
  loadbalance vip icmp-reply active
  connection advanced-options OCS_VIPTIMEOUT
  nat dynamic XXX vlan 503

  Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.

• Issue with ACE HTTP class map

  This is what I want to achieve USING the ACE as a reverse proxy.
  User uses the url https://abc/password - gets to the destination server & the web page
  If user tries to use any thing additional then the connection is dropped at the ACE such as
  https://abc/password/test or any such variation.
  Following is the config I have to achieve this
  class-map type http loadbalance match-any L7-CLASS-TEST
    match http url /password
    match http url /password/
  class-map type http loadbalance match-any L7-CLASS-TEST-deny
    2 match http url .*.*
  policy-map type loadbalance first-match LBP-TEST
    class L7-CLASS-TEST
      serverfarm FARM-TEST
      ssl-proxy client TEST
    class L7-CLASS-TEST-deny
      drop
    class class-default
      serverfarm FARM-TEST
      ssl-proxy client TEST
  The problem with this is when the page opens I get broken links on all the images. If I use the following line
  match http url /password.*
  I get the images to work but the user can use the https://abc/password/test which is not what I want.
  Has any one faced this issue ?
  Any help will be appreciated.
  Thanks in advance
  Prasanna

  Prasanna,
  What about if you try it in HTTP and apply the following change?
  class-map type http loadbalance match-any L7-CLASS-TEST-deny
    2 match http url /.*
  This should work in HTTP but not with HTTPS
  Anyway, it should not work since everything seems to be encrypted, you may require either SSL-termination or END-TO-END SSL for this then the ACE can decrypt the request see what it needs to do and take the load balance decision.
  Jorge

• A problem with ACL in the class-map on the ACE module

                    Hi all,
  I configured the following on the ACE module:
  object-group network test
    host 192.168.1.21
    host 192.168.1.22
    host 192.168.1.23
  object-group service port
    tcp eq www
    tcp eq 8080
  access-list T line 8 extended permit object-group port object-group test any
  I tried to configure a class-map for matching this ACL:
  ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
  ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
  Error: Cannot associate acl having object-group ACEs in class-map.
  So couldn't I  configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
  Thank you
  Roman

  Hi Roman,
  I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
  Regards
  Daniel

• Class mapping generation

  Hi,
  I would like to know if exists a free tool to generate automaticaly a class model object or a class mapping from the source code of an application?
  Thanks for your help!
  Nicolas

  Why javadoc.exe is not good?

• ACE SSL Sticky class-map generic vs class default differences.

  There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Giles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
  Can anyone explain the benefits and differences of using a specific class-map generic such as this:
  class-map type generic match-any SSL-v3-32
    2 match layer4-payload regex "\x16\x03\x00..\x01.*"
    3 match layer4-payload regex "\x16\x03\x01..\x01.*"
  Versus just matching class default?
  So if I have a configuration such as this:
  policy-map type loadbalance generic first-match SSL-v3-Sticky
  class SSL-v3-32
     sticky-serverfarm ssl-v3
  vs
  policy-map type loadbalance generic first-match SSL-v3-Sticky
  class class-default
     sticky-serverfarm ssl-v3
  What's the benefit or drawback?

  The SSL session id is only available in version 3.0.1 and 3.1.1
  So you can match this particular version and then attempt to do stickyness.
  You are guaranteed to find what you're looking for.
  If you match a class-default it means you apply stickyness to any version of ssl packet.
  So there is a risk to misinterpret the content of the packet and stick on something else than the session id.
  Gilles.

• Source ip filtering with class map on cisco ace30

  Hello ,
  I would like to know if it is  possible to filter source ips connecting to a virtual ip  within a class map configuration ( or something else  ) ?
  access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
  class-map match-all S_IP_FILTERING_XVIP
  2 match access-list S_IP_FILTERING
  3 match virtual-address 2.2.2.2 any
  Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
  thanks for your support
  Case,

  Hi,
  Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
  for example:
  class-map type http loadbalance match-any LOADBALANCE-FILTER
    2 match source-address X.X.X.X 255.255.255.255
  class-map match-any TEST-CLASSMAP
    2 match virtual-address Y.Y.Y.Y tcp eq www
  policy-map type loadbalance first-match LOADBALANCE
    class LOADBALANCE-FILTER
      serverfarm TEST-SERVERFARM
  policy-map multi-match UTC-PM
    class TEST-CLASSMAP
      loadbalance policy LOADBALANCE
      loadbalance vip inservice
  -Alex

• Cisco ACE loadbalancing matching more than one header in L7 class map

  Dear All,
  This is regarding Cisco ACE loadbalancing matching more than one header in L7 class map. I have a small setup with ACE 30 module in Cisco6500. I have got three webservers. Presently I have following configuration where I am mathing one url header.
  class-map type http loadbalance match-all L7_WEB_HEADER_MATCH
  description MATCH THE HOST HEADER OF HTTP REQUEST
  2 match http header Host header-value ".*abhisar.com*"
  So for above configuration, when traffic is coming for abhisar.com, it is working fine.
  Now, I have following headers and DNS entry is pointing to same virtual IP for all http url header same as abhisar.com
  abhisarindia.com
  indiaabhi.com
  So new configuration will be
  class-map type http loadbalance match-any L7_WEB_HEADER_MATCH
  description MATCH THE HOST HEADER OF HTTP REQUEST
  2 match http header Host header-value ".*abhisar.com*"
  4 match http header Host header-value ".*abhisarindia.com*"
  6 match http header Host header-value ".*indiaabhi.com*"
  So just want to confirm if this is fine.
  Thank You,
  Abhisar.

  Dear Rajesh,
  Thank you for reply. I will let you know once I carry out this activity.
  Thank You,
  Abhisar.

• ACE - FQDN in a class map or other suggestions

  It appears it is only possible to use an IP address when creating match conditions in a class map which makes sense. 
  We are using this basically as a NAT.
  ie, server sends an HTTP message to the ACE containing XML
  ACE then encrypts with an SSL cert and substitutes a public IP address and sends the XML out to a customer IP on the public internet
  Problem is when customer changes the IP address, we need to change the configuration on the ACE.  Ideally if I could use a DNS name, then the customer can manage any changes via DNS and not involve us.
  Disclaimer: I'm a complete novice to the ACE
  Any ideas appreciated!

  Hi Rob,
  Can you share the current configuration and also the traffic flow here.
  Regards,
  Kanwal

• Class-maps used for load balancing on ACE

  I am from CCS background and am trying to understand how the VIPs could be configured on an ACE module (using class maps).
  I am looking for specific information for the following :
  1. Will each VIP have a corresponding Service-policy on the VLAN Interface or can we club many VIPs (through policy-maps) onto a single service-policy entry on teh interface?
  2. I could not find any cisco doco with the configuration examples for more than one VIP address and would please like to know some examples, if possible or could some one direct me to a doco with many VIP entries ?
  - Should each VIP have a seperate class-map or can list them together?

  You will have to configure L3/L4 class-maps for corresponding VIPs. You just need a single policy with n class-maps for n VIPS.
  I am writing a sample that will hopefully help you on this
  class-map match-all app1-vip
  match virtual-address 10.1.1.1 tcp eq 80
  class-map match-any app2-vip
  match virtual-address 10.1.1.2 tcp eq 443
  policy-map type loadbalance first-match L7app1
  class class-default
  server-farm App1-farm
  policy-map type loadbalance first-match L7app2
  class class-default
  server-farm App2-farm
  policy-map multi-match All-vips
  class app1-vip
  loadbalance vip inservice
  loadbalance policy L7app1
  loadbalance vip icmp-reply active
  class app2-vip
  loadbalance vip inservice
  loadbalance policy L7app2
  loadbalance vip icmp-reply active
  int vlan 100
  ip address 10.10.10.101 255.255.255.0
  service-policy input All-vips
  Syed Iftekhar Ahmed

• ACE - Class-maps

  I want to load balance traffic to a VIP based on client source address. Here is what I had in mind:
  access-list special-25 extended permit tcp host 10.20.138.18 host 10.20.96.19 eq 25
  access-list special-25 extended permit tcp host 10.20.138.30 host 10.20.96.19 eq 25
  access-list special-25 extended permit tcp host 10.20.138.40 host 10.20.96.19 eq 25
  access-list special-25 extended permit tcp host 10.20.254.88 host 10.20.96.19 eq 25
  access-list internal-25 extended permit tcp 10.20.0.0 0.0.255.255 host 10.20.96.19 eq 25
  access-list internet-25 extended permit tcp any host 10.20.96.19 eq 25
  class-map match-any INTERNET-MAIL
  2 match access-list internet-25
  class-map match-any INTERNAL-MAIL
  2 match access-list internal-25
  class-map match-any SPECIAL-MAIL
  2 match access-list special-25
  class-map match-all VIP-MAILGATE-25
  description MAILGATE INTERNAL 25
  2 match virtual-address 10.20.96.19 tcp eq 25
  serverfarm host mailgate-zero
  description INTERNET MAIL
  failaction purge
  rserver mailgate-1
  rserver mailgate-2
  rserver mailgate-3
  rserver mailgate-4
  serverfarm host mailgate-one
  description INTERNAL MAIL
  failaction purge
  rserver mailgate-5
  rserver mailgate-6
  serverfarm host mailgate-two
  description I DON'T KNOW MAIL
  failaction purge
  rserver mailgate-8
  policy-map type loadbalance first-match MAILGATE-POLICY
  class SPECIAL-MAIL
  serverfarm mailgate-two
  class INTERNAL-MAIL
  serverfarm mailgate-one
  class INTERNET-MAIL
  serverfarm mailgate-zero
  policy-map multi-match CLIENT-VIPS
  class VIP-MAILGATE-25
  loadbalance vip inservice
  loadbalance policy MAILGATE-POLICY
  loadbalance vip icmp-reply active
  The problem with this design is the policy-map MAILGATE-POLICY won't accept anything but the "class-default".
  Any ideas how can I make this work?
  Thanks,
  Milo

  Gilles,
  You're right, it does sound weird. However, it appears to work (the commands weren't rejected anyway). Now as soon as I get time on the real servers I test it out. Here's my modified config with your suggestion:
  class-map type http loadbalance match-all INTERNAL-MAIL-TEST
  10 match source-address 10.20.0.0 0.0.255.255
  class-map type http loadbalance match-any SPECIAL-MAIL-TEST
  10 match source-address 10.20.138.18 255.255.255.255
  15 match source-address 10.20.138.30 255.255.255.255
  20 match source-address 10.20.138.40 255.255.255.255
  25 match source-address 10.20.254.88 255.255.255.255
  class-map match-all VIP-MAILGATE-TEST-25
  description MAILGATE-TEST.NAU.EDU SMTP MAIL
  2 match virtual-address 10.20.96.36 tcp eq smtp
  policy-map type loadbalance first-match MAILGATE-POLICY-TEST
  class SPECIAL-MAIL-TEST
  serverfarm mailgate-two-test
  class INTERNAL-MAIL-TEST
  serverfarm mailgate-one-test
  class class-default
  serverfarm mailgate-zero-test
  policy-map multi-match CLIENT-VIPS
  class VIP-MAILGATE-TEST-25
  loadbalance vip inservice
  loadbalance policy MAILGATE-POLICY-TEST
  loadbalance vip icmp-reply active
  Thank you!
  Milo

• ACE class-map match url syntax

  Can someone help me with the string that would match a url with no path specified?  For instance; user types "https://outlook.domain.net" into their browser and I want the ACE to redirect that request to https://outlook.domain.net/owa".
    2 match http url oulook\.domain\.net\

  Adam and Shday,
  I'll give you a hand on this =)
  Adam we can solve your problem only if you're doing SSL offloading on the ACE as the layer 5 information that needs to be checked is being sent encrypted.
  In case SSL termination is configured then the configuration would be like this:
  rserver redirect OWA
    webhost-redirection https://%h/owa 301
    inservice
  serverfarm redirect OWA
    rserver OWA
      inservice
  class-map type http loadbalance match-any OWA
  2 match http header Host header-value "outlook.domain.net"
  policy-map type loadbalance first-match OWA
  class OWA
    serverfarm OWA
  class class-default
    serverfarm Backend
  Shday yours is pretty much the same but you need to decide if class-default needs
  to be in place:
  rserver redirect Domain
  webhost-redirection http://%h/any_path 301
  inservice
  serverfarm redirect Domain
     rserver Domain
       inservice
  class-map type http loadbalance match-any Any
  2 match http url /.*
  class-map type http loadbalance match-any Domain
  2 match http header Host header-value "domain.com"
  policy-map type loadbalance first-match Domain
  class Any
    serverfarm Backend
  class Domain
    serverfarm Domain
  HTH
  Pablo

• Class-map for CSC ignores

  I have an application that is getting blocked by the Trend Micro CSC under the http class map. I need it to ignore http traffic from a 172.16.1.0/24, and allow all else. I haven't worked with class maps much, but my thinking is an ACL with the IP subnet, and a match statement under the class map, but where I have the question is, will the ACL be
  permit ip 172.16.1.0 255.255.255.0 any
  deny ip any any
  or the other way around?
  deny ip 172.16.1.0 255.255.255.0 any
  permit ip any any

  thats right
  but upong the ACL u have writen above u will ignore web traffic from 172.16.1.0/24 to 192.168.0.0
  and will match any other web traffic
  but nothing else
  i mean no smtp,pop3 or ftp
  if u want to match any thing else after the deny or ignore statement
  u have to make permit ip any any
  after u match it with class-map
  apply it to a policy map
  like polic-map global_policy (which is the default global policy)
  class-map (ur calss-map name)
  csc fail-open
  then
  service-policy global_policy global
  in this case it will be applied to all interfaces
  good luck
  Rate if helpful

• Default class map is dropping all Packets

  Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time.  I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
  The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
  Guest VLAN has access to 2 IP's in Data for printing.
  Cisco871#sh run
  Building configuration...
  Current configuration : 8005 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  service sequence-numbers
  hostname Cisco871
  boot-start-marker
  boot-end-marker
  logging buffered 4096
  no logging console
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  clock summer-time PST recurring
  crypto pki trustpoint TP-self-signed-4004039535
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-4004039535
  revocation-check none
  rsakeypair TP-self-signed-4004039535
  crypto pki certificate chain TP-self-signed-4004039535
  certificate self-signed 01
    3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
    32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
    33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
    B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
    147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
    41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
    F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
    551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
    03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
    0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
    092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
    D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
    8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
    E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
    3543BD68 A4B2692D 05CBF6DC C93C8142
              quit
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 10.0.0.1 10.0.0.5
  ip dhcp excluded-address 172.16.15.1 172.16.15.5
  ip dhcp excluded-address 172.16.15.14
  ip dhcp excluded-address 172.16.17.1 172.16.17.5
  ip dhcp excluded-address 192.168.19.1 192.168.19.5
  ip dhcp pool MyNetNative
     import all
     network 10.0.0.0 255.255.255.248
     default-router 10.0.0.1
     domain-name MyNetNet.org
     dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
     lease 0 2
  ip dhcp pool MyNetData
     import all
     network 172.16.15.0 255.255.255.240
     dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
     default-router 172.16.15.1
     domain-name MyDomain.org
  ip dhcp pool MyNetVoice
     import all
     network 172.16.17.0 255.255.255.240
     dns-server 172.16.15.14
     default-router 172.16.17.1
     domain-name MyDomain.org
  ip dhcp pool MyNetGuest
     import all
     network 192.168.19.0 255.255.255.240
     default-router 192.168.19.1
     domain-name MyNetGuest.org
     dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
  ip domain name MyDomain.org
  ip name-server 172.16.15.14
  ip name-server 4.2.2.4
  ip inspect log drop-pkt
  multilink bundle-name authenticated
  parameter-map type inspect TCP_PARAM
  parameter-map type inspect global
  username MyAdmin privilege 15 secret 5 MyPassword
  archive
  log config
    hidekeys
  class-map type inspect match-all MyNetGuest-access-list
  match access-group 110
  class-map type inspect match-any Base-protocols
  match protocol http
  match protocol https
  match protocol ftp
  match protocol ssh
  match protocol dns
  match protocol ntp
  match protocol ica
  match protocol pptp
  match protocol icmp
  match protocol tcp
  match protocol udp
  class-map type inspect match-all MyNetGuest-Class
  match class-map MyNetGuest-access-list
  match class-map Base-protocols
  class-map type inspect match-all MyNetNet-access-list
  match access-group 100
  class-map type inspect match-any Voice-protocols
  match protocol h323
  match protocol skinny
  match protocol sip
  class-map type inspect match-any Extended-protocols
  match protocol pop3
  match protocol pop3s
  match protocol imap
  match protocol imaps
  match protocol smtp
  class-map type inspect match-all MyNetNet-Class
  match class-map MyNetNet-access-list
  match class-map Voice-protocols
  match class-map Extended-protocols
  match class-map Base-protocols
  policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
  class type inspect MyNetNet-Class
    inspect
  class class-default
  policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
  class type inspect MyNetNet-Class
    inspect
  class class-default
  policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
  class type inspect MyNetGuest-access-list
    inspect
  class class-default
  policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
  class type inspect MyNetGuest-Class
    inspect
  class class-default
  policy-map type inspect MyNetNet-zone
  class class-default
    pass
  zone security MyNetNet-zone
  zone security MyNetGuest-zone
  zone security MyNetWAN-zone
  zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
  service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
  zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
  service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
  zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
  service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
  zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
  service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
  interface FastEthernet0
  description Cisco-2849-Switch
  switchport mode trunk
  speed 100
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  description SBS-Server
  switchport access vlan 10
  spanning-tree portfast
  interface FastEthernet4
  description WAN
  no ip address
  ip mtu 1492
  ip nat outside
  ip virtual-reassembly
  zone-member security MyNetWAN-zone
  ip tcp adjust-mss 1452
  duplex auto
  speed auto
  no cdp enable
  interface Vlan1
  description MyNetNative
  ip address 10.0.0.1 255.255.255.248
  ip nat inside
  ip virtual-reassembly
  zone-member security MyNetNet-zone
  ip tcp adjust-mss 1452
  interface Vlan10
  description MyNetData
  ip address 172.16.15.1 255.255.255.240
  ip nat inside
  ip virtual-reassembly
  zone-member security MyNetNet-zone
  interface Vlan20
  description MyNetVoice
  ip address 172.16.17.1 255.255.255.240
  ip nat inside
  ip virtual-reassembly
  zone-member security MyNetNet-zone
  interface Vlan69
  description MyNetGuest
  ip address 192.168.19.1 255.255.255.240
  ip nat inside
  ip virtual-reassembly
  zone-member security MyNetGuest-zone
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  access-list 100 remark MyNetnet
  access-list 100 permit ip 10.0.0.0 0.0.0.7 any
  access-list 100 permit ip 172.16.15.0 0.0.0.31 any
  access-list 100 permit ip 172.16.17.0 0.0.0.15 any
  access-list 110 remark MyNetGuest
  access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
  access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
  access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
  access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
  access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
  access-list 110 permit ip 192.168.19.0 0.0.0.15 any
  control-plane
  banner login ^CC
  You know if you should be here or not.
           if not please leave
  NOW
  ^C
  line con 0
  no modem enable
  line aux 0
  line vty 0 4
  privilege level 15
  transport input telnet ssh
  scheduler max-task-time 5000
  ntp server 172.16.15.14
  webvpn cef
  end
  Cisco871#sh zone security
  zone self
    Description: System defined zone
  zone MyNetNet-zone
    Member Interfaces:
      Vlan1
      Vlan10
      Vlan20
  zone MyNetGuest-zone
    Member Interfaces:
      Vlan69
  zone MyNetWAN-zone
    Member Interfaces:
      FastEthernet4
  Cisco871#sh zone-pair security
  Zone-pair name MyNetNet->MyNetGuest
      Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
      service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
  Zone-pair name MyNetNet->MyNetWAN
      Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
      service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
  Zone-pair name MyNetGuest->MyNetWAN
      Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
      service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
  Zone-pair name MyNetGuest->MyNetNet
      Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
      service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
  Cisco871#sh int faste4
  FastEthernet4 is up, line protocol is up
    Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
    Description: WAN
    Internet address is 10.38.177.98/25
    MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full-duplex, 100Mb/s, 100BaseTX/FX
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:00, output 00:34:50, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 2000 bits/sec, 3 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
       593096 packets input, 73090812 bytes
       Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
       0 watchdog
       0 input packets with dribble condition detected
       9940 packets output, 1016025 bytes, 0 underruns
       0 output errors, 0 collisions, 3 interface resets
       0 babbles, 0 late collision, 0 deferred
       0 lost carrier, 0 no carrier
       0 output buffer failures, 0 output buffers swapped out
  Zone-pair: MyNetNet->MyNetWAN
    Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
      Class-map: MyNetNet-Class (match-all)
        Match: class-map match-all MyNetNet-access-list
          Match: access-group 100
        Match: class-map match-any Voice-protocols
          Match: protocol h323
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol skinny
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol sip
            0 packets, 0 bytes
            30 second rate 0 bps
        Match: class-map match-any Extended-protocols
          Match: protocol pop3
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol pop3s
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol imap
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol imaps
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol smtp
            0 packets, 0 bytes
            30 second rate 0 bps
        Match: class-map match-any Base-protocols
          Match: protocol http
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol https
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol ftp
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol ssh
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol dns
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol ntp
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol ica
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol pptp
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol icmp
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol tcp
            0 packets, 0 bytes
            30 second rate 0 bps
          Match: protocol udp
            0 packets, 0 bytes
            30 second rate 0 bps
        Inspect
          Session creations since subsystem startup or last reset 0
          Current session counts (estab/half-open/terminating) [0:0:0]
          Maxever session counts (estab/half-open/terminating) [0:0:0]
          Last session created never
          Last statistic reset never
          Last session creation rate 0
          Maxever session creation rate 0
          Last half-open session total 0
      Class-map: class-default (match-any)
        Match: any
        Drop (default action)
          5196 packets, 256211 bytes
  Cisco871#sh log
  Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                  0 flushes, 0 overruns, xml disabled, filtering disabled)
  No Active Message Discriminator.
  No Inactive Message Discriminator.
      Console logging: disabled
      Monitor logging: level debugging, 0 messages logged, xml disabled,
                       filtering disabled
      Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                       filtering disabled
      Logging Exception size (4096 bytes)
      Count and timestamp logging messages: disabled
      Persistent logging: disabled
  No active filter modules.
  ESM: 0 messages dropped
      Trap logging: level informational, 1785 message lines logged
  Log Buffer (4096 bytes):
  001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
  001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
  001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
  001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

  Hello Charlie,
  I would recomend you to investigate a little bit more about how the ZBFW features works
  Now I am going to help you on this one at least, then I will give you a few links you could use to study
  We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
  First the zone-pair
  zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
  service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
  so lets go policy-map
  policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
  class type inspect MyNetNet-Class
    inspect
  class class-default
  Finally to the class map
  class-map type inspect match-all MyNetNet-Class
  match class-map MyNetNet-access-list
  match class-map Voice-protocols
  match class-map Extended-protocols
  match class-map Base-protocols
  That keyword MATCH-ALL is the one causing the issues!!
  Why?
  Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol )
  So here are the links
  http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
  https://supportforums.cisco.com/thread/2138873
  http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
  http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
  You have some work to do
  Please remember to rate all the helpful posts
  Julio
  CCSP