ACE class-map match url syntax
Can someone help me with the string that would match a url with no path specified? For instance; user types "https://outlook.domain.net" into their browser and I want the ACE to redirect that request to https://outlook.domain.net/owa".
2 match http url oulook\.domain\.net\
Adam and Shday,
I'll give you a hand on this =)
Adam we can solve your problem only if you're doing SSL offloading on the ACE as the layer 5 information that needs to be checked is being sent encrypted.
In case SSL termination is configured then the configuration would be like this:
rserver redirect OWA
webhost-redirection https://%h/owa 301
inservice
serverfarm redirect OWA
rserver OWA
inservice
class-map type http loadbalance match-any OWA
2 match http header Host header-value "outlook.domain.net"
policy-map type loadbalance first-match OWA
class OWA
serverfarm OWA
class class-default
serverfarm Backend
Shday yours is pretty much the same but you need to decide if class-default needs
to be in place:
rserver redirect Domain
webhost-redirection http://%h/any_path 301
inservice
serverfarm redirect Domain
rserver Domain
inservice
class-map type http loadbalance match-any Any
2 match http url /.*
class-map type http loadbalance match-any Domain
2 match http header Host header-value "domain.com"
policy-map type loadbalance first-match Domain
class Any
serverfarm Backend
class Domain
serverfarm Domain
HTH
Pablo
Similar Messages
-
I want to load balance traffic to a VIP based on client source address. Here is what I had in mind:
access-list special-25 extended permit tcp host 10.20.138.18 host 10.20.96.19 eq 25
access-list special-25 extended permit tcp host 10.20.138.30 host 10.20.96.19 eq 25
access-list special-25 extended permit tcp host 10.20.138.40 host 10.20.96.19 eq 25
access-list special-25 extended permit tcp host 10.20.254.88 host 10.20.96.19 eq 25
access-list internal-25 extended permit tcp 10.20.0.0 0.0.255.255 host 10.20.96.19 eq 25
access-list internet-25 extended permit tcp any host 10.20.96.19 eq 25
class-map match-any INTERNET-MAIL
2 match access-list internet-25
class-map match-any INTERNAL-MAIL
2 match access-list internal-25
class-map match-any SPECIAL-MAIL
2 match access-list special-25
class-map match-all VIP-MAILGATE-25
description MAILGATE INTERNAL 25
2 match virtual-address 10.20.96.19 tcp eq 25
serverfarm host mailgate-zero
description INTERNET MAIL
failaction purge
rserver mailgate-1
rserver mailgate-2
rserver mailgate-3
rserver mailgate-4
serverfarm host mailgate-one
description INTERNAL MAIL
failaction purge
rserver mailgate-5
rserver mailgate-6
serverfarm host mailgate-two
description I DON'T KNOW MAIL
failaction purge
rserver mailgate-8
policy-map type loadbalance first-match MAILGATE-POLICY
class SPECIAL-MAIL
serverfarm mailgate-two
class INTERNAL-MAIL
serverfarm mailgate-one
class INTERNET-MAIL
serverfarm mailgate-zero
policy-map multi-match CLIENT-VIPS
class VIP-MAILGATE-25
loadbalance vip inservice
loadbalance policy MAILGATE-POLICY
loadbalance vip icmp-reply active
The problem with this design is the policy-map MAILGATE-POLICY won't accept anything but the "class-default".
Any ideas how can I make this work?
Thanks,
MiloGilles,
You're right, it does sound weird. However, it appears to work (the commands weren't rejected anyway). Now as soon as I get time on the real servers I test it out. Here's my modified config with your suggestion:
class-map type http loadbalance match-all INTERNAL-MAIL-TEST
10 match source-address 10.20.0.0 0.0.255.255
class-map type http loadbalance match-any SPECIAL-MAIL-TEST
10 match source-address 10.20.138.18 255.255.255.255
15 match source-address 10.20.138.30 255.255.255.255
20 match source-address 10.20.138.40 255.255.255.255
25 match source-address 10.20.254.88 255.255.255.255
class-map match-all VIP-MAILGATE-TEST-25
description MAILGATE-TEST.NAU.EDU SMTP MAIL
2 match virtual-address 10.20.96.36 tcp eq smtp
policy-map type loadbalance first-match MAILGATE-POLICY-TEST
class SPECIAL-MAIL-TEST
serverfarm mailgate-two-test
class INTERNAL-MAIL-TEST
serverfarm mailgate-one-test
class class-default
serverfarm mailgate-zero-test
policy-map multi-match CLIENT-VIPS
class VIP-MAILGATE-TEST-25
loadbalance vip inservice
loadbalance policy MAILGATE-POLICY-TEST
loadbalance vip icmp-reply active
Thank you!
Milo -
3850 QoS class-map match-all?
I would like to create a QoS marking policy that re-marks packet to CS5 if the inbound traffic is SIP *and* if it is marked CS3 when it comes in. I would have expected the configuration listed below will work. I only found out when I tried to apply the config that, unlike other IOS devices, "class-map match-all" does not exist in 3850 3.3.x code. It can only do "class-map match-any" Can anyone suggest a work-around config for 3850 to achieve the same end result?
ip access-list extended ACL-QOS-SIP
permit tcp any range 5060 5061 any
permit tcp any any range 5060 5061
ip access-list extended ACL-QOS-CS3
permit ip any any dscp cs3
class-map match-all CM-QOS-CS5
match access-group name ACL-QOS-CS3
match access-group name ACL-QOS-SIP
policy-map PM-QOS-MARKING
class CM-QOS-CS5
set ip dscp cs5
Any suggestions would be appreciated.jlkeys, below is configuration I ended up using to resolve the issue:
ip access-list extended ACL-QOS-SIP
permit tcp any range 5060 5061 any dscp cs3
class-map match-any CM-QOS-CS5
match access-group name ACL-QOS-SIP
policy-map PM-QOS-MARKING
class CM-QOS-CS5
set ip dscp cs5 -
Hello,
When configuring a class-map, I want to match based on DSCP values. I see that I can configure the match statement either as "match dscp" or "match ip dscp". The router accepts either one. Is there a difference between these two, or do they accomplish the same thing?Hi,
"match dscp" matches both IPv4 and IPv6 traffic while "match ip dscp" matches only IPv4 traffic.
HTH,
Nagendra -
How does class-map match?
Say if I have two class-maps, one is matching on IP address, the other one is matching on IP Precedence, what happens if a packet meets both criteria? Which class-map it'll match?
I guess it'll be top-down (match the first class-map). If that's the case, it'd be very difficult to prioritize the class-maps as they don't have line numbers as ACLs, which you can delete/insert the class-map at a specific location in the config.
Thanks!Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Policy-map classes are processed in sequence.
Yes, edits can be difficult, as you may need to drop and redefine multiple classes. (But we had to do that for ACLs years ago too. Fortunately, policy-map classes cannot run into the thousands.) -
ACE - HTTPS CLASS MAP CONFIGURATION
Hi,
We have a secured web site (HTTPS) currently fronted by Cisco ACE 4170, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
https://abc.com/ABC/* -> serverfarm#1
https://abc.com/* -> serverfarm#2 (Default)
Tecnically this should not be difficult and below is a sample of our configuration. We have similar configuration working on our non-secured web site (HTTP) However for the secure web site, the https request https://abc.com/ABC/xxx is continued being routed to serverfarm#2 instead of serverfarm#1 which is very frustrating.
We can easily get this working on my F5 LTM within 5 minutes but this Cisco ACE continue to frustrate me...Appreciate if any expert on Cisco ACE can help to advise on our configuration.. Thanks.
=========================================================
serverfarm host serverfarm#1
predictor leastconns
probe https_probe
rserver rs_server#1
inservice
rserver rs_server#2
inservice
serverfarm host serverfarm#2
predictor leastconns
probe https_probe
rserver rs_server#3
inservice
rserver rs_server#4
inservice
sticky http-cookie STICKY_HTTPS_serverfarm#1
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#1
sticky http-cookie STICKY_HTTPS_serverfarm#2
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#2
class-map type http loadbalance match-any class-map-serverfarm#1
2 match http url /ABC/.*
policy-map type loadbalance first-match vs_serverfarm_https
class class-map-serverfarm#1
sticky-serverfarm STICKY_HTTPS_serverfarm#1
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
class class-default
sticky-serverfarm STICKY_HTTPS_serverfarm#2
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
=========================================================Kanwaljeet,
Yes, we are using ACE for SSL termination i.e. front end is https and back-end is also https.
We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminate on the ACE.
Below is an extract of the configuration, I've leave out the remaining configuration which is not required.
=========================================================
serverfarm host serverfarm#1
predictor leastconns
probe https_probe
rserver rs_server#1
inservice
rserver rs_server#2
inservice
serverfarm host serverfarm#2
predictor leastconns
probe https_probe
rserver rs_server#3
inservice
rserver rs_server#4
inservice
sticky http-cookie STICKY_HTTPS_serverfarm#1
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#1
sticky http-cookie STICKY_HTTPS_serverfarm#2
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#2
class-map match-all vs_serverfarm
2 match virtual-address 10.178.50.140 tcp eq https
class-map type http loadbalance match-any class-map-serverfarm#1
2 match http url /ABC/.*
policy-map type loadbalance first-match vs_serverfarm_https
class class-map-serverfarm#1
sticky-serverfarm STICKY_HTTPS_serverfarm#1
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
class class-default
sticky-serverfarm STICKY_HTTPS_serverfarm#2
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
policy-map multi-match PRODWEB_POLICY
class vs_serverfarm
loadbalance vip inservice
loadbalance policy vs_serverfarm_https
loadbalance vip icmp-reply active
nat dynamic 100 vlan 100
ssl-proxy server ssl_serverfarm
========================================================= -
Layer-7 Class-maps: 'not' match-any
Hallo All,
I'm wondering if the following logic is possible on the ACEs.
First Match is:
class-map type http loadbalance match-any CM7-MatchSrcIP
10 match source-address 192.168.0.0 255.255.0.0
20 match source-address 172.16.0.0 255.255.0.0
class-map type http loadbalance match-any CM7-URLs
10 match http url /testing.*
class-map type http loadbalance match-all CM7-WWW
10 match class-map CM7-MatchSrcIP
20 match class-map CM7-URLs
If the above URL and IP sources are matched, I want to send to a specific SF. (easy enough)
If the URL matches /testing.* but source IP address doesn't match of any of the above subnets, I want to redirect to a 'restricted' page. (ummm)
If the URL is something else (e.g. /temporary.*) with any IP source address, I want it to be load-balanced by a different SF (say like in a class-default)
Thx in adv
DavidHi David,
Sure you can try this on the ACE, you already created most of the configuration so now just need to apply the maps under the first-match policy.
According to your description this is how this policy should look like:
policy-map type loadbalance first-match SLB_LOGIC
class CM7-WWW
serverfarm Testing
class CM7-URLs
serverfarm Restricted
class class-default
serverfarm Any
- ACE checks for testing plus IP address matching.
- If user belongs to any other subnet then SF restricted is used.
- If none of the above statements is matched then defaul class map and SF is used.
Cheers!
Pablo -
A problem with ACL in the class-map on the ACE module
Hi all,
I configured the following on the ACE module:
object-group network test
host 192.168.1.21
host 192.168.1.22
host 192.168.1.23
object-group service port
tcp eq www
tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So couldn't I configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
Thank you
RomanHi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel -
ACE ignoring class map depending on source???
I have a problem with a the load balancing "not working" properly depending on the source.
The load balancing decision is done with a secondary cookie (?ld=fe1 or ?ld=fe2). If it appears and the value is fe1 the request should go to serverfarm FE1-app. If the value is fe2 then serverfarm FE2-app should be choosen. If it is not present in the http request then serverfarm FE-app in the class-default is taking over.
This approach works if "surfing" to the VIP from a certain part of the internal network. It does not work from another part of the network. It seems that cookie is ignored and only the class default triggers.
The strange thing is that the same approach works for another setup that looks identical (with different rservers and different VIP of course). There the class map for the cookie triggers always.
My question is now: Why does the ACE seem to ignore the class map for the cookie when coming from a certain part of the network? How can I debug/follow a certain connection or load balancing decision?
Here is the config:
rserver host FE1-app
description frontend app
ip address 192.168.137.69
inservice
rserver host FE2-app
description frontend app
ip address 192.168.137.74
inservice
serverfarm host FE1-app
rserver FE1-app 80
inservice
serverfarm host FE2-app
rserver FE2-app 80
inservice
serverfarm host FE-app
rserver FE1-app 80
inservice
rserver FE2-app 80
inservice
class-map type http loadbalance match-all COOKIE-FE1
2 match http cookie secondary ld cookie-value "fe1"
class-map type http loadbalance match-all COOKIE-FE2
2 match http cookie secondary ld cookie-value "fe2"
class-map match-all VIP-app
2 match virtual-address 192.168.138.39 tcp eq www
policy-map type loadbalance first-match VIP-app-loadbalance
class COOKIE-FE1
serverfarm FE1-app
class COOKIE-FE2
serverfarm FE2-app
class class-default
serverfarm FE-app
policy-map multi-match INT470
class VIP-app
loadbalance vip inservice
loadbalance policy VIP-app-loadbalance
loadbalance vip icmp-reply
interface vlan 470
description lb_rpfedrift
ip address 192.168.138.36 255.255.255.240
alias 192.168.138.35 255.255.255.240
peer ip address 192.168.138.37 255.255.255.240
service-policy input remote_mgmt_allow_policy
service-policy input INT470
no shutdownHi Federico,
The source of the request has no relation with the way ACE handles the connections, so, there are probably other differences in the traffic.
The best way to troubleshoot these kind of connections is taking a traffic capture on the TenGigabit interface connecting the ACE with the switch backplane. Once you have it, you can try to look for differences between the working and failing connections.
From what you describe, I wouldn't be surprised if the issue comes from the fact that there are several HTTP requests inside the same TCP flow (in which case, by default, the ACE will look only at the first one), so I would suggest you to enable "persistence rebalance" for this VIP. For more details, check the link below:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1062907
I hope this helps
Daniel -
Hello Gilles,
One question about something I was not able to find in the documentation.
Lets say I have one class-map which includes 2 ports (in this case https and 5061).
Can I associate this class-map to just 1 generic serverfarm and probe for both ports or I have to specify 2 serverfarms/rservers/probes?
So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), it is sent to the same respective port on the rserver?
The same way is valid for the generic probe. ACE module is able to probe both ports based on the class-map?
Thanks and have a great day!!
Giulio.
probe tcp PROBE_GENERIC_TCP
description This probe works for all TCP services by inheriting the VIP port.
interval 15
faildetect 2
passdetect interval 15
passdetect count 2
open 2
rserver host SERVER1_ACCESS
ip address <1AC>
inservice
rserver host SERVER2_ACCESS
ip address <2AC>
inservice
serverfarm host ACCESS-SFARM
probe PROBE_GENERIC_TCP
rserver SERVER1_ACCESS
inservice
rserver SERVER2_ACCESS
inservice
class-map match-any OCS_L4ACCESS
2 match virtual-address x.x.x.176 tcp eq https
2 match virtual-address x.x.x.176 tcp eq 5061
policy-map type loadbalance first-match OCS_L4ACCESS
class class-default
sticky-serverfarm ACCESS_STICKY
policy-map multi-match POLICY
class OCS_L4ACCESS
loadbalance vip inservice
loadbalance policy OCS_L4ACCESS
loadbalance vip icmp-reply active
connection advanced-options OCS_VIPTIMEOUT
nat dynamic XXX vlan 503Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.
-
Class-maps used for load balancing on ACE
I am from CCS background and am trying to understand how the VIPs could be configured on an ACE module (using class maps).
I am looking for specific information for the following :
1. Will each VIP have a corresponding Service-policy on the VLAN Interface or can we club many VIPs (through policy-maps) onto a single service-policy entry on teh interface?
2. I could not find any cisco doco with the configuration examples for more than one VIP address and would please like to know some examples, if possible or could some one direct me to a doco with many VIP entries ?
- Should each VIP have a seperate class-map or can list them together?You will have to configure L3/L4 class-maps for corresponding VIPs. You just need a single policy with n class-maps for n VIPS.
I am writing a sample that will hopefully help you on this
class-map match-all app1-vip
match virtual-address 10.1.1.1 tcp eq 80
class-map match-any app2-vip
match virtual-address 10.1.1.2 tcp eq 443
policy-map type loadbalance first-match L7app1
class class-default
server-farm App1-farm
policy-map type loadbalance first-match L7app2
class class-default
server-farm App2-farm
policy-map multi-match All-vips
class app1-vip
loadbalance vip inservice
loadbalance policy L7app1
loadbalance vip icmp-reply active
class app2-vip
loadbalance vip inservice
loadbalance policy L7app2
loadbalance vip icmp-reply active
int vlan 100
ip address 10.10.10.101 255.255.255.0
service-policy input All-vips
Syed Iftekhar Ahmed -
Class-map does not support match protocol ssl
I have several 1941/k9's that do not have the class-map command: to suppot ssl. System image is c1900-universalk9-mz.SPA.152-1.T.bin.
class-map match-any af31
match protocol ssl <-- missing.
I did some google searches but come up with nothing.
Is the fix to upgrade IOS? I have found it on other routers running c1900-universalk9-mz.SPA.152-4.M4.bin. I would just upgrade and check but have an extensive change review board with questions before doing so.
Thanks for advice,
HaydnDisclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I'm not current on NBAR (or NBAR 2), but NBAR used to support loadable modules (PDMs?). Sometimes Cisco would provide those so you could add match protocols without upgrading your IOS.
Otherwise the "fix" would be to upgrade your IOS.
Lastly, depending on what it matching SSL really means to you, using port based ACLs might suffice (in fact, some NBAR match protocol is only really that, but some NBAR matches regardless of the port usage).
PS:
Also on the subject of SSL, don't forget much can use it. I once matched on it for the purposes of providing secure shell higher queuing priority, worked great for SSH, not so great when secure copy (SCP) also matched against it. -
ACE: Stickyness, Cookie in URL
Hello,
I have a problem with cookies in the URL if the browser does not support Cookies in the http header.
I'm setting the cookie in the url static , so the URL looks like:
http://testfarm/sticky.cgi?serverid=1.1.1.1
And configure the sticky group:
sticky http-cookie serverid sticky-farm cookie secondary serverid
replicate sticky
serverfarm sticky-farmm 8 static cookie-value "1.1.1.1" rserver server1
16 static cookie-value "1.1.1.2" rserver server2
What's wrong with my configuration?
If the client accepts cookies in the Cookie header anything works but not if the client rejects the cookie.Hi Gilles,
no, i did not specify a port in the serverfarm or in the realserver.
The configuration looks like this:
sticky http-cookie serverid ST-sticky-farm
cookie secondary serverid
replicate sticky
serverfarm sticky-farm
8 static cookie-value "1.1.1.1" rserver server1
16 static cookie-value "1.1.1.2" rserver server2
policy-map type loadbalance first-match L7-10-1-1-1
class class-default
sticky-serverfarm sticky-farm
policy-map multi-match L4_SLB_POL_external
description L4 Policy fuer SLB ohne NAT
class V-10-1-1-1
loadbalance vip inservice
loadbalance policy L7-10-1-1-1
loadbalance vip icmp-reply active
appl-parameter http advanced-options HTTP-rebalance
class-map match-any V-10-1-1-1
2 match virtual-address 10.1.1.1 tcp eq www
serverfarm host sticky-farm
probe tcp80-i30
rserver server1
inservice
rserver server2
inservice
rserver host server1
ip address 1.1.1.1
inservice
rserver host server2
ip address 1.1.1.2
inservice
Sven -
Source ip filtering with class map on cisco ace30
Hello ,
I would like to know if it is possible to filter source ips connecting to a virtual ip within a class map configuration ( or something else ) ?
access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
class-map match-all S_IP_FILTERING_XVIP
2 match access-list S_IP_FILTERING
3 match virtual-address 2.2.2.2 any
Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
thanks for your support
Case,Hi,
Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
for example:
class-map type http loadbalance match-any LOADBALANCE-FILTER
2 match source-address X.X.X.X 255.255.255.255
class-map match-any TEST-CLASSMAP
2 match virtual-address Y.Y.Y.Y tcp eq www
policy-map type loadbalance first-match LOADBALANCE
class LOADBALANCE-FILTER
serverfarm TEST-SERVERFARM
policy-map multi-match UTC-PM
class TEST-CLASSMAP
loadbalance policy LOADBALANCE
loadbalance vip inservice
-Alex -
Default class map is dropping all Packets
Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing.
Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
hostname Cisco871
boot-start-marker
boot-end-marker
logging buffered 4096
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock summer-time PST recurring
crypto pki trustpoint TP-self-signed-4004039535
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4004039535
revocation-check none
rsakeypair TP-self-signed-4004039535
crypto pki certificate chain TP-self-signed-4004039535
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
3543BD68 A4B2692D 05CBF6DC C93C8142
quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp excluded-address 172.16.15.1 172.16.15.5
ip dhcp excluded-address 172.16.15.14
ip dhcp excluded-address 172.16.17.1 172.16.17.5
ip dhcp excluded-address 192.168.19.1 192.168.19.5
ip dhcp pool MyNetNative
import all
network 10.0.0.0 255.255.255.248
default-router 10.0.0.1
domain-name MyNetNet.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
lease 0 2
ip dhcp pool MyNetData
import all
network 172.16.15.0 255.255.255.240
dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
default-router 172.16.15.1
domain-name MyDomain.org
ip dhcp pool MyNetVoice
import all
network 172.16.17.0 255.255.255.240
dns-server 172.16.15.14
default-router 172.16.17.1
domain-name MyDomain.org
ip dhcp pool MyNetGuest
import all
network 192.168.19.0 255.255.255.240
default-router 192.168.19.1
domain-name MyNetGuest.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
ip domain name MyDomain.org
ip name-server 172.16.15.14
ip name-server 4.2.2.4
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect TCP_PARAM
parameter-map type inspect global
username MyAdmin privilege 15 secret 5 MyPassword
archive
log config
hidekeys
class-map type inspect match-all MyNetGuest-access-list
match access-group 110
class-map type inspect match-any Base-protocols
match protocol http
match protocol https
match protocol ftp
match protocol ssh
match protocol dns
match protocol ntp
match protocol ica
match protocol pptp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all MyNetGuest-Class
match class-map MyNetGuest-access-list
match class-map Base-protocols
class-map type inspect match-all MyNetNet-access-list
match access-group 100
class-map type inspect match-any Voice-protocols
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any Extended-protocols
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
class type inspect MyNetGuest-access-list
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
class type inspect MyNetGuest-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone
class class-default
pass
zone security MyNetNet-zone
zone security MyNetGuest-zone
zone security MyNetWAN-zone
zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
interface FastEthernet0
description Cisco-2849-Switch
switchport mode trunk
speed 100
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
description SBS-Server
switchport access vlan 10
spanning-tree portfast
interface FastEthernet4
description WAN
no ip address
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security MyNetWAN-zone
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
interface Vlan1
description MyNetNative
ip address 10.0.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
ip tcp adjust-mss 1452
interface Vlan10
description MyNetData
ip address 172.16.15.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan20
description MyNetVoice
ip address 172.16.17.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan69
description MyNetGuest
ip address 192.168.19.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetGuest-zone
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 100 remark MyNetnet
access-list 100 permit ip 10.0.0.0 0.0.0.7 any
access-list 100 permit ip 172.16.15.0 0.0.0.31 any
access-list 100 permit ip 172.16.17.0 0.0.0.15 any
access-list 110 remark MyNetGuest
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
access-list 110 deny ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
access-list 110 permit ip 192.168.19.0 0.0.0.15 any
control-plane
banner login ^CC
You know if you should be here or not.
if not please leave
NOW
^C
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
ntp server 172.16.15.14
webvpn cef
end
Cisco871#sh zone security
zone self
Description: System defined zone
zone MyNetNet-zone
Member Interfaces:
Vlan1
Vlan10
Vlan20
zone MyNetGuest-zone
Member Interfaces:
Vlan69
zone MyNetWAN-zone
Member Interfaces:
FastEthernet4
Cisco871#sh zone-pair security
Zone-pair name MyNetNet->MyNetGuest
Source-Zone MyNetNet-zone Destination-Zone MyNetGuest-zone
service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
Zone-pair name MyNetNet->MyNetWAN
Source-Zone MyNetNet-zone Destination-Zone MyNetWAN-zone
service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetWAN
Source-Zone MyNetGuest-zone Destination-Zone MyNetWAN-zone
service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetNet
Source-Zone MyNetGuest-zone Destination-Zone MyNetNet-zone
service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
Cisco871#sh int faste4
FastEthernet4 is up, line protocol is up
Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
Description: WAN
Internet address is 10.38.177.98/25
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:34:50, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 3 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
593096 packets input, 73090812 bytes
Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
9940 packets output, 1016025 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Zone-pair: MyNetNet->MyNetWAN
Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
Class-map: MyNetNet-Class (match-all)
Match: class-map match-all MyNetNet-access-list
Match: access-group 100
Match: class-map match-any Voice-protocols
Match: protocol h323
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol skinny
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol sip
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Extended-protocols
Match: protocol pop3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3s
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imap
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imaps
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Base-protocols
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ntp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ica
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pptp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
5196 packets, 256211 bytes
Cisco871#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 1745 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 1785 message lines logged
Log Buffer (4096 bytes):
001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to policy match failure
001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to policy match failureHello Charlie,
I would recomend you to investigate a little bit more about how the ZBFW features works
Now I am going to help you on this one at least, then I will give you a few links you could use to study
We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
First the zone-pair
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
so lets go policy-map
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
Finally to the class map
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
That keyword MATCH-ALL is the one causing the issues!!
Why?
Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol )
So here are the links
http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
https://supportforums.cisco.com/thread/2138873
http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
You have some work to do
Please remember to rate all the helpful posts
Julio
CCSP
Maybe you are looking for
-
"New lifecycle definition" fails with "Unexpected error"
This problem has been previously posted without resolution. Select "Lifecycle Definitions -> New lifecycle definition". Error: "Unexpected error, unable to find item name at application or page level. A severe error has occurred. Possible causes may
-
Purchase order with reference to Sales Order
Dear SAP Gurus, I want to create a Purchase Order with reference to sales order. I want to take the material in my stocks also. If i create a Purchase order with account assignment, i am able to take the inventory of that material as it is consumed a
-
ICloud drive keeps switching itself off on my iPad 2
I have a MBP and an iMac = both on Yosemite and both working with iCloud drive OK. But I cannot get this to work on iPad 2 with IOS 8 - with either Pages or Keynote. It keeps telling me to set up iCloud - which I do as per instructions - but it send
-
Hi guys, hope someone can help as this has had me flummoxed for a good few hours and nothing as of yet I have come across has helped me in fixing my iPod (5th Gen). Basically when attempting to use iTunes (with my iPod connected), iTunes freezes and
-
Hide disclose icon form ADF tree row depending on row data
Hello, I've got an ADF tree based on recursive View Object. So basically we don't know how many tree levels are there, but depending on a row data we know that the row is a leaf and there will be no children rows. But the disclose icon is there event