Class-map type inspect match access-group name question
I'm creating a zone base firewall solution and all appears to be fine until I create a class-map type inspect match-all or any
and match access-group name acl to match an extended ACL and once I match it the commands runs but when I go back to view the configuration of the class-map it is not there.
I have tried other named ACLs and it works if the ACL contents are simple like permit ip any any but for complex ACLs with ranges, tcp, udp, icmp etc etc it does not take it but it does not report an issue either and when I view the config its not there for the complex extended acl but for the simple extended acl it does show.
Any restrictions or possible bugs I'm running into?
Thanks for all looking
This could be a bug. Could you post the exact configuration you are trying to implement? I just set up a small test and I have been unable to reproduce what you are seeing. I would like to see if I get the same result using your config.
Please remember to select a correct answer and rate helpful posts
Similar Messages
-
Layer 7 class-map with different match types
Hello,
I am fighting with a problem on an ACE-4710 version A3(2.4) configuation. I just want to configure a layer 7 class-map that matches if one of two conditions is true. The problem is that these conditions are not from the same type and the ACE refuses the second match statement. However, in the configuration guide, it is clearly defined that it should be possible :
Here is what the configuration guides says :
host1/Admin(config)# class-map type http loadbalance match-any CLASS3
host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
host1/Admin(config-cmap-http-lb)# 200 match http header Host header-value XYZ
host1/Admin(config-cmap-http-lb)# exit
If I test exactly the same configuration in a context of my ACE, I receive an error message :
CH01AC03/P-104-A(config)# class-map type http loadbalance match-any CLASS3
CH01AC03/P-104-A(config-cmap-http-lb)# 100 match http url .*.gif
CH01AC03/P-104-A(config-cmap-http-lb)# 200 match http header Host header-value XYZ
Error: Match-any classmap can not have different type of match
If I use nested class-maps, I receive the same error message !
Is it a known problem or is it a solution for it ?
Thank you for any help
YvesHello Yves,
The command error is correct. I'll take a look at the docs and see about getting them corrected, if necessary.
Basically, for a match-all, you would have to use different types. For example, there will only be one Host header, so you would only specify it once using regex or a fixed string. As you found out, the match-any requires that they all be of the same type. See my example below:
class-map type http loadbalance match-all HEADER-AND-URL
100 match http url /login.*
200 match http header Host header-value "XYZ"
class-map type http loadbalance match-any URLS
100 match http url .*\.gif
200 match http url .*\.jpg
class-map type http loadbalance match-any HEADER
200 match http header Host header-value "CISCO"
policy-map type loadbalance first-match SLB_LOGIC
class HEADER-AND-URL
serverfarm LOGIN-FARM
class URLS
serverfarm IMAGES-FARM
class HEADER
serverfarm CISCO-FARM
class class-default
serverfarm WWW-FARM
So let's say you want to match requests for URLs ending in .jpg or for requests with Host header XYZ, and if it matches either one, then send to the same serverfarm.
class-map type http loadbalance match-any URL-JPG
2 match http url .*\.jpg
class-map type http loadbalance match-any HOST-XYZ
2 match http header Host header-value "XYZ"
policy-map type loadbalance first-match SLB_LOGIC
class URL-JPG
serverfarm SERVER-FARM
class HOST-XYZ
serverfarm SERVER-FARM
If you wanted to send these requests to the farm only if they matched BOTH matches, then you could do it as follows:
class-map type http loadbalance match-all HEADER-AND-URL
100 match http url /login.*
200 match http header Host header-value "XYZ"
policy-map type loadbalance first-match SLB_LOGIC
class HEADER-AND-URL
serverfarm LOGIN-FARM
Hope this helps,
Sean -
Tracback and reload after "sh policy-map type inspect zone-pair"
Hi all
hitting the issue that the device reloads after issueing "sh policy-map type inspect zone-pair"
Patrick
For image:
Cisco IOS Software, ISR4400 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 26-Mar-14 21:38 by mcpre
Uptime = 00:09:36
Happens in isr4400-universalk9.03.12.00.S.154-2.S-std.SPA.bin and isr4400-universalk9.03.11.01.S.154-1.S1-std.SPA.bin.
CMD: 'h policy-map type inspect zone-pair'' 15:25:08 CET Fri May 23 2014
Exception to IOS Thread:
Frame pointer 0x7FE738ADCE70, PC = 0x2824D9F
UNIX-EXT-SIGNAL: Segmentation fault(11), Process = SSH Process
-Traceback= 1#0f900c654b45d2459c0c267ce51d6164 :400000+2424D9F :400000+974FE12 :400000+974FAB8 :400000+974F5E2 :400000+27A9BB0 :400000+28297C6 :400000+281182C :400000+2810189 :400000+975962A :400000+9759522 :400000+98645DA :400000+975991D :400000+AC061C :400000+ABF735 :400000+ABDAAD :400000+3FCC510
Fastpath Thread backtrace:
-Traceback= 1#0f900c654b45d2459c0c267ce51d6164 c:7FE7877A2000+BE012
Auxiliary Thread backtrace:
-Traceback= 1#0f900c654b45d2459c0c267ce51d6164 pthread:7FE782EFD000+A7C9
RAX = 00007FE738ADCEC4 RBX = 00007FE735F40608
RCX = 0000000000000001 RDX = 000000000000001F
RSP = 00007FE738ADCE70 RBP = 00007FE738ADCE70
RSI = 0000000000000000 RDI = 00007FE738ADCEC4
R8 = 0000000000000001 R9 = 0000000000000000
R10 = 0000000000000002 R11 = 0000000000000002
R12 = 000000000000001D R13 = C88E990B00000000
R14 = C4CEAD38E77F0000 R15 = A0ED3436E77F0001
RFL = 0000000000010202 RIP = 0000000002824D9F
CS = 0033 FS = 0000 GS = 0000
ST0 = 0000 0000000000000000 ST1 = 0000 0000000000000000
ST2 = 0000 0000000000000000 ST3 = 0000 0000000000000000
ST4 = 0000 0000000000000000 ST5 = 0000 0000000000000000
ST6 = 0000 0000000000000000 ST7 = 0000 0000000000000000
X87CW = 037F X87SW = 0000 X87TG = 0000 X87OP = 0000
X87IP = 0000000000000000 X87DP = 0000000000000000
XMM0 = 00000000000000000000000000000000
XMM1 = 00000000000000000000000000000000
XMM2 = 00000000000000000000000000000000
XMM3 = 00000000000000000000000000000000
XMM4 = 00000000000000000000000000000000
XMM5 = 00000000000000000000000000000000
XMM6 = 00000000000000000000000000000000
XMM7 = 5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C
XMM8 = 36363636363636363636363636363636
XMM9 = 36363636363636363636363636363636
XMM10 = 5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C
XMM11 = 5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C
XMM12 = 00000000000000000000000000000000
XMM13 = 00000000000000000000000000000000
XMM14 = 00000000000000006F6F6B6B67676767
XMM15 = 00000000000000000000000020202020
MXCSR = 00001F80Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I believe tracebacks are normally indicative of a bug. This might be something more suitable to raise with TAC. -
IOS Firewall: what is this class map doing?
Hi, a few weeks ago I set up a class map but now as I am finding time to review my config, I am wondering what effect this has. It is applied to a policy map for ssh access from the Internet to the router for management:
class-map type inspect match-any SSH
match protocol ssh
match access-group name SSH
The access list with the name "SSH" just allows certain public IP network blocks.
But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
Also just to ensure I am not confused about proper creation of the ACL. The ACL with the name SSH I've given is as follows:
ip access-list extended SSH
permit tcp xx.xx.0.0 0.255.255.255 any eq 22
permit tcp xx.xx.0.0 0.7.255.255 any eq 22
permit tcp xx.xx.0.0 0.255.255.255 any eq 22
First, am I being redundant in the class map by telling it to match protocol ssh and also specifiying port 22 in the ACL? And, is this ACL readout done properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using ssh?Hello Colin,
But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
Exactly you are getting it now It needs to be a match all....
Regarding the ACL should be like this:
access-list SSH
permit tcp host outside_user_ip host router_outside_interface eq 22
Regards, -
Help with Class-map configuration - ZBFW
Hello,
I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https,http,ftp & rdp traffic from Internet to few of the servers inside our LAN. So I put the below configuration to accomplish the task (example shows class-map for only https protocol) :
a.)
class-map type inspect match-all HTTPS-ACCESS
match protocol https
match access-group name HTTPS-SERVER-ACCESS
ip access-list extended HTTPS-SERVER-ACCESS
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.60 eq 443
Where 55,56,36,45,60 are the servers inside the LAN (12 more servers are there) that need to be accessed via https,http,ftp & rdp from Internet.
Is it a correct approach? or do I need to change my configuation so that I have to match ACL with my class-map like below:
b.)
ip access-list extended OUTSIDE-TO-INSIDE-ACL
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.55 eq www
permit tcp any host 172.17.0.55 eq 21
permit tcp any host 172.17.0.55 eq 3389
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.56 eq www
permit tcp any host 172.17.0.56 eq 21
permit tcp any host 172.17.0.56 eq 3389
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.36 eq www
permit tcp any host 172.17.0.36 eq 21
permit tcp any host 172.17.0.36 eq 3389
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.45 eq www
permit tcp any host 172.17.0.45 eq 21
permit tcp any host 172.17.0.45 eq 3389
class-map type inspect match-all OUT-IN-CLASS
match access-group name OUTSIDE-TO-INSIDE-ACL
Which one is the correct approach when we consider the performance of the firewall ? Please help me.
Regards,
YadhuHey
I do not agree with Varun, I think the first approach is the best one.
Why? Because when you issue the "match protocol ..." you are usig NBAR wich is an application inspection software, which means that https or whatever protocol is inspected at layer 7, not layer 3 and 4 which the seconds approach does (IP and port-number).
Lets say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened). That attack would be successfull because all you say, you are going to IP-address 172.17.0.56 over port 443 so go ahead.
But if you are using NBAR, this would not work because NBAR will look at layer 7, inside the protocol itself and look if this really is HTTPS (or whatever protocol).
That's my two cents. Hope it helped! -
Default class map is dropping all Packets
Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing.
Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
hostname Cisco871
boot-start-marker
boot-end-marker
logging buffered 4096
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock summer-time PST recurring
crypto pki trustpoint TP-self-signed-4004039535
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4004039535
revocation-check none
rsakeypair TP-self-signed-4004039535
crypto pki certificate chain TP-self-signed-4004039535
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
3543BD68 A4B2692D 05CBF6DC C93C8142
quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp excluded-address 172.16.15.1 172.16.15.5
ip dhcp excluded-address 172.16.15.14
ip dhcp excluded-address 172.16.17.1 172.16.17.5
ip dhcp excluded-address 192.168.19.1 192.168.19.5
ip dhcp pool MyNetNative
import all
network 10.0.0.0 255.255.255.248
default-router 10.0.0.1
domain-name MyNetNet.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
lease 0 2
ip dhcp pool MyNetData
import all
network 172.16.15.0 255.255.255.240
dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
default-router 172.16.15.1
domain-name MyDomain.org
ip dhcp pool MyNetVoice
import all
network 172.16.17.0 255.255.255.240
dns-server 172.16.15.14
default-router 172.16.17.1
domain-name MyDomain.org
ip dhcp pool MyNetGuest
import all
network 192.168.19.0 255.255.255.240
default-router 192.168.19.1
domain-name MyNetGuest.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
ip domain name MyDomain.org
ip name-server 172.16.15.14
ip name-server 4.2.2.4
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect TCP_PARAM
parameter-map type inspect global
username MyAdmin privilege 15 secret 5 MyPassword
archive
log config
hidekeys
class-map type inspect match-all MyNetGuest-access-list
match access-group 110
class-map type inspect match-any Base-protocols
match protocol http
match protocol https
match protocol ftp
match protocol ssh
match protocol dns
match protocol ntp
match protocol ica
match protocol pptp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all MyNetGuest-Class
match class-map MyNetGuest-access-list
match class-map Base-protocols
class-map type inspect match-all MyNetNet-access-list
match access-group 100
class-map type inspect match-any Voice-protocols
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any Extended-protocols
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
class type inspect MyNetGuest-access-list
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
class type inspect MyNetGuest-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone
class class-default
pass
zone security MyNetNet-zone
zone security MyNetGuest-zone
zone security MyNetWAN-zone
zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
interface FastEthernet0
description Cisco-2849-Switch
switchport mode trunk
speed 100
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
description SBS-Server
switchport access vlan 10
spanning-tree portfast
interface FastEthernet4
description WAN
no ip address
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security MyNetWAN-zone
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
interface Vlan1
description MyNetNative
ip address 10.0.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
ip tcp adjust-mss 1452
interface Vlan10
description MyNetData
ip address 172.16.15.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan20
description MyNetVoice
ip address 172.16.17.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan69
description MyNetGuest
ip address 192.168.19.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetGuest-zone
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 100 remark MyNetnet
access-list 100 permit ip 10.0.0.0 0.0.0.7 any
access-list 100 permit ip 172.16.15.0 0.0.0.31 any
access-list 100 permit ip 172.16.17.0 0.0.0.15 any
access-list 110 remark MyNetGuest
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
access-list 110 deny ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
access-list 110 permit ip 192.168.19.0 0.0.0.15 any
control-plane
banner login ^CC
You know if you should be here or not.
if not please leave
NOW
^C
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
ntp server 172.16.15.14
webvpn cef
end
Cisco871#sh zone security
zone self
Description: System defined zone
zone MyNetNet-zone
Member Interfaces:
Vlan1
Vlan10
Vlan20
zone MyNetGuest-zone
Member Interfaces:
Vlan69
zone MyNetWAN-zone
Member Interfaces:
FastEthernet4
Cisco871#sh zone-pair security
Zone-pair name MyNetNet->MyNetGuest
Source-Zone MyNetNet-zone Destination-Zone MyNetGuest-zone
service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
Zone-pair name MyNetNet->MyNetWAN
Source-Zone MyNetNet-zone Destination-Zone MyNetWAN-zone
service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetWAN
Source-Zone MyNetGuest-zone Destination-Zone MyNetWAN-zone
service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetNet
Source-Zone MyNetGuest-zone Destination-Zone MyNetNet-zone
service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
Cisco871#sh int faste4
FastEthernet4 is up, line protocol is up
Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
Description: WAN
Internet address is 10.38.177.98/25
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:34:50, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 3 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
593096 packets input, 73090812 bytes
Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
9940 packets output, 1016025 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Zone-pair: MyNetNet->MyNetWAN
Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
Class-map: MyNetNet-Class (match-all)
Match: class-map match-all MyNetNet-access-list
Match: access-group 100
Match: class-map match-any Voice-protocols
Match: protocol h323
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol skinny
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol sip
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Extended-protocols
Match: protocol pop3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3s
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imap
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imaps
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Base-protocols
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ntp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ica
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pptp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
5196 packets, 256211 bytes
Cisco871#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 1745 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 1785 message lines logged
Log Buffer (4096 bytes):
001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to policy match failure
001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to policy match failureHello Charlie,
I would recomend you to investigate a little bit more about how the ZBFW features works
Now I am going to help you on this one at least, then I will give you a few links you could use to study
We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
First the zone-pair
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
so lets go policy-map
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
Finally to the class map
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
That keyword MATCH-ALL is the one causing the issues!!
Why?
Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol )
So here are the links
http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
https://supportforums.cisco.com/thread/2138873
http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
You have some work to do
Please remember to rate all the helpful posts
Julio
CCSP -
ZBF Class-map and different way of doing them
Hi People just though i would ask a question on how to set up a ZBF. (question at the end of example config's)
i have been playing with this for a while now and like to get advice over what way is the recomended way of doing multiple matchs
ok we we all know the basic
class-map type inspect match-any ZBF_CM_ICMP
match protocol icmp
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_ICMP
inspect
and then the ZP dont need to show, this is a simple map using nbar fair enough
then we could a mulitiple matches
class-map type inspect match-any ZBF_CM_STD_DMZ_PORTS
match protocol icmp
match protocol http
match protocol dns
match protocol https
policy-map type inspect ZBF_PM_DMZ->EXTERNAL
class type inspect ZBF_CM_STD_DMZ_PORTS
inspect
Ok still easy to understand but now come the bit that a little more copmplex non NBAR matches
ip access-list extended AL_RDP_PORT
permit tcp any any eq 3389
class-map type inspect match-all ZBF_CM_RDP
match access-group name AL_RDP_PORT
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_RDP
inspect
This config is now using an access list because NBAR dosent have the protocol in it then map the AL to the CM then CM to PM. next is example is what i setup to get more non NBAR ports and only for 1 host
ip access-list extended AL_HOST_IP_IN
permit ip any host 11.11.11.11
ip access-list extended AL_ISATAP
permit 41 any any
ip access-list extended AL_TEREDO
permit udp any any eq 3544
class-map type inspect match-ANY ZBF_CM_DirectAccess_Protocols
description Nested Class Map
match access-group name AL_ISATAP
match access-group name AL_TEREDO
match protocol https
class-map type inspect match-ALL ZBF_CM_APP_IN
match access-group name AL_HOST_IP_IN
match access-group name ZBF_CM_DirectAccess_Protocols
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_APP_IN
inspect (or pass with rule for other direction)
THis is what i setup and it works not for this example but the rule flow i then was having issues with DMVPN and ZBF (turned out to be an iso bug annoying me) but i used CiscoCP to setup the ZBF automaticly forthe DMVPN and it ZBF rule where same proceduare as below.
ip access-list extended AL_HOST_IP_IN
permit ip any host 11.11.11.11
ip access-list extended AL_ISATAP
permit 41 any any
ip access-list extended AL_TEREDO
permit udp any any eq 3544
class-map type inspect match-ANY CM_ISATAP
match access-group name AL_ISATAP
class-map type inspect match-ANY CM_TEREDO
match access-group name AL_TEREDO
class-map type inspect match-ANY ZBF_CM_DirectAccess_Protocols
description Nested Class Map
match class-map CM_ISATAP
match class-map CM_TEREDO
match protocol https
class-map type inspect match-ALL ZBF_CM_APP_IN
match access-group name AL_HOST_IP_IN
match access-group name ZBF_CM_DirectAccess_Protocols
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_APP_IN
inspect
So what Cisco CP did was make yet another level of nesting rather then the match-all class map having the match access list command then made a cm with access list then the main class map had only other match class maps in it..
QUESTION:
Why did CiscoCP do the extra nesting
both ways worked but i would like to know why the cisco CP did the same thing with the other layer of CM did it do this for best practise or dose this make changed later easier i cant understand whats the advange to doing it this way... but if there is a valid reason then ill great jjust trying to understand.
thanks
regards
A very sore headed
DaveWhen people say "use as few classes as possible", it's usually related not to optimize heap usage, but jar size.
But it's true that some smart use of OOP can save a lot of memory during runtime (and even jar size in some cases). Using an interface in my GUI library helps make the architecture a lot simpler and more compact, to the point that even if all the GUI widgets are being used (so the "just loading the code you need at the moment" argument is moot) memory use is still smaller because I need a lot less hacks to glue everything together.
It still is worth noting that often memory fragmentation is the true cause of running-out-of-memory-errors, and in this case loading many small classes will achieve exactly the opposite.
shmoove -
Hi
i'm a little unsure of how using ACL's works within a class map.
I want to allow access to a web server 1.1.1.1 and deny all othetraffic coming from the outside zone to the inside zone, so i have created an acl with a
permit http to 1.1.1.1 and a deny ip any any statement and applied it to the class map.
when i apply this to the policy map i can either inspect, drop or pass the traffic.
what i don't understand is how this works with the ACL permit or deny statements or the implicit deny functionality of the ACL.
for example if I apply the pass action to this class-map/ACL how does it handle the deny ip any any statement in the ACL?
If i am passing the traffic in the policy, does it still deny any deny statements in the ACL?
also what about multiple class maps in a policy map, wouldn't a deny statement in the first acl stop further processing in the policy map
hope this makes sense..
thanks for any helpWhen using ACLs in a class map, a permit entry causes the ACL condition to match and a deny entry does not. So, for your ACL "permit tcp any host 1.1.1.1 eq www", any HTTP traffic to 1.1.1.1 on 80/tcp will be matched by the class map and the implicit "deny ip any any" will not be matched. There is no action implied by the ACL when used this way, only a match or no match.
ip access-list extended ACL_HTTP
permit tcp any host 1.1.1.1 eq www
class-map type inspect match-any CM_HTTP
match access-group name ACL_HTTP
In order to actually deny the traffic, you have to specify a drop in the policy map.
policy-map PM_HTTP
class CM_HTTP
inspect
class class-default
drop
To illustrate the point a bit further, let's say you were going to allow HTTP and HTTPS with two ACLs and did it like this:
ip access-list extended ACL_HTTP
permit tcp any host 1.1.1.1 eq www
ip access-list extended ACL_HTTPS
permit tcp any host 1.1.1.1 eq 443
class-map type inspect match-any CM_HTTP
match access-group name ACL_HTTP
match access-group name ACL_HTTPS
policy-map PM_HTTP
class CM_HTTP
inspect
class class-default
drop
In the above case, HTTP traffic to 1.1.1.1 is a hit on ACL_HTTP's permit statement, is matched by the class map and is inspected by the policy map. HTTPS traffic to 1.1.1.1 is a hit on ACL_HTTPS's permit statement, is likewise matched by the class map and is inspected by the policy map. The implicit deny statements (and any other deny statements you may add) only ensure that the packet doesn't match that element of the class map and doesn't prevent it from being matched against another. -
Match-any or Match All For Class-map On Nexus?
I have an access-list MANAGEMENT
permit udp any eq snmp any
permit udp any any eq snmp
permit tcp any any eq telnet
permit tcp any eq telnet any
permit tcp any any eq 22
permit tcp any eq 22 any
My question does it matter if I use a match-any or match-all. I want to match anything in the access-list to classify the traffic correctly
class-map type qos match-any MANAGEMENT
match access-group name MANAGEMENT
Or
class-map type qos match-all MANAGEMENT
match access-group name MANAGEMENT
I understand a match-any is an or and a match-all is an and function. Does this apply to an access-list for a class-map?
ThanksIt applies to match statements within the class map. In your case, you're only using one match statement, so there will be no difference between match-all and match-any, no matter how many entries are in the ACL. If your class map had two different ACLs in two different match statements , then the and/or logic of match-all and match-any would come into play.
-
What's the difference between these two approaches and which one is recommended in what scenarios?
ip access-list extended ICMP
permit icmp any any
class-map ICMP
match access-group name ICMP
vs
class-map ICMP
match protocol ICMPIn the CCIE lab you can use any technology you wish unless there are restrictions. If they wanted you to use ACLs the task could be worded like "Use a feature that uses the least amount of CPU to perform the task". If they wanted NBAR it could be something like "Use a feature that inspects at layer 7 to perform the classification".
Daniel Dib
CCIE #37149
Please rate helpful posts. -
3850 QoS class-map match-all?
I would like to create a QoS marking policy that re-marks packet to CS5 if the inbound traffic is SIP *and* if it is marked CS3 when it comes in. I would have expected the configuration listed below will work. I only found out when I tried to apply the config that, unlike other IOS devices, "class-map match-all" does not exist in 3850 3.3.x code. It can only do "class-map match-any" Can anyone suggest a work-around config for 3850 to achieve the same end result?
ip access-list extended ACL-QOS-SIP
permit tcp any range 5060 5061 any
permit tcp any any range 5060 5061
ip access-list extended ACL-QOS-CS3
permit ip any any dscp cs3
class-map match-all CM-QOS-CS5
match access-group name ACL-QOS-CS3
match access-group name ACL-QOS-SIP
policy-map PM-QOS-MARKING
class CM-QOS-CS5
set ip dscp cs5
Any suggestions would be appreciated.jlkeys, below is configuration I ended up using to resolve the issue:
ip access-list extended ACL-QOS-SIP
permit tcp any range 5060 5061 any dscp cs3
class-map match-any CM-QOS-CS5
match access-group name ACL-QOS-SIP
policy-map PM-QOS-MARKING
class CM-QOS-CS5
set ip dscp cs5 -
Hello, sorry because of my bad English at first,
I have a problem with my IPv6 ACL, IPv6 Class-map or IOS I'm not sure so I'm asking you.
I have one 1721 router with one Ethernet and one FastEthernet interface, on Fa interface is 3 subinterfaces, and Eth interface is connected to 10 Mbps link to another 1721 router. I'm working on QoS for VoIPv6. My softphone emulator address is FEC2::1/64.
This is my configuration:
class-map match-any v6
match access-group name v6
policy-map v6
class v6
set ip dscp ef
ipv6 access-list v6 permit FEC2::/64 any
Question is, why is output of command show policy-map interface Fa0/0 showing that not a single one packet of IPv6 is not beeing marked:
R1#sho policy-map interface fa0
FastEthernet0
Service-policy input: v6
Class-map: v6 (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name v6
0 packets, 0 bytes
5 minute rate 0 bps
QoS Set
ip dscp ef
Packets marked 0
Class-map: class-default (match-any)
92 packets, 9134 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
This exact configuration, with IPv4 is working fine. My IOS version is c1700-y-mz.122-11.T11.bin
If IOS version is too old, can you tell my what version will work so I can purchase it?
ThanksIf you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.
-
Policer with IPv6 class-map on Catalyst 3750
Hi,
I've the following problem.
It's my goal to ratelimit incoming IPv6 traffic dependent on the destination IP address range.
On a Catalyst 3750 (Image: c3750-ipservicesk9-mz.122-55.SE1.bin) I've set up the configuration as follows:
mls qos
ipv6 access-list DESTINATION-RANGE-A
permit ipv6 any 2007::/16
ipv6 access-list DESTINATION-RANGE-B
permit ipv6 any 2B03::/16
class-map match-all A
match access-group name DESTINATION-RANGE-A
class-map match-all B
match access-group name DESTINATION-RANGE-B
policy-map RL-POLICY
class A
police 2000000 8000 exceed-action drop
class B
police 6000000 8000 exceed-action drop
interface GigabitEthernet1/0/7
switchport access vlan 90
load-interval 30
service-policy input RL-POLICY
The last CLI command which should bind the policy to the specific interface, leads to the following error message
QoS: class(A) IPv6 class not supported on interface GigabitEthernet1/0/7
Are hardware/software limitations the reason for this behavior or is there any misconfiguration?
Thanks in advance for your help!
Regards,
JensIf you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.
-
Ratelimiter with IPv6 class-map on Catalyst 3750
Hi,
I've the following problem.
It's my goal to ratelimit incoming IPv6 traffic dependent on the destination IP address range.
On a Catalyst 3750 (Image: c3750-ipservicesk9-mz.122-55.SE1.bin) I've set up the configuration as follows:
mls qos
ipv6 access-list DESTINATION-RANGE-A
permit ipv6 any 2007::/16
ipv6 access-list DESTINATION-RANGE-B
permit ipv6 any 2B03::/16
class-map match-all A
match access-group name DESTINATION-RANGE-A
class-map match-all B
match access-group name DESTINATION-RANGE-B
policy-map RL-POLICY
class A
police 2000000 8000 exceed-action drop
class B
police 6000000 8000 exceed-action drop
interface GigabitEthernet1/0/7
switchport access vlan 90
load-interval 30
service-policy input RL-POLICY
The last CLI command which should bind the policy to the specific interface, leads to the following error message
QoS: class(A) IPv6 class not supported on interface GigabitEthernet1/0/7
Are hardware/software limitations the reason for this behavior or is there any misconfiguration?
Thanks in advance for your help!
Regards,
JensIf you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.
-
Class-map not works, Packets not tagging
Hey Guys,
I have define policy maping and dont know why its not tagging the IPs;
class-map match-all KHAN
match access-group name ABC
match input-interface GigabitEthernet0/1
ip access-list extended ABC
permit ip host 10.11.201.20 10.11.207.128 0.0.0.127
permit ip host 10.11.201.19 10.11.207.128 0.0.0.127
policy-map TAIM
class voice
priority percent 50
set dscp ef
class KHAN
priority percent 49
set dscp af41
interface Multilink1
service-policy output TAIM
When I check the IPs on netflow it is showing half packets are tagged with af41 anf half are default.
Any idea will be appreciated.
Thanks
show policy map interface result
Class-map: TAIM (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name ABC
Match: input-interface GigabitEthernet0/1
Priority: 49% (3763 kbps), burst bytes 94050, b/w exceed drops: 0
QoS Set
dscp af41
Packets marked 0The problem is the way you are matching the packets:
Here it shows that there are 0 packets marked and 0 packets matched:
Class-map: TAIM (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name ABC
Match: input-interface GigabitEthernet0/1
Priority: 49% (3763 kbps), burst bytes 94050, b/w exceed drops: 0
QoS Set
dscp af41
Packets marked 0
When you define this:
class-map match-all KHAN
match access-group name ABC
match input-interface GigabitEthernet0/1
You are telling the router to match both conditions of ACL ABC and Interface input Gi0/1... most likely what happens here is that the class map does not match both condtions here.
Depending on what you need to accomplish, you can change it to be ANY:
class-map match-any KHAN
match access-group name ABC
match input-interface GigabitEthernet0/1
This way it will work if it matches either the first condition ACL ABC or second condition input Gi0/1.
Or you can just remove the input statement for Gi0/1 and match by the IPs only:
class-map match-all KHAN
match access-group name ABC
Maybe you are looking for
-
Reverse telnet to a specific line, based on AAA credentials
I want to setup a console server like a 2600 or something with a 16 or 32 port async module and allow users to access only certain ports/lines by reverse telnet based on login credentials. For example, user joe can reverse telnet to ports 1 and 2, wh
-
How to validate editable field in ALV
Hi All, I have a alv program using OOPS concept where two fields(columns) are editable in the alv output. These two columns contain table names and field names which can be edited. I just want to validate these table and field names when we press the
-
toda vez em que eu abro uma pagina aparece um popup com a mensagem para baixar adobe flash player 11.5.50.216, tanto aceitar ou não transfere um arquivo .zip
-
Database Shared_pool Configuration Problem
I have configured shared_pool size to 80 mb in 8i (8.1.6.0) database.But looking in TOAD Database Monitor it is showing almost 60+mb Free memory in Shared_Pool Memory Graph... How to reduce this free memory....???
-
I use a PCI MIO 16E board with an analog trigger. So I wire chann
el 0 to the PFIO line, and I enter "PFI0"as the triggering channel on the front panel , I put a level,and I declare channel0 and 1. When I do a DAQ it seems that PFI0 detects the signal as I haven't a timeout, but it doesn't trigger off at the good l