
Notable Replies

  1. Hi Matt,

    It’s in the policy-map, take a look below:

    policy-map type inspect LAN-TO-WAN
     class type inspect ICMP
     class class-default

    The output above is from the running configuration. Here’s how to change it:

    R2(config)#policy-map type inspect LAN-TO-WAN
    R2(config-pmap)#class class-default
    Policy-map class configuration commands:
      drop  Drop the packet
      exit  Exit from class action configuration mode
      no    Negate or set default values of a command
      pass  Pass the packet

    The parameters can be used to check for certain DNS/TCP/UDP parameters and such. Here’s a quick example:

    class-map type inspect match-all HTTP_TRAFFIC
     match protocol http
    parameter-map type inspect TCP_PARAMETERS
     tcp idle-time 15
    policy-map type inspect test
     class type inspect HTTP_TRAFFIC
      inspect TCP_PARAMETERS

    Instead of just using “inspect”, we are also referring to a parameter-map where we specify that the TCP idle time is 15 seconds. There’s a bunch of parameters you can choose from:

    parameter-map commands:
      alert           Turn on/off alert
      audit-trail     Turn on/off audit trail
      dns-timeout     Specify timeout for DNS
      exit            Exit from parameter-map
      icmp            Config timeout values for icmp
      ipv6            Config IPv6 specific parameters
      max-incomplete  Specify maximum number of incomplete connections before
      no              Negate or set default values of a command
      one-minute      Specify one-minute-sample watermarks for clamping
      sessions        Maximum number of inspect sessions
      tcp             Config timeout values for tcp connections
      udp             Config timeout values for udp flows
      zone-mismatch   Configure Zone mismatch
    R1(config-profile)#tcp ?
      finwait-time              Specify timeout for TCP connections after a FIN
      idle-time                 Specify idle timeout for tcp connections
      max-incomplete            Specify max half-open connection per host
      synwait-time              Specify timeout for TCP connections after a SYN and
                                no further data
      window-scale-enforcement  Window scale option for TCP packet

    Hope this helps!


  2. Hi Rene,

    I’m wanting to include a section in my ZBPF to deny access to certain URLs. Some websites are suggesting to use a parameter-map type regex whilst others are suggesting using a class-map match-any.

    parameter-map type regex url-blacklist-pmap
     pattern *.example.com
    class-map match-any URL_BLOCK
     match protocol http host "example.com"

    I am interested in doing this to try and block various telemetry attempts by 3rd parties as the hosts file is often quite useless at this. Some use URLs hardcoded with their phone home addresses inside .DLLs to circumvent detection. Can you offer any suggestions using the correct syntax?


  3. Hi Rene,
    Why did you use many “inspect” commands: in the class-map, in the policy-map (2 times) and in the zone-pair?
    Which one of them should be the one to allow the return traffic, and which one of them can I replace with drop or pass?

    Also regarding the WAN-TO-SELF should I create LAN-To-SELF deny access from the inside zone?
    Thanks a lot

  4. Hi Ali and Matt,

    About the many inspect commands…the thing is that the class-map that is used for inspection is a different one than the regular class-map. The same thing applies to the policy-map. For example, take a look at this code:

    policy-map type inspect LAN-TO-WAN
     class type inspect ICMP

    The “policy-map type inspect” part only refers to the policy-map called LAN-TO-WAN and specifies that it’s an “inspect type” policy-map. The same thing applies to the class-map we use here.

    The only command that does inspection, is the “inspect” command.

    About where to use inspect. Let’s look at two different options:

    policy-map type inspect LAN-TO-WAN
     class type inspect ICMP

    If you configure it like above, then ICMP traffic is allowed to go from LAN to WAN…AND the return traffic is permitted.

    If you use pass instead of inspect, you’ll have to do something like this:

     policy-map type inspect LAN-TO-WAN
     class type inspect ICMP
     policy-map type inspect WAN-TO-LAN
     class type inspect ICMP

    Creating a LAN-TO-SELF zone-pair is useful when you want to restrict traffic from LAN to SELF. You could add one and only permit something like SSH with a source IP.

    Your WAN-TO-SELF policy-map looks good Matt. You can always add more class-maps to it for traffic that you do want to permit (SSH perhaps). Dropping everything by default from the outside is a good idea.
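A complete ZBPF skeleton that ties the fragments from replies 1 and 4 together, added here as an illustration and not taken from the thread: it shows where the inspect-type class-map, parameter-map, policy-map and zone-pair fit, and why pass needs a second zone-pair for the return traffic where inspect does not. Interface names, descriptions and the ICMP_PARAMETERS name are assumptions.

```cisco
! Added example, not from the original thread. Interface names and the
! ICMP_PARAMETERS name are assumptions; LAN/WAN zone names follow the thread.
!
! Zones and interface membership
zone security LAN
zone security WAN
interface GigabitEthernet0/0
 description Inside (assumed)
 zone-member security LAN
interface GigabitEthernet0/1
 description Outside (assumed)
 zone-member security WAN
!
! Inspect-type class-map: what to match. Parameter-map: how to track it.
class-map type inspect match-all ICMP
 match protocol icmp
parameter-map type inspect ICMP_PARAMETERS
 icmp idle-time 10
!
! Option A: stateful inspection. Echo replies are matched against the
! session table, so no WAN-TO-LAN zone-pair is needed for return traffic.
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect ICMP_PARAMETERS
 class class-default
  drop
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN
!
! Option B: pass instead of inspect. No state is kept, so the reply
! direction needs its own policy-map and zone-pair or the echo replies are
! dropped. To use it, point the LAN-TO-WAN zone-pair at LAN-TO-WAN-PASS
! instead of LAN-TO-WAN; a zone-pair carries only one service-policy.
policy-map type inspect LAN-TO-WAN-PASS
 class type inspect ICMP
  pass
 class class-default
  drop
policy-map type inspect WAN-TO-LAN-PASS
 class type inspect ICMP
  pass
 class class-default
  drop
zone-pair security WAN-TO-LAN source WAN destination LAN
 service-policy type inspect WAN-TO-LAN-PASS
```

The explicit drop under class class-default in each policy-map is what makes the zone-pair deny-by-default for anything the named classes do not match.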


Continue the discussion forum.networklessons.com
