Policy with match protocol and pass action cannot attach to self-zone

I encountered this bug on a Cisco 877 (IOS v15.1(4)M) when setting up a zone-based firewall configuration. The message is:

Router(config-sec-zone-pair)#  service-policy type inspect ingressinside
%Protocol configured in class-map fw-management-ingress cannot be configured for the self zone with inspect action. Please remove the protocol and retry

Support in IOS v15.1(4) seems to be limited when it comes to stateful inspection of router-generated traffic, or of traffic destined to the router itself (the self zone).

The initial configuration was of the form:

class-map type inspect match-any fw-management-ingress
  description Support for managing the firewall router
  match protocol ssh
  match protocol http
  match protocol https
  match protocol snmp
  match protocol icmp
exit

policy-map type inspect ingressinside
  class type inspect fw-management-ingress
    inspect
  exit

  class class-default
     drop log
  exit
exit

zone-pair security ingressinside source ZoneInside destination self
  description Private traffic to the router
  service-policy type inspect ingressinside
exit

The updated configuration, which matches on ACLs instead of on protocols, is:

ip access-list extended fw4-management-ingress
  permit tcp  any gt 1023 any eq 22
  permit tcp  any gt 1023 any eq www
  permit tcp  any gt 1023 any eq 443
  permit tcp  any gt 1023 any eq 161
  permit udp  any gt 1023 any eq 161
  permit icmp any         any echo
exit

ipv6 access-list fw6-management-ingress
  permit tcp  any gt 1023 any eq 22
  permit tcp  any gt 1023 any eq www
  permit tcp  any gt 1023 any eq 443
  permit tcp  any gt 1023 any eq 161
  permit udp  any gt 1023 any eq 161
  permit icmp any         any echo-request
exit

class-map type inspect match-any fw-management-ingress
  description Support for managing the firewall router (see CSCsq44101)
  match access-group name fw4-management-ingress
  match access-group name fw6-management-ingress
exit

policy-map type inspect ingressinside
  class type inspect fw-management-ingress
    inspect
  exit

  class class-default
     drop log
  exit
exit

zone-pair security ingressinside source ZoneInside destination self
  description Private traffic to the router
  service-policy type inspect ingressinside
exit
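The difference between the two configurations is easy to miss in a long running-config, so the following script is added here as a pre-deployment check (it is not part of the original post or of any Cisco tooling). It walks the class-map, policy-map and zone-pair blocks of an IOS zone-based firewall configuration and reports every class-map that uses "match protocol" and is reachable from a zone-pair whose source or destination is the self zone. Since the post does not list which protocols IOS does accept for the self zone, the script assumes the conservative rule and reports all of them. The two configurations it reads are the post's own, embedded inline as constructed input.

```python
"""Lint an IOS zone-based firewall config for class-maps that use 'match protocol'
and are attached (via a policy-map) to a zone-pair involving the self zone.
Added example; the embedded configs are the post's own, trimmed to the essentials."""
import re
from typing import Dict, List

CLASS_MAP_RE = re.compile(r"^class-map type inspect (?:match-any|match-all) (?P<name>\S+)$")
POLICY_MAP_RE = re.compile(r"^policy-map type inspect (?P<name>\S+)$")
ZONE_PAIR_RE = re.compile(
    r"^zone-pair security (?P<name>\S+) source (?P<src>\S+) destination (?P<dst>\S+)$")
SERVICE_POLICY_RE = re.compile(r"^service-policy type inspect (?P<name>\S+)$")
CLASS_REF_RE = re.compile(r"^class type inspect (?P<name>\S+)$")


def parse_blocks(config: str, header_re: "re.Pattern") -> Dict[str, dict]:
    """Collect every top-level block whose header matches header_re.

    Works on hand-written configs (indented bodies, 'exit' lines) and on
    'show running-config' output (one-space indentation, no 'exit'): any line
    starting in column 0 ends the current block.
    """
    blocks: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                      # top-level command
            m = header_re.match(raw.strip())
            current = m.group("name") if m else None
            if m:
                blocks[current] = {"hdr": m.groupdict(), "body": []}
            continue
        if current is not None:                       # sub-command of the open block
            blocks[current]["body"].append(raw.strip())
    return blocks


def find_self_zone_protocol_matches(config: str) -> List[dict]:
    """One finding per class-map using 'match protocol' that a self-zone zone-pair reaches.
    Assumption: every 'match protocol' is reported, since the supported list is unknown here."""
    class_maps = parse_blocks(config, CLASS_MAP_RE)
    policy_maps = parse_blocks(config, POLICY_MAP_RE)
    zone_pairs = parse_blocks(config, ZONE_PAIR_RE)
    findings: List[dict] = []
    for zp_name, zp in zone_pairs.items():
        if "self" not in (zp["hdr"]["src"], zp["hdr"]["dst"]):
            continue
        for line in zp["body"]:
            sp = SERVICE_POLICY_RE.match(line)
            pm = policy_maps.get(sp.group("name")) if sp else None
            if pm is None:
                continue
            for pline in pm["body"]:
                ref = CLASS_REF_RE.match(pline)
                cm = class_maps.get(ref.group("name")) if ref else None
                if cm is None:
                    continue
                protocols = [l.split()[2] for l in cm["body"] if l.startswith("match protocol ")]
                if protocols:
                    findings.append({"zone_pair": zp_name, "policy_map": sp.group("name"),
                                     "class_map": ref.group("name"), "protocols": protocols})
    return findings


# Constructed input: the policy-map and zone-pair shared by both versions of the post's config.
COMMON = """\
policy-map type inspect ingressinside
  class type inspect fw-management-ingress
    inspect
  exit
  class class-default
    drop log
  exit
exit
zone-pair security ingressinside source ZoneInside destination self
  service-policy type inspect ingressinside
exit
"""
ORIGINAL_CONFIG = """\
class-map type inspect match-any fw-management-ingress
  match protocol ssh
  match protocol http
  match protocol https
  match protocol snmp
  match protocol icmp
exit
""" + COMMON
FIXED_CONFIG = """\
class-map type inspect match-any fw-management-ingress
  match access-group name fw4-management-ingress
  match access-group name fw6-management-ingress
exit
""" + COMMON

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for f in find_self_zone_protocol_matches(cfg):
            print(f"{label}: zone-pair {f['zone_pair']} -> policy-map {f['policy_map']} -> "
                  f"class-map {f['class_map']} uses match protocol {', '.join(f['protocols'])}")
```

Run against the original configuration the script reports the five protocols in fw-management-ingress; against the ACL-based configuration it reports nothing. The block-per-column-0-line parsing is what makes it usable on real `show running-config` output as well as on the tidied snippets above.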

CSCsq44101 Bug Details

Policy with match protocol and pass action cannot attach to self-zone

Symptom:

When applying a service-policy to a firewall zone-pair containing the self-zone, the following error is seen.

%Protocol configured in class-map < class name> cannot be configured for the self zone. Please remove the protocol and retry

Conditions:

This issue is seen if the class-map in the policy-map uses match protocol and the protocol is not in the list of supported protocols for the self-zone. This issue is seen even with the pass action.

Workaround:

Change from match protocol in the class-map to using an ACL to match the port instead.
