Same Zone Traffic to inside hitting different rules

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Same Zone Traffic to inside hitting different rules

L0 Member

Howdy All,

 

I'm running into an issue where traffic from "Colo-Voice" segment bound to Any on the inside is hittin an "Any L3" policy (shown below) that's in place as the last policy. During our capture, we can see there's another host from the same segment bound for the same segment however it is hitting the "Cisco Voice-to-Internal_Trust" policy (as it should be.) Below are the two rules configured on the PAN. We can't see to figure out why the host hitting the "Any L3" policy is not hitting the "Cisco Voice-to-Internal_Trust". For all sense and purposes, this traffic "should" hit the Cisco Voice...policy first.

 

Our goal is to finally be able to remove the "Any L3" policy so that the PAN can be locked down.

 

Any input on this is greatly appreciated.

 

================================

}
"Cisco Voice-to-Internal_Trust" {
from Colo-Voice;
to Internal_Trust;
source 10.10.60.0/24;
destination any;
source-user any;
category any;
application [ cisco-rtmt informix ms-office365-base ntp outlook-web-online rmi-iiop rtcp rtp-base sccp sip ssh ssl tftp web-browsing];
service any;
hip-profiles any;
action allow;
}

 

"Any L3" {
from [ Colo-Voice FW_110 Mgmt P2P SF-113 SF-114 SF-115 SF-116 Trust UCS-Mgmt Internal_Trust];
to [ Colo-Voice FW_110 Mgmt P2P SF-113 SF-114 SF-115 SF-116 Trust UCS-Mgmt Internal_Trust];
source any;
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
profile-setting {
group Monitor;
}
disabled no;

 

================================

Capture.PNG

2 REPLIES 2

L6 Presenter

Hey,

 

Can you post the screen shot of your policy set-up, please? Who is the source and who is the destination? Do you think destination(s) .141 and .2 are in the different zones?   Usually, device will do exactly what you have asked it to do. Unfortunately, this is not always the same as what you want.

Hi,

 

Cap11 shows some of the rules above the 'Any L3'.  Cap12 shows the 'Any L3' Rule.  I have screen cap of all the policies that precede the  "Cisco Voice-to-Internal_Trust".

 

Please advise if anything else is needed.

 

Thanks!Cap11Cap11Cap12Cap12

  • 2565 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!