
When configuring ZBFW on IOS, the "class-default" class doesn't allow the inspect action (only pass and drop). What is the recommended way to match all traffic for stateful inspection? Matching TCP, UDP, and ICMP seems to work fine, but this doesn't seem ideal:

! match-any: a packet matching any one of these protocols hits the class
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
Jeremy Stretch


That should work. Either that or use something like:

R1(config)#ip access-list extended MATCH-ALL
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#class-map type inspect match-any CM_MATCH-ALL
R1(config-cmap)#match access-group name MATCH-ALL
R1(config-cmap)#policy-map type inspect PM_IN->OUT
R1(config-pmap)#class CM_MATCH-ALL
R1(config-pmap-c)#inspect
%No specific protocol configured in class CM_MATCH-ALL for inspection. All protocols will be inspected

If no specific protocol is matched in the class-map then it will match all protocols.

Daniel Dib
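The ACL-based catch-all from the answer above, placed into a complete zone-pair so it can be pasted onto a lab router and checked end to end. This is an added example, not configuration from the question or answer; the zone names, interface names and policy names are assumptions chosen for illustration. It also shows the class-default handling the question mentions: since class-default cannot inspect, it is given an explicit drop with logging so that anything the catch-all somehow misses is visible rather than silently discarded.

```cisco
! Security zones and interface membership (interface names are assumed)
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN (assumed)
 zone-member security OUTSIDE
!
! Catch-all ACL. The class map matches this ACL and no "match protocol",
! so "inspect" applies to every protocol (the router warns about exactly that).
ip access-list extended MATCH-ALL
 permit ip any any
!
class-map type inspect match-any CM_MATCH-ALL
 match access-group name MATCH-ALL
!
policy-map type inspect PM_IN->OUT
 class type inspect CM_MATCH-ALL
  inspect
 ! class-default only supports pass or drop in an inspect policy;
 ! drop with logging so unexpected traffic is visible in syslog.
 class class-default
  drop log
!
! Bind the policy to the inside->outside direction. Return traffic for
! inspected sessions is allowed by the state table; there is no OUT->IN pair.
zone-pair security IN->OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN->OUT
!
! Verification (exec mode):
!   show policy-map type inspect zone-pair IN->OUT sessions
!   show class-map type inspect CM_MATCH-ALL
```

One caveat worth keeping in mind with this approach: a class that matches only an ACL gets generic Layer 4 state tracking, which is what the "All protocols will be inspected" message refers to. Protocols that depend on application-layer inspection, such as FTP opening its data channel, still need an explicit `match protocol ftp` in a class ahead of the catch-all if you rely on that behaviour.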