Problem with self zone in IOS zone-based firewall

Unanswered Question
Jun 28th, 2007

Hello,

I'm having strange behaviour of my IOS zone-based firewall related to self security zone. As I understand, all traffic from and to self zone is permited, unless any rule between self and other zones exists.

I havo no rule between self zone and in-zone (my inside LAN), so i thought all my traffic is permited between them. I can ping, use http, https, etc from in-zone to self, and so on, but we had a problem when started to test Cisco VoIP solution.

SCCP protocol with Cisco phones (7910 and 7960) works well, but the problem starts when we test calls between Cisco phones and softphones in our laptops.

IOS firewall drops this packet:

050113: *Jun 28 12:32:27.520 PCTime: %FW-6-DROP_UDP_PKT: Dropping udp pkt 10.1.0.1:2000 => 10.1.0.189:21348 with ip ident 549 due to policy match failure

Note that 10.1.0.1 is the inside interface for the self zone, and 10.1.0.189 is the VoIP phone (Cisco 7911) in the in-zone.

Why IOS firewall drops this packet? All other packet from self to in-zone

seems unaffected...

My config is attached, hardware is a 2811 router with Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(11)XJ, RELEASE SOFTWARE (fc1)

Thanks in advance,

Ignacio Siles.

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion