07-06-2012 02:48 AM - edited 03-11-2019 04:27 PM
Zone: Outside
  Member Interfaces:
    Dialer0
Zone: Inside
  Member Interfaces:
    Virtual-Template1
    Vlan1102
Zone: Guest
  Member Interfaces:
    Vlan1104
Zone-pair : Inside-to-Guest
  Source Zone : Inside
  Destination Zone : Guest
  Service-policy inspect : Zone-Inside-to-Guest
    Class-map : Default-Inspection(match-any)
      Action : inspect
Class Map type inspect match-any Default-Inspection (id 10)
  Description: Default protocol Inspection class
  Match protocol tcp
  Match protocol udp
  Match protocol icmp
My question is: I cannot make ZBF work between my internal zones. As you can see above, I've got Zone-Pair: Inside-to-Guest with 'inspect'. Unfortunately, when I tried to ping for the first time, I received:
%FW-6-DROP_PKT: Dropping icmp session GUEST:0 INSIDE:0 due to policy match failure with ip ident 0
It indicated that the traffic going BACK was blocked... WHY? There is 'inspect'.
So I created a new pair: Guest-to-Inside and I changed everything to pass. It DID work. But that is not what I wanted! I wanted INSIDE to access GUEST, but Guest should not access Inside. I assumed I could do it with 'inspect', but it did not work.
Let me add that I have exactly the same zone-pair and classes/policies for Inside-to-Outside, and it does work with inspect.
Why can I not 'inspect' between my internal zones? Is it because there is no NAT?
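When triaging a %FW-6-DROP_PKT message like the one above, the first thing to check is which zone-pair the dropped direction actually falls under. The following is an added example (not from the original post or from Cisco): it parses the drop line and compares the source/destination tokens against the zone-pairs shown in the post; reading the two "NAME:0" tokens as source zone then destination zone is an assumption, and the zone-pair table is constructed from the output quoted above.

```python
import re
from typing import Optional

# Zone-pairs from the quoted "show" output, as a constructed table:
# (source zone, destination zone) -> action of the matching class.
# Zone names are upper-cased so they compare with the syslog tokens.
ZONE_PAIRS = {
    ("INSIDE", "GUEST"): "inspect",
    ("INSIDE", "OUTSIDE"): "inspect",
}

# Pattern for the drop message as it appears in the post. Treating the two
# "NAME:port" tokens as source and destination is an assumption.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\w.-]+):(?P<sport>\d+) (?P<dst>[\w.-]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)

def parse_drop(line: str) -> Optional[dict]:
    """Return the fields of a %FW-6-DROP_PKT line, or None if it is not one."""
    m = DROP_RE.search(line)
    return m.groupdict() if m else None

def triage(line: str, zone_pairs=ZONE_PAIRS) -> Optional[str]:
    """Explain a drop line in terms of the configured zone-pairs."""
    fields = parse_drop(line)
    if fields is None:
        return None
    src, dst = fields["src"].upper(), fields["dst"].upper()
    forward = zone_pairs.get((src, dst))
    reverse = zone_pairs.get((dst, src))
    if forward:
        return (f"{fields['proto']} {src}->{dst}: zone-pair exists ({forward}); "
                f"dropped for '{fields['reason']}'")
    if reverse:
        return (f"{fields['proto']} {src}->{dst}: no zone-pair in this direction; "
                f"only {dst}->{src} ({reverse}) is configured, so this packet was "
                f"not matched as the return half of an inspected session")
    return f"{fields['proto']} {src}->{dst}: no zone-pair in either direction"

# Constructed sample input: the line quoted in the post plus one unrelated line.
SAMPLE_LOG = [
    "%FW-6-DROP_PKT: Dropping icmp session GUEST:0 INSIDE:0 due to policy match failure with ip ident 0",
    "%SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        result = triage(entry)
        if result:
            print(result)
```

Running it against the quoted line reports that the drop is in the GUEST->INSIDE direction, for which the quoted configuration has no zone-pair.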
07-13-2012 10:47 PM
Hello,
Well, there is a problem with the communication the hosts are trying to make; the router with ZBFW enabled will perform a deep packet inspection in order to investigate and confirm if a session will need to be allowed or not.
In this particular traffic you are seeing here, the inspection was not successful (I mean it is being inspected, just that the traffic did not pass the test (inspection)). That is why with a pass/pass on the right zones it works like a charm.
As you know, since this traffic is between internal zones, the pass/pass is okay (it stays secure as this is between internal hosts, and you can restrict it by using an ACL).
Regards,
Julio
CSC is a free support community; take your time to rate all the engineers' responses that help you resolve your problems.
07-14-2012 05:09 AM
I do not understand what you are trying to say... a zone is a zone (how would a router know it is an internal zone? No NAT? Maybe I am not using NAT at all?). Why doesn't 'inspect' work between internal zones?
On another board someone suggested it was because I tested it with ICMP, which is stateless.
07-14-2012 11:10 AM
Hello,
First of all, the router is able to inspect ICMP sessions; it can perform deep packet inspection and work with the echoes and echo-replies.
Now let me explain myself again; I was way too tired yesterday.
Traffic from Inside to Guest is being inspected, but the traffic is not passing the inspection engine (this could be because of asymmetric routing, invalid payload, etc.).
So, that being the case, that is why the traffic is being allowed with a pass/pass: the router does not get as specific as with the inspection engine.
Do you see what I mean?
Julio
07-14-2012 11:56 AM
OK... any reason why it was happening?
What is so special about Inside-to-Guest (does not work) vs Inside-to-Outside (works great)? Rules, policies, etc. are the same!
07-14-2012 12:16 PM
Hello,
Again, this could be because of invalid flags, invalid TCP headers or payloads, etc.
Now, in order to check what is happening, you should take captures on both devices (run Wireshark) and check if you see anything that is not normal in the packets.
Does this happen with all the data exchanged between the servers (UDP, ICMP, TCP)?
What is in between the two subnets besides the router?
Julio