Zone based firewall - inspect does not work?

Unanswered Question
Jul 6th, 2012

Zone: Outside
  Member Interfaces:
    Dialer0
Zone: Inside
  Member Interfaces:
    Virtual-Template1
    Vlan1102
Zone: Guest
  Member Interfaces:
    Vlan1104

Zone-pair              : Inside-to-Guest
Source Zone            : Inside
Destination Zone       : Guest
Service-policy inspect : Zone-Inside-to-Guest
  Class-map : Default-Inspection(match-any)
  Action : inspect

Class Map type inspect match-any Default-Inspection (id 10)
  Description: Default protocol Inspection class
   Match protocol tcp
   Match protocol udp
   Match protocol icmp


My question is: I cannot make the ZBF work between my internal zones. As you can see above, I've got Zone-Pair: Inside-to-Guest with 'inspect'. Unfortunately, when I tried to ping for the first time, I received:

%FW-6-DROP_PKT: Dropping icmp session GUEST:0    INSIDE:0  due to  policy match failure with ip ident 0

It indicated that the traffic going BACK was blocked... WHY? There is 'inspect'.

So I created a new pair: Guest-to-Inside and I changed everything to pass. It DID work. But that is not what I wanted! I wanted INSIDE to access GUEST but Guest should not access Inside. I assumed I could do it with 'inspect' but it did not work.

Let me add that I have exactly the same zone-pair and classes/policies for Inside-to-Outside and it does work with inspect.

Why can I not 'inspect' between my internal zones? Is it because there is no NAT?
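For reference, the following is an added example of the configuration that produces the zone and zone-pair output shown in the question, written up here by the editor; it is not the poster's own running-config. It assumes only the zones, interfaces and class-map shown above; the `class-default` with `drop log` and the verification commands at the end are additions so that anything the inspect class does not cover is visibly dropped. There is deliberately no Guest-to-Inside zone-pair: with zone-based firewall, traffic between two zones that have no zone-pair is dropped, while the replies to a session opened from Inside are meant to be matched against the inspect session table rather than against a Guest-to-Inside policy.

```cisco
! Inspection class: the same three protocols as the poster's Default-Inspection class
class-map type inspect match-any Default-Inspection
 description Default protocol Inspection class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Inside -> Guest policy: inspect the class, drop and log everything else
! (the class-default action is an addition so that non-matching traffic is logged)
policy-map type inspect Zone-Inside-to-Guest
 class type inspect Default-Inspection
  inspect
 class class-default
  drop log
!
zone security Outside
zone security Inside
zone security Guest
!
! Only the Inside -> Guest pair exists. Guest-initiated traffic toward Inside
! has no zone-pair and is dropped by default; replies to Inside-initiated
! sessions are expected to match the state created by 'inspect'.
zone-pair security Inside-to-Guest source Inside destination Guest
 service-policy type inspect Zone-Inside-to-Guest
!
interface Vlan1102
 zone-member security Inside
!
interface Virtual-Template1
 zone-member security Inside
!
interface Vlan1104
 zone-member security Guest
!
interface Dialer0
 zone-member security Outside
!
! Verification while a ping from an Inside host to a Guest host is running:
!   show zone-pair security
!   show policy-map type inspect zone-pair Inside-to-Guest sessions
! An ICMP session listed by the second command means the inspect engine
! created state for the echo; a %FW-6-DROP_PKT naming GUEST -> INSIDE for
! the echo-reply means the reply was evaluated as a new Guest -> Inside flow
! instead of being matched to that state.
```

Two things worth checking with this layout: hosts on Virtual-Template1 and Vlan1102 are in the same zone, so they reach each other without any zone-pair, and the inspect session is only matched when the reply comes back in through an interface that belongs to the Guest zone. If the path back is different from the path out (the asymmetric routing mentioned later in the thread), or if the reply does not look like a reply to the recorded session (invalid headers or payload), the session lookup fails and the packet is treated as a new Guest-to-Inside flow, which is exactly the drop message shown in the question.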

Julio Carvaja Fri, 07/13/2012 - 22:47

Hello,

Well, there is a problem with the communication the hosts are trying to make. The router with the ZBFW enabled will perform a deep packet inspection in order to investigate and confirm whether a session will need to be allowed or not.

In this particular traffic you are seeing here, the inspection was not successful (I mean it is being inspected, just that the traffic did not pass the test (inspection)). That is why with a pass/pass on the right zones it works like a charm.

As you know that this traffic is between internal zones, the pass/pass is okay (it keeps being secure as this is between internal hosts, and you can restrict it by using an ACL).

Regards,

Julio

CSC is a free support community; take your time to rate all the engineers' responses that help you resolve your problems.

Marios Sat, 07/14/2012 - 05:09

I do not understand what you are trying to say... a zone is a zone (how would a router know it is an internal zone? No NAT? Maybe I am not using NAT at all?). Why doesn't 'inspect' work between internal zones?

On another board someone suggested it was because I tested it with ICMP, which is stateless.

Julio Carvaja Sat, 07/14/2012 - 11:10

Hello,

First of all, the router is able to inspect ICMP sessions; it can perform a deep packet inspection and work with the echoes and echo-replies.

Now let me explain myself again; I was way too tired yesterday.

Traffic from Inside to Guest is being inspected, but the traffic is not passing the inspection engine (this could be because of asymmetric routing, invalid payload, etc.).

So, that being the case, that is why the traffic is being allowed with a pass/pass: this is because the router does not become as specific as with the inspection engine.

Do you see what I mean?

Julio

Marios Sat, 07/14/2012 - 11:56

Ok... any reason why it was happening?

What is so special about Inside-to-Guest (does not work) vs Inside-to-Outside (works great)? Rules, policies etc. are the same!

Julio Carvaja Sat, 07/14/2012 - 12:16

Hello,

Again, this could be because of invalid flags, invalid TCP headers or payloads, etc.

Now, in order to check what is happening, you should take captures on both devices (run Wireshark) and check if you see anything that is not normal in the packets.

Does this happen with all the data exchanged between the servers (UDP, ICMP, TCP)?

What is in between the two subnets besides the router?

Julio

Posted July 6, 2012 at 2:48 AM