Zone based firewall - inspect does not work?

Unanswered Question
Jul 6th, 2012
User Badges:

Zone: Outside

  Member Interfaces:


Zone: Inside

  Member Interfaces:



Zone: Guest

  Member Interfaces:


Zone-pair              : Inside-to-Guest

Source Zone            : Inside

Destination Zone       : Guest

Service-policy inspect : Zone-Inside-to-Guest

  Class-map : Default-Inspection(match-any)

  Action : inspect

Class Map type inspect match-any Default-Inspection (id 10)

  Description: Default protocol Inspection class

   Match protocol tcp

   Match protocol udp

   Match protocol icmp

My question is: I cannot make it work the ZBF between my internal zones. As you can see above, I've got Zone-Pair: Inside-to-Guest with 'inspect'. Unfortunately, when I tried to ping for the first time, i received:

%FW-6-DROP_PKT: Dropping icmp session GUEST:0    INSIDE:0  due to  policy match failure with ip ident 0

It indicated that the traffic going BACK was blocked... WHY? There is 'inspect'

So I created a new pair: Guest-to-Inside and I changed everything to pass. It DID work. But that is not what I wanted! I wanted INSIDE to access GUEST but Guest should not access Inside. I assumed I could do it with 'inspect' but it did now work.

Let me add that I have an exactly the same zone-pair and classes/policies for Inside-to-Outside and it does work with inspect.

Why can I not 'inspect'  between my internal zones? Is it because there is no NAT?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Julio Carvajal Fri, 07/13/2012 - 22:47
User Badges:
  • Purple, 4500 points or more


Well there is a problem with the communication the host are trying to make, the router with the ZBFW enable will perform a deep packet inspection in order to investigate and confirm if a session will need to be allowed or not.

In this particular traffic you are seeing here the inspection was not succesfull ( I mean it is being inspected just that the traffic did not pass the test ( Inspection). That is why with a pass/pass on the right zones it works like a charm.

As you know that this traffic is between internal zones the pass/pass it's okay ( It keeps being secure as this is between internal host, and you can restricted by using an ACL.



CSC it's a free support community, take your time to rate all the engineer's responses that helps you resolving your problems.

Mariusz Kuriata Sat, 07/14/2012 - 05:09
User Badges:

Do not understand what you are trying to say... zone is a zone (how would a router know it is internal zone? no nat? maybe I am not using nat at all?), why doesn't 'inspect' work between internal zones?

On another board someone suggested it was because I tested it with icmp which is stateless..

Julio Carvajal Sat, 07/14/2012 - 11:10
User Badges:
  • Purple, 4500 points or more


First of all the router can be able to inspect ICMP sessions, he can perform a deep packet inspection and work with the echo and echo-replies.

Now let me explain my self again, I was way too tired yesterday

Traffic between inside to Guest is being inspected but the traffic is not passing the inspection engine ( this could be because of Asymetric routing, invalid payload,etc,etc)

So that being the case that is why the traffic is being allowed with a pass/pass this because the router does not become as specific as with the inspection engine.

Do you see what I mean?


Mariusz Kuriata Sat, 07/14/2012 - 11:56
User Badges:

Ok... any reason why it was happening???

What is so special about inside-to-guest (does not work) vs inside-to-outside (works great). Rules, policies etc are the same!

Julio Carvajal Sat, 07/14/2012 - 12:16
User Badges:
  • Purple, 4500 points or more


Again this could be because of invalid flags, invalid tcp headers or payloads,etc.

Now in order o check what is happening you should take captures on both devices ( run wireshark ) and check if you see anything that is not normal on the packets.

Does this happens with all the data exchanged between the servers ( UDP,ICMP,TCP)

What is in between the two subnets besides the router?



This Discussion