2921 firewall "allow" rules being dropped

Chris Coho
Level 1

I'm new to Cisco firewalls, I am configuring a 2921 with enhanced security using the CCP.  I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting.  It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine.  I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external IP, but if I change that rule to "inspect" I can connect fine (I don't want that rule set up permanently, was just using it to test the firewall).

If I set the allow rule to log, I see the following line in the application security log:

(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 1.1.1.1:58141 => 2.2.2.2:23 with ip ident 0

(where 1.1.1.1 is the external laptop and 2.2.2.2 is my WAN IP address of the 2921)

So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.

Does anyone have any ideas?  Is this the expected behavior of "Allow" action?  Is there something I can do to make sure "allow" traffic actually gets through?

Thanks!


1 Reply (Accepted Solution)

Jennifer Halim
Cisco Employee

"Allow" is stateless, and is normally used for stateless protocols, e.g. GRE, where you would need to configure the action "Allow" in both directions.

"Inspect" is stateful, and if the protocol is TCP, like telnet, it will allow the return packets as well if you configure "Inspect".
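To make the pass/inspect difference concrete, here is an added example in the IOS zone-based firewall CLI that CCP generates behind the scenes. It is not the original poster's configuration and not CCP's own output: the zone name out-zone and the zone-pair name ccp-zp-out-self are taken from the post and its log line, while ccp-zp-self-out, the ACL, class-map and policy-map names are assumed for the example. The mechanism behind the symptom is that traffic to and from the self zone is only permitted by default until a zone-pair that includes self carries a policy; the telnet SYN passes in under the out-zone-to-self policy, but the router's SYN-ACK travels self-to-out-zone, and if that zone-pair has a policy that does not pass telnet, the reply is dropped. The example goes slightly beyond the post by showing both a genuinely stateless protocol (GRE) handled with pass in both zone-pairs and the TCP case handled with inspect, which creates a session entry and admits the return packets without any rule in the reverse direction.

```cisco
! Zones: out-zone as named in the post; "self" is the built-in router zone
zone security out-zone
!
! Stateless protocol: GRE has no sessions, so "pass" must appear in BOTH zone-pairs
ip access-list extended ACL-GRE
 permit gre any any
!
class-map type inspect match-all CM-GRE
 match access-group name ACL-GRE
!
! Stateful protocol: telnet is TCP, so "inspect" creates a session entry that
! automatically admits the reply packets on the self-to-out-zone pair
class-map type inspect match-all CM-TELNET
 match protocol telnet
!
policy-map type inspect PM-OUT-SELF
 class type inspect CM-GRE
  pass
 class type inspect CM-TELNET
  inspect
 class class-default
  drop log
!
! Return direction: GRE needs its own "pass" here; telnet replies are NOT listed,
! because the session created by "inspect" already covers them
policy-map type inspect PM-SELF-OUT
 class type inspect CM-GRE
  pass
 class class-default
  drop log
!
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect PM-OUT-SELF
!
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect PM-SELF-OUT
```

To verify which behaviour you are getting, `show policy-map type inspect zone-pair ccp-zp-out-self sessions` lists the session entries that inspect created for each telnet connection; a class configured with pass never creates one, which is why a passed TCP flow only works when the reverse zone-pair also passes it. As the post notes, the telnet-to-self rule is only a test: leave the out-zone-to-self policy at drop for management protocols once you are done, since a pass or inspect rule here exposes the router's own control plane to the Internet.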
