New Member

2921 firewall "allow" rules being dropped

I'm new to Cisco firewalls; I am configuring a 2921 with enhanced security using the CCP.  I have found a behavior that seems strange to me, and I'm not sure if I'm misunderstanding something or missing a setting.  It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine.  I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic: I cannot telnet into it from an external IP, but if I change that rule to "inspect" I can connect fine (I don't want that rule set up permanently; I was just using it to test the firewall).

If I set the allow rule to log, I see the following line in the application security log:

(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 1.1.1.1:58141 => 2.2.2.2:23 with ip ident 0

(where 1.1.1.1 is the external laptop and 2.2.2.2 is my WAN IP address of the 2921)

So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.

Does anyone have any ideas?  Is this the expected behavior of "Allow" action?  Is there something I can do to make sure "allow" traffic actually gets through?

Thanks!

Accepted Solutions
Cisco Employee

2921 firewall "allow" rules being dropped

"Allow" is stateless, and is normally used for stateless protocols, e.g. GRE, where you would need to configure the action "Allow" in both directions.

"Inspect" is stateful, and if the protocol is TCP like telnet, it will allow the return packet as well if you configure "inspect".
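
The IOS zone-based firewall configuration below is an added illustration of the accepted answer; it is not taken from the original thread, and it is not the configuration CCP generated for the poster. It assumes that CCP's "Allow" action maps to the CLI action `pass` and "Inspect" to `inspect`, and that, as the answer implies, a self-to-out-zone zone-pair with a policy that does not match telnet already exists (the interface, class-map, policy-map and zone-pair names are constructed for the example). Variant A shows why a single stateless `pass` drops the telnet session and what the second direction has to look like; variant B shows the single stateful `inspect` that makes the session work on its own.

```ios
! Constructed example: zone, interface and policy names are not the poster's.
! Traffic class shared by both variants: telnet to the router itself.
class-map type inspect match-any CM-TELNET-SELF
 match protocol telnet
!
zone security out-zone
interface GigabitEthernet0/0
 zone-member security out-zone
!
! --- Variant A: stateless "pass" (assumed to be what CCP labels "Allow") ---
! pass creates no session entry. The inbound SYN is passed and logged
! ("Passing telnet pkt ..."), but the router's SYN-ACK back to out-zone is
! evaluated by the self -> out-zone zone-pair, whose policy does not match
! telnet, so it is dropped and the TCP handshake never completes.
policy-map type inspect PM-OUT-SELF-PASS
 class type inspect CM-TELNET-SELF
  pass
 class class-default
  drop
!
! A stateless action needs a matching pass in the reverse zone-pair too,
! which is the "both directions" requirement from the accepted answer.
policy-map type inspect PM-SELF-OUT-PASS
 class type inspect CM-TELNET-SELF
  pass
 class class-default
  drop
!
zone-pair security ZP-OUT-SELF source out-zone destination self
 service-policy type inspect PM-OUT-SELF-PASS
zone-pair security ZP-SELF-OUT source self destination out-zone
 service-policy type inspect PM-SELF-OUT-PASS
!
! --- Variant B: stateful "inspect" ---
! inspect creates a session entry on the first packet, and the return
! packets of that TCP session are matched against the session table, so
! only the out-zone -> self zone-pair needs a rule for telnet.
policy-map type inspect PM-OUT-SELF-INSPECT
 class type inspect CM-TELNET-SELF
  inspect
 class class-default
  drop
!
zone-pair security ZP-OUT-SELF source out-zone destination self
 service-policy type inspect PM-OUT-SELF-INSPECT
```

To confirm which behaviour you are getting, `show policy-map type inspect zone-pair ZP-OUT-SELF sessions` lists the session entries created by `inspect`; with `pass` there are none, which is the quickest way to tell the two actions apart on a running router. The stateful variant is also the safer default for TCP services: with `pass` the reverse rule has to admit return traffic without any knowledge of whether a session was actually opened from the outside.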
