Cisco Support Community

IOS firewall blocks certain return traffic

Hi Team,

I've got IOS firewall configured on one of my Cisco 2921 routers (my current internet traffic is destined to a WAN proxy) and I'm using the inspect command to enable DPI and to track the sessions. The configuration details are as follows:

Router(config)# class-map type inspect match-any All_Protocols
Router(config-cmap)# match protocol tcp
Router(config-cmap)# match protocol udp
Router(config-cmap)# match protocol icmp

and I'm using zone-pairs named trusted and internet:

policy-map type inspect Trusted
 class class-default
  pass
policy-map type inspect Trusted_to_Internet
 class type inspect All_Protocols
  inspect 
 class class-default
  drop

Now, my problem is that the IOS firewall blocks certain return traffic, particularly when certain websites accept the request on one IP address and send the reply via another IP address, due to the IOS firewall's basic behaviour. What I want to know is: is it possible to allow the return traffic coming from the WAN proxy IP through the IOS firewall, or are there any other alternatives available to achieve the same? Please advise.

Regards,

Suthakar

2 REPLIES

IOS firewall blocks certain return traffic

What return traffic is being dropped? Could you also post the configuration of all the zone-pairs in question, along with the ACLs, class-maps and policy-maps.

--
Please remember to rate and select a correct answer

IOS firewall blocks certain return traffic

Hello,

Looks like the traffic pattern we are seeing here does not seem appropriate for a FW, due to the fact that traffic that is not being expected is being received.

For that, the only way to make it happen across the firewall is basically to bypass the security policy using a PASS action on both zone-pairs (from trusted to internet and from internet to trusted), but only matching the specific traffic, so the rest of the traffic can still be secured!

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
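What the reply above describes, written out as a complete zone-based firewall fragment. This is an added example and not configuration from the original thread or from either poster. It reuses the All_Protocols class-map and the Trusted_to_Internet policy-map from the question, and the zone names trusted and internet. The proxy address 203.0.113.10 (a documentation range), the proxy port TCP 8080, the ACL, class-map, zone-pair and policy-map names Internet_to_Trusted, PROXY_REQUEST, PROXY_RETURN, and the interface names are all assumptions to be replaced with the real values.

```cisco
! Added example, not from the original thread. Assumed values: the WAN proxy
! is 203.0.113.10 listening on TCP 8080; interface names are placeholders.
!
! 1. Identify only the proxy flows, one ACL per direction. "established"
!    limits the inbound hole to TCP segments carrying ACK or RST, which is
!    the most a stateless rule can do to reject unsolicited SYNs.
ip access-list extended INSIDE_TO_PROXY
 permit tcp any host 203.0.113.10 eq 8080
ip access-list extended PROXY_TO_INSIDE
 permit tcp host 203.0.113.10 eq 8080 any established
!
class-map type inspect match-all PROXY_REQUEST
 match access-group name INSIDE_TO_PROXY
class-map type inspect match-all PROXY_RETURN
 match access-group name PROXY_TO_INSIDE
!
! 2. Class-map from the question, kept for everything that is not the proxy.
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 3. "pass" is stateless: it creates no session entry, so the proxy traffic
!    has to be passed explicitly in BOTH zone-pairs. The proxy class must
!    come before All_Protocols, otherwise the request is inspected instead.
!    All other outbound traffic stays inspected; all other inbound traffic
!    is still dropped.
policy-map type inspect Trusted_to_Internet
 class type inspect PROXY_REQUEST
  pass
 class type inspect All_Protocols
  inspect
 class class-default
  drop
!
policy-map type inspect Internet_to_Trusted
 class type inspect PROXY_RETURN
  pass
 class class-default
  drop
!
zone security trusted
zone security internet
!
zone-pair security TRUSTED-INTERNET source trusted destination internet
 service-policy type inspect Trusted_to_Internet
zone-pair security INTERNET-TRUSTED source internet destination trusted
 service-policy type inspect Internet_to_Trusted
!
interface GigabitEthernet0/0
 description LAN
 zone-member security trusted
interface GigabitEthernet0/1
 description WAN
 zone-member security internet
```

To confirm the proxy flows are taking the pass path rather than being dropped, check the per-class counters with `show policy-map type inspect zone-pair` and the ACL hit counts with `show access-lists`; passed traffic will not appear in `show policy-map type inspect zone-pair sessions`, because no session is created for it. Keep both ACLs as narrow as the proxy allows (single host, single port, `established` on the return side): every address and port you add to the pass classes is traffic the firewall no longer tracks.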