Cisco Support Community
New Member

Problem in Zone Based FW Config

Could anyone see why the below config is making HTTP downloads/streaming hang? Can't watch any streaming as it hangs at various points, but also when downloading MS service packs it will sometimes not start at all, or get a few percent in and then cut off.

Downloading off newsgroups, though, is not an issue.

It is definitely the router in some way. Tried a bog-standard one and had no issues. Seems to be since I adjusted the FW config through the CCP wizard and might have selected the medium security option.

Any ideas please?

class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
 match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
policy-map type inspect Incoming-XBL-Policy
 class type inspect Incoming-XBL-Traffic
  pass
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
 service-policy type inspect Incoming-XBL-Policy


19 REPLIES

Problem in Zone Based FW Config

Hello Marcus,

First of all I can see that you have the in-zone, out-zone and the private-in-zone.

My first question would be:

1- Are you unable to make these HTTP downloads from both the in-zone and the private-in-zone, or just from one of them?

2- I do not see a zone-pair being sourced from the out-zone going to the in-zone. Can you create this and let us know the result?

3- Also, if that does not change anything, would you mind changing this:

          class-map type inspect match-all ccp-insp-traffic
           match class-map ccp-cls-insp-traffic

to this:

          class-map type inspect match-any ccp-insp-traffic
           match class-map ccp-cls-insp-traffic

4- Add the following to troubleshoot the packets being dropped by the FW:

          ip inspect log drop-pkt

Can you test this configuration and send us the configuration with the changes made? Also I would like to see

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Problem in Zone Based FW Config

I have tried the above with no luck. However, the debug command was very insightful.

This is what I get when starting a download from MS:

*Nov  5 15:55:36.897: %FW-6-DROP_PKT: Dropping tcp session 90.223.216.153:80 192.168.10.6:49436  due to  Out-Of-Order Segment with ip ident 0

It then hangs. So in my download list I pause then resume, and it starts downloading fine for about 10 seconds before hanging again and giving me the following:

*Nov  5 15:56:08.325: %FW-6-DROP_PKT: Dropping Other session 90.223.216.152:80 2.121.50.238:49374 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0

*Nov  5 15:56:12.153: %FW-6-LOG_SUMMARY: 1 packet were dropped from 90.223.216.152:80 => 2.121.50.238:49377 (target:class)-(ccp-zp-out-self:class-default)

*Nov  5 15:56:12.153: %FW-6-LOG_SUMMARY: 1 packet were dropped from 90.223.216.152:80 => 2.121.50.238:49376 (target:class)-(ccp-zp-out-self:class-default)

*Nov  5 15:56:12.153: %FW-6-LOG_SUMMARY: 1 packet were dropped from 213.199.148.239:80 => 2.121.50.238:49384 (target:class)-(ccp-zp-out-self:class-default)

*Nov  5 15:56:12.153: %FW-6-LOG_SUMMARY: 1 packet were dropped from 90.223.216.152:80 => 2.121.50.238:49375 (target:class)-(ccp-zp-out-self:class-default)

*Nov  5 15:56:12.157: %FW-6-LOG_SUMMARY: 1 packet were dropped from 90.223.216.152:80 => 2.121.50.238:49374 (target:class)-(ccp-zp-out-self:class-default)


I tried using the command "ip inspect tcp reassembly memory limit 1024", as I have read there have been a few problems with the same kind of symptoms, being dropped by the FW because of packets out of order... But this still is not helping.

Problem in Zone Based FW Config

Hello Marcus,

Before going to the ISP and asking why you are receiving out-of-order packets: you already have the ip inspect reassembly on the outside interface, right?

Also, can you do this:

policy-map type inspect ccp-permit
 class class-default
  pass

Let us know any update.


Re: Problem in Zone Based FW Config

Hello Marcus,

What version of IOS are you running???

Just to let you know, support for out-of-order packet processing in the ZBF was introduced in IOS 15.0(1)M. So if you are not there, I will recommend you do an upgrade ASAP.

That should solve everything without any change on the ZBFW configuration, except adding this:

 parameter-map type ooo global
  tcp reassembly memory limit 2048 
  tcp reassembly queue length 85 
  tcp reassembly timeout 54  
  exit

Regards,

Julio

New Member

Problem in Zone Based FW Config

I have the latest IOS version for the SR520 line of router. (12.4.24T6)

Also, I have the ip virtual-reassembly on the Dialer0 interface and also on the SVIs.

I tried the

policy-map type inspect ccp-permit
 class class-default
  pass

but this did not change the behaviour.

Don't think it's the ISP, as this actually was working fine before I re-ran the FW wizard a while back.

Here is my original config which did seem to work:

class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM-Voice-permit
 match protocol sip
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match protocol user-ctcp-ezvpnsvr
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all ccp-cls-sdm-inspect-voip-in-1
 match access-group name XBOX-Incoming
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any XBOX-Incoming-Traffic
 match access-group name XBOX-Incoming
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all dhcp_out_self
 match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
 match access-group name dhcp-req-permit
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect dhcp_self_out
  pass
 class type inspect sdm-cls-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect XBOX-Incoming-Policy
 class type inspect XBOX-Incoming-Traffic
  pass
 class class-default
  drop
policy-map type inspect sdm-inspect
 class type inspect SDM-Voice-permit
  pass
 class type inspect sdm-cls-insp-traffic
  inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect z1-z2-pmap
 class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
 class type inspect ccp-cls-sdm-inspect-voip-in-1
  inspect
 class type inspect SDM-Voice-permit
  pass
 class class-default
  drop
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect dhcp_out_self
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security private-in-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security privateinzone-outzone source private-in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security outzone-privateinzone source out-zone destination private-in-zone
 service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination private-in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source private-in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip

This also includes the VPN stuff I was testing, just in case you are wondering about the extra stuff.

Hope this helps shed some light on things...

Problem in Zone Based FW Config

Hello Marcus,

OK, so this is not the current config, right?

Can I have the one from show running-config? You can take out the IP addresses on the interfaces and the usernames and passwords, but I really need to see the access-lists, the interfaces and the current ZBF configuration.

Regards,

Julio

New Member

Problem in Zone Based FW Config

Julio,

Full running config from the current setup you are after? Or the full config from the old one?

By the way, what's the difference between the CCP-created rules and the SDM ones?

Problem in Zone Based FW Config

Hello Marcus,

The current running configuration please.

There are no major differences, just that CCP is the successor of SDM, right, so you should use CCP in order to get support for the new features introduced with the latest and greatest IOS images. In my case I am a CLI guy, so I will always recommend using the command line interface.

Have a great day,

Julio

New Member

Problem in Zone Based FW Config

This is the current running config:

HOME_RTR#term len 0
HOME_RTR#show run
Building configuration...

Current configuration : 8216 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname
!
!
logging message-counter syslog
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2045468537
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2045468537
revocation-check none
rsakeypair TP-self-signed-2045468537
!
!
crypto pki certificate chain TP-self-signed
certificate self-signed 01
 
   quit
dot11 syslog
ip source-route
!
!
!
ip dhcp pool PRIVATE
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.254
!
ip dhcp pool WORK
   import all
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254
!
ip dhcp pool SERVER
   host 192.168.10.200 255.255.255.0
   client-identifier 0100.248c.3fdb.a9
   client-name SERVER
!
ip dhcp pool XBOX
   host 192.168.10.210 255.255.255.0
   client-identifier 0100.25ae.eae4.88
   client-name XBOX
!
!
ip cef
ip domain name home.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
  hidekeys
!
!
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
  pass
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-Policy
!
!
!
interface ATM0
no ip address
no ip redirects
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
!
interface Vlan10
description $FW_INSIDE$
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
!
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description ADSL Dialup
ip address negotiated
no ip redirects
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
!
ip access-list extended XBOX-Live
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
!
!
!
!
snmp-server community public RO
!
control-plane
!
banner login ^CHOME
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
end

HOME_RTR#exit

Re: Problem in Zone Based FW Config

Hello Marcus,

Can you add the following:

class type inspect tcp_udp
 match protocol tcp
 match protocol udp

policy-map type inspect ccp-inspect
 class type inspect tcp_udp
  inspect

Please take out all the rest of the class maps on the policy ccp-inspect. Let's try that and let me know.

Regards,

Julio

New Member

Problem in Zone Based FW Config

Tried this. No internet at all.

Getting these errors:

*Nov  7 02:16:33.369: %FW-6-DROP_PKT: Dropping udp session 90.207.238.99:53 192.168.10.200:57770 on zone-pair ccp-zp-out-private-in class class-default due to  DROP action found in policy-map with ip ident 0
*Nov  7 02:17:04.489: %FW-6-DROP_PKT: Dropping udp session 90.207.238.97:53 192.168.10.200:52356 on zone-pair ccp-zp-out-private-in class class-default due to  DROP action found in policy-map with ip ident 0
*Nov  7 02:17:06.381: %FW-6-LOG_SUMMARY: 1 packet were dropped from 90.207.238.97:53 => 192.168.10.200:63622 (target:class)-(ccp-zp-out-private-in:class-default)
*Nov  7 02:17:06.381: %FW-6-LOG_SUMMARY: 1 packet were dropped from 90.207.238.99:53 => 192.168.10.200:63622 (target:class)-(ccp-zp-out-private-in:class-default)
*Nov  7 02:17:06.381: %FW-6-LOG_SUMMARY: 3 packets were dropped from 90.207.238.97:53 => 192.168.10.3:60165 (target:class)-(ccp-zp-out-private-in:class-default)
*Nov  7 02:17:06.381: %FW-6-LOG_SUMMARY: 3 packets were dropped from 90.207.238.97:53 => 192.168.10.3:59896 (target:class)-(ccp-zp-out-private-in:class-default)
*Nov  7 02:17:06.385: %FW-6-LOG_SUMMARY: 3 packets were dropped from 90.207.238.97:53 => 192.168.10.3:51472 (target:class)-(ccp-zp-out-private-in:class-default)
*Nov  7 02:17:06.385: %FW-6-LOG_SUMMARY: 4 packets were dropped from 90.207.238.99:53 => 192.168.10.3:51472 (target:class)-(ccp-zp-out-private-in:class-default)
*Nov  7 02:17:06.385: %FW-6-LOG_SUMMARY: 4 packets were dropped from 90.207.238.99:53 => 192.168.10.3:59896 (target:class)-(ccp-zp-out-private-in:class-default)
*Nov  7 02:17:06.385: %FW-6-LOG_SUMMARY: 4 packets were dropped from 90.207.238.99:53 => 192.168.10.3:60165 (target:class)-(ccp-zp-out-private-in:class-default)

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Config reads:

class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all tcp_udp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect tcp_udp
  inspect
policy-map type inspect ccp-permit
class class-default
  drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
  pass
class class-default
  drop
!

Thinking after I posted this: should there be a class class-default pass after the tcp_udp inspect?

New Member

Problem in Zone Based FW Config

Added in the class class-default pass after the tcp_udp part. Still no internet on that setup.

Problem in Zone Based FW Config

Hello Marcus,

Please change this:

class-map type inspect match-all tcp_udp
 match protocol tcp
 match protocol udp

to this:

class-map type inspect match-any tcp_udp
 match protocol tcp
 match protocol udp

And let me know.

Regards,

Julio

New Member

Problem in Zone Based FW Config

Julio,

That works!! :-) What is it that is causing it then? As I don't want to leave out all that other config we just removed from the ccp-inspect policy map.

Thanks,

Marcus.

Problem in Zone Based FW Config

Hello Marcus,

First of all, inspecting the HTTP protocol up to layer 7 usually generates latency issues, so it is better just to inspect the TCP protocol.

Second, this class map (class type inspect ccp-insp-traffic) has a match-all, so all packets need to match all of the protocols you have there to be inspected, and if a packet does not match, it is going to be dropped by that policy.

Hope this helps,

Julio

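To make the match-any / match-all distinction concrete, here is a small model of ZBFW class-map and policy-map evaluation written for this thread (an added example, not Cisco code and not anything the posters ran). It encodes the reduced ccp-inspect, ccp-permit and Incoming-XBL-Policy policy-maps with their zone-pairs, walks a DNS query and its reply through them with tcp_udp as match-all and as match-any, and shows the outcomes for unsolicited inbound packets. Assumptions: a packet carries the set of "match protocol" tags it would satisfy, the XBOX-Live ACL is a Python predicate, a policy-map is walked first-match with a missing class-default treated as drop, and "inspect" records a session that lets the reply through on the reverse zone-pair.

```python
"""Model of ZBFW class-map/policy-map evaluation for this thread's configs.
Added example, not Cisco code.  Assumptions: a packet carries the set of
'match protocol' tags it would satisfy; 'match access-group' is a Python
predicate; policy-maps are walked first-match with a missing class-default
treated as drop; 'inspect' records a session that permits the reply."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    tags: frozenset           # e.g. {"udp", "dns"} for a DNS query over UDP
    flow: str                 # direction-independent flow id (constructed)
    dst_ip: str = ""
    dst_port: int = 0


@dataclass
class ClassMap:
    """One 'class-map type inspect match-any|match-all' block."""
    mode: str
    protocols: tuple = ()
    acl: object = None        # callable(Packet) -> bool for 'match access-group'

    def matches(self, pkt):
        checks = [p in pkt.tags for p in self.protocols]
        if self.acl is not None:
            checks.append(self.acl(pkt))
        if not checks:
            return False
        # match-any is a logical OR of the match lines, match-all a logical AND
        return any(checks) if self.mode == "match-any" else all(checks)


class ZoneFirewall:
    def __init__(self, cmaps, pmaps, zone_pairs):
        self.cmaps = cmaps
        self.pmaps = pmaps            # name -> [(class_name, action), ...]
        self.zone_pairs = zone_pairs  # (src_zone, dst_zone) -> policy-map name
        self.sessions = set()         # (src_zone, dst_zone, flow) created by 'inspect'

    def classify(self, pmap, pkt):
        for cname, action in self.pmaps[pmap]:
            if cname == "class-default" or self.cmaps[cname].matches(pkt):
                return cname, action
        return "class-default", "drop"          # implicit class-default

    def forward(self, pkt):
        """Return the decision the model yields for one packet."""
        if (pkt.dst_zone, pkt.src_zone, pkt.flow) in self.sessions:
            return "permit (return traffic of inspected session)"
        pmap = self.zone_pairs.get((pkt.src_zone, pkt.dst_zone))
        if pmap is None:
            return "drop (no zone-pair)"
        cname, action = self.classify(pmap, pkt)
        if action == "inspect":
            self.sessions.add((pkt.src_zone, pkt.dst_zone, pkt.flow))
        return f"{action} ({pmap}:{cname})"


def xbox_live_acl(pkt):
    """Stand-in for 'ip access-list extended XBOX-Live' from the running config."""
    return pkt.dst_ip == "192.168.10.210" and pkt.dst_port in (88, 3074)


def build(tcp_udp_mode, default_action="drop"):
    """The reduced config from the thread: ccp-inspect with one tcp_udp class."""
    cmaps = {
        "tcp_udp": ClassMap(tcp_udp_mode, protocols=("tcp", "udp")),
        "Incoming-XBL-Traffic": ClassMap("match-any", acl=xbox_live_acl),
    }
    pmaps = {
        "ccp-inspect": [("tcp_udp", "inspect"), ("class-default", default_action)],
        "ccp-permit": [("class-default", "drop")],
        "Incoming-XBL-Policy": [("Incoming-XBL-Traffic", "pass"), ("class-default", "drop")],
    }
    zone_pairs = {
        ("private-in-zone", "out-zone"): "ccp-inspect",
        ("out-zone", "private-in-zone"): "Incoming-XBL-Policy",
        ("out-zone", "self"): "ccp-permit",
    }
    return ZoneFirewall(cmaps, pmaps, zone_pairs)


def dns_round_trip(tcp_udp_mode, default_action="drop"):
    """Outbound DNS query from the LAN and its reply; returns both decisions."""
    fw = build(tcp_udp_mode, default_action)
    flow = "192.168.10.200:57770<->90.207.238.97:53"   # taken from the thread's log line
    query = Packet("private-in-zone", "out-zone", frozenset({"udp", "dns"}), flow)
    reply = Packet("out-zone", "private-in-zone", frozenset({"udp", "dns"}), flow)
    return fw.forward(query), fw.forward(reply)


def unsolicited_inbound():
    """No session exists: the Xbox Live port-forward vs. a stray packet to the router."""
    fw = build("match-any")
    xbox = Packet("out-zone", "private-in-zone", frozenset({"udp"}), "xbl",
                  dst_ip="192.168.10.210", dst_port=3074)
    stray = Packet("out-zone", "self", frozenset({"tcp", "http"}), "stray")
    return fw.forward(xbox), fw.forward(stray)


if __name__ == "__main__":
    for mode, default in (("match-all", "drop"), ("match-all", "pass"), ("match-any", "drop")):
        print(mode, default, dns_round_trip(mode, default))
    print(unsolicited_inbound())
```

With match-all, "tcp AND udp" can never be true for one packet, so the query is never inspected and the reply lands on ccp-zp-out-private-in class-default, the same target:class the %FW-6-DROP_PKT lines above report; adding class-default pass only changes the outbound verdict, since a passed packet creates no session for the reply.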
New Member

Problem in Zone Based FW Config

Hope I understand this a bit more now...

This is now my class and policy map. Working great now as the problem is fixed; however, is this as safe as the config was before? It just feels like there is less checking now and things could be open in some way.

class-map type inspect match-any TCP-UDP
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Incoming-XBL-Traffic
 match access-group name XBOX-Live
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect TCP-UDP
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
policy-map type inspect Incoming-XBL-Policy
 class type inspect Incoming-XBL-Traffic
  pass
 class class-default
  drop

Also, this bit seems weird to me. Looks like it's calling the same checks twice?

class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access

This is a match-all, yet the class map it refers to is a match-any. Does not seem to make sense to me...

Thanks Julio!!

Problem in Zone Based FW Config

Hello Marcus,

Do not worry about the security of the changes we have made, because they are related to the outbound direction, not the inbound direction, so connections being generated on the outside have to match a completely different policy that you have created for that specific traffic.

Now regarding the last question: yes, it seems a little strange, because you are calling the same thing twice, as you said; that is why we have changed it. I am glad everything is working fine now.

Please mark the question as answered.

Regards,

Julio

New Member

Problem in Zone Based FW Config

Thanks for all the help Julio...

On a side note now, what is this actually doing...

policy-map type inspect ccp-permit-icmpreply

Problem in Zone Based FW Config

Hello  Marcus,

That policy says that any TCP, UDP or ICMP traffic coming from the self zone (router interfaces) to the outside (internet).

Hope this helps.

Julio
