I'm having strange behaviour of my IOS zone-based firewall related to the self security zone. As I understand, all traffic from and to the self zone is permitted, unless any rule between self and other zones exists.
I have no rule between the self zone and in-zone (my inside LAN), so I thought all my traffic is permitted between them. I can ping, use http, https, etc. from in-zone to self, and so on, but we had a problem when we started to test a Cisco VoIP solution.
SCCP protocol with Cisco phones (7910 and 7960) works well, but the problem starts when we test calls between Cisco phones and softphones in our laptops.
IOS firewall drops this packet:
050113: *Jun 28 12:32:27.520 PCTime: %FW-6-DROP_UDP_PKT: Dropping udp pkt 10.1.0.1:2000 => 10.1.0.189:21348 with ip ident 549 due to policy match failure
Note that 10.1.0.1 is the inside interface for the self zone, and 10.1.0.189 is the VoIP phone (Cisco 7911) in the in-zone.
Why does the IOS firewall drop this packet? All other packets from self to in-zone
My config is attached, hardware is a 2811 router with Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(11)XJ, RELEASE SOFTWARE (fc1)
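When chasing a drop like the one quoted above, the first step is usually to pull every `%FW-6-DROP_*_PKT` message out of the syslog and separate the ones that involve a router interface address (the self zone) from ordinary zone-to-zone drops. The following Python parser is an added example, not part of the original post or of Cisco's software; the first sample line is the message from the post, the remaining lines are constructed, and matching `%FW-6-DROP_<PROTO>_PKT` variants other than the UDP form shown on the page is an assumption about the message layout.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Pattern for the IOS ZBFW drop message as it appears in the post:
#   %FW-6-DROP_UDP_PKT: Dropping udp pkt 10.1.0.1:2000 => 10.1.0.189:21348
#   with ip ident 549 due to policy match failure
# Only the UDP form is shown on the page; accepting other %FW-6-DROP_<PROTO>_PKT
# messages with the same "src:port => dst:port" layout is an assumption.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DROP_RE = re.compile(
    r"%FW-6-DROP_(?P<proto>[A-Z]+)_PKT: Dropping \w+ pkt "
    rf"(?P<src>{IPV4}):(?P<sport>\d+) => (?P<dst>{IPV4}):(?P<dport>\d+)"
    r"(?: with ip ident (?P<ident>\d+))?"
    r" due to (?P<reason>.+?)\s*$"
)


@dataclass
class DropEvent:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ident: Optional[int]
    reason: str
    involves_self: bool  # one endpoint is a router (self-zone) interface address
    raw: str


def parse_drop(line: str, self_addrs: Set[str]) -> Optional[DropEvent]:
    """Parse one syslog line; return None if it is not a ZBFW drop message."""
    m = DROP_RE.search(line)
    if not m:
        return None
    src, dst = m.group("src"), m.group("dst")
    return DropEvent(
        proto=m.group("proto").lower(),
        src=src,
        sport=int(m.group("sport")),
        dst=dst,
        dport=int(m.group("dport")),
        ident=int(m.group("ident")) if m.group("ident") else None,
        reason=m.group("reason"),
        involves_self=(src in self_addrs or dst in self_addrs),
        raw=line.rstrip(),
    )


def parse_drops(lines: Iterable[str], self_addrs: Set[str]) -> List[DropEvent]:
    """Parse a whole log, silently skipping lines that are not drop messages."""
    return [ev for ev in (parse_drop(ln, self_addrs) for ln in lines) if ev is not None]


def self_zone_drops(events: Iterable[DropEvent]) -> List[DropEvent]:
    """Drops that touch a self-zone address. With no policy pair between self
    and the inside zone these are the unexpected ones, since that traffic is
    supposed to pass by default."""
    return [ev for ev in events if ev.involves_self]


# Constructed sample log: the first line is the message from the post,
# the other two are made up (one unrelated drop, one non-firewall message).
SAMPLE_LOG = [
    "050113: *Jun 28 12:32:27.520 PCTime: %FW-6-DROP_UDP_PKT: Dropping udp pkt "
    "10.1.0.1:2000 => 10.1.0.189:21348 with ip ident 549 due to policy match failure",
    "050114: *Jun 28 12:32:28.100 PCTime: %FW-6-DROP_UDP_PKT: Dropping udp pkt "
    "10.1.0.50:40000 => 192.0.2.10:16384 with ip ident 12 due to policy match failure",
    "050115: *Jun 28 12:32:29.000 PCTime: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    # 10.1.0.1 is the router's inside interface, i.e. a self-zone address.
    events = parse_drops(SAMPLE_LOG, {"10.1.0.1"})
    for ev in self_zone_drops(events):
        print(f"self-zone drop: {ev.proto} {ev.src}:{ev.sport} -> "
              f"{ev.dst}:{ev.dport} ({ev.reason})")
```

Run against the sample, the parser flags exactly the poster's packet (router 10.1.0.1 port 2000 to the phone at 10.1.0.189) as a self-zone drop and leaves the host-to-host drop and the config message alone; on a real box, feed it the output of `show logging` and the set of interface addresses in the self zone.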